Hi Nicola,

So I've realised that none of that was actually the issue. The
(&(uid={username})(mail={email})) part does work fine; it's the setting
of the username that is the issue. When the first unregistered user
logs in, it works fine but the username is set to -10. When a second
unregistered user attempts to log in, they can't. If I manually change
their username, the second user is then able to log in and once again
the username is set to -10 (see attached images).

I think the issue here stems from:

<auto-register-username>{uid}</auto-register-username>

since I don't have a uid property in our LDAP server. I've tried all
combinations of auto-register (True/False) and allow-register
(True/False/Challenge) and haven't been able to get it to work. It also
appears that auto-register-username and auto-register-email are
requirements to use this authenticator, as without them no one can log in
(including registered users), and I get the following "Internal Server
Error" message.

This is my current auth_config.xml file:

        <authenticator>
                <type>ldap</type>
                <options>
                        <allow-register>True</allow-register>
                        <server>ldaps://dc1.example.com</server>
                        <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
                        <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
                        <search-password>searchpasssword</search-password>
                        <search-fields>uid,mail</search-fields>
                        <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
                        <continue-on-failure>False</continue-on-failure>
                        <bind-user>{dn}</bind-user>
                        <bind-password>{password}</bind-password>
                        <auto-register-username>{uid}</auto-register-username>
                        <auto-register-email>{mail}</auto-register-email>
                </options>
        </authenticator>

Doesn't one of the allow-register settings make/ask the user to provide
a username rather than trying to auto-generate it? Or is there a way to
get the username out of the LDAP server if it's not using uid to store it?

Many thanks,

Martin

On 09/02/2015 06:09 PM, Nicola Soranzo wrote:
> Hi Martin,
> I suspect there's an error in the sample auth_conf.xml file,
> <search-filter> should try to match only the email, not the username
> (unless you specify <login-use-username>True</login-use-username>, in
> which case it's vice versa) because it is not known when you first login.
> In fact, for ActiveDirectory the filter is:
> <search-filter>(&amp;(objectClass=user)(mail={email}))</search-filter>
> So, can you try to change:
> <search-filter>(&amp;(cn={username})(mail={email}))</search-filter> to
> something like:
> <search-filter>(mail={email})</search-filter>
>
> Cheers,
> Nicola
>
> On 02/09/15 15:51, Martin Vickers wrote:
> Hi Nicola,
>
> It's an OpenLDAP server. uid isn't set on ours, it's cn instead, so
> using ldapsearch I can correctly bind;
>
> dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com
> objectClass: aberPerson
> cn: mjv08
>
> So authentication to the ldap server is working, the issue seems to be
> that when it's an unknown user, it's passing the following search string;
>
> (&(cn=None)(mail=unknownu...@aber.ac.uk))
>
> rather than;
>
> (&(cn=unknownuser)(mail=unknownu...@aber.ac.uk))
>
> hence the;
>
> galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP
> authenticate: username is None
> galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP
> authenticate: search returned no results
>
> How is {username} in auth_config.xml set? Does it parse {email} to get it?
>
> Many thanks,
>
> Martin
>
> On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
> > Hi Martin,
> > what LDAP server are you using? We have tested only OpenLDAP and
> > ActiveDirectory, but should work on any LDAP server.
> >
> > If it is OpenLDAP, I think you should use:
> >
> > <search-fields>uid,mail</search-fields>
> > <search-filter>(&amp;(mail={email})(uid={username}))</search-filter>
> > <auto-register-username>{uid}</auto-register-username>
> >
> > More details in:
> >
> > https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
> >
> > Cheers,
> > Nicola
> >
> > On 02.09.2015 15:03 Martin Vickers wrote:
> > > Hi All,
> > >
> > > I've been trying to get the new LDAP module to work. It works fine for
> > > existing users but I can't get auto-register to work. In the logs I can
> > > see the successful logins look like this;
> > >
> > > galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02 13:35:06,130
> > > trans.app.config.auth_config_file: ./config/auth_conf.xml
> > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP
> > > authenticate: email is mj...@aber.ac.uk [1]
> > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP
> > > authenticate: username is mjv08
> > > ....
> > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,235 LDAP
> > > authentication successful
> > >
> > > and those that are unsuccessful have a username as None, which is why
> > > the search filter isn't working;
> > >
> > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP
> > > authenticate: email is unregu...@aber.ac.uk [2]
> > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP
> > > authenticate: username is None
> > > ....
> > > galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP
> > > authenticate: search returned no results
> > >
> > > My auth_config.xml openldap authenticator looks like this (edited to
> > > remove openldap server details);
> > >
> > > ldap
> > > '{email}'.endswith('@example.com')
> > > True
> > > Challenge
> > > ldaps://dc1.example.com
> > > ou=People,dc=dc1,dc=example,dc=com
> > > cn=searchuser,ou=People,dc=dc1,dc=example,dc=com
> > > searchuserpassword
> > > cn,mail
> > > (&(cn={username})(mail={email}))
> > > {dn}
> > > {password}
> > > {cn}
> > > {mail}
> > >
> > > Are there any settings in galaxy.ini that are required to enable this to
> > > work?
> > >
> > > Many thanks
> > >
> > > Martin
>

-- 
Dr. Martin Vickers

Data Manager/HPC Systems Administrator
Institute of Biological, Environmental and Rural Sciences
IBERS New Building
Aberystwyth University

w: http://www.martin-vickers.co.uk/
e: mj...@aber.ac.uk
t: 01970 62 2807


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
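The thread turns on two behaviours of the filter/auto-register templates: a `{username}` placeholder that the login form never supplied is rendered as the literal `None` (the `(cn=None)` in the logs), and an `{uid}` auto-register template is rendered even when the directory entry has no `uid` attribute. Both are symptoms of substituting values into a template with no check, and the same code path is where an unescaped e-mail address becomes an LDAP filter injection. The following is an added example, written for this page and not Galaxy's own code: it assumes str.format-style `{email}`/`{username}` placeholders in the search filter, `{attr}` placeholders in the auto-register templates, and a directory entry delivered as a dict of attribute name to list of values. The hostile input and the sample entry are constructed.

```python
"""Hypothetical re-implementation of the search-filter and auto-register
template handling discussed in this thread. Added example, not Galaxy's
code: it assumes str.format-style {email}/{username} placeholders in the
filter and {attr} placeholders in the auto-register templates, and that
the directory entry arrives as a dict of attribute -> list of values."""
import re

# RFC 4515 escaping for assertion values: the only way a login-form value
# may reach the filter. Without it "*)(uid=*" turns (mail={email}) into
# (mail=*)(uid=*), an LDAP injection that widens the search to every entry.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_build_filter(template: str, email: str, username=None) -> str:
    """What a bare str.format does: no escaping, and a None username is
    rendered literally, producing the (cn=None) seen in the thread's logs."""
    return template.format(email=email, username=username)


def build_search_filter(template: str, email: str, username=None) -> str:
    """Escape every substituted value and refuse to render a placeholder the
    login form did not supply, instead of silently searching for 'None'."""
    values = {"email": email, "username": username}
    needed = set(_PLACEHOLDER.findall(template))
    unknown = needed - set(values)
    if unknown:
        raise ValueError(f"filter references unknown placeholders {sorted(unknown)}")
    missing = sorted(k for k in needed if values[k] is None)
    if missing:
        raise ValueError(f"filter needs {missing}, which the login form did not supply")
    return template.format(**{k: escape_filter_value(values[k]) for k in needed})


def resolve_auto_register(template: str, entry: dict):
    """Render e.g. '{uid}' from the returned entry. An attribute the server
    never returned yields None, so the caller can reject registration
    instead of storing a placeholder as the new account's username."""
    attrs = {}
    for attr in set(_PLACEHOLDER.findall(template)):
        values = entry.get(attr)
        if not values:
            return None
        attrs[attr] = values[0]
    return template.format(**attrs)


# Constructed sample entry shaped like the cn-based OpenLDAP record quoted in
# the thread: it has cn and mail but no uid attribute.
SAMPLE_ENTRY = {
    "dn": ["cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com"],
    "objectClass": ["aberPerson"],
    "cn": ["mjv08"],
    "mail": ["mjv08@example.com"],  # constructed address
}


if __name__ == "__main__":
    hostile = "*)(uid=*"  # constructed hostile login-form input
    print(unsafe_build_filter("(mail={email})", hostile))  # (mail=*)(uid=*)
    print(build_search_filter("(mail={email})", hostile))  # (mail=\2a\29\28uid=\2a)
    print(unsafe_build_filter("(&(cn={username})(mail={email}))", "new@example.com"))
    try:
        build_search_filter("(&(cn={username})(mail={email}))", "new@example.com")
    except ValueError as exc:
        print("rejected:", exc)
    print(resolve_auto_register("{uid}", SAMPLE_ENTRY))  # None: entry has no uid
    print(resolve_auto_register("{cn}", SAMPLE_ENTRY))  # mjv08
```

The escaping is the part to keep regardless of which filter you settle on: a filter that only matches `(mail={email})` is still built from untrusted input, and the `bind-user` of `{dn}` means whatever entry that filter returns is the one whose DN the user's password is tried against.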
