Hi,

Okay, I've solved it. The issue was that a) (mail={email}) is all that is
required in the search filter (to allow non-registered users), and b) cn
and mail need to be returned in the search-fields for use with
auto-register-username and auto-register-email. Finally, ensure
auto-register is set to True.

            <auto-register>True</auto-register>
            <server>ldaps://dc1.example.com</server>
            <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
            <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
            <search-password>searchpassword</search-password>
            <search-fields>cn,mail</search-fields>
            <search-filter>(mail={email})</search-filter>
            <continue-on-failure>False</continue-on-failure>
            <bind-user>{dn}</bind-user>
            <bind-password>{password}</bind-password>
            <auto-register-username>{cn}</auto-register-username>
            <auto-register-email>{mail}</auto-register-email>

Cheers,

Martin

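As an added example (Python, not code from Galaxy or from anyone in this thread), a small checker that reads one <authenticator> block of auth_conf.xml and applies the three conclusions above: the search filter must not depend on {username} unless login-use-username is True (and not on {email} when it is), every attribute named by auto-register-username/-email must be listed in search-fields, and auto-register must be True. The option names are the ones used in this thread; the sample configuration is constructed from the working one above.

```python
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\{(\w+)\}")

def lint_ldap_authenticator(xml_text: str) -> list:
    """Check one <authenticator> block against the three conclusions above:
    the search filter must not depend on a value that is unknown at first
    login, every attribute used by auto-register-* must be in search-fields,
    and auto-register must be True. Returns a list of findings (empty = OK)."""
    opts = ET.fromstring(xml_text).find("options")
    if opts is None:
        return ["missing <options> element"]

    def opt(name):  # text of one option, "" if the element is absent
        node = opts.find(name)
        return (node.text or "").strip() if node is not None else ""

    findings = []
    use_username = opt("login-use-username").lower() == "true"
    filt = opt("search-filter")
    if not use_username and "{username}" in filt:
        findings.append("search-filter uses {username}, which is None for an unregistered user")
    if use_username and "{email}" in filt:
        findings.append("search-filter uses {email}, which is unknown when login-use-username is True")
    fields = {f.strip() for f in opt("search-fields").split(",") if f.strip()}
    for name in ("auto-register-username", "auto-register-email"):
        for attr in PLACEHOLDER.findall(opt(name)):
            if attr not in fields:
                findings.append(f"{name} needs {attr} but search-fields does not return it")
    if opt("auto-register").lower() != "true":
        findings.append("auto-register is not True, so unregistered users are never created")
    return findings

# Constructed sample: the working configuration from the message above.
GOOD_CONFIG = """<authenticator>
  <type>ldap</type>
  <options>
    <auto-register>True</auto-register>
    <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
    <search-fields>cn,mail</search-fields>
    <search-filter>(mail={email})</search-filter>
    <auto-register-username>{cn}</auto-register-username>
    <auto-register-email>{mail}</auto-register-email>
  </options>
</authenticator>"""

if __name__ == "__main__":
    print(lint_ldap_authenticator(GOOD_CONFIG) or "no findings")
```

The checker only sees the configuration file, so it cannot tell whether the directory actually populates the attribute named (the uid-versus-cn mismatch further down the thread still needs an ldapsearch against the server).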
On 09/03/2015 11:59 AM, Martin Vickers wrote:
> Hi Nicola,
>
> So I've realised that none of that was actually the issue. The
> (&(uid={username})(mail={email})) part does work fine; it's the setting
> of the username that is the issue. When the first unregistered user
> logs in, it works fine but the username is set to -10. When a second
> unregistered user attempts to log in, they can't. If I manually change
> their username, the second user is then able to log in and once again
> the username is set to -10 (see attached images).
>
> I think the issue here stems from:
>
> <auto-register-username>{uid}</auto-register-username>
>
> since I don't have a uid property in our LDAP server. I've tried all
> combinations of auto-register (True/False) and allow-register
> (True/False/Challenge) and haven't been able to get it to work. It also
> appears that auto-register-username and auto-register-email are
> required to use this authenticator, as without them no one can log in
> (including registered users), and I get the following "Internal Server
> Error" message.
>
> This is my current auth_config.xml file:
>
>         <authenticator>
>                 <type>ldap</type>
>                         <allow-register>True</allow-register>
>                         <server>ldaps://dc1.example.com</server>
>                         <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
>                         <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
>                         <search-password>searchpasssword</search-password>
>                         <search-fields>uid,mail</search-fields>
>                         <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
>                         <continue-on-failure>False</continue-on-failure>
>                         <bind-user>{dn}</bind-user>
>                         <bind-password>{password}</bind-password>
>                         <auto-register-username>{uid}</auto-register-username>
>                         <auto-register-email>{mail}</auto-register-email>
>                 </options>
>         </authenticator>
>
> Doesn't one of the allow-register settings make/ask the user to
> provide a username rather than trying to auto-generate it? Or is there
> a way to get the username out of the LDAP server if it's not using uid
> to store it?
>
> Many thanks,
>
> Martin
>
> On 09/02/2015 06:09 PM, Nicola Soranzo wrote:
> > Hi Martin,
> > I suspect there's an error in the sample auth_conf.xml file:
> > <search-filter> should try to match only the email, not the username
> > (unless you specify <login-use-username>True</login-use-username>, in
> > which case it's vice versa) because it is not known when you first log in.
> > In fact, for ActiveDirectory the filter is:
> > <search-filter>(&amp;(objectClass=user)(mail={email}))</search-filter>
> > So, can you try to change:
> > <search-filter>(&amp;(cn={username})(mail={email}))</search-filter>
> > to something like:
> > <search-filter>(mail={email})</search-filter>
> >
> > Cheers,
> > Nicola
> > On 02/09/15 15:51, Martin Vickers wrote:
> > >
> > > Hi Nicola,
> > >
> > > It's an OpenLDAP server. uid isn't set on ours, it's cn instead, so
> > > using ldapsearch I can correctly bind:
> > >
> > > dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com
> > > objectClass: aberPerson
> > > cn: mjv08
> > >
> > > So authentication to the LDAP server is working; the issue seems to
> > > be that when it's an unknown user, it's passing the following search string:
> > >
> > > (&(cn=None)(mail=unknownu...@aber.ac.uk))
> > >
> > > rather than:
> > >
> > > (&(cn=unknownuser)(mail=unknownu...@aber.ac.uk))
> > >
> > > hence the:
> > >
> > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP
> > > authenticate: username is None
> > > galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP
> > > authenticate: search returned no results
> > >
> > > How is {username} in auth_config.xml set? Does it parse {email} to
> > > get it?
> > >
> > > Many thanks,
> > >
> > > Martin
> > >
> > > On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
> > > > Hi Martin,
> > > > what LDAP server are you using? We have tested only OpenLDAP and
> > > > ActiveDirectory, but should work on any LDAP server.
> > > >
> > > > If it is OpenLDAP, I think you should use:
> > > >
> > > > <search-fields>uid,mail</search-fields>
> > > > <search-filter>(&amp;(mail={email})(uid={username}))</search-filter>
> > > > <auto-register-username>{uid}</auto-register-username>
> > > >
> > > > More details in:
> > > >
> > > > https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
> > > >
> > > > Cheers,
> > > > Nicola
> > > >
> > > > On 02.09.2015 15:03 Martin Vickers wrote:
> > > > > Hi All,
> > > > >
> > > > > I've been trying to get the new LDAP module to work. It works fine for
> > > > > existing users but I can't get auto-register to work. In the logs I can
> > > > > see the successful logins look like this:
> > > > >
> > > > > galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02 13:35:06,130
> > > > > trans.app.config.auth_config_file: ./config/auth_conf.xml
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP
> > > > > authenticate: email is mj...@aber.ac.uk [1]
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP
> > > > > authenticate: username is mjv08
> > > > > ....
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,235 LDAP
> > > > > authentication successful
> > > > >
> > > > > and those that are unsuccessful have a username as None, which is why
> > > > > the search filter isn't working:
> > > > >
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP
> > > > > authenticate: email is unregu...@aber.ac.uk [2]
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP
> > > > > authenticate: username is None
> > > > > ....
> > > > > galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP
> > > > > authenticate: search returned no results
> > > > >
> > > > > My auth_config.xml openldap authenticator looks like this (edited to
> > > > > remove openldap server details):
> > > > >
> > > > > ldap
> > > > > '{email}'.endswith('@example.com')
> > > > >
> > > > > True
> > > > > Challenge
> > > > > ldaps://dc1.example.com
> > > > >
> > > > > ou=People,dc=dc1,dc=example,dc=com
> > > > >
> > > > > cn=searchuser,ou=People,dc=dc1,dc=example,dc=com
> > > > >
> > > > > searchuserpassword
> > > > > cn,mail
> > > > >
> > > > > (&(cn={username})(mail={email}))
> > > > > {dn}
> > > > > {password}
> > > > >
> > > > > {cn}
> > > > > {mail}
> > > > >
> > > > > Are there any settings in galaxy.ini that are required to enable this to
> > > > > work?
> > > > >
> > > > > Many thanks
> > > > >
> > > > > Martin
>
> --
>
> --
> Dr. Martin Vickers
>
> Data Manager/HPC Systems Administrator
> Institute of Biological, Environmental and Rural Sciences
> IBERS New Building
> Aberystwyth University
>
> w: http://www.martin-vickers.co.uk/
> e: mj...@aber.ac.uk
> t: 01970 62 2807
>
