Hi Martin,
that's exactly what I was suggesting in my last email, sorry for not explaining myself better with a complete example!


I'm happy it's working for you now, I will create a PR to update the sample file example.

Thanks,
Nicola

On 03/09/15 12:47, Martin Vickers wrote:


Hi,

Okay, I've solved it. The issue was that a) (mail={email}) is all that is required in the search filter (to allow non-registered users), and b) cn and mail need to be returned in the search-fields for use with auto-register-username and auto-register-email. Finally, ensure auto-register is set to True.

    <auto-register>True</auto-register>
    <server>ldaps://dc1.example.com</server>
    <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
    <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
    <search-password>searchpassword</search-password>
    <search-fields>cn,mail</search-fields>
    <search-filter>(mail={email})</search-filter>
    <continue-on-failure>False</continue-on-failure>
    <bind-user>{dn}</bind-user>
    <bind-password>{password}</bind-password>
    <auto-register-username>{cn}</auto-register-username>
    <auto-register-email>{mail}</auto-register-email>

Cheers,

Martin

On 09/03/2015 11:59 AM, Martin Vickers wrote:
> Hi Nicola,
>
> So I've realised that none of that was actually the issue. The (&(uid={username})(mail={email})) part does work fine, it's the setting of the username that is the issue. When the first unregistered user logs in, it works fine but the username is set to -10. When a second unregistered user attempts to log in, they can't. If I manually change their username, the second user is then able to log in and once again the username is set to -10 (see attached images).
>
> I think the issue here stems from;
>
> <auto-register-username>{uid}</auto-register-username>
>
> since I don't have a uid property in our ldap server. I've tried all combinations of auto-register (True/False) and allow-register (True/False/Challenge) and haven't been able to get it to work. It also appears that auto-register-username and auto-register-email are requirements to use this authenticator as without it no one can log in (including registered users), and I get the following "Internal Server Error" message.
>
> This is my current auth_config.xml file;
>
> <authenticator>
> <type>ldap</type>
> <allow-register>True</allow-register>
> <server>ldaps://dc1.example.com</server>
> <search-base>ou=Person,dc=dc1,dc=example,dc=com</search-base>
> <search-user>cn=searchuser,ou=Person,dc=dc1,dc=example,dc=com</search-user>
> <search-password>searchpasssword</search-password>
> <search-fields>uid,mail</search-fields>
> <search-filter>(|(mail={email})(uid={username}))</search-filter>
> <continue-on-failure>False</continue-on-failure>
> <bind-user>{dn}</bind-user>
> <bind-password>{password}</bind-password>
> <auto-register-username>{uid}</auto-register-username>
> <auto-register-email>{mail}</auto-register-email>
> </options>
> </authenticator>
>
> Doesn't one of the allow-register settings make/ask the user to provide a username rather than trying to auto generate it? Or, is there a way to get the username out of the ldap server if it's not using uid to store it?
>
> Many thanks,
>
> Martin
>
> On 09/02/2015 06:09 PM, Nicola Soranzo wrote:
> > Hi Martin,
> >
> > I suspect there's an error in the sample auth_conf.xml file, <search-filter> should try to match only the email, not the username (unless you specify <login-use-username>True</login-use-username>, in which case it's vice versa) because it is not known when you first login. In fact, for ActiveDirectory the filter is:
> >
> > <search-filter>(&amp;(objectClass=user)(mail={email}))</search-filter>
> >
> > So, can you try to change:
> >
> > <search-filter>(&amp;(cn={username})(mail={email}))</search-filter>
> >
> > to something like:
> >
> > <search-filter>(mail={email})</search-filter>
> >
> > Cheers,
> > Nicola
> >
> > On 02/09/15 15:51, Martin Vickers wrote:
> > > Hi Nicola,
> > >
> > > It's an OpenLDAP server. uid isn't set on ours, it's cn instead, so using ldapsearch I can correctly bind;
> > >
> > > dn: cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com
> > > objectClass: aberPerson
> > > cn: mjv08
> > >
> > > So authentication to the ldap server is working, the issue seems to be that when it's an unknown user, it's passing the following search string;
> > >
> > > (&(cn=None)(mail=unknownu...@aber.ac.uk))
> > >
> > > rather than;
> > >
> > > (&(cn=unknownuser)(mail=unknownu...@aber.ac.uk))
> > >
> > > hence the;
> > >
> > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 15:40:07,322 LDAP authenticate: username is None
> > > galaxy.auth.providers.ldap_ad WARNING 2015-09-02 15:40:07,485 LDAP authenticate: search returned no results
> > >
> > > How is {username} in auth_config.xml set? Does it parse {email} to get it?
> > >
> > > Many thanks,
> > >
> > > Martin
> > >
> > > On 09/02/2015 03:38 PM, Nicola Soranzo wrote:
> > > > Hi Martin,
> > > > what LDAP server are you using? We have tested only OpenLDAP and ActiveDirectory, but should work on any LDAP server.
> > > >
> > > > If it is OpenLDAP, I think you should use:
> > > >
> > > > <search-fields>uid,mail</search-fields>
> > > > <search-filter>(&amp;(mail={email})(uid={username}))</search-filter>
> > > > <auto-register-username>{uid}</auto-register-username>
> > > >
> > > > More details in:
> > > >
> > > > https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
> > > >
> > > > Cheers,
> > > > Nicola
> > > >
> > > > On 02.09.2015 15:03 Martin Vickers wrote:
> > > > > Hi All,
> > > > >
> > > > > I've been trying to get the new LDAP module to work. It works fine for existing users but I can't get auto-register to work. In the logs I can see the successful logins look like this;
> > > > >
> > > > > galaxy.webapps.galaxy.controllers.user DEBUG 2015-09-02 13:35:06,130 trans.app.config.auth_config_file: ./config/auth_conf.xml
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP authenticate: email is mj...@aber.ac.uk
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,131 LDAP authenticate: username is mjv08
> > > > > ....
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:35:06,235 LDAP authentication successful
> > > > >
> > > > > and those that are unsuccessful have a username as None, which is why the search filter isn't working;
> > > > >
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP authenticate: email is unregu...@aber.ac.uk
> > > > > galaxy.auth.providers.ldap_ad DEBUG 2015-09-02 13:47:13,951 LDAP authenticate: username is None
> > > > > ....
> > > > > galaxy.auth.providers.ldap_ad WARNING 2015-09-02 13:47:14,110 LDAP authenticate: search returned no results
> > > > >
> > > > > My auth_config.xml openldap authenticator looks like this (edited to remove openldap server details; the element tags were lost in transit, only the values survive);
> > > > >
> > > > > ldap
> > > > > '{email}'.endswith('@example.com')
> > > > >
> > > > > True
> > > > > Challenge
> > > > > ldaps://dc1.example.com
> > > > >
> > > > > ou=People,dc=dc1,dc=example,dc=com
> > > > >
> > > > > cn=searchuser,ou=People,dc=dc1,dc=example,dc=com
> > > > >
> > > > > searchuserpassword
> > > > > cn,mail
> > > > >
> > > > > (&(cn={username})(mail={email}))
> > > > > {dn}
> > > > > {password}
> > > > >
> > > > > {cn}
> > > > > {mail}
> > > > >
> > > > > Are there any settings in galaxy.ini that are required to enable this to work?
> > > > >
> > > > > Many thanks
> > > > >
> > > > > Martin

--
Dr. Martin Vickers

Data Manager/HPC Systems Administrator
Institute of Biological, Environmental and Rural Sciences
IBERS New Building
Aberystwyth University

w: http://www.martin-vickers.co.uk/
e: mj...@aber.ac.uk
t: 01970 62 2807
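As an added example (not code from this thread or from Galaxy itself), the following Python script simulates the search step being debugged above: the search-filter template is filled with the login form's email and the still-unknown username, evaluated against a constructed in-memory directory, and the returned search-fields are what auto-register-username/{cn} draws on. It also escapes the substituted values per RFC 4515, which the sample config does not show; the evaluator is a toy supporting only exact (attr=value), & and |, so wildcards are not honoured.

```python
import re

# Constructed stand-in for the thread's OpenLDAP directory (no real server needed).
DIRECTORY = [
    {"dn": "cn=mjv08,ou=Person,dc=dc1,dc=example,dc=com",
     "cn": "mjv08", "mail": "mjv08@example.com"},
    {"dn": "cn=unknownuser,ou=Person,dc=dc1,dc=example,dc=com",
     "cn": "unknownuser", "mail": "unknownuser@example.com"},
]

def escape_value(value):
    """RFC 4515 escaping, so a value typed into the login form cannot alter the filter."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), str(value))

def unescape_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render_filter(template, email, username):
    """Fill {email}/{username}; an unknown username renders as 'None', as in the debug log."""
    return template.format(email=escape_value(email), username=escape_value(username))

def parse(f, i=0):
    """Parse the filter subset used here: (attr=value), (&...), (|...). Exact matching only."""
    i += 1                                   # skip '('
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1             # skip ')'
    j = f.index(")", i)
    attr, val = f[i:j].split("=", 1)
    return ("=", attr, unescape_value(val)), j + 1

def matches(node, entry):
    if node[0] == "=":
        return entry.get(node[1]) == node[2]
    results = [matches(k, entry) for k in node[1]]
    return all(results) if node[0] == "&" else any(results)

def ldap_search(template, email, username, fields):
    """Return dn plus the requested search-fields of the first match, else None (no results)."""
    tree, _ = parse(render_filter(template, email, username))
    for entry in DIRECTORY:
        if matches(tree, entry):
            return {"dn": entry["dn"], **{f: entry.get(f) for f in fields}}
    return None

if __name__ == "__main__":
    sample, fixed = "(&(cn={username})(mail={email}))", "(mail={email})"  # sample file vs. the fix
    print(render_filter(sample, "unknownuser@example.com", None))   # (&(cn=None)(mail=...)): no hit
    print(ldap_search(fixed, "unknownuser@example.com", None, ["cn", "mail"]))  # cn feeds {cn}
```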


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/