Hi John,

As a tip, you can use the tool "ldapsearch", from e.g. the package
"openldap-client", to figure out which attributes you can search with and
which attributes you can retrieve.

Examples:
# retrieve all AD/ldap entries
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=example,dc=org
# retrieve all attributes for user with uid "a_username"
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=example,dc=org "uid=a_username"
# only retrieve the mail attribute by searching for the sAMAccountName
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=example,dc=org "sAMAccountName=a_username" mail


In addition, if you get it working, you might want to switch to the more
secure ldap*s* if that is supported by your IT.

Cheers,
Jelle



On Mon, Jun 12, 2017 at 8:32 AM, Hans-Rudolf Hotz <h...@fmi.ch> wrote:

>
>
> On 06/09/2017 03:29 PM, John Chen wrote:
>
>> Hans-Rudolf,
>>
>> That got me past the error, but I am now having issues authenticating
>> against AD, as if it's not able to search for the users.  Do I need
>> a binding service account to search AD objects?  Do the bottom 5 lines
>> look correct?
>>
>
> They look right, but I can't say whether they are correct. You need to
> discuss this with the person who has set up your Active Directory
>
>
> Hans-Rudolf
>
>
>
>
>> <search-base>cn=galaxy,ou=Security,ou=somegroup,dc=example,dc=org</search-base>
>> <search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>
>> <search-user>ADsearchAccount</search-user>
>> <search-password>AD_Search_Passwrd</search-password>
>> <bind-user>{sAMAccountName}</bind-user>
>>
>> The logs show that it found the userID and email, but gets an invalid
>> password on the webportal
>>
>> galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-09 09:26:34,592
>> trans.app.config.auth_config_file: ./config/auth_conf.xml
>> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
>> authenticate: email is testuser.n...@example.org
>> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
>> authenticate: username is testUser
>> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
>> authenticate: options are {'bind-user': '{sAMAccountName}',
>> 'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True',
>> 'allow-register': 'False', 'auto-register-email': '{mail}', 'server':
>> 'ldap://xxx.xxx.xx', 'auto-register': 'True', 'search-base':
>> 'cn=xxx-xx,ou=Security,ou=xxxxx xxx,dc=xxx,dc=xx', 'search-filter':
>> '(&(objectClass=user)(sAMAccountName={username}))',
>> 'auto-register-username': '{sAMAccountName}', 'search-password': 'xxxx',
>> 'search-user': 'xxxx', 'bind-password': '{password}'}
>> galaxy.auth.providers.ldap_ad WARNING 2017-06-09 09:26:34,596 LDAP
>> authenticate: search returned no results
>> 10.127.220.227 - - [09/Jun/2017:09:26:34 -0400] "POST
>> /user/login?use_panels=False HTTP/1.1" 200 -
>> "http://glxlcdcpvm01.nyumc.org:8080/user/login?use_panels=False";
>> "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
>> Firefox/53.0"
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Hans-Rudolf Hotz <h...@fmi.ch>
>> *To:* John Chen <jchen...@yahoo.com>; Galaxy Dev List
>> <galaxy-dev@lists.galaxyproject.org>
>> *Sent:* Friday, June 9, 2017 3:34 AM
>> *Subject:* Re: [galaxy-dev] AD Intergration
>>
>> always keep the mailing list in the loop! in order for others to help or
>> learn
>>
>>
>>
>> On 06/08/2017 07:27 PM, John Chen wrote:
>>  > Hans-Rudolf
>>  >
>>  > This is the error I get when I start the Galaxy server.
>>  >
>> ...
>>  > xml.etree.ElementTree.ParseError: mismatched tag: line 8, column 105
>>  >
>>
>> This is very informative. Looking at line 8 in your file:
>>
>>
>> <server><a class="moz-txt-link-freetext"
>> href="ldap://ldap.xxx.xx";>ldap://ldap.xxx.xx</server>
>>
>>
>> The element "a" is not  terminated
>>
>>
>> What happens, if you try just
>>
>> <server>ldap://ldap.xxx.xx</server>
>>
>>
>>
>>
>>
>> Regards, Hans-Rudolf
>>
>>
>> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>  https://lists.galaxyproject.org/
>
> To search Galaxy mailing lists use the unified search at:
>  http://galaxyproject.org/search/
>
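Added example, not part of the original thread or of Galaxy's code: a small check for an auth_conf.xml-style file that catches the two kinds of damage seen above when config is pasted through a mail client (an injected, unterminated <a> tag and wrapped option values) and flags a cleartext ldap:// server. The function name, the <auth>/<options> wrapper and the host name are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

def lint_auth_conf(xml_text):
    """Return findings for an auth_conf.xml-style document (hypothetical helper)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # e.g. a mail client wrapped the server URL in an unterminated <a> tag
        return [f"not well-formed XML: {err}"]
    findings = []
    for el in root.iter():
        if len(el):  # container element, carries no option value itself
            continue
        value = (el.text or "").strip()
        if "\n" in value:
            findings.append(f"<{el.tag}>: value is wrapped across lines")
        for placeholder in re.findall(r"\{[^}]*\}", value):
            if re.search(r"\s", placeholder):
                findings.append(f"<{el.tag}>: whitespace inside {placeholder!r}")
        if el.tag == "server" and value.lower().startswith("ldap://"):
            findings.append("<server>: cleartext ldap://, prefer ldaps:// if offered")
        if el.tag == "search-filter" and value.count("(") != value.count(")"):
            findings.append("<search-filter>: unbalanced parentheses")
    return findings

# Constructed samples; the <auth>/<options> wrapper and host name are assumptions.
MAIL_DAMAGED = """<auth><options>
<server><a class="moz-txt-link-freetext" href="ldap://ldap.example.org">ldap://ldap.example.org</server>
</options></auth>"""

WRAPPED = """<auth><options>
<server>ldap://ldap.example.org</server>
<search-base>cn=galaxy,ou=Security,dc=example,
dc=org</search-base>
<search-filter>(&amp;(objectClass=user)(sAMAccountName={
username}))</search-filter>
</options></auth>"""

CLEAN = """<auth><options>
<server>ldaps://ldap.example.org</server>
<search-base>cn=galaxy,ou=Security,dc=example,dc=org</search-base>
<search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>
</options></auth>"""

if __name__ == "__main__":
    for name, doc in [("mail-damaged", MAIL_DAMAGED), ("wrapped", WRAPPED), ("clean", CLEAN)]:
        print(name, lint_auth_conf(doc))
```
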