Re: [galaxy-dev] Active Directory Authentication question

Mon, 13 Nov 2017 04:02:48 -0800 

Hi Nicola,

Again I appreciate your help Nicola.  I dropped the database and created new 
one and then I restarted galaxy.  Once galaxy is up then I went to the login 
page and used the username without the @example.com part as you suggested.  Now 
I got a different error as shown below.  Something to do with the ldap_ad.py 
file.  Is there anything I need to add to this file?  Or this is because of my 
configuration file?

galaxy.auth.providers.ldap_ad ERROR 2017-11-13 14:55:50,929 LDAP authenticate: 
search exception
Traceback (most recent call last):
  File "/gpfs/home/gal_admin/galaxy/lib/galaxy/auth/providers/ldap_ad.py", line 
126, in authenticate
    l = ldap.initialize(_get_subs(options, 'server', params))
  File 
"/gpfs/home/gal_admin/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py",
 line 94, in initialize
    return LDAPObject(uri,trace_level,trace_file,trace_stack_limit)
  File 
"/gpfs/home/gal_admin/galaxy/.venv/lib/python2.7/site-packages/ldap/ldapobject.py",
 line 79, in __init__
    self._l = 
ldap.functions._ldap_function_call(ldap._ldap_module_lock,_ldap.initialize,uri)
  File 
"/gpfs/home/gal_admin/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py",
 line 66, in _ldap_function_call
    result = func(*args,**kwargs)
LDAPError: (2, 'No such file or directory')
galaxy.auth DEBUG 2017-11-13 14:55:50,931 Email: , Username , stopping due to 
failed non-continue

Hakeem Almabrazi
Senior Software Architect

Sidra Medical and Research Center
Out-Patient Clinic
PO Box 26999 , Al Luqta Street
Education City North Campus
Qatar Foundation
Tel:+974-4003-7458 (ext:37458)  | Mobile: +974-7479-4201
[email protected]<mailto:[email protected]> |  
www.sidra.org<http://www.sidra.org/>
 [Description: C:\Users\fgenevieve\AppData\Local\Microsoft\Windows\Temporary 
Internet Files\Content.Outlook\O53SYTUP\Sidra-Logo-Member of QF Short.PNG]


From: Nicola Soranzo [mailto:[email protected]] On Behalf Of Nicola 
Soranzo
Sent: Monday, November 13, 2017 1:17 PM
To: Hakeem Almabrazi; [email protected]
Subject: Re: [galaxy-dev] Active Directory Authentication question

Hi Hakeem,
since you are using:

<login-use-username>True</login-use-username>

you need to use your username without the "@mydomain.com" for the first login. 
After the first successful login, Galaxy will store the email associated to 
your username on the AD server in its user database and you will be able to use 
it as an alternative to your username to login.

Cheers,
Nicola
On 12/11/17 10:46, Hakeem Almabrazi wrote:
HI Nicola,

Thank you for your response.  I have added your suggestions but still I am 
getting the same error; the username is None if I used the 
[email protected]<mailto:[email protected]> as a login in the login page.  
Here is the error log I keep getting.

galaxy.webapps.galaxy.controllers.user DEBUG 2017-11-12 13:35:38,507 
trans.app.config.auth_config_file: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2017-11-12 13:35:38,507 LDAP authenticate: 
email is [email protected]<mailto:[email protected]>
galaxy.auth.providers.ldap_ad DEBUG 2017-11-12 13:35:38,507 LDAP authenticate: 
username is None
galaxy.auth.providers.ldap_ad DEBUG 2017-11-12 13:35:38,507 LDAP authenticate: 
options are {'bind-user': 
'{sAMAccountName}@research.sidra.local<mailto:sAMAccountName%[email protected]>',
 'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True', 
'allow-register': 'False', 'auto-register-email': '{mail}', 'server': ' 
myAD.mydomain.example.local ', 'auto-register': 'True', 'search-base': 
'cn=Users,dc=mydomian,dc=example,dc=local', 'auto-register-username': 
'{sAMAccountName}', 'search-password': 'PASSWORD', 'search-user': 
'[email protected]<mailto:[email protected]>',
 'bind-password': '{password}', 'allow-password-change': 'False'}
galaxy.auth.providers.ldap_ad DEBUG 2017-11-12 13:35:38,508 LDAP authenticate: 
username must be used to login, cannot be None

And here is my updated auth_config.xml file

<?xml version="1.0"?>
<auth>
<authenticator>
        <type>ldap</type>
        <options>
        <allow-register>False</allow-register>
        <auto-register>True</auto-register>
        <allow-password-change>False</allow-password-change>
        <server>myAD.mydomain.example.local</server>
        <login-use-username>True</login-use-username>

        <search-fields>sAMAccountName,mail</search-fields>
        <search-base>cn=Users,dc=mydomain,dc=example,dc=local</search-base>
        
<search-user>[email protected]<mailto:[email protected]></search-user>
        <search-password>PASSWORD</search-password>

        
<bind-user>{sAMAccountName}@mydomain.example.local<mailto:sAMAccountName%[email protected]></bind-user>
        <bind-password>{password}</bind-password>
        <auto-register-username>{sAMAccountName}</auto-register-username>
        <auto-register-email>{mail}</auto-register-email>

      </options>
    </authenticator>

    <authenticator>
        <type>localdb</type>
        <options>
            <allow-password-change>true</allow-password-change>
        </options>
    </authenticator>

</auth>

I will appreciate it if you think the file looks okay to you.

Thank you

Hakeem Almabrazi
Senior Software Architect

Sidra Medical and Research Center
Out-Patient Clinic
PO Box 26999 , Al Luqta Street
Education City North Campus
Qatar Foundation
Tel:+974-4003-7458 (ext:37458)  | Mobile: +974-7479-4201
[email protected]<mailto:[email protected]> |  
www.sidra.org<http://www.sidra.org/>
 [Description:                  
C:\Users\fgenevieve\AppData\Local\Microsoft\Windows\Temporary                  
Internet                  Files\Content.Outlook\O53SYTUP\Sidra-Logo-Member of 
QF                  Short.PNG]


From: Nicola Soranzo [mailto:[email protected]] On Behalf Of Nicola 
Soranzo
Sent: Thursday, November 09, 2017 5:44 PM
To: Hakeem Almabrazi; 
[email protected]<mailto:[email protected]>
Subject: Re: [galaxy-dev] Active Directory Authentication question

Hi Hakeem,
a couple of suggestions:
- allow-register should be False
- I don't see a line with something like 
<server>ldap://dc1.example.com</server> , but I suppose you have omitted it
- if your AD server doesn't allow anonymous searches (like in my case), you 
need to specify also:

<search-user>cn=jsmith,ou=People,dc=domain,dc=com</search-user>
<search-password>mysecret</search-password>

- you definitely need to specify an adapted version of these:

        
<bind-user>{sAMAccountName}@dc1.example.com<mailto:[email protected]></bind-user>
        <bind-password>{password}</bind-password>
        <auto-register-username>{sAMAccountName}</auto-register-username>
        <auto-register-email>{mail}</auto-register-email>

Hope that helps!

Cheers,
Nicola
On 09/11/17 11:24, Hakeem Almabrazi wrote:
Hello,

I have installed the latest galaxy and I would like to use the MS Active 
Directory 2012 for authentication.  I tried to follow the instructions outlined 
here https://galaxyproject.org/admin/config/external-user-auth/  without 
touching the lib/galaxy/auth/providers/ldap_ad_py since I thought this is 
related to ldap not AD.

Here is the exact auth_config.xml file
+++++++++++++++++++++++++
<?xml version="1.0"?>
<auth>
<authenticator>
        <type>ldap</type>
        <options>
        <allow-register>True</allow-register>
        <auto-register>True</auto-register>
        <allow-password-change>False</allow-password-change>
        <login-use-username>True</login-use-username>
            <!-- For Active Directory: -->
            <search-fields>sAMAccountName,mail</search-fields>
            <search-base>dc=dc1,dc=example,dc=com</search-base>
            <!-- If login-use-username is True -->
        
<search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>
      </options>
    </authenticator>
</auth>
+++++++++++++++++

When I try to login using a real user email and pwd, it says "No user of valid 
password" in the Galaxy page.  And here is the error log I keep getting.

galaxy.webapps.galaxy.controllers.user DEBUG 2017-11-09 13:55:37,940 
trans.app.config.auth_config_file: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2017-11-09 13:55:37,940 LDAP authenticate: 
email is [email protected]<mailto:[email protected]>
galaxy.auth.providers.ldap_ad DEBUG 2017-11-09 13:55:37,940 LDAP authenticate: 
username is None
galaxy.auth.providers.ldap_ad DEBUG 2017-11-09 13:55:37,940 LDAP authenticate: 
options are {'search-fields': 'sAMAccountName,mail', 'login-use-username': 
'True', 'allow-register': 'True', 'auto-register': 'True', 'search-base': 
'dc=dc1,dc=example,dc=com', 'search-filter': 
'(&(objectClass=user)(sAMAccountName={username}))', 'allow-password-change': 
'False'}
galaxy.auth.providers.ldap_ad DEBUG 2017-11-09 13:55:37,940 LDAP authenticate: 
username must be used to login, cannot be None
galaxy.auth DEBUG 2017-11-09 13:55:37,941 Email: , Username , stopping due to 
failed non-continue

Is there anything missing from my auth_config.xml file?

I appreciate any kind of help figuring this out.

Best regards,

Hak


Disclaimer: This email and its attachments may be confidential and are intended 
solely for the use of the individual to whom it is addressed. If you are not 
the intended recipient, any reading, printing, storage, disclosure, copying or 
any other action taken in respect of this e-mail is prohibited and may be 
unlawful. If you are not the intended recipient, please notify the sender 
immediately by using the reply function and then permanently delete what you 
have received. Any views or opinions expressed are solely those of the author 
and do not necessarily represent those of Sidra Medical and Research Center.




___________________________________________________________

Please keep all replies on the list by using "reply all"

in your mail client.  To manage your subscriptions to this

and other Galaxy lists, please use the interface at:

  https://lists.galaxyproject.org/



To search Galaxy mailing lists use the unified search at:

  http://galaxyproject.org/search/

Disclaimer: This email and its attachments may be confidential and are intended 
solely for the use of the individual to whom it is addressed. If you are not 
the intended recipient, any reading, printing, storage, disclosure, copying or 
any other action taken in respect of this e-mail is prohibited and may be 
unlawful. If you are not the intended recipient, please notify the sender 
immediately by using the reply function and then permanently delete what you 
have received. Any views or opinions expressed are solely those of the author 
and do not necessarily represent those of Sidra Medical and Research Center.

Disclaimer: This email and its attachments may be confidential and are intended 
solely for the use of the individual to whom it is addressed. If you are not 
the intended recipient, any reading, printing, storage, disclosure, copying or 
any other action taken in respect of this e-mail is prohibited and may be 
unlawful. If you are not the intended recipient, please notify the sender 
immediately by using the reply function and then permanently delete what you 
have received. Any views or opinions expressed are solely those of the author 
and do not necessarily represent those of Sidra Medical and Research Center.

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/

Reply via email to