Re: [galaxy-dev] AD Intergration
Jelle,

After messing around a few times with the config file, I have it working already. I am able to authenticate against AD now.

Matthias, I saw that posting, but that wasn't the issue, but thanks anyway.

John Chen
Tel: 646-524-0080
Cell: 347-587-9655
https://nyumc.webex.com/join/chenj29
Email: john.ch...@nyumc.org

On 6/16/17, 12:30 PM, "galaxy-dev on behalf of Matthias Bernt" wrote:

> Hi Jelle,
>
> I just (in this very moment) solved the "option error" issue for our galaxy installation. See my comment on the first issue mentioned by John:
>
> https://github.com/galaxyproject/galaxy/issues/3178#issuecomment-306538866
>
> Maybe you do not need to compile everything from source (as I needed to).
>
> Best,
> Matthias
Re: [galaxy-dev] AD Intergration
Hi Jelle,

I just (in this very moment) solved the "option error" issue for our galaxy installation. See my comment on the first issue mentioned by John:

https://github.com/galaxyproject/galaxy/issues/3178#issuecomment-306538866

Maybe you do not need to compile everything from source (as I needed to).

Best,
Matthias
Re: [galaxy-dev] AD Intergration
Hi John,

this error looks familiar:

https://github.com/galaxyproject/galaxy/issues/3178
https://github.com/galaxyproject/galaxy/issues/4153
https://github.com/galaxyproject/starforge/issues/130

To remedy the 'option' error:

    source /home/galaxy/galaxy/.venv/bin/activate
    pip install --upgrade python-ldap

Hope this brings you a step further.

- Jelle

On Wed, Jun 14, 2017 at 6:09 PM, John Chen <jchen...@yahoo.com> wrote:

> Jelle
>
> I did all that and it looks correct.. it is retrieving the correct field.
> This is the error I am still getting.. I am using pretty much the same
> option in other apps..
>
> galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-14 12:04:40,648
> trans.app.config.auth_config_file: ./config/auth_conf.xml
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP
> authenticate: email is johnu...@example.org
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP
> authenticate: username is None
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP
> authenticate: options are {'bind-user': '{dn}', 'search-fields':
> 'uid,mail', 'login-use-username': 'False', 'allow-register': 'True',
> 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW',
> 'auto-register-email': '{email}', 'server': 'ldap://ldap.nyumc.org',
> 'auto-register': 'True', 'search-base': 'DC=example,DC=org',
> 'search-filter': '(mail={email})', 'continue-on-failure': 'True',
> 'auto-register-username': '{sAMAccountName', 'bind-password': '{password}',
> 'allow-password-change': 'False'}
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP
> authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW
> -> 24582=3
> galaxy.auth.providers.ldap_ad ERROR 2017-06-14 12:04:40,648 LDAP
> authenticate: search exception
> Traceback (most recent call last):
>   File "/home/galaxy/galaxy/lib/galaxy/auth/providers/ldap_ad.py", line 118, in authenticate
>     ldap.set_option(*opt)
>   File "/home/galaxy/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 135, in set_option
>     return _ldap_function_call(None,_ldap.set_option,option,invalue)
>   File "/home/galaxy/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 66, in _ldap_function_call
>     result = func(*args,**kwargs)
> ValueError: option error
>
> Are you running MS AD? If so, could I take a look at your config file?
>
> Thanks
> John
>
> --
> *From:* Jelle Scholtalbers <j.scholtalb...@gmail.com>
> *To:* Hans-Rudolf Hotz <h...@fmi.ch>
> *Cc:* John Chen <jchen...@yahoo.com>; Galaxy Dev List <galaxy-dev@lists.galaxyproject.org>
> *Sent:* Monday, June 12, 2017 3:16 AM
> *Subject:* Re: [galaxy-dev] AD Intergration
>
> Hi John,
>
> as a tip, you can use the tool "ldapsearch", from e.g. the package
> "openldap-client", to figure out with which attributes you search and which
> attributes you can retrieve.
>
> Examples:
> $ ldapsearch -vv -x -H ldap://dc1.example.com -b "cn=Users,dc=example,dc=org" # retrieve all AD/ldap entries
> $ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=example,dc=org "uid=a_username" # retrieve all attributes for user with uid "a_username"
> $ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=example,dc=org "sAMAccountName=a_username" mail # only retrieve the mail attribute by searching for the sAMAccountName
>
> In addition, if you get it working, you might want to switch to the more
> secure ldap*s* if that is supported by your IT.
>
> Cheers,
> Jelle
>
> On Mon, Jun 12, 2017 at 8:32 AM, Hans-Rudolf Hotz <h...@fmi.ch> wrote:
>
> On 06/09/2017 03:29 PM, John Chen wrote:
>
> Hans-Rudolf,
>
> That got me past the error, but I am now having issue authenticating
> against AD, as if it's not able to search for the users. Do I need
> a binding service account to search AD object? Does the bottom 5 lines
> look correct?
>
> They look right, but I can't say whether they are correct. You need to
> discuss this with the person who has set up your Active Directory
>
> Hans-Rudolf
>
> cn=galaxy,ou=Security,ou=somegroup,dc=example,
> dc=org
>
> ((objectClass=user)(sAMAccountName={
> username}))
> ADsearchAccount</search-user>
> AD_Search_Passwrd
> {sAMAccountName}
>
> The logs show that it found the userID and email, but gets an invalid
> password on the webportal
>
> galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-09 09:26:34,5
Re: [galaxy-dev] AD Intergration
Hello,

From my experience, by default, Active Directory does not allow bind operation over plain LDAP, you need LDAPS for that to happen.

My 2 cents.

Youssef Ghorbal

On 9 Jun 2017, at 15:29, John Chen <jchen...@yahoo.com> wrote:

> Hans-Rudolf,
>
> That got me past the error, but I am now having issue authenticating against AD, as if it's not able to search for the users. Do I need a binding service account to search AD object? Does the bottom 5 lines look correct?
>
> cn=galaxy,ou=Security,ou=somegroup,dc=example,dc=org
> ((objectClass=user)(sAMAccountName={username}))
> ADsearchAccount
> AD_Search_Passwrd
> {sAMAccountName}
>
> The logs show that it found the userID and email, but gets an invalid password on the webportal
>
> galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-09 09:26:34,592 trans.app.config.auth_config_file: ./config/auth_conf.xml
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: email is testuser.n...@example.org
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: username is testUser
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: options are {'bind-user': '{sAMAccountName}', 'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True', 'allow-register': 'False', 'auto-register-email': '{mail}', 'server': 'ldap://xxx.xxx.xx', 'auto-register': 'True', 'search-base': 'cn=xxx-xx,ou=Security,ou=x xxx,dc=xxx,dc=xx', 'search-filter': '(&(objectClass=user)(sAMAccountName={username}))', 'auto-register-username': '{sAMAccountName}', 'search-password': '', 'search-user': '', 'bind-password': '{password}'}
> galaxy.auth.providers.ldap_ad WARNING 2017-06-09 09:26:34,596 LDAP authenticate: search returned no results
> 10.127.220.227 - - [09/Jun/2017:09:26:34 -0400] "POST /user/login?use_panels=False HTTP/1.1" 200 - "http://glxlcdcpvm01.nyumc.org:8080/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
>
> From: Hans-Rudolf Hotz <h...@fmi.ch>
> To: John Chen <jchen...@yahoo.com>; Galaxy Dev List <galaxy-dev@lists.galaxyproject.org>
> Sent: Friday, June 9, 2017 3:34 AM
> Subject: Re: [galaxy-dev] AD Intergration
>
> always keep the mailing list in the loop! in order for others to help or learn
>
> On 06/08/2017 07:27 PM, John Chen wrote:
> > Hans-Rudolf
> >
> > This is the error I get when I start the Galaxy server.
> > ...
> > xml.etree.ElementTree.ParseError: mismatched tag: line 8, column 105
>
> This is very informative. Looking at line 8 in your file:
>
> ldap://ldap.xxx.xx;>ldap://ldap.xxx.xx
>
> The element "a" is not terminated
>
> What happens, if you try just
>
> ldap://ldap.xxx.xx
>
> Regards, Hans-Rudolf
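
The "options are {...}" DEBUG lines quoted in this thread print the whole authenticator configuration, so they can be checked mechanically. The following is an added example, not part of any message in the thread and not Galaxy code: it parses such lines and flags the settings the thread touches on (plain ldap://, OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW, an unclosed {...} template, an empty search-user). The log excerpt is constructed from the lines quoted above; the function names and finding codes are hypothetical.

```python
import ast
import re

# Constructed log excerpt, modelled on the "options are {...}" lines quoted in the thread.
SAMPLE_LOG = """\
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: options are {'bind-user': '{dn}', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'server': 'ldap://ldap.example.org', 'auto-register-username': '{sAMAccountName', 'bind-password': '{password}'}
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: username is testUser
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: options are {'bind-user': '{sAMAccountName}', 'server': 'ldaps://dc1.example.org', 'search-user': '', 'search-password': '', 'bind-password': '{password}'}
"""

OPTIONS_RE = re.compile(r"LDAP authenticate: options are (\{.*\})\s*$")
# OpenLDAP modes under which a bad or missing server certificate does not stop the session.
LAX_CERT_MODES = {"OPT_X_TLS_NEVER", "OPT_X_TLS_ALLOW"}


def parse_options(line):
    """Return the options dict printed on one log line, or None if there is none."""
    match = OPTIONS_RE.search(line)
    if not match:
        return None
    try:
        options = ast.literal_eval(match.group(1))  # literals only, nothing is executed
    except (ValueError, SyntaxError):
        return None
    return options if isinstance(options, dict) else None


def lint_options(options):
    """Return a sorted list of finding codes (hypothetical names) for one options dict."""
    findings = set()
    if str(options.get("server", "")).lower().startswith("ldap://"):
        findings.add("plaintext-ldap")  # the thread's advice is to prefer ldaps://
    for pair in str(options.get("ldap-options", "")).split(","):
        name, _, value = pair.strip().partition("=")
        if name == "OPT_X_TLS_REQUIRE_CERT" and value in LAX_CERT_MODES:
            findings.add("weak-cert-check")
    for key, value in options.items():
        if str(value).count("{") != str(value).count("}"):
            findings.add("unbalanced-template:" + key)  # e.g. '{sAMAccountName'
    if "search-user" in options and not options["search-user"]:
        findings.add("empty-search-user")  # the search bind carries no credentials
    return sorted(findings)


def lint_log(text):
    """Lint every options line in a log excerpt; one findings list per options line."""
    results = []
    for line in text.splitlines():
        options = parse_options(line)
        if options is not None:
            results.append(lint_options(options))
    return results


if __name__ == "__main__":
    for number, findings in enumerate(lint_log(SAMPLE_LOG), 1):
        print(number, findings or "ok")
```
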
Re: [galaxy-dev] AD Intergration
Hi John,

as a tip, you can use the tool "ldapsearch", from e.g. the package "openldap-client", to figure out with which attributes you search and which attributes you can retrieve.

Examples:

$ ldapsearch -vv -x -H ldap://dc1.example.com -b "cn=Users,dc=example,dc=org" # retrieve all AD/ldap entries
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=example,dc=org "uid=a_username" # retrieve all attributes for user with uid "a_username"
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=example,dc=org "sAMAccountName=a_username" mail # only retrieve the mail attribute by searching for the sAMAccountName

In addition, if you get it working, you might want to switch to the more secure ldap*s* if that is supported by your IT.

Cheers,
Jelle

On Mon, Jun 12, 2017 at 8:32 AM, Hans-Rudolf Hotz <h...@fmi.ch> wrote:

>
> On 06/09/2017 03:29 PM, John Chen wrote:
>
>> Hans-Rudolf,
>>
>> That got me past the error, but I am now having issue authenticating
>> against AD, as if it's not able to search for the users. Do I need
>> a binding service account to search AD object? Does the bottom 5 lines
>> look correct?
>>
>
> They look right, but I can't say whether they are correct. You need to
> discuss this with the person who has set up your Active Directory
>
> Hans-Rudolf
>
>> cn=galaxy,ou=Security,ou=somegroup,dc=example,
>> dc=org
>>
>> ((objectClass=user)(sAMAccountName={
>> username}))
>> ADsearchAccount
>> AD_Search_Passwrd
>> {sAMAccountName}
>>
>> The logs show that it found the userID and email, but gets an invalid
>> password on the webportal
>>
>> galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-09 09:26:34,592
>> trans.app.config.auth_config_file: ./config/auth_conf.xml
>> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
>> authenticate: email is testuser.n...@example.org
>> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
>> authenticate: username is testUser
>> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
>> authenticate: options are {'bind-user': '{sAMAccountName}',
>> 'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True',
>> 'allow-register': 'False', 'auto-register-email': '{mail}', 'server':
>> 'ldap://xxx.xxx.xx', 'auto-register': 'True', 'search-base':
>> 'cn=xxx-xx,ou=Security,ou=x xxx,dc=xxx,dc=xx', 'search-filter':
>> '(&(objectClass=user)(sAMAccountName={username}))',
>> 'auto-register-username': '{sAMAccountName}', 'search-password': '',
>> 'search-user': '', 'bind-password': '{password}'}
>> galaxy.auth.providers.ldap_ad WARNING 2017-06-09 09:26:34,596 LDAP
>> authenticate: search returned no results
>> 10.127.220.227 - - [09/Jun/2017:09:26:34 -0400] "POST
>> /user/login?use_panels=False HTTP/1.1" 200 -
>> "http://glxlcdcpvm01.nyumc.org:8080/user/login?use_panels=False"
>> "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
>> Firefox/53.0"
>>
>> *From:* Hans-Rudolf Hotz <h...@fmi.ch>
>> *To:* John Chen <jchen...@yahoo.com>; Galaxy Dev List
>> <galaxy-dev@lists.galaxyproject.org>
>> *Sent:* Friday, June 9, 2017 3:34 AM
>> *Subject:* Re: [galaxy-dev] AD Intergration
>>
>> always keep the mailing list in the loop! in order for others to help or
>> learn
>>
>> On 06/08/2017 07:27 PM, John Chen wrote:
>> > Hans-Rudolf
>> >
>> > This is the error I get when I start the Galaxy server.
>> >
>> ...
>> > xml.etree.ElementTree.ParseError: mismatched tag: line 8, column 105
>> >
>>
>> This is very informative. Looking at line 8 in your file:
>>
>> > href="ldap://ldap.xxx.xx;>ldap://ldap.xxx.xx
>>
>> The element "a" is not terminated
>>
>> What happens, if you try just
>>
>> ldap://ldap.xxx.xx
>>
>> Regards, Hans-Rudolf
Re: [galaxy-dev] AD Intergration
On 06/09/2017 03:29 PM, John Chen wrote:
> Hans-Rudolf,
>
> That got me past the error, but I am now having issue authenticating against AD, as if it's not able to search for the users. Do I need a binding service account to search AD object? Does the bottom 5 lines look correct?

They look right, but I can't say whether they are correct. You need to discuss this with the person who has set up your Active Directory

Hans-Rudolf

> cn=galaxy,ou=Security,ou=somegroup,dc=example,dc=org
> ((objectClass=user)(sAMAccountName={username}))
> ADsearchAccount
> AD_Search_Passwrd
> {sAMAccountName}
>
> The logs show that it found the userID and email, but gets an invalid password on the webportal
>
> galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-09 09:26:34,592 trans.app.config.auth_config_file: ./config/auth_conf.xml
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: email is testuser.n...@example.org
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: username is testUser
> galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: options are {'bind-user': '{sAMAccountName}', 'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True', 'allow-register': 'False', 'auto-register-email': '{mail}', 'server': 'ldap://xxx.xxx.xx', 'auto-register': 'True', 'search-base': 'cn=xxx-xx,ou=Security,ou=x xxx,dc=xxx,dc=xx', 'search-filter': '(&(objectClass=user)(sAMAccountName={username}))', 'auto-register-username': '{sAMAccountName}', 'search-password': '', 'search-user': '', 'bind-password': '{password}'}
> galaxy.auth.providers.ldap_ad WARNING 2017-06-09 09:26:34,596 LDAP authenticate: search returned no results
> 10.127.220.227 - - [09/Jun/2017:09:26:34 -0400] "POST /user/login?use_panels=False HTTP/1.1" 200 - "http://glxlcdcpvm01.nyumc.org:8080/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
>
> *From:* Hans-Rudolf Hotz <h...@fmi.ch>
> *To:* John Chen <jchen...@yahoo.com>; Galaxy Dev List <galaxy-dev@lists.galaxyproject.org>
> *Sent:* Friday, June 9, 2017 3:34 AM
> *Subject:* Re: [galaxy-dev] AD Intergration
>
> always keep the mailing list in the loop! in order for others to help or learn
>
> On 06/08/2017 07:27 PM, John Chen wrote:
> > Hans-Rudolf
> >
> > This is the error I get when I start the Galaxy server.
> > ...
> > xml.etree.ElementTree.ParseError: mismatched tag: line 8, column 105
>
> This is very informative. Looking at line 8 in your file:
>
> ldap://ldap.xxx.xx;>ldap://ldap.xxx.xx
>
> The element "a" is not terminated
>
> What happens, if you try just
>
> ldap://ldap.xxx.xx
>
> Regards, Hans-Rudolf
Re: [galaxy-dev] AD Intergration
always keep the mailing list in the loop! in order for others to help or learn

On 06/08/2017 07:27 PM, John Chen wrote:
> Hans-Rudolf
>
> This is the error I get when I start the Galaxy server.
> ...
> xml.etree.ElementTree.ParseError: mismatched tag: line 8, column 105

This is very informative. Looking at line 8 in your file:

href="ldap://ldap.xxx.xx;>ldap://ldap.xxx.xx

The element "a" is not terminated

What happens, if you try just

ldap://ldap.xxx.xx

Regards, Hans-Rudolf
Re: [galaxy-dev] AD Intergration
On 08/06/17 16:36, Hans-Rudolf Hotz wrote:
> Hi John
>
>> I am trying to integrate AD with Galaxy. My auth_config.xml looks like the below, but galaxy won't start with those settings.
>
> what error do you get in the log?
>
>> activedirectory
>
> This should be "ldap", shouldn't it?

Actually activedirectory here is fine, it's just an alias for ldap.

Cheers,
Nicola
Re: [galaxy-dev] AD Intergration
Hi John

> I am trying to integrate AD with Galaxy. My auth_config.xml looks like the below, but galaxy won't start with those settings.

what error do you get in the log?

> activedirectory

This should be "ldap", shouldn't it?

Regards, Hans-Rudolf