AD Integration


John Chen
Hi,

I am trying to integrate AD with Galaxy. My auth_config.xml looks like the one below, but Galaxy won't start with those settings. If anyone has another sample configuration they don't mind sharing, that would be great.

Python LDAP has been installed on RHEL7, along with ldap-dev.


<auth>
    <authenticator>
        <type>activedirectory</type>
        <options>
            <allow-register>False</allow-register>
            <auto-register>True</auto-register>
            <server><a class="moz-txt-link-freetext" href="ldap://dc1.example.com">ldap://dc1.example.com</server>
            <login-use-username>True</login-use-username>
            <search-fields>sAMAccountName,mail</search-fields>
            <search-base>dc=dc1,dc=example,dc=com</search-base>
            <search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>
            <search-user>jsmith</search-user>
            <search-password>mysecret</search-password>
            <bind-user>{sAMAccountName}</bind-user>
            <bind-password>{password}</bind-password>
            <auto-register-username>{sAMAccountName}</auto-register-username>
            <auto-register-email>{mail}</auto-register-email>
        </options>
    </authenticator>
</auth>


Any suggestions?

Thanks

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/

Re: AD Integration

Hans-Rudolf Hotz
Hi John


> I am trying to integrate AD with Galaxy. My auth_config.xml  look like
> the below, but galaxy won't start with those setting.

what error do you get in the log?



>      <type>activedirectory</type>

This should be "<type>ldap</type>", shouldn't it?



Regards, Hans-Rudolf




Re: AD Integration

Nicola Soranzo-2
On 08/06/17 16:36, Hans-Rudolf Hotz wrote:

> Hi John
>
>
>> I am trying to integrate AD with Galaxy. My auth_config.xml  look like
>> the below, but galaxy won't start with those setting.
>
> what error do you get in the log?
>
>
>
>> <type>activedirectory</type>
>
> This should be "<type>ldap</type>", shouldn't-it?
>
>

Actually activedirectory here is fine, it's just an alias for ldap.

Cheers,
Nicola

Re: AD Integration

Hans-Rudolf Hotz
Always keep the mailing list in the loop, in order for others to help or learn!



On 06/08/2017 07:27 PM, John Chen wrote:
> Hans-Rudolf
>
> This is the error I get when I start the Galaxy server.
>
...
> xml.etree.ElementTree.ParseError: mismatched tag: line 8, column 105
>

This is very informative. Looking at line 8 in your file:


<server><a class="moz-txt-link-freetext"
href="ldap://ldap.xxx.xx">ldap://ldap.xxx.xx</server>


The element "a" is not terminated.


What happens if you try just

<server>ldap://ldap.xxx.xx</server>




Regards, Hans-Rudolf

Re: AD Integration

John Chen
Hans-Rudolf,

That got me past the error, but I am now having an issue authenticating against AD, as if it's not able to search for the users. Do I need a binding service account to search AD objects? Do the bottom 5 lines look correct?

            <search-base>cn=galaxy,ou=Security,ou=somegroup,dc=example,dc=org</search-base>
            <search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>
            <search-user>ADsearchAccount</search-user>
            <search-password>AD_Search_Passwrd</search-password>
            <bind-user>{sAMAccountName}</bind-user>

The logs show that it found the user ID and email, but it gets an invalid password on the web portal.

galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-09 09:26:34,592 trans.app.config.auth_config_file: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: email is [hidden email]
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: username is testUser
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP authenticate: options are {'bind-user': '{sAMAccountName}', 'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True', 'allow-register': 'False', 'auto-register-email': '{mail}', 'server': 'ldap://xxx.xxx.xx', 'auto-register': 'True', 'search-base': 'cn=xxx-xx,ou=Security,ou=xxxxx xxx,dc=xxx,dc=xx', 'search-filter': '(&(objectClass=user)(sAMAccountName={username}))', 'auto-register-username': '{sAMAccountName}', 'search-password': 'xxxx', 'search-user': 'xxxx', 'bind-password': '{password}'}
galaxy.auth.providers.ldap_ad WARNING 2017-06-09 09:26:34,596 LDAP authenticate: search returned no results
10.127.220.227 - - [09/Jun/2017:09:26:34 -0400] "POST /user/login?use_panels=False HTTP/1.1" 200 - "http://glxlcdcpvm01.nyumc.org:8080/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"




Re: AD Integration

Hans-Rudolf Hotz


On 06/09/2017 03:29 PM, John Chen wrote:
> Hans-Rudolf,
>
> That got me past the error, but I i am now having issue authenticating
> with against AD, as if its not able to search for the users.  Do I need
> a binding service account to search AD object?  Does the bottow 5 lines
> look correct?

They look right, but I can't say whether they are correct. You need to
discuss this with the person who has set up your Active Directory.


Hans-Rudolf




Re: AD Integration

Jelle Scholtalbers
Hi John,

As a tip, you can use the tool "ldapsearch", e.g. from the package "openldap-client", to figure out which attributes you can search on and which attributes you can retrieve.

Examples:
$ ldapsearch -vv -x -H ldap://dc1.example.com -b "cn=Users,dc=example,dc=org"  # retrieve all AD/LDAP entries
$ ldapsearch -vv -x -H ldap://dc1.example.com -b "cn=Users,dc=example,dc=org" "uid=a_username"  # retrieve all attributes for the user with uid "a_username"
$ ldapsearch -vv -x -H ldap://dc1.example.com -b "cn=Users,dc=example,dc=org" "sAMAccountName=a_username" mail  # only retrieve the mail attribute by searching for the sAMAccountName


In addition, if you get it working, you might want to switch to the more secure ldaps if that is supported by your IT.

Cheers,
Jelle




Re: AD Integration

Youssef GHORBAL
Hello,

From my experience, by default Active Directory does not allow bind operations over plain LDAP; you need LDAPS for that to happen.
My 2 cents.

Youssef Ghorbal

Re: AD Integration

John Chen
Jelle,

I did all that and it looks correct; it is retrieving the correct field. This is the error I am still getting. I am using pretty much the same options in other apps.



galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-14 12:04:40,648 trans.app.config.auth_config_file: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: email is [hidden email]
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: options are {'bind-user': '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False', 'allow-register': 'True', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email': '{email}', 'server': 'ldap://ldap.nyumc.org', 'auto-register': 'True', 'search-base': 'DC=example,DC=org', 'search-filter': '(mail={email})', 'continue-on-failure': 'True', 'auto-register-username': '{sAMAccountName', 'bind-password': '{password}', 'allow-password-change': 'False'}
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
galaxy.auth.providers.ldap_ad ERROR 2017-06-14 12:04:40,648 LDAP authenticate: search exception
Traceback (most recent call last):
  File "/home/galaxy/galaxy/lib/galaxy/auth/providers/ldap_ad.py", line 118, in authenticate
    ldap.set_option(*opt)
  File "/home/galaxy/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 135, in set_option
    return _ldap_function_call(None,_ldap.set_option,option,invalue)
  File "/home/galaxy/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 66, in _ldap_function_call
    result = func(*args,**kwargs)
ValueError: option error


Are you running MS AD? If so, could I take a look at your config file?

Thanks
John
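The three configuration problems that surface in this thread (the stray <a> tag that stops Galaxy's XML parser, the unclosed '{sAMAccountName' placeholder visible in the options dump above, and a plain ldap:// server with OPT_X_TLS_REQUIRE_CERT relaxed to OPT_X_TLS_ALLOW) can all be caught before Galaxy is started. The following linter is an added example written for this page, not Galaxy's own validation code; the sample configs, the svc_galaxy account name and the severity labels are constructed.

```python
"""Lint a Galaxy auth_config.xml for the problems this thread runs into.
Added example for this page, not Galaxy's own code; stdlib only, runs offline.
The sample configs at the bottom are constructed."""
import xml.etree.ElementTree as ET

# python-ldap values that accept any (or no) server certificate
_INSECURE_REQCERT = {"OPT_X_TLS_NEVER", "OPT_X_TLS_ALLOW"}
# options Galaxy fills in from {placeholders} at login time
_PLACEHOLDER_KEYS = ("bind-user", "bind-password", "search-filter",
                     "auto-register-username", "auto-register-email")


def _balanced_braces(value):
    """True when every '{' in value is closed by a matching '}' (no nesting)."""
    depth = 0
    for ch in value:
        if ch == "{":
            if depth:                # second '{' before the first was closed
                return False
            depth += 1
        elif ch == "}":
            if not depth:
                return False
            depth -= 1
    return depth == 0


def lint_auth_config(xml_text):
    """Return a list of (severity, message) findings; empty when all is well."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # First failure in the thread: a mail client wrapped the server URL in
        # an <a> tag, so Galaxy refused to start with "mismatched tag".
        return [("error", "XML does not parse: %s" % exc)]

    for auth in root.iter("authenticator"):
        if (auth.findtext("type") or "").strip() not in ("ldap", "activedirectory"):
            continue                 # other providers take other options
        options = auth.find("options")
        opts = {} if options is None else {
            c.tag: (c.text or "").strip() for c in options}

        server = opts.get("server", "")
        if server.startswith("ldap://"):
            findings.append(("warn", "server %s uses plain ldap://, so the user's "
                             "password crosses the network in clear text on bind; "
                             "use ldaps:// where the directory supports it" % server))

        # An unclosed brace (like the '{sAMAccountName' in the log above) can
        # never be substituted.
        for key in _PLACEHOLDER_KEYS:
            value = opts.get(key, "")
            if value and not _balanced_braces(value):
                findings.append(("error", "%s has an unbalanced placeholder: %r"
                                 % (key, value)))

        # ldap-options is "NAME=VALUE,NAME=VALUE"; relaxing the certificate
        # check lets any host impersonate the domain controller over TLS.
        for pair in filter(None, opts.get("ldap-options", "").split(",")):
            name, _, value = pair.partition("=")
            if name.strip() == "OPT_X_TLS_REQUIRE_CERT" and value.strip() in _INSECURE_REQCERT:
                findings.append(("warn", "ldap-options sets OPT_X_TLS_REQUIRE_CERT="
                                 "%s, which disables server certificate "
                                 "verification" % value.strip()))

        # Without search-user the lookup runs as an anonymous search, which
        # Active Directory does not answer by default.
        if opts.get("search-filter") and not opts.get("search-user"):
            findings.append(("info", "search-filter is set but search-user is "
                             "not, so the directory search will be anonymous"))
    return findings


# --- constructed samples ----------------------------------------------------
BROKEN_XML = ('<auth><authenticator><type>activedirectory</type><options><server>'
              '<a class="moz-txt-link-freetext" href="ldap://dc1.example.com">'
              'ldap://dc1.example.com</server></options></authenticator></auth>')

WEAK_XML = """<auth>
  <authenticator>
    <type>ldap</type>
    <options>
      <server>ldap://dc1.example.com</server>
      <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
      <search-filter>(mail={email})</search-filter>
      <bind-user>{dn}</bind-user>
      <bind-password>{password}</bind-password>
      <auto-register-username>{sAMAccountName</auto-register-username>
    </options>
  </authenticator>
</auth>"""

# the same config with all four findings fixed (svc_galaxy is a made-up account)
FIXED_XML = (WEAK_XML.replace("ldap://", "ldaps://")
             .replace("OPT_X_TLS_ALLOW", "OPT_X_TLS_DEMAND")
             .replace("{sAMAccountName<", "{sAMAccountName}<")
             .replace("<bind-user>", "<search-user>svc_galaxy</search-user>\n      <bind-user>"))
```

Running lint_auth_config over BROKEN_XML reproduces the "mismatched tag" start-up failure, WEAK_XML yields one finding per problem, and FIXED_XML yields none.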




Re: AD Integration

Jelle Scholtalbers
Hi John,

This error looks familiar.

To remedy the 'option' error:

source /home/galaxy/galaxy/.venv/bin/activate
pip install --upgrade python-ldap


Hope this brings you a step further.

- Jelle

On Wed, Jun 14, 2017 at 6:09 PM, John Chen <[hidden email]> wrote:
Jelle

I did all that and it looks correct.. it is retrieving the correct field.  This is the error i am still getting..  I am using pretty much the same option in other apps..



galaxy.webapps.galaxy.controllers.user DEBUG 2017-06-14 12:04:40,648 trans.app.config.auth_config_file: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: email is [hidden email]
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: options are {'bind-user': '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False', 'allow-register': 'True', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email': '{email}', 'server': 'ldap://ldap.nyumc.org', 'auto-register': 'True', 'search-base': 'DC=example,DC=org', 'search-filter': '(mail={email})', 'continue-on-failure': 'True', 'auto-register-username': '{sAMAccountName', 'bind-password': '{password}', 'allow-password-change': 'False'}
galaxy.auth.providers.ldap_ad DEBUG 2017-06-14 12:04:40,648 LDAP authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
galaxy.auth.providers.ldap_ad ERROR 2017-06-14 12:04:40,648 LDAP authenticate: search exception
Traceback (most recent call last):
  File "/home/galaxy/galaxy/lib/galaxy/auth/providers/ldap_ad.py", line 118, in authenticate
    ldap.set_option(*opt)
  File "/home/galaxy/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 135, in set_option
    return _ldap_function_call(None,_ldap.set_option,option,invalue)
  File "/home/galaxy/galaxy/.venv/lib/python2.7/site-packages/ldap/functions.py", line 66, in _ldap_function_call
    result = func(*args,**kwargs)
ValueError: option error


Are you running MS AD ?   if so, could i take a look at your config file?

Thanks
John



From: Jelle Scholtalbers <[hidden email]>
To: Hans-Rudolf Hotz <[hidden email]>
Cc: John Chen <[hidden email]>; Galaxy Dev List <[hidden email]>
Sent: Monday, June 12, 2017 3:16 AM
Subject: Re: [galaxy-dev] AD Intergration

Hi John,

as a tip, you can use the tool "ldapsearch", from e.g. the package "openldap-client", to figure out with which attributes you search and which attributes you can retrieve.

Examples:
ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=exampke,dc=org" # retrieve all AD/ldap entries
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=exampke,dc=org "uid=a_username"  # retrieve all attributes for user with uid "a_username"
$ ldapsearch -vv -x -H ldap://dc1.example.com -b cn=Users,dc=exampke,dc=org "sAMAccountName=a_username" mail # only retrieve the mail attribute by searching for the sAMAccountName


In addition, if you get it working, you might want to switch to the more secure ldaps if that is supported by your IT.

Cheers,
Jelle



On Mon, Jun 12, 2017 at 8:32 AM, Hans-Rudolf Hotz <[hidden email]> wrote:


On 06/09/2017 03:29 PM, John Chen wrote:
Hans-Rudolf,

That got me past the error, but I i am now having issue authenticating
with against AD, as if its not able to search for the users.  Do I need
a binding service account to search AD object?  Does the bottow 5 lines
look correct?

They look right, but I can't say whether they are correct. You need to discuss this with the person who has set up your Active Directory


Hans-Rudolf




<search-base>cn=galaxy,ou=Secu rity,ou=somegroup,dc=example, dc=org</search-base>

<search-filter>(&amp;(objectCl ass=user)(sAMAccountName={ username}))</search-filter>
             <search-user>ADsearchAccount< /search-user>
             <search-password>AD_Search_Pa sswrd</search-password>
             <bind-user>{sAMAccountName}</ bind-user>

The logs show that it found the userID and email, but gets an invalid
password on the webportal

galaxy.webapps.galaxy.controll ers.user DEBUG 2017-06-09 09:26:34,592
trans.app.config.auth_config_f ile: ./config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
authenticate: email is [hidden email]
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
authenticate: username is testUser
galaxy.auth.providers.ldap_ad DEBUG 2017-06-09 09:26:34,592 LDAP
authenticate: options are {'bind-user': '{sAMAccountName}',
'search-fields': 'sAMAccountName,mail', 'login-use-username': 'True',
'allow-register': 'False', 'auto-register-email': '{mail}', 'server':
'ldap://xxx.xxx.xx', 'auto-register': 'True', 'search-base':
'cn=xxx-xx,ou=Security,ou=xxxx x xxx,dc=xxx,dc=xx', 'search-filter':
'(&(objectClass=user)(sAMAccou ntName={username}))',
'auto-register-username': '{sAMAccountName}', 'search-password': 'xxxx',
'search-user': 'xxxx', 'bind-password': '{password}'}
galaxy.auth.providers.ldap_ad WARNING 2017-06-09 09:26:34,596 LDAP
authenticate: search returned no results
10.127.220.227 - - [09/Jun/2017:09:26:34 -0400] "POST
/user/login?use_panels=False HTTP/1.1" 200 -
"http://glxlcdcpvm01.nyumc.org:8080/user/login?use_panels=False"
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"


------------------------------------------------------------------------
*From:* Hans-Rudolf Hotz <[hidden email]>
*To:* John Chen <[hidden email]>; Galaxy Dev List
<[hidden email]>
*Sent:* Friday, June 9, 2017 3:34 AM
*Subject:* Re: [galaxy-dev] AD Intergration


Always keep the mailing list in the loop, in order for others to help or
learn.



On 06/08/2017 07:27 PM, John Chen wrote:
 > Hans-Rudolf
 >
 > This is the error I get when I start the Galaxy server.
 >
...
 > xml.etree.ElementTree.ParseError: mismatched tag: line 8, column 105
 >

This is very informative. Looking at line 8 in your file:


<server><a class="moz-txt-link-freetext" href="ldap://ldap.xxx.xx">ldap://ldap.xxx.xx</server>


The element "a" is not terminated.


What happens, if you try just

<server>ldap://ldap.xxx.xx</server>





Regards, Hans-Rudolf


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/





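The two failures in this exchange are a malformed auth_config.xml (the stray `<a>` tag that produced the "mismatched tag" ParseError) and a search filter that returns no results once `{username}` is substituted. The following is an added example, not code from the thread or from Galaxy itself: it parses a Galaxy-style auth XML with the standard library, reports the same class of well-formedness error before the server is started, flags options a reviewer would question, and renders the `{username}` placeholder into the filter with RFC 4515 escaping. The escaping step is this example's own hardening, not a statement about how Galaxy's `ldap_ad` provider performs the substitution; the sample configs, DNs and account names below are constructed.

```python
"""Added example: pre-flight checks for a Galaxy-style auth_config.xml and
safe rendering of the LDAP search filter. Not Galaxy's code."""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the thread's broken <server> element:
# the mail client wrapped the URL in an <a> tag that is never closed.
BROKEN_AUTH_XML = """<auth>
    <authenticator>
        <type>activedirectory</type>
        <options>
            <server><a class="moz-txt-link-freetext" href="ldap://dc1.example.com">ldap://dc1.example.com</server>
        </options>
    </authenticator>
</auth>"""

# Constructed sample of a well-formed config (DN, accounts and password are placeholders).
FIXED_AUTH_XML = """<auth>
    <authenticator>
        <type>activedirectory</type>
        <options>
            <allow-register>False</allow-register>
            <auto-register>True</auto-register>
            <server>ldap://dc1.example.com</server>
            <login-use-username>True</login-use-username>
            <search-fields>sAMAccountName,mail</search-fields>
            <search-base>dc=example,dc=com</search-base>
            <search-filter>(&amp;(objectClass=user)(sAMAccountName={username}))</search-filter>
            <search-user>svc_galaxy_search</search-user>
            <search-password>REPLACE_ME</search-password>
            <bind-user>{sAMAccountName}</bind-user>
            <bind-password>{password}</bind-password>
            <auto-register-username>{sAMAccountName}</auto-register-username>
            <auto-register-email>{mail}</auto-register-email>
        </options>
    </authenticator>
</auth>"""


def parse_auth_options(xml_text):
    """Return {option-name: text} for the first <authenticator>.

    Raises xml.etree.ElementTree.ParseError on malformed XML, which is the
    same exception Galaxy surfaced in the thread ("mismatched tag").
    """
    root = ET.fromstring(xml_text)
    options = root.find("./authenticator/options")
    return {child.tag: (child.text or "") for child in options}


def check_options(options):
    """Findings a reviewer would raise about the options (no network access)."""
    required = ["server", "search-base", "search-filter", "bind-user", "bind-password"]
    findings = ["missing option: %s" % k for k in required if k not in options]
    if "search-filter" in options and "search-user" not in options:
        # AD normally refuses anonymous searches, so the user lookup would return nothing.
        findings.append("search-filter set but no search-user: anonymous search will likely return no results")
    if options.get("server", "").startswith("ldap://"):
        # Plain LDAP sends the bind password in the clear unless TLS is negotiated.
        findings.append("server uses plain ldap://; bind credentials are unprotected unless TLS is negotiated")
    return findings


def validate_auth_xml(xml_text):
    """Return (True, findings) for well-formed XML, (False, [error]) otherwise."""
    try:
        options = parse_auth_options(xml_text)
    except ET.ParseError as exc:
        return False, ["not well-formed XML: %s" % exc]
    return True, check_options(options)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Backslash, '*', '(', ')' and NUL are replaced by '\\' + two hex digits so a
    supplied username cannot alter the filter's structure.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_search_filter(template, username):
    """Substitute {username} into the configured filter with escaping applied."""
    return template.replace("{username}", escape_filter_value(username))


if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN_AUTH_XML), ("fixed", FIXED_AUTH_XML)):
        ok, findings = validate_auth_xml(xml_text)
        print(label, "well-formed" if ok else "REJECTED", findings)
    opts = parse_auth_options(FIXED_AUTH_XML)
    print(render_search_filter(opts["search-filter"], "testUser"))
```

Running the script rejects the first document with the same "mismatched tag" message the server logged, so the check belongs in whatever step edits auth_config.xml rather than in a Galaxy restart. The rendered filter for the second document is the one the DEBUG log shows, with `&amp;` already decoded by the XML parser; a value such as `a*)(cn=*` comes out as `a\2a\29\28cn=\2a` instead of a second filter clause.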

Re: AD Intergration

Matthias Bernt
In reply to this post by John Chen
Hi Jelle,

I just (in this very moment) solved the "option error" issue for our
galaxy installation.

see my comment on the first issue mentioned by john:

https://github.com/galaxyproject/galaxy/issues/3178#issuecomment-306538866

Maybe you do not need to compile everything from source (as I needed to).

Best,
Matthias


Re: AD Intergration

Chen, John (IT)
Jelle,

After messing around a few times with the config file, I have it working already.   I am able to authenticate against AD now.

Matthias,
I saw that posting, but that wasn’t the issue, but thanks anyway.



John Chen
Tel: 646-524-0080

Cell: 347-587-9655
https://nyumc.webex.com/join/chenj29

Email: [hidden email]
