LDAP authentification


LDAP authentification

Durdevic, Marija

Can someone please be so kind as to post an auth_conf.xml file with all changes? I am trying to set it up, but unsuccessfully.

 

Thanks in advance.

Regards,
Marija

Mag. Marija Đurđević
Core Facility Computational Bioanalytics

Medical University of Graz
Center for Medical Research
Stiftingtalstraße 24, A-8010 Graz
Austria

Phone: +43 316/385-73024
Fax: +43 316/385-73009

Email: [hidden email]
Email: [hidden email]

Web: https://zmf.medunigraz.at/

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Re: LDAP authentification

Nicola Soranzo-2
Hi Marija,
LDAP authentication is usually quite site-specific; config/auth_conf.xml.sample contains an example and documentation that should help you, but you still need to know the necessary details about how LDAP authentication works on your network, e.g. LDAP type (OpenLDAP or MS Active Directory), server address, search and bind parameters...

Cheers,
Nicola

On 31/05/16 14:20, Durdevic, Marija wrote:

Can someone please be so kind as to post an auth_conf.xml file with all changes? I am trying to set it up, but unsuccessfully.

 

Thanks in advance.

Regards,

Marija

 


Re: LDAP authentification

Durdevic, Marija

Dear Nicola,

 

Thank you for your response.

I have all that information, and I am following the sample file, but still without success.

Here is my auth_conf file:

 

 

<?xml version="1.0"?>
<auth>
    <authenticator>
        <type>ldap</type>
        <filter>'{email}'.endswith('@mycompany.com')</filter>
        <options>
            <allow-register>False</allow-register>
            <auto-register>True</auto-register>
            <allow-password-change>False</allow-password-change>
            <server>ldap://ldap.mycompany.com</server>
            <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
            <login-use-username>True</login-use-username>
            <continue-on-failure>False</continue-on-failure>
            <search-fields>uid, mail</search-fields>
            <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
            <search-base>ou=pers,ou=usr,o=com</search-base>

            <bind-user>{email}</bind-user>
            <bind-password>{password}</bind-password>
            <auto-register-username>{uid}</auto-register-username>
            <auto-register-email>{email}</auto-register-email>
        </options>
    </authenticator>

    <authenticator>
        <type>localdb</type>
        <options>
            <allow-password-change>true</allow-password-change>
        </options>
    </authenticator>
</auth>

 

 

And

 

Thank you for your help.

 

Regards,

Marija

 

From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of Nicola Soranzo
Sent: Wednesday, June 01, 2016 12:47 PM
To: Durdevic, Marija; [hidden email]
Subject: Re: [galaxy-dev] LDAP authentification

 

Hi Marija,
LDAP authentication is usually quite site-specific; config/auth_conf.xml.sample contains an example and documentation that should help you, but you still need to know the necessary details about how LDAP authentication works on your network, e.g. LDAP type (OpenLDAP or MS Active Directory), server address, search and bind parameters...

Cheers,
Nicola


Re: LDAP authentification

Nicola Soranzo-2
Hi Marija,
try to change to this:

<search-filter>(uid={username})</search-filter>

and/or:

<bind-user>{dn}</bind-user>

and let us know if you still have errors (please attach the sanitized logs).

Cheers,
Nicola

On 01/06/16 12:51, Durdevic, Marija wrote:

> Dear Nicola,
>
> Thank you for your response.
> I have all that information, and I am following the sample file, but still without success.
> Here is my auth_conf file:
>
>
> <?xml version="1.0"?>
> <auth>
>      <authenticator>
>          <type>ldap</type>
>          <filter>'{email}'.endswith('@mycompany.com')</filter>
>          <options>
>              <allow-register>False</allow-register>
>              <auto-register>True</auto-register>
>              <allow-password-change>False</allow-password-change>
>              <server>ldap://ldap.mycompany.com</server>
>              <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>              <login-use-username>True</login-use-username>
>              <continue-on-failure>False</continue-on-failure>
>              <search-fields>uid, mail</search-fields>
>              <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
>              <search-base>ou=pers,ou=usr,o=com</search-base>
>
>              <bind-user>{email}</bind-user>
>              <bind-password>{password}</bind-password>
>              <auto-register-username>{uid}</auto-register-username>
>              <auto-register-email>{email}</auto-register-email>
>          </options>
>      </authenticator>
>
>      <authenticator>
>          <type>localdb</type>
>          <options>
>              <allow-password-change>true</allow-password-change>
>          </options>
>      </authenticator>
> </auth>
>
>
> And
>
> Thank you for your help.
>
> Regards,
> Marija
>

Re: LDAP authentification

Durdevic, Marija
Dear Nicola,

Thank you very much for your help, I appreciate it a lot.

With the recommended changes, I am getting just an error message in the Galaxy web app: No such user or invalid password. There is no error message in the log file.

I changed the configuration to:

<?xml version="1.0"?>
<auth>
  <authenticator>
    <type>ldap</type>
    <filter>'{email}'.endswith('@mycompany.com')</filter>
    <options>
      <allow-register>True</allow-register>
      <auto-register>True</auto-register>
      <allow-password-change>False</allow-password-change>
      <server>ldap://ldap.mycompany.com</server>
      <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
      <login-use-username>False</login-use-username>
      <continue-on-failure>True</continue-on-failure>
      <search-fields>uid,mail</search-fields>
      <search-filter>(mail={email})</search-filter>
      <search-base>ou=pers,ou=usr,o=mcp</search-base>
      <bind-user>{dn}</bind-user>
      <bind-password>{password}</bind-password>
      <auto-register-username>{uid}</auto-register-username>
      <auto-register-email>{mail}</auto-register-email>
    </options>
  </authenticator>

  <authenticator>
    <type>localdb</type>
    <options>
      <allow-password-change>true</allow-password-change>
    </options>
  </authenticator>
</auth>

And the error in the log file is:


galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,135 LDAP authenticate: email is [hidden email]
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP authenticate: options are {'bind-user': '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False', 'allow-register': 'True', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email': '{mail}', 'server': 'ldap://ldap.medunigraz.at', 'auto-register': 'True', 'search-base': 'ou=pers,ou=usr,o=mug', 'search-filter': '(mail={email})', 'continue-on-failure': 'True', 'auto-register-username': '{uid}', 'bind-password': '{password}', 'allow-password-change': 'False'}
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,144 LDAP authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP authenticate: dn is cn=o_durdevic,ou=pers,ou=usr,o=mug
galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP authenticate: search attributes are {'mail': ['[hidden email]'], 'uid': ['o_durdevic']}
galaxy.auth.providers.ldap_ad WARNING 2016-06-01 15:13:28,169 LDAP authenticate: bind exception
Traceback (most recent call last):
  File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
    whoami = l.whoami_s()
  File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
    return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
  File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc': 'Protocol error'}
10.17.16.180 - - [01/Jun/2016:15:13:28 +0200] "POST /user/login?use_panels=False HTTP/1.1" 200 - "https://galaxy.medunigraz.at/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
[pid: 23119|app: 0|req: 1/1] 10.17.16.180 () {54 vars in 1146 bytes} [Wed Jun  1 15:13:28 2016] POST /user/login?use_panels=False => generated 5018 bytes in 101 msecs (HTTP/1.1 200) 2 headers in 73 bytes (1 switches on core 0)


-----Original Message-----
From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of Nicola Soranzo
Sent: Wednesday, June 01, 2016 2:56 PM
To: Durdevic, Marija; [hidden email]
Subject: Re: [galaxy-dev] LDAP authentification

Hi Marija,
try to change to this:

<search-filter>(uid={username})</search-filter>

and/or:

<bind-user>{dn}</bind-user>

and let us know if you still have errors (please attach the sanitized logs).

Cheers,
Nicola


Re: LDAP authentification

Nicola Soranzo-2
Hi Marija,
does it work without

<ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>


?

Cheers,
Nicola

On 01/06/16 14:17, Durdevic, Marija wrote:

> Dear Nicola,
>
> Thank you very much for your help, I appreciate it a lot.
>
> With the recommended changes, I am getting just an error message in the Galaxy web app: No such user or invalid password. There is no error message in the log file.
>
> I changed the configuration to:
>
> <?xml version="1.0"?>
> <auth>
>    <authenticator>
>      <type>ldap</type>
>      <filter>'{email}'.endswith('@mycompany.com')</filter>
>      <options>
>        <allow-register>True</allow-register>
>        <auto-register>True</auto-register>
>        <allow-password-change>False</allow-password-change>
>        <server>ldap://ldap.mycompany.com</server>
>        <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>        <login-use-username>False</login-use-username>
>        <continue-on-failure>True</continue-on-failure>
>        <search-fields>uid,mail</search-fields>
>        <search-filter>(mail={email})</search-filter>
>        <search-base>ou=pers,ou=usr,o=mcp</search-base>
>        <bind-user>{dn}</bind-user>
>        <bind-password>{password}</bind-password>
>        <auto-register-username>{uid}</auto-register-username>
>        <auto-register-email>{mail}</auto-register-email>
>      </options>
>    </authenticator>
>
>    <authenticator>
>      <type>localdb</type>
>      <options>
>        <allow-password-change>true</allow-password-change>
>      </options>
>    </authenticator>
> </auth>
>
> And the error in the log file is:
>
>
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,135 LDAP authenticate: email is [hidden email]
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP authenticate: username is None
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP authenticate: options are {'bind-user': '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False', 'allow-register': 'True', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email': '{mail}', 'server': 'ldap://ldap.medunigraz.at', 'auto-register': 'True', 'search-base': 'ou=pers,ou=usr,o=mug', 'search-filter': '(mail={email})', 'continue-on-failure': 'True', 'auto-register-username': '{uid}', 'bind-password': '{password}', 'allow-password-change': 'False'}
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,144 LDAP authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP authenticate: dn is cn=o_durdevic,ou=pers,ou=usr,o=mug
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP authenticate: search attributes are {'mail': ['[hidden email]'], 'uid': ['o_durdevic']}
> galaxy.auth.providers.ldap_ad WARNING 2016-06-01 15:13:28,169 LDAP authenticate: bind exception
> Traceback (most recent call last):
>    File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
>      whoami = l.whoami_s()
>    File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
>      return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
>    File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>      result = func(*args,**kwargs)
> PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc': 'Protocol error'}
> 10.17.16.180 - - [01/Jun/2016:15:13:28 +0200] "POST /user/login?use_panels=False HTTP/1.1" 200 - "https://galaxy.medunigraz.at/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
> [pid: 23119|app: 0|req: 1/1] 10.17.16.180 () {54 vars in 1146 bytes} [Wed Jun  1 15:13:28 2016] POST /user/login?use_panels=False => generated 5018 bytes in 101 msecs (HTTP/1.1 200) 2 headers in 73 bytes (1 switches on core 0)
>
>

Re: LDAP authentification

Durdevic, Marija
No, I got the same error message :(

-----Original Message-----
From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of Nicola Soranzo
Sent: Wednesday, June 01, 2016 4:11 PM
To: Durdevic, Marija; [hidden email]
Subject: Re: [galaxy-dev] LDAP authentification

Hi Marija,
does it work without

<ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>


?

Cheers,
Nicola
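
Added example (not part of the original thread and not Galaxy code): an offline check of the transport-related options in the two auth_conf.xml files posted above, next to a constructed hardened variant. The finding codes, the comma-separated form of ldap-options, and the reading of continue-on-failure as "try the next authenticator" are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# TLS_REQCERT levels that end the session when the server certificate is
# missing or fails validation; anything weaker lets the session proceed.
STRICT_REQCERT = {"OPT_X_TLS_DEMAND", "OPT_X_TLS_HARD"}

EXPLAIN = {
    "PLAINTEXT_BIND": "server is ldap://, so the simple bind carries the "
                      "password unencrypted unless StartTLS is negotiated",
    "UNKNOWN_SCHEME": "server is neither ldap:// nor ldaps://",
    "WEAK_CERT_CHECK": "OPT_X_TLS_REQUIRE_CERT is below DEMAND/HARD, so a TLS "
                       "session can proceed without a validated certificate",
    "FALLS_THROUGH": "continue-on-failure is True and another authenticator "
                     "follows, so a failed LDAP login is retried there",
}

# Constructed input: the transport-related options of the first configuration
# posted in the thread (other options omitted).
FIRST_CONF = """<?xml version="1.0"?>
<auth>
  <authenticator>
    <type>ldap</type>
    <options>
      <server>ldap://ldap.mycompany.com</server>
      <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
      <continue-on-failure>False</continue-on-failure>
    </options>
  </authenticator>
  <authenticator>
    <type>localdb</type>
    <options><allow-password-change>true</allow-password-change></options>
  </authenticator>
</auth>"""

# Constructed input: the second posted configuration differs here only in
# continue-on-failure.
SECOND_CONF = FIRST_CONF.replace(
    "<continue-on-failure>False", "<continue-on-failure>True")

# Constructed hardened variant: TLS from connect, strict certificate checking.
HARDENED_CONF = (FIRST_CONF
                 .replace("ldap://", "ldaps://")
                 .replace("OPT_X_TLS_ALLOW", "OPT_X_TLS_DEMAND"))


def parse_ldap_options(raw):
    """Split 'KEY=VALUE' pairs; comma separation of several pairs is assumed."""
    pairs = {}
    for item in (raw or "").split(","):
        key, sep, value = item.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def audit_auth_conf(xml_text):
    """Return sorted (authenticator_index, finding_code) tuples for ldap entries."""
    authenticators = ET.fromstring(xml_text).findall("authenticator")
    findings = []
    for idx, auth in enumerate(authenticators):
        if (auth.findtext("type") or "").strip().lower() != "ldap":
            continue
        opts = auth.find("options")

        def get(name):
            # Missing <options> or a missing element both read as "".
            return (opts.findtext(name) or "").strip() if opts is not None else ""

        scheme = urlparse(get("server")).scheme.lower()
        if scheme == "ldap":
            findings.append((idx, "PLAINTEXT_BIND"))
        elif scheme != "ldaps":
            findings.append((idx, "UNKNOWN_SCHEME"))

        reqcert = parse_ldap_options(get("ldap-options")).get("OPT_X_TLS_REQUIRE_CERT")
        if reqcert is not None and reqcert not in STRICT_REQCERT:
            findings.append((idx, "WEAK_CERT_CHECK"))

        # Assumed semantics: True hands a failed login to the next authenticator.
        is_last = idx == len(authenticators) - 1
        if get("continue-on-failure").lower() == "true" and not is_last:
            findings.append((idx, "FALLS_THROUGH"))
    return sorted(findings)


def report(xml_text):
    """Human-readable lines for each finding."""
    return [f"authenticator #{i}: {code}: {EXPLAIN[code]}"
            for i, code in audit_auth_conf(xml_text)]


if __name__ == "__main__":
    for name, conf in (("first", FIRST_CONF), ("second", SECOND_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name)
        for line in report(conf) or ["no transport findings"]:
            print("  " + line)
```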

On 01/06/16 14:17, Durdevic, Marija wrote:

> Dear Nicola,
>
> Thank you very much for your help, I appreciate it a lot.
>
> With recommended changes, I am getting just error message in Galaxy web-app: No such user or invalid password. There is no error msg in log file.
>
> I changed configuration to :
>
> <?xml version="1.0"?>
> <auth>
>    <authenticator>
>      <type>ldap</type>
>      <filter>'{email}'.endswith('@mycompany.com')</filter>
>      <options>
>        <allow-register>True</allow-register>
>        <auto-register>True</auto-register>
>        <allow-password-change>False</allow-password-change>
>        <server>ldap://ldap. mycompany.com</server>
>        <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>        <login-use-username>False</login-use-username>
>        <continue-on-failure>True</continue-on-failure>
>        <search-fields>uid,mail</search-fields>
>        <search-filter>(mail={email})</search-filter>
>        <search-base>ou=pers,ou=usr,o=mcp</search-base>
>        <bind-user>{dn}</bind-user>
>        <bind-password>{password}</bind-password>
>        <auto-register-username>{uid}</auto-register-username>
>        <auto-register-email>{mail}</auto-register-email>
>      </options>
>    </authenticator>
>
>    <authenticator>
>      <type>localdb</type>
>      <options>
>        <allow-password-change>true</allow-password-change>
>      </options>
>    </authenticator>
> </auth>
>
> And error in log file is:
>
>
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,135 LDAP
> authenticate: email is [hidden email]
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP
> authenticate: username is None galaxy.auth.providers.ldap_ad DEBUG
> 2016-06-01 15:13:28,136 LDAP authenticate: options are {'bind-user':
> '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False',
> 'allow-register': 'True', 'ldap-options':
> 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email':
> '{mail}', 'server': 'ldap://ldap.medunigraz.at', 'auto-register':
> 'True', 'search-base': 'ou=pers,ou=usr,o=mug', 'search-filter':
> '(mail={email})', 'continue-on-failure': 'True',
> 'auto-register-username': '{uid}', 'bind-password': '{password}',
> 'allow-password-change': 'False'} galaxy.auth.providers.ldap_ad DEBUG
> 2016-06-01 15:13:28,144 LDAP authenticate: Valid LDAP option pair
> OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP
> authenticate: dn is cn=o_durdevic,ou=pers,ou=usr,o=mug
> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP
> authenticate: search attributes are {'mail':
> ['[hidden email]'], 'uid': ['o_durdevic']} galaxy.auth.providers.ldap_ad WARNING 2016-06-01 15:13:28,169 LDAP authenticate: bind exception Traceback (most recent call last):
>    File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
>      whoami = l.whoami_s()
>    File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
>      return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
>    File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>      result = func(*args,**kwargs)
> PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc':
> 'Protocol error'}
> 10.17.16.180 - - [01/Jun/2016:15:13:28 +0200] "POST /user/login?use_panels=False HTTP/1.1" 200 - "https://galaxy.medunigraz.at/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
> [pid: 23119|app: 0|req: 1/1] 10.17.16.180 () {54 vars in 1146 bytes}
> [Wed Jun  1 15:13:28 2016] POST /user/login?use_panels=False =>
> generated 5018 bytes in 101 msecs (HTTP/1.1 200) 2 headers in 73 bytes
> (1 switches on core 0)
>
>
> -----Original Message-----
> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
> Nicola Soranzo
> Sent: Wednesday, June 01, 2016 2:56 PM
> To: Durdevic, Marija; [hidden email]
> Subject: Re: [galaxy-dev] LDAP authentification
>
> Hi Marija,
> try to change to this:
>
> <search-filter>(uid={username})</search-filter>
>
> and/or:
>
> <bind-user>{dn}</bind-user>
>
> and let us know if you still have errors (please attach the sanitized logs).
>
> Cheers,
> Nicola
>
> On 01/06/16 12:51, Durdevic, Marija wrote:
>> Dear Nicola,
>>
>> Thank you for response.
>> I am having all those information, and I am following sample file, but still unsuccessfully.
>> Here is my auth_conf file:
>>
>>
>> <?xml version="1.0"?>
>> <auth>
>>       <authenticator>
>>           <type>ldap</type>
>>           <filter>'{email}'.endswith('@mycompany.com')</filter>
>>           <options>
>>               <allow-register>False</allow-register>
>>               <auto-register>True</auto-register>
>>               <allow-password-change>False</allow-password-change>
>>               <server>ldap://ldap.mycompany.com</server>
>>               <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>               <login-use-username>True</login-use-username>
>>               <continue-on-failure>False</continue-on-failure>
>>               <search-fields>uid, mail</search-fields>
>>               <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
>>               <search-base>ou=pers,ou=usr,o=com</search-base>
>>
>>               <bind-user>{email}</bind-user>
>>               <bind-password>{password}</bind-password>
>>               <auto-register-username>{uid}</auto-register-username>
>>               <auto-register-email>{email}</auto-register-email>
>>           </options>
>>       </authenticator>
>>
>>       <authenticator>
>>           <type>localdb</type>
>>           <options>
>>               <allow-password-change>true</allow-password-change>
>>           </options>
>>       </authenticator>
>> </auth>
>>
>>
>> And
>>
>> Thank you for your help.
>>
>> Regards,
>> Marija
>>
>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>> Nicola Soranzo
>> Sent: Wednesday, June 01, 2016 12:47 PM
>> To: Durdevic, Marija; [hidden email]
>> Subject: Re: [galaxy-dev] LDAP authentification
>>
>> Hi Marija,
>> LDAP authentication is usually quite site-specific, config/auth_conf.xml.sample contains example and documentation that should help you, but you still need to know the necessary details about how LDAP authentication works on your network, e.g. LDAP type (OpenLDAP or MS Active Directory), server address, search and bind parameters...
>>
>> Cheers,
>> Nicola
>> On 31/05/16 14:20, Durdevic, Marija wrote:
>> Can someone please be so kind to post auth_conf.xml file with all changes. I am trying to setup it, but unsuccessfully.
>>
>> Thanks in advance.
>> Regards,
>> Marija
>>
>> Mag. Marija Đurđević
>> Core Facility Computational Bioanalytics
>>
>> Medical University of Graz
>> Center for Medical Research
>> Stiftingtalstraße 24, A-8010 Graz
>> Austria
>>
>> Phone: +43 316/385-73024
>> Fax:+43 316/385-73009
>>
>> Email: [hidden email]
>> Email: [hidden email]
>>
>> Web: https://zmf.medunigraz.at/
>>

Re: LDAP authentification

Nicola Soranzo-2
What is your LDAP server software? OpenLDAP or something else?

Cheers,
Nicola

On 01/06/16 15:14, Durdevic, Marija wrote:

> No, I got the same error message :(
>
> -----Original Message-----
> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of Nicola Soranzo
> Sent: Wednesday, June 01, 2016 4:11 PM
> To: Durdevic, Marija; [hidden email]
> Subject: Re: [galaxy-dev] LDAP authentification
>
> Hi Marija,
> does it work without
>
> <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>
>
> ?
>
> Cheers,
> Nicola
>
> On 01/06/16 14:17, Durdevic, Marija wrote:
>> Dear Nicola,
>>
>> Thank you very much for your help, I appreciate it a lot.
>>
>> With recommended changes, I am getting just error message in Galaxy web-app: No such user or invalid password. There is no error msg in log file.
>>
>> I changed configuration to :
>>
>> <?xml version="1.0"?>
>> <auth>
>>     <authenticator>
>>       <type>ldap</type>
>>       <filter>'{email}'.endswith('@mycompany.com')</filter>
>>       <options>
>>         <allow-register>True</allow-register>
>>         <auto-register>True</auto-register>
>>         <allow-password-change>False</allow-password-change>
>>         <server>ldap://ldap.mycompany.com</server>
>>         <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>         <login-use-username>False</login-use-username>
>>         <continue-on-failure>True</continue-on-failure>
>>         <search-fields>uid,mail</search-fields>
>>         <search-filter>(mail={email})</search-filter>
>>         <search-base>ou=pers,ou=usr,o=mcp</search-base>
>>         <bind-user>{dn}</bind-user>
>>         <bind-password>{password}</bind-password>
>>         <auto-register-username>{uid}</auto-register-username>
>>         <auto-register-email>{mail}</auto-register-email>
>>       </options>
>>     </authenticator>
>>
>>     <authenticator>
>>       <type>localdb</type>
>>       <options>
>>         <allow-password-change>true</allow-password-change>
>>       </options>
>>     </authenticator>
>> </auth>
>>
>> And error in log file is:
>>
>>
>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,135 LDAP
>> authenticate: email is [hidden email]
>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP
>> authenticate: username is None galaxy.auth.providers.ldap_ad DEBUG
>> 2016-06-01 15:13:28,136 LDAP authenticate: options are {'bind-user':
>> '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False',
>> 'allow-register': 'True', 'ldap-options':
>> 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email':
>> '{mail}', 'server': 'ldap://ldap.medunigraz.at', 'auto-register':
>> 'True', 'search-base': 'ou=pers,ou=usr,o=mug', 'search-filter':
>> '(mail={email})', 'continue-on-failure': 'True',
>> 'auto-register-username': '{uid}', 'bind-password': '{password}',
>> 'allow-password-change': 'False'} galaxy.auth.providers.ldap_ad DEBUG
>> 2016-06-01 15:13:28,144 LDAP authenticate: Valid LDAP option pair
>> OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP
>> authenticate: dn is cn=o_durdevic,ou=pers,ou=usr,o=mug
>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP
>> authenticate: search attributes are {'mail':
>> ['[hidden email]'], 'uid': ['o_durdevic']} galaxy.auth.providers.ldap_ad WARNING 2016-06-01 15:13:28,169 LDAP authenticate: bind exception Traceback (most recent call last):
>>     File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
>>       whoami = l.whoami_s()
>>     File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
>>       return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
>>     File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>>       result = func(*args,**kwargs)
>> PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc':
>> 'Protocol error'}
>> 10.17.16.180 - - [01/Jun/2016:15:13:28 +0200] "POST /user/login?use_panels=False HTTP/1.1" 200 - "https://galaxy.medunigraz.at/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
>> [pid: 23119|app: 0|req: 1/1] 10.17.16.180 () {54 vars in 1146 bytes}
>> [Wed Jun  1 15:13:28 2016] POST /user/login?use_panels=False =>
>> generated 5018 bytes in 101 msecs (HTTP/1.1 200) 2 headers in 73 bytes
>> (1 switches on core 0)
>>
>>
>> -----Original Message-----
>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>> Nicola Soranzo
>> Sent: Wednesday, June 01, 2016 2:56 PM
>> To: Durdevic, Marija; [hidden email]
>> Subject: Re: [galaxy-dev] LDAP authentification
>>
>> Hi Marija,
>> try to change to this:
>>
>> <search-filter>(uid={username})</search-filter>
>>
>> and/or:
>>
>> <bind-user>{dn}</bind-user>
>>
>> and let us know if you still have errors (please attach the sanitized logs).
>>
>> Cheers,
>> Nicola
>>
>> On 01/06/16 12:51, Durdevic, Marija wrote:
>>> Dear Nicola,
>>>
>>> Thank you for response.
>>> I am having all those information, and I am following sample file, but still unsuccessfully.
>>> Here is my auth_conf file:
>>>
>>>
>>> <?xml version="1.0"?>
>>> <auth>
>>>        <authenticator>
>>>            <type>ldap</type>
>>>            <filter>'{email}'.endswith('@mycompany.com')</filter>
>>>            <options>
>>>                <allow-register>False</allow-register>
>>>                <auto-register>True</auto-register>
>>>                <allow-password-change>False</allow-password-change>
>>>                <server>ldap://ldap.mycompany.com</server>
>>>                <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>>                <login-use-username>True</login-use-username>
>>>                <continue-on-failure>False</continue-on-failure>
>>>                <search-fields>uid, mail</search-fields>
>>>                <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
>>>                <search-base>ou=pers,ou=usr,o=com</search-base>
>>>
>>>                <bind-user>{email}</bind-user>
>>>                <bind-password>{password}</bind-password>
>>>                <auto-register-username>{uid}</auto-register-username>
>>>                <auto-register-email>{email}</auto-register-email>
>>>            </options>
>>>        </authenticator>
>>>
>>>        <authenticator>
>>>            <type>localdb</type>
>>>            <options>
>>>                <allow-password-change>true</allow-password-change>
>>>            </options>
>>>        </authenticator>
>>> </auth>
>>>
>>>
>>> And
>>>
>>> Thank you for your help.
>>>
>>> Regards,
>>> Marija
>>>
>>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>>> Nicola Soranzo
>>> Sent: Wednesday, June 01, 2016 12:47 PM
>>> To: Durdevic, Marija; [hidden email]
>>> Subject: Re: [galaxy-dev] LDAP authentification
>>>
>>> Hi Marija,
>>> LDAP authentication is usually quite site-specific, config/auth_conf.xml.sample contains example and documentation that should help you, but you still need to know the necessary details about how LDAP authentication works on your network, e.g. LDAP type (OpenLDAP or MS Active Directory), server address, search and bind parameters...
>>>
>>> Cheers,
>>> Nicola
>>> On 31/05/16 14:20, Durdevic, Marija wrote:
>>> Can someone please be so kind to post auth_conf.xml file with all changes. I am trying to setup it, but unsuccessfully.
>>>
>>> Thanks in advance.
>>> Regards,
>>> Marija
>>>
>>> Mag. Marija Đurđević
>>> Core Facility Computational Bioanalytics
>>>
>>> Medical University of Graz
>>> Center for Medical Research
>>> Stiftingtalstraße 24, A-8010 Graz
>>> Austria
>>>
>>> Phone: +43 316/385-73024
>>> Fax:+43 316/385-73009
>>>
>>> Email: [hidden email]
>>> Email: [hidden email]
>>>
>>> Web: https://zmf.medunigraz.at/
>>>

Re: LDAP authentification

Durdevic, Marija
Hi Nicola,

The server is eDirectory. But this should not have any effect on LDAP authentication as the protocol is standardized, as they told me from administration support.
 
Cheers,
Marija

-----Original Message-----
From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of Nicola Soranzo
Sent: Wednesday, June 01, 2016 4:21 PM
To: Durdevic, Marija; [hidden email]
Subject: Re: [galaxy-dev] LDAP authentification

What is your LDAP server software? OpenLDAP or something else?

Cheers,
Nicola

On 01/06/16 15:14, Durdevic, Marija wrote:

> No, I got the same error message :(
>
> -----Original Message-----
> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
> Nicola Soranzo
> Sent: Wednesday, June 01, 2016 4:11 PM
> To: Durdevic, Marija; [hidden email]
> Subject: Re: [galaxy-dev] LDAP authentification
>
> Hi Marija,
> does it work without
>
> <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>
>
> ?
>
> Cheers,
> Nicola
>
> On 01/06/16 14:17, Durdevic, Marija wrote:
>> Dear Nicola,
>>
>> Thank you very much for your help, I appreciate it a lot.
>>
>> With recommended changes, I am getting just error message in Galaxy web-app: No such user or invalid password. There is no error msg in log file.
>>
>> I changed configuration to :
>>
>> <?xml version="1.0"?>
>> <auth>
>>     <authenticator>
>>       <type>ldap</type>
>>       <filter>'{email}'.endswith('@mycompany.com')</filter>
>>       <options>
>>         <allow-register>True</allow-register>
>>         <auto-register>True</auto-register>
>>         <allow-password-change>False</allow-password-change>
>>         <server>ldap://ldap.mycompany.com</server>
>>         <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>         <login-use-username>False</login-use-username>
>>         <continue-on-failure>True</continue-on-failure>
>>         <search-fields>uid,mail</search-fields>
>>         <search-filter>(mail={email})</search-filter>
>>         <search-base>ou=pers,ou=usr,o=mcp</search-base>
>>         <bind-user>{dn}</bind-user>
>>         <bind-password>{password}</bind-password>
>>         <auto-register-username>{uid}</auto-register-username>
>>         <auto-register-email>{mail}</auto-register-email>
>>       </options>
>>     </authenticator>
>>
>>     <authenticator>
>>       <type>localdb</type>
>>       <options>
>>         <allow-password-change>true</allow-password-change>
>>       </options>
>>     </authenticator>
>> </auth>
>>
>> And error in log file is:
>>
>>
>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,135 LDAP
>> authenticate: email is [hidden email]
>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP
>> authenticate: username is None galaxy.auth.providers.ldap_ad DEBUG
>> 2016-06-01 15:13:28,136 LDAP authenticate: options are {'bind-user':
>> '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False',
>> 'allow-register': 'True', 'ldap-options':
>> 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email':
>> '{mail}', 'server': 'ldap://ldap.medunigraz.at', 'auto-register':
>> 'True', 'search-base': 'ou=pers,ou=usr,o=mug', 'search-filter':
>> '(mail={email})', 'continue-on-failure': 'True',
>> 'auto-register-username': '{uid}', 'bind-password': '{password}',
>> 'allow-password-change': 'False'} galaxy.auth.providers.ldap_ad DEBUG
>> 2016-06-01 15:13:28,144 LDAP authenticate: Valid LDAP option pair
>> OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP
>> authenticate: dn is cn=o_durdevic,ou=pers,ou=usr,o=mug
>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP
>> authenticate: search attributes are {'mail':
>> ['[hidden email]'], 'uid': ['o_durdevic']} galaxy.auth.providers.ldap_ad WARNING 2016-06-01 15:13:28,169 LDAP authenticate: bind exception Traceback (most recent call last):
>>     File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
>>       whoami = l.whoami_s()
>>     File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
>>       return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
>>     File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>>       result = func(*args,**kwargs)
>> PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc':
>> 'Protocol error'}
>> 10.17.16.180 - - [01/Jun/2016:15:13:28 +0200] "POST /user/login?use_panels=False HTTP/1.1" 200 - "https://galaxy.medunigraz.at/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
>> [pid: 23119|app: 0|req: 1/1] 10.17.16.180 () {54 vars in 1146 bytes}
>> [Wed Jun  1 15:13:28 2016] POST /user/login?use_panels=False =>
>> generated 5018 bytes in 101 msecs (HTTP/1.1 200) 2 headers in 73
>> bytes
>> (1 switches on core 0)
>>
>>
>> -----Original Message-----
>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>> Nicola Soranzo
>> Sent: Wednesday, June 01, 2016 2:56 PM
>> To: Durdevic, Marija; [hidden email]
>> Subject: Re: [galaxy-dev] LDAP authentification
>>
>> Hi Marija,
>> try to change to this:
>>
>> <search-filter>(uid={username})</search-filter>
>>
>> and/or:
>>
>> <bind-user>{dn}</bind-user>
>>
>> and let us know if you still have errors (please attach the sanitized logs).
>>
>> Cheers,
>> Nicola
>>
>> On 01/06/16 12:51, Durdevic, Marija wrote:
>>> Dear Nicola,
>>>
>>> Thank you for response.
>>> I am having all those information, and I am following sample file, but still unsuccessfully.
>>> Here is my auth_conf file:
>>>
>>>
>>> <?xml version="1.0"?>
>>> <auth>
>>>        <authenticator>
>>>            <type>ldap</type>
>>>            <filter>'{email}'.endswith('@mycompany.com')</filter>
>>>            <options>
>>>                <allow-register>False</allow-register>
>>>                <auto-register>True</auto-register>
>>>                <allow-password-change>False</allow-password-change>
>>>                <server>ldap://ldap.mycompany.com</server>
>>>                <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>>                <login-use-username>True</login-use-username>
>>>                <continue-on-failure>False</continue-on-failure>
>>>                <search-fields>uid, mail</search-fields>
>>>                <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
>>>                <search-base>ou=pers,ou=usr,o=com</search-base>
>>>
>>>                <bind-user>{email}</bind-user>
>>>                <bind-password>{password}</bind-password>
>>>                <auto-register-username>{uid}</auto-register-username>
>>>                <auto-register-email>{email}</auto-register-email>
>>>            </options>
>>>        </authenticator>
>>>
>>>        <authenticator>
>>>            <type>localdb</type>
>>>            <options>
>>>                <allow-password-change>true</allow-password-change>
>>>            </options>
>>>        </authenticator>
>>> </auth>
>>>
>>>
>>> And
>>>
>>> Thank you for your help.
>>>
>>> Regards,
>>> Marija
>>>
>>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>>> Nicola Soranzo
>>> Sent: Wednesday, June 01, 2016 12:47 PM
>>> To: Durdevic, Marija; [hidden email]
>>> Subject: Re: [galaxy-dev] LDAP authentification
>>>
>>> Hi Marija,
>>> LDAP authentication is usually quite site-specific, config/auth_conf.xml.sample contains example and documentation that should help you, but you still need to know the necessary details about how LDAP authentication works on your network, e.g. LDAP type (OpenLDAP or MS Active Directory), server address, search and bind parameters...
>>>
>>> Cheers,
>>> Nicola
>>> On 31/05/16 14:20, Durdevic, Marija wrote:
>>> Can someone please be so kind to post auth_conf.xml file with all changes. I am trying to setup it, but unsuccessfully.
>>>
>>> Thanks in advance.
>>> Regards,
>>> Marija
>>>
>>> Mag. Marija Đurđević
>>> Core Facility Computational Bioanalytics
>>>
>>> Medical University of Graz
>>> Center for Medical Research
>>> Stiftingtalstraße 24, A-8010 Graz
>>> Austria
>>>
>>> Phone: +43 316/385-73024
>>> Fax:+43 316/385-73009
>>>
>>> Email: [hidden email]
>>> Email: [hidden email]
>>>
>>> Web: https://zmf.medunigraz.at/
>>>

Re: LDAP authentification

Nicola Soranzo-2
Hi Marija,
thanks for the info, I suspect that eDirectory may not implement the
"Who Am I?" LDAP extended operation, defined in RFC 4532, see:

https://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.whoami_s

Can you check (or have your sysadmins check) the logs of the eDirectory
server?
I don't have any other idea, sorry!

Cheers,
Nicola

On 02/06/16 09:24, Durdevic, Marija wrote:

> Hi Nicola,
>
> The server is eDirectory. But this should not have any effect on LDAP authentication as the protocol is standardized, as they told me from administration support.
>  
> Cheers,
> Marija
>
> -----Original Message-----
> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of Nicola Soranzo
> Sent: Wednesday, June 01, 2016 4:21 PM
> To: Durdevic, Marija; [hidden email]
> Subject: Re: [galaxy-dev] LDAP authentification
>
> What is your LDAP server software? OpenLDAP or something else?
>
> Cheers,
> Nicola
>
> On 01/06/16 15:14, Durdevic, Marija wrote:
>> No, I got the same error message :(
>>
>> -----Original Message-----
>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>> Nicola Soranzo
>> Sent: Wednesday, June 01, 2016 4:11 PM
>> To: Durdevic, Marija; [hidden email]
>> Subject: Re: [galaxy-dev] LDAP authentification
>>
>> Hi Marija,
>> does it work without
>>
>> <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>
>>
>> ?
>>
>> Cheers,
>> Nicola
>>
>> On 01/06/16 14:17, Durdevic, Marija wrote:
>>> Dear Nicola,
>>>
>>> Thank you very much for your help, I appreciate it a lot.
>>>
>>> With recommended changes, I am getting just error message in Galaxy web-app: No such user or invalid password. There is no error msg in log file.
>>>
>>> I changed configuration to :
>>>
>>> <?xml version="1.0"?>
>>> <auth>
>>>      <authenticator>
>>>        <type>ldap</type>
>>>        <filter>'{email}'.endswith('@mycompany.com')</filter>
>>>        <options>
>>>          <allow-register>True</allow-register>
>>>          <auto-register>True</auto-register>
>>>          <allow-password-change>False</allow-password-change>
>>>          <server>ldap://ldap.mycompany.com</server>
>>>          <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>>          <login-use-username>False</login-use-username>
>>>          <continue-on-failure>True</continue-on-failure>
>>>          <search-fields>uid,mail</search-fields>
>>>          <search-filter>(mail={email})</search-filter>
>>>          <search-base>ou=pers,ou=usr,o=mcp</search-base>
>>>          <bind-user>{dn}</bind-user>
>>>          <bind-password>{password}</bind-password>
>>>          <auto-register-username>{uid}</auto-register-username>
>>>          <auto-register-email>{mail}</auto-register-email>
>>>        </options>
>>>      </authenticator>
>>>
>>>      <authenticator>
>>>        <type>localdb</type>
>>>        <options>
>>>          <allow-password-change>true</allow-password-change>
>>>        </options>
>>>      </authenticator>
>>> </auth>
>>>
>>> And error in log file is:
>>>
>>>
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,135 LDAP
>>> authenticate: email is [hidden email]
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP
>>> authenticate: username is None galaxy.auth.providers.ldap_ad DEBUG
>>> 2016-06-01 15:13:28,136 LDAP authenticate: options are {'bind-user':
>>> '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False',
>>> 'allow-register': 'True', 'ldap-options':
>>> 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email':
>>> '{mail}', 'server': 'ldap://ldap.medunigraz.at', 'auto-register':
>>> 'True', 'search-base': 'ou=pers,ou=usr,o=mug', 'search-filter':
>>> '(mail={email})', 'continue-on-failure': 'True',
>>> 'auto-register-username': '{uid}', 'bind-password': '{password}',
>>> 'allow-password-change': 'False'} galaxy.auth.providers.ldap_ad DEBUG
>>> 2016-06-01 15:13:28,144 LDAP authenticate: Valid LDAP option pair
>>> OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP
>>> authenticate: dn is cn=o_durdevic,ou=pers,ou=usr,o=mug
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP
>>> authenticate: search attributes are {'mail':
>>> ['[hidden email]'], 'uid': ['o_durdevic']} galaxy.auth.providers.ldap_ad WARNING 2016-06-01 15:13:28,169 LDAP authenticate: bind exception Traceback (most recent call last):
>>>      File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
>>>        whoami = l.whoami_s()
>>>      File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
>>>        return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
>>>      File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>>>        result = func(*args,**kwargs)
>>> PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc':
>>> 'Protocol error'}
>>> 10.17.16.180 - - [01/Jun/2016:15:13:28 +0200] "POST /user/login?use_panels=False HTTP/1.1" 200 - "https://galaxy.medunigraz.at/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
>>> [pid: 23119|app: 0|req: 1/1] 10.17.16.180 () {54 vars in 1146 bytes}
>>> [Wed Jun  1 15:13:28 2016] POST /user/login?use_panels=False =>
>>> generated 5018 bytes in 101 msecs (HTTP/1.1 200) 2 headers in 73
>>> bytes
>>> (1 switches on core 0)
>>>
>>>
>>> -----Original Message-----
>>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>>> Nicola Soranzo
>>> Sent: Wednesday, June 01, 2016 2:56 PM
>>> To: Durdevic, Marija; [hidden email]
>>> Subject: Re: [galaxy-dev] LDAP authentification
>>>
>>> Hi Marija,
>>> try to change to this:
>>>
>>> <search-filter>(uid={username})</search-filter>
>>>
>>> and/or:
>>>
>>> <bind-user>{dn}</bind-user>
>>>
>>> and let us know if you still have errors (please attach the sanitized logs).
>>>
>>> Cheers,
>>> Nicola
>>>
>>> On 01/06/16 12:51, Durdevic, Marija wrote:
>>>> Dear Nicola,
>>>>
>>>> Thank you for response.
>>>> I am having all those information, and I am following sample file, but still unsuccessfully.
>>>> Here is my auth_conf file:
>>>>
>>>>
>>>> <?xml version="1.0"?>
>>>> <auth>
>>>>         <authenticator>
>>>>             <type>ldap</type>
>>>>             <filter>'{email}'.endswith('@mycompany.com')</filter>
>>>>             <options>
>>>>                 <allow-register>False</allow-register>
>>>>                 <auto-register>True</auto-register>
>>>>                 <allow-password-change>False</allow-password-change>
>>>>                 <server>ldap://ldap.mycompany.com</server>
>>>>                 <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>>>                 <login-use-username>True</login-use-username>
>>>>                 <continue-on-failure>False</continue-on-failure>
>>>>                 <search-fields>uid, mail</search-fields>
>>>>                 <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
>>>>                 <search-base>ou=pers,ou=usr,o=com</search-base>
>>>>
>>>>                 <bind-user>{email}</bind-user>
>>>>                 <bind-password>{password}</bind-password>
>>>>                 <auto-register-username>{uid}</auto-register-username>
>>>>                 <auto-register-email>{email}</auto-register-email>
>>>>             </options>
>>>>         </authenticator>
>>>>
>>>>         <authenticator>
>>>>             <type>localdb</type>
>>>>             <options>
>>>>                 <allow-password-change>true</allow-password-change>
>>>>             </options>
>>>>         </authenticator>
>>>> </auth>
>>>>
>>>>
>>>> And
>>>>
>>>> Thank you for your help.
>>>>
>>>> Regards,
>>>> Marija
>>>>
>>>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>>>> Nicola Soranzo
>>>> Sent: Wednesday, June 01, 2016 12:47 PM
>>>> To: Durdevic, Marija; [hidden email]
>>>> Subject: Re: [galaxy-dev] LDAP authentification
>>>>
>>>> Hi Marija,
>>>> LDAP authentication is usually quite site-specific, config/auth_conf.xml.sample contains example and documentation that should help you, but you still need to know the necessary details about how LDAP authentication works on your network, e.g. LDAP type (OpenLDAP or MS Active Directory), server address, search and bind parameters...
>>>>
>>>> Cheers,
>>>> Nicola
>>>> On 31/05/16 14:20, Durdevic, Marija wrote:
>>>> Can someone please be so kind to post auth_conf.xml file with all changes. I am trying to setup it, but unsuccessfully.
>>>>
>>>> Thanks in advance.
>>>> Regards,
>>>> Marija
>>>>
>>>> Mag. Marija Đurđević
>>>> Core Facility Computational Bioanalytics
>>>>
>>>> Medical University of Graz
>>>> Center for Medical Research
>>>> Stiftingtalstraße 24, A-8010 Graz
>>>> Austria
>>>>
>>>> Phone: +43 316/385-73024
>>>> Fax:+43 316/385-73009
>>>>
>>>> Email: [hidden email]
>>>> Email: [hidden email]
>>>>
>>>> Web: https://zmf.medunigraz.at/
>>>>
>>>>
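
The failure mode Nicola describes, as an added example (not part of the thread and not Galaxy's code): the posted traceback ends in `whoami_s()`, so a client can read `supportedExtension` from the root DSE to see whether the server offers "Who Am I?", and can treat a rejected `whoami_s()` after a bind with a non-empty DN and password as authenticated. `FakeDirectory`, `verify_bind`, `server_supports_whoami` and the sample DN and password are constructed for illustration; only `simple_bind_s`, `whoami_s` and `search_s` are python-ldap method names.

```python
try:
    import ldap  # python-ldap, the library shown in the traceback
    ProtocolError = ldap.PROTOCOL_ERROR
    InvalidCredentials = ldap.INVALID_CREDENTIALS
except ImportError:
    # Stand-ins so the example runs offline without python-ldap installed.
    class ProtocolError(Exception):
        pass

    class InvalidCredentials(Exception):
        pass

WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"   # "Who Am I?" extended operation, RFC 4532
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation
SCOPE_BASE = 0                            # same value as ldap.SCOPE_BASE


def server_supports_whoami(conn):
    """Return True if the root DSE lists the Who Am I? OID in supportedExtension."""
    entries = conn.search_s("", SCOPE_BASE, "(objectClass=*)", ["supportedExtension"])
    for _dn, attrs in entries:
        for value in attrs.get("supportedExtension", []):
            if isinstance(value, bytes):
                value = value.decode("ascii", "replace")
            if value == WHOAMI_OID:
                return True
    return False


def verify_bind(conn, dn, password):
    """Bind as dn and return (authenticated, detail).

    An empty DN or password is refused before contacting the server: a simple
    bind with an empty password is an unauthenticated bind (RFC 4513) that a
    server may accept as anonymous, which must never count as a login.
    """
    if not dn or not password:
        return False, "refused: empty DN or password"
    try:
        conn.simple_bind_s(dn, password)
    except InvalidCredentials:
        return False, "invalid credentials"
    try:
        authz_id = conn.whoami_s()
    except ProtocolError:
        # The case in this thread: the bind was accepted, the extended
        # operation is not implemented. The non-empty DN and password were
        # checked by the server, so the bind result is the answer.
        return True, "bind accepted; server does not implement Who Am I?"
    if not authz_id:
        return False, "server reports an anonymous session"
    return True, authz_id


class FakeDirectory:
    """Constructed stand-in for an LDAP connection; no network involved."""

    def __init__(self, users, extensions):
        self.users = users
        self.extensions = extensions
        self.bound_dn = None
        self.bind_calls = 0

    def simple_bind_s(self, dn, password):
        self.bind_calls += 1
        if password == "":  # unauthenticated bind: accepted, but anonymous
            self.bound_dn = None
            return
        if self.users.get(dn) != password:
            raise InvalidCredentials("Invalid credentials")
        self.bound_dn = dn

    def whoami_s(self):
        if WHOAMI_OID not in self.extensions:
            raise ProtocolError("Unrecognized extended operation")
        return "dn:" + self.bound_dn if self.bound_dn else ""

    def search_s(self, base, scope, filterstr, attrlist):
        values = [e.encode("ascii") for e in self.extensions]
        return [("", {"supportedExtension": values})]


# Constructed sample data, not taken from the thread.
DN = "cn=jdoe,ou=people,o=example"
USERS = {DN: "correct horse"}

if __name__ == "__main__":
    for label, exts in (("without Who Am I?", [STARTTLS_OID]),
                        ("with Who Am I?", [STARTTLS_OID, WHOAMI_OID])):
        conn = FakeDirectory(USERS, exts)
        print(label, server_supports_whoami(conn),
              verify_bind(conn, DN, "correct horse"),
              verify_bind(conn, DN, "wrong"),
              verify_bind(conn, DN, ""))
```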


Re: LDAP authentification

Durdevic, Marija
Dear Nicola,

Thank you very much for your time and help. I will see with my administrators how to solve this issue.

Regards,
Marija

-----Original Message-----
From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of Nicola Soranzo
Sent: Thursday, June 02, 2016 12:51 PM
To: Durdevic, Marija; [hidden email]
Subject: Re: [galaxy-dev] LDAP authentification

Hi Marija,
thanks for the info, I suspect that eDirectory may not implement the "Who Am I?" LDAP extended operation, defined in RFC 4532, see:

https://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.whoami_s

Can you check (or have your sysadmins check) the logs of the eDirectory server?
I don't have any other idea, sorry!

Cheers,
Nicola

On 02/06/16 09:24, Durdevic, Marija wrote:

> Hi Nicola,
>
> The server is eDirectory. But this should not have any effect on LDAP authentication as the protocol is standardized, as they told me from administration support.
>  
> Cheers,
> Marija
>
> -----Original Message-----
> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
> Nicola Soranzo
> Sent: Wednesday, June 01, 2016 4:21 PM
> To: Durdevic, Marija; [hidden email]
> Subject: Re: [galaxy-dev] LDAP authentification
>
> What is your LDAP server software? OpenLDAP or something else?
>
> Cheers,
> Nicola
>
> On 01/06/16 15:14, Durdevic, Marija wrote:
>> No, I got the same error message :(
>>
>> -----Original Message-----
>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>> Nicola Soranzo
>> Sent: Wednesday, June 01, 2016 4:11 PM
>> To: Durdevic, Marija; [hidden email]
>> Subject: Re: [galaxy-dev] LDAP authentification
>>
>> Hi Marija,
>> does it work without
>>
>> <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>
>>
>> ?
>>
>> Cheers,
>> Nicola
>>
>> On 01/06/16 14:17, Durdevic, Marija wrote:
>>> Dear Nicola,
>>>
>>> Thank you very much for your help, I appreciate it a lot.
>>>
>>> With the recommended changes, I am getting just an error message in the Galaxy web-app: No such user or invalid password. There is no error message in the log file.
>>>
>>> I changed configuration to :
>>>
>>> <?xml version="1.0"?>
>>> <auth>
>>>      <authenticator>
>>>        <type>ldap</type>
>>>        <filter>'{email}'.endswith('@mycompany.com')</filter>
>>>        <options>
>>>          <allow-register>True</allow-register>
>>>          <auto-register>True</auto-register>
>>>          <allow-password-change>False</allow-password-change>
>>>          <server>ldap://ldap.mycompany.com</server>
>>>          <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>>          <login-use-username>False</login-use-username>
>>>          <continue-on-failure>True</continue-on-failure>
>>>          <search-fields>uid,mail</search-fields>
>>>          <search-filter>(mail={email})</search-filter>
>>>          <search-base>ou=pers,ou=usr,o=mcp</search-base>
>>>          <bind-user>{dn}</bind-user>
>>>          <bind-password>{password}</bind-password>
>>>          <auto-register-username>{uid}</auto-register-username>
>>>          <auto-register-email>{mail}</auto-register-email>
>>>        </options>
>>>      </authenticator>
>>>
>>>      <authenticator>
>>>        <type>localdb</type>
>>>        <options>
>>>          <allow-password-change>true</allow-password-change>
>>>        </options>
>>>      </authenticator>
>>> </auth>
>>>
>>> And error in log file is:
>>>
>>>
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,135 LDAP authenticate: email is [hidden email]
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP authenticate: username is None
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,136 LDAP authenticate: options are {'bind-user': '{dn}', 'search-fields': 'uid,mail', 'login-use-username': 'False', 'allow-register': 'True', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email': '{mail}', 'server': 'ldap://ldap.medunigraz.at', 'auto-register': 'True', 'search-base': 'ou=pers,ou=usr,o=mug', 'search-filter': '(mail={email})', 'continue-on-failure': 'True', 'auto-register-username': '{uid}', 'bind-password': '{password}', 'allow-password-change': 'False'}
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,144 LDAP authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP authenticate: dn is cn=o_durdevic,ou=pers,ou=usr,o=mug
>>> galaxy.auth.providers.ldap_ad DEBUG 2016-06-01 15:13:28,160 LDAP authenticate: search attributes are {'mail': ['[hidden email]'], 'uid': ['o_durdevic']}
>>> galaxy.auth.providers.ldap_ad WARNING 2016-06-01 15:13:28,169 LDAP authenticate: bind exception
>>> Traceback (most recent call last):
>>>      File "lib/galaxy/auth/providers/ldap_ad.py", line 168, in authenticate
>>>        whoami = l.whoami_s()
>>>      File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 641, in whoami_s
>>>        return self._ldap_call(self._l.whoami_s,serverctrls,clientctrls)
>>>      File "/home/galaxy/galaxy/.venv/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>>>        result = func(*args,**kwargs)
>>> PROTOCOL_ERROR: {'info': 'Unrecognized extended operation', 'desc': 'Protocol error'}
>>> 10.17.16.180 - - [01/Jun/2016:15:13:28 +0200] "POST /user/login?use_panels=False HTTP/1.1" 200 - "https://galaxy.medunigraz.at/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
>>> [pid: 23119|app: 0|req: 1/1] 10.17.16.180 () {54 vars in 1146 bytes} [Wed Jun  1 15:13:28 2016] POST /user/login?use_panels=False => generated 5018 bytes in 101 msecs (HTTP/1.1 200) 2 headers in 73 bytes (1 switches on core 0)
>>>
>>>
>>> -----Original Message-----
>>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>>> Nicola Soranzo
>>> Sent: Wednesday, June 01, 2016 2:56 PM
>>> To: Durdevic, Marija; [hidden email]
>>> Subject: Re: [galaxy-dev] LDAP authentification
>>>
>>> Hi Marija,
>>> try to change to this:
>>>
>>> <search-filter>(uid={username})</search-filter>
>>>
>>> and/or:
>>>
>>> <bind-user>{dn}</bind-user>
>>>
>>> and let us know if you still have errors (please attach the sanitized logs).
>>>
>>> Cheers,
>>> Nicola
>>>
>>> On 01/06/16 12:51, Durdevic, Marija wrote:
>>>> Dear Nicola,
>>>>
>>>> Thank you for response.
>>>> I have all that information, and I am following the sample file, but still without success.
>>>> Here is my auth_conf file:
>>>>
>>>>
>>>> <?xml version="1.0"?>
>>>> <auth>
>>>>         <authenticator>
>>>>             <type>ldap</type>
>>>>             <filter>'{email}'.endswith('@mycompany.com')</filter>
>>>>             <options>
>>>>                 <allow-register>False</allow-register>
>>>>                 <auto-register>True</auto-register>
>>>>                 <allow-password-change>False</allow-password-change>
>>>>                 <server>ldap://ldap.mycompany.com</server>
>>>>                 <ldap-options>OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW</ldap-options>
>>>>                 <login-use-username>True</login-use-username>
>>>>                 <continue-on-failure>False</continue-on-failure>
>>>>                 <search-fields>uid, mail</search-fields>
>>>>                 <search-filter>(&#124;(mail={email})(uid={username}))</search-filter>
>>>>                 <search-base>ou=pers,ou=usr,o=com</search-base>
>>>>
>>>>                 <bind-user>{email}</bind-user>
>>>>                 <bind-password>{password}</bind-password>
>>>>                 <auto-register-username>{uid}</auto-register-username>
>>>>                 <auto-register-email>{email}</auto-register-email>
>>>>             </options>
>>>>         </authenticator>
>>>>
>>>>         <authenticator>
>>>>             <type>localdb</type>
>>>>             <options>
>>>>                 <allow-password-change>true</allow-password-change>
>>>>             </options>
>>>>         </authenticator>
>>>> </auth>
>>>>
>>>>
>>>> And
>>>>
>>>> Thank you for your help.
>>>>
>>>> Regards,
>>>> Marija
>>>>
>>>> From: Nicola Soranzo [mailto:[hidden email]] On Behalf Of
>>>> Nicola Soranzo
>>>> Sent: Wednesday, June 01, 2016 12:47 PM
>>>> To: Durdevic, Marija; [hidden email]
>>>> Subject: Re: [galaxy-dev] LDAP authentification
>>>>
>>>> Hi Marija,
>>>> LDAP authentication is usually quite site-specific, config/auth_conf.xml.sample contains example and documentation that should help you, but you still need to know the necessary details about how LDAP authentication works on your network, e.g. LDAP type (OpenLDAP or MS Active Directory), server address, search and bind parameters...
>>>>
>>>> Cheers,
>>>> Nicola
>>>> On 31/05/16 14:20, Durdevic, Marija wrote:
>>>> Can someone please be so kind to post auth_conf.xml file with all changes. I am trying to setup it, but unsuccessfully.
>>>>
>>>> Thanks in advance.
>>>> Regards,
>>>> Marija
>>>>
>>>> Mag. Marija Đurđević
>>>> Core Facility Computational Bioanalytics
>>>>
>>>> Medical University of Graz
>>>> Center for Medical Research
>>>> Stiftingtalstraße 24, A-8010 Graz
>>>> Austria
>>>>
>>>> Phone: +43 316/385-73024
>>>> Fax:+43 316/385-73009
>>>>
>>>> Email: [hidden email]
>>>> Email: [hidden email]
>>>>
>>>> Web: https://zmf.medunigraz.at/
>>>>

Re: LDAP authentification

Durdevic, Marija
In reply to this post by Nicola Soranzo-2
Dear Nicola,

I arranged with my IT administration office to use their AD for LDAP. I corrected my auth_conf.xml file. Authentication was successful, but I got an error message on the Galaxy client side: No such user or invalid password
And the user is not created in the database.

Galaxy Log file is:

galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,077 LDAP authenticate: email is [hidden email]
galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,077 LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,078 LDAP authenticate: options are {'bind-user': '{dn}', 'search-fields': 'cn,mail', 'login-use-username': 'False', 'allow-register': 'False', 'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', 'auto-register-email': '{mail}', 'server': 'ldap:server.com', 'auto-register': 'True', 'search-base': 'OU=pers,OU=usr,DC=mga,DC=server,DC=com', 'search-filter': '(|(mail={email})(cn={username}))', 'continue-on-failure': 'False', 'auto-register-username': '{cn}', 'search-password': 'password', 'search-user': 'CN=AD Read,CN=Users,DC=mgd,DC=server,DC=com', 'bind-password': '{password}', 'allow-password-change': 'False'}
galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,130 LDAP authenticate: Valid LDAP option pair OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW -> 24582=3
galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,146 LDAP authenticate: dn is CN=o_durdevic,OU=pers,OU=usr,DC=mgd,DC=server,DC=com
galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,146 LDAP authenticate: search attributes are {'mail': ['[hidden email]'], 'cn': ['o_durdevic']}
galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,154 MY_LOG: (97, [], 2, [])
galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,155 LDAP authenticate: whoami is u:MGD\o_durdevic
galaxy.auth.providers.ldap_ad DEBUG 2016-06-03 12:09:20,155 LDAP authentication successful

10.17.16.180 - - [03/Jun/2016:12:09:20 +0200] "POST /user/login?use_panels=False HTTP/1.1" 200 - "https://galaxy.medunigraz.at/user/login?use_panels=False" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
[pid: 1985|app: 0|req: 1/1] 10.17.16.180 () {54 vars in 1146 bytes} [Fri Jun  3 12:09:20 2016] POST /user/login?use_panels=False => generated 5018 bytes in 144 msecs (HTTP/1.1 200) 2 headers in 73 bytes (1 switches on core 0)

Any solution?

Regards,
Marija
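
Added example, not part of the thread or of Galaxy's code: a Python audit of the `options are {...}` debug line shown in the log above, checking the server URL, the `OPT_X_TLS_REQUIRE_CERT` setting and whether every `{placeholder}` can be filled. The finding names, helper names and sample log line are constructed; it assumes placeholders are filled from the login values, `dn` and the attributes listed in `search-fields`, as the logs in this thread suggest.

```python
import ast
import re
from string import Formatter
from urllib.parse import urlsplit

# Placeholders assumed to be always available (login form values plus the found DN).
LOGIN_PARAMS = {"email", "username", "password", "dn"}
# REQUIRE_CERT values under which a bad server certificate does not stop the session.
WEAK_REQCERT = {"OPT_X_TLS_NEVER", "OPT_X_TLS_ALLOW"}

# Constructed sample, modelled on the debug line quoted in the thread.
SAMPLE_LOG = (
    "galaxy.auth.providers.ldap_ad DEBUG 2016-01-01 00:00:00,000 LDAP authenticate: "
    "options are {'bind-user': '{dn}', 'search-fields': 'cn,mail', "
    "'login-use-username': 'False', 'server': 'ldap:dc.example.org', "
    "'ldap-options': 'OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW', "
    "'search-filter': '(|(mail={email})(cn={username}))', "
    "'auto-register-username': '{uid}', 'auto-register-email': '{mail}', "
    "'bind-password': '{password}'}"
)


def options_from_log(line):
    """Recover the options dict from an 'options are {...}' debug line."""
    match = re.search(r"options are (\{.*\})", line)
    return ast.literal_eval(match.group(1)) if match else None


def placeholders(template):
    """Names used as {name} in an auth_conf.xml template string."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}


def audit(opts):
    """Return a list of finding identifiers (the names are this example's own)."""
    findings = []
    server = opts.get("server", "")
    url = urlsplit(server)
    if url.scheme not in ("ldap", "ldaps") or not url.hostname or re.search(r"\s", server):
        findings.append("server-url-malformed")
    elif url.scheme == "ldap":
        # Without StartTLS, a simple bind over ldap:// sends the password in clear.
        findings.append("cleartext-unless-starttls")
    for pair in filter(None, opts.get("ldap-options", "").split(",")):
        key, _, value = pair.partition("=")
        if key.strip() == "OPT_X_TLS_REQUIRE_CERT" and value.strip() in WEAK_REQCERT:
            findings.append("tls-cert-not-enforced")
    by_email = opts.get("login-use-username", "False").lower() != "true"
    if by_email and "username" in placeholders(opts.get("search-filter", "")):
        # The thread's log shows "username is None" for e-mail logins.
        findings.append("filter-references-unset-username")
    known = LOGIN_PARAMS | {f.strip() for f in opts.get("search-fields", "").split(",")}
    for key in ("auto-register-username", "auto-register-email"):
        if placeholders(opts.get(key, "")) - known:
            findings.append(key + "-unresolvable")
    return findings


if __name__ == "__main__":
    for finding in audit(options_from_log(SAMPLE_LOG)):
        print(finding)
```

A configuration that uses an `ldaps://` URL, `OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_DEMAND`, and only placeholders backed by `search-fields` returns an empty list.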
