Local installation : Integration with Active Directory


We would like to setup our on premises Galaxy server but I’ve been struggling with one point, AD Authentication.
I’ve been reading the docs Authentication — Galaxy Project 20.09 documentation and it seems it should be quite straightforward, but i’m always getting an error and can’t get around it. I tried to search the help but couldn’t find anything matching my problem.

This is the error I am getting when trying to login with AD user :

galaxy.webapps.galaxy.controllers.user DEBUG 2021-02-23 11:13:01,984 [p:10651,w:1,m:0] [uWSGIWorker1Core1] trans.app.config.auth_config_file: /srv/galaxy/config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2021-02-23 11:13:01,984 [p:10651,w:1,m:0] [uWSGIWorker1Core1] LDAP authenticate: email is itadmin@pasteur-kh.org
galaxy.auth.providers.ldap_ad DEBUG 2021-02-23 11:13:01,984 [p:10651,w:1,m:0] [uWSGIWorker1Core1] LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad DEBUG 2021-02-23 11:13:01,984 [p:10651,w:1,m:0] [uWSGIWorker1Core1] LDAP authenticate: options are {'allow-register': 'False', 'server': 'ldap://XXX', 'search-fields': 'sAMAccountName,mail', 'search-base': 'ou=XXX,dc=XXX,dc=XXX', 'search-user': 'cn=XXX,dc=XXX,dc=XXX', 'search-password': 'XXX', 'bind-user': '{sAMAccountName}@domain.com', 'bind-password': '{password}', 'redact_username_in_logs': False, 'no_password_check': False}
galaxy.web.framework.decorators ERROR 2021-02-23 11:13:01,985 [p:10651,w:1,m:0] [uWSGIWorker1Core1] Uncaught exception in exposed API method:
Traceback (most recent call last):
  File "lib/galaxy/web/framework/decorators.py", line 294, in decorator
    rval = func(self, trans, *args, **kwargs)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 118, in login
    return self.__validate_login(trans, payload, **kwd)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 136, in __validate_login
    message, user = self.__autoregistration(trans, login, password)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 85, in __autoregistration
    autoreg = trans.app.auth_manager.check_auto_registration(trans, login, password)
  File "lib/galaxy/auth/__init__.py", line 63, in check_auto_registration
    auth_results = provider.authenticate(email, username, password, options)
  File "lib/galaxy/auth/providers/ldap_ad.py", line 204, in authenticate
    failure_mode, params = self.ldap_search(email, username, options)
  File "lib/galaxy/auth/providers/ldap_ad.py", line 121, in ldap_search
    raise RuntimeError("Failed to load LDAP module: %s", str(ldap_import_exc))
RuntimeError: ('Failed to load LDAP module: %s', "No module named 'ldap'")

And this is the error i’m getting on web browser :
Uncaught exception in exposed API method:

Additional information
Server : Ubuntu v20.04.1 LTS
pip list|grep ldap python3-ldap git status
On branch release_20.09
Your branch is up to date with ‘origin/release_20.09’.

This is my auth_conf.xml

<?xml version="1.0"?>




Thank you for any help you can provide to us

Note : LDAP is working as I can search my account and when I try to register

# ldapsearch -vv -x -H ldap://xxx.domain.com -b "ou=XXX,dc=domain,dc=com" -D IPC_LDAP -W "sAMAccountName=username"
ldap_initialize( ldap://xxx.domain.com:389/??base )
Enter LDAP Password:
filter: sAMAccountName=username
requesting: All userApplication attributes
# extended LDIF
# LDAPv3
# base <ou=XXX,dc=domain,dc=com> with scope subtree
# filter: sAMAccountName=username
# requesting: ALL

# USER NAME, IT, IT, XXX, domain.com
objectClass: top

And when trying to register with a username that’s already in AD, I get the following message on the web browser :
Account registration not required for your account. Please simply login.

have you solved the issue in the meantime or have you got help from other channels (e.g.: gitter)?

if not, the error message:

('Failed to load LDAP module: %s', "No module named 'ldap'")

looks pretty obvious to me. Have you tried to install “python-ldap” into the virtual environment?

Regards, Hans-Rudolf

Indeed after doing some research, I’ve found out that you needed to have python-ldap v2.xx installed and it was not working with python3-ldap which I had installed (thanks to the bug report opened here : Failed to load LDAP module · Issue #10410 · galaxyproject/galaxy · GitHub )

However, after fixing this and installing the proper python-ldap version, I’m still unable to login

No such user or invalid password. is what I’m getting when trying to login from a web browser

And in Galaxy I’m getting :

galaxy.auth.providers.ldap_ad INFO 2021-03-04 15:14:18,727 [p:328922,w:1,m:0] [uWSGIWorker1Core2] LDAP authenticate: bind exception: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563'}

It’s kinda hard to figure out where the issue is coming from (I’m sure of the LDAP user and password for searches)

This is the new auth_conf.xml that I am currently using, maybe there an option that is set improperly





Thanks for any help.
There is unfortunately very little documentation for using AD accounts or I don’t know where to search for it.

well, I see: ‘Invalid credentials’

So I wonder, if you have the right options for:


as far as I know, the ‘search-user’ should be in the format of “ldapuser@dc1.domain.com

It is difficult to provide full documentation for this, since every set-up is different. I can only recommend, you talk with your local IT folks (who have set up the ldap server) and go through all the possible options.

When I was struggling (this was several years ago), I wrote a little perl script based on https://www.perlmonks.org/?node_id=601806 (first reply by Eric) to test the credentials outside of galaxy, which was much quicker (since it didn’t require a restart every time).