Local installation : Integration with Active Directory

Hello,

We would like to set up our on-premises Galaxy server but I’ve been struggling with one point, AD authentication.
I’ve been reading the docs (Authentication — Galaxy Project 20.09 documentation) and it seems it should be quite straightforward, but I’m always getting an error and can’t get around it. I tried to search the help but couldn’t find anything matching my problem.

This is the error I am getting when trying to log in with an AD user:

galaxy.webapps.galaxy.controllers.user DEBUG 2021-02-23 11:13:01,984 [p:10651,w:1,m:0] [uWSGIWorker1Core1] trans.app.config.auth_config_file: /srv/galaxy/config/auth_conf.xml
galaxy.auth.providers.ldap_ad DEBUG 2021-02-23 11:13:01,984 [p:10651,w:1,m:0] [uWSGIWorker1Core1] LDAP authenticate: email is itadmin@pasteur-kh.org
galaxy.auth.providers.ldap_ad DEBUG 2021-02-23 11:13:01,984 [p:10651,w:1,m:0] [uWSGIWorker1Core1] LDAP authenticate: username is None
galaxy.auth.providers.ldap_ad DEBUG 2021-02-23 11:13:01,984 [p:10651,w:1,m:0] [uWSGIWorker1Core1] LDAP authenticate: options are {'allow-register': 'False', 'server': 'ldap://XXX', 'search-fields': 'sAMAccountName,mail', 'search-base': 'ou=XXX,dc=XXX,dc=XXX', 'search-user': 'cn=XXX,dc=XXX,dc=XXX', 'search-password': 'XXX', 'bind-user': '{sAMAccountName}@domain.com', 'bind-password': '{password}', 'redact_username_in_logs': False, 'no_password_check': False}
galaxy.web.framework.decorators ERROR 2021-02-23 11:13:01,985 [p:10651,w:1,m:0] [uWSGIWorker1Core1] Uncaught exception in exposed API method:
Traceback (most recent call last):
  File "lib/galaxy/web/framework/decorators.py", line 294, in decorator
    rval = func(self, trans, *args, **kwargs)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 118, in login
    return self.__validate_login(trans, payload, **kwd)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 136, in __validate_login
    message, user = self.__autoregistration(trans, login, password)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 85, in __autoregistration
    autoreg = trans.app.auth_manager.check_auto_registration(trans, login, password)
  File "lib/galaxy/auth/__init__.py", line 63, in check_auto_registration
    auth_results = provider.authenticate(email, username, password, options)
  File "lib/galaxy/auth/providers/ldap_ad.py", line 204, in authenticate
    failure_mode, params = self.ldap_search(email, username, options)
  File "lib/galaxy/auth/providers/ldap_ad.py", line 121, in ldap_search
    raise RuntimeError("Failed to load LDAP module: %s", str(ldap_import_exc))
RuntimeError: ('Failed to load LDAP module: %s', "No module named 'ldap'")

And this is the error I’m getting in the web browser:
Uncaught exception in exposed API method:

Additional information
Server: Ubuntu v20.04.1 LTS

pip list | grep ldap
python3-ldap 0.9.8.4

git status
On branch release_20.09
Your branch is up to date with 'origin/release_20.09'.

This is my auth_conf.xml:

<?xml version="1.0"?>
<auth>
    <authenticator>
        <type>ldap</type>

        <options>
            <allow-register>False</allow-register>
            <server>ldap://ldapserver.domain.com</server>
            <search-fields>sAMAccountName,mail</search-fields>
            <search-base>ou=XXX,dc=XXX,dc=XXX</search-base>

            <search-user>cn=XXX,dc=XXX,dc=XXX</search-user>
            <search-password>XXX</search-password>
        </options>
    </authenticator>
</auth>

Thank you for any help you can provide to us.

Note: LDAP is working, as I can search my account and when I try to register:

# ldapsearch -vv -x -H ldap://xxx.domain.com -b "ou=XXX,dc=domain,dc=com" -D IPC_LDAP -W "sAMAccountName=username"
ldap_initialize( ldap://xxx.domain.com:389/??base )
Enter LDAP Password:
filter: sAMAccountName=username
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=XXX,dc=domain,dc=com> with scope subtree
# filter: sAMAccountName=username
# requesting: ALL
#

# USER NAME, IT, IT, XXX, domain.com
dn: CN=USER NAME,OU=IT,OU=IT,OU=XXX,DC=domain,DC=com
objectClass: top

And when trying to register with a username that’s already in AD, I get the following message in the web browser:
“Account registration not required for your account. Please simply login.”

Hi,
Have you solved the issue in the meantime, or have you got help from other channels (e.g. Gitter)?

If not, the error message:

('Failed to load LDAP module: %s', "No module named 'ldap'")

looks pretty obvious to me. Have you tried to install “python-ldap” into the virtual environment?

Regards, Hans-Rudolf

Indeed, after doing some research, I’ve found out that you need to have python-ldap v2.xx installed and it was not working with python3-ldap, which I had installed (thanks to the bug report opened here: Failed to load LDAP module · Issue #10410 · galaxyproject/galaxy · GitHub).

However, after fixing this and installing the proper python-ldap version, I’m still unable to log in.

“No such user or invalid password.” is what I’m getting when trying to log in from a web browser.

And in Galaxy I’m getting:

galaxy.auth.providers.ldap_ad INFO 2021-03-04 15:14:18,727 [p:328922,w:1,m:0] [uWSGIWorker1Core2] LDAP authenticate: bind exception: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563'}

It’s kinda hard to figure out where the issue is coming from (I’m sure of the LDAP user and password for searches).

This is the new auth_conf.xml that I am currently using; maybe there is an option that is set improperly:

<auth>
    <authenticator>
        <type>ldap</type>
        <filter>'{email}'.endswith('@domain.com')</filter>

        <options>
            <allow-register>True</allow-register>
            <auto-register>True</auto-register>
            <allow-password-change>False</allow-password-change>
            <auto-create-roles>False</auto-create-roles>
            <auto-create-groups>False</auto-create-groups>
            <auto-assign-roles-to-groups-only>False</auto-assign-roles-to-groups-only>

            <server>ldap://dc1.domain.com</server>
            <login-use-username>False</login-use-username>
            <continue-on-failure>False</continue-on-failure>
            <search-fields>sAMAccountName,mail</search-fields>
            <search-base>ou=USERS,dc=domain,dc=org</search-base>
            <search-filter>(&amp;(objectClass=user)(mail={email}))</search-filter>
            <search-user>ldapuser</search-user>
            <search-password>ldappassword</search-password>
            <bind-user>{sAMAccountName}</bind-user>
            <bind-password>{password}</bind-password>
            <auto-register-username>{sAMAccountName}</auto-register-username>
            <auto-register-email>{mail}</auto-register-email>
        </options>
    </authenticator>
</auth>

Thanks for any help.
There is unfortunately very little documentation for using AD accounts or I don’t know where to search for it.

Well, I see: ‘Invalid credentials’

So I wonder if you have the right options for:

<server>ldap://dc1.domain.com</server>
<search-user>ldapuser</search-user>
<search-password>ldappassword</search-password>

As far as I know, the ‘search-user’ should be in the format “ldapuser@dc1.domain.com”.

It is difficult to provide full documentation for this, since every set-up is different. I can only recommend, you talk with your local IT folks (who have set up the ldap server) and go through all the possible options.

When I was struggling (this was several years ago), I wrote a little perl script based on https://www.perlmonks.org/?node_id=601806 (first reply by Eric) to test the credentials outside of galaxy, which was much quicker (since it didn’t require a restart every time).

Hans-Rudolf
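Along the lines of the standalone test script suggested above, here is an added example (not from this thread and not Galaxy’s own code) in Python using python-ldap, the module Galaxy’s ldap_ad provider loads. It replays the provider’s search-then-bind sequence against the options from an auth_conf.xml and decodes the AD “data NNN” sub-code seen in the bind exception above; the server, search-user (shown in UPN form) and bind-user values are placeholders.

```python
import re

# Placeholder options mirroring the second auth_conf.xml in the thread (assumed values).
OPTIONS = {
    "server": "ldap://dc1.domain.com",
    "search-base": "ou=USERS,dc=domain,dc=org",
    "search-filter": "(&(objectClass=user)(mail={email}))",
    "search-fields": "sAMAccountName,mail",
    "search-user": "ldapuser@domain.com",        # UPN form; placeholder
    "search-password": "ldappassword",           # placeholder
    "bind-user": "{sAMAccountName}@domain.com",  # placeholder UPN template
    "bind-password": "{password}",
}

# Meaning of the "data NNN" sub-code in an AD AcceptSecurityContext bind error.
AD_BIND_CODES = {
    "525": "user not found", "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def expand(template, params):
    """Fill Galaxy-style placeholders such as {email}, {sAMAccountName} or {password}."""
    return template.format_map(params)

def explain_ad_bind_error(info):
    """Map the 'info' text of an INVALID_CREDENTIALS exception to (code, reason)."""
    m = re.search(r"data ([0-9a-f]+)", info or "")
    code = m.group(1) if m else None
    return code, AD_BIND_CODES.get(code, "unknown reason")

def check_credentials(options, email, password):
    """Return (ok, detail): bind as search-user, find the entry, then bind as that user."""
    import ldap  # python-ldap (the 'ldap' module), imported lazily so the helpers work without it
    from ldap.filter import escape_filter_chars
    conn = ldap.initialize(options["server"])
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD sends referrals that otherwise break the search
    conn.simple_bind_s(options["search-user"], options["search-password"])
    filt = expand(options["search-filter"], {"email": escape_filter_chars(email)})
    attrs = options["search-fields"].split(",")
    hits = conn.search_s(options["search-base"], ldap.SCOPE_SUBTREE, filt, attrs)
    hits = [(dn, a) for dn, a in hits if dn]  # drop referral results, which have dn None
    if not hits:
        return False, "no entry matched filter %s" % filt
    dn, attrs_found = hits[0]
    params = {k: v[0].decode() for k, v in attrs_found.items()}
    params["password"] = password
    try:
        conn.simple_bind_s(expand(options["bind-user"], params), expand(options["bind-password"], params))
    except ldap.INVALID_CREDENTIALS as exc:
        code, why = explain_ad_bind_error(exc.args[0].get("info", ""))
        return False, "bind as %s failed: data %s (%s)" % (dn, code, why)
    return True, "bind as %s succeeded" % dn
```

Run `check_credentials(OPTIONS, "user@domain.com", "secret")` from the Galaxy virtual environment: a failure in the first bind points at search-user/search-password, a failure in the second at the bind-user template or the user’s password, and the decoded sub-code tells a locked or disabled account apart from a wrong password.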