Question: LDAP/AD auth_conf.xml setting
leshin • 0 wrote:
Hi,
We have a Galaxy server set up to use our institution's LDAP/AD server through an Apache proxy to do the authentication. We would like to switch our authentication from the Apache proxy to using the auth_conf.xml file. But, after trying for a long time, we still cannot make it work. I wonder if someone can help us properly set up the content of the auth_conf.xml file. We would really appreciate it.
leshin
Our apache config file looks like this:
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Galaxy server login"
AuthLDAPBindDN "CN=BIND_USER,OU=Special Accounts,OU=Domain Accounts,DC=AM,DC=SAMPLE,DC=com"
AuthLDAPBindPassword 'BIND_PASSWORD'
AuthLDAPURL "ldap://ldap_server.com:3268/DC=SAMPLE,dc=com?sAMAccountName?sub?(objectClass=*)"
Require valid-user
AuthLDAPGroupAttribute uniquemember
RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
Our auth_conf.xml looks like:
<type>ldap</type>
<filter>'{email}'.endswith('@sample.com')</filter>
<options>
<allow-register>True</allow-register>
<auto-register>True</auto-register>
<!-- LDAP-specific options -->
<server>ldap://ldap_server.com:3268</server>
<login-use-username>True</login-use-username>
<!-- For Active Directory: -->
<search-fields>sAMAccountName,mail</search-fields>
<search-base>DC=SAMPLE,dc=com</search-base>
<!-- If login-use-username is True -->
<search-filter>(&amp;(objectClass=*)(sAMAccountName={username}))</search-filter>
<search-user>CN=BIND_USER,OU=Special Accounts,OU=Domain Accounts,DC=AM,DC=SAMPLE,DC=com</search-user>
<search-password>BIND_PASSWORD</search-password>
</options>
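The mapping the question asks about, as an added example that is not part of the original post or of Galaxy's own code: it splits the Apache `AuthLDAPURL` into the fields that the `auth_conf.xml` options in the question expect and serializes them as XML, which escapes the `&` in the search filter. The `<authenticator>` wrapper element and the function names are assumptions; the option names are the ones shown in the question.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# Constructed sample input: the placeholder values from the Apache config in the question.
APACHE_URL = "ldap://ldap_server.com:3268/DC=SAMPLE,dc=com?sAMAccountName?sub?(objectClass=*)"
BIND_DN = "CN=BIND_USER,OU=Special Accounts,OU=Domain Accounts,DC=AM,DC=SAMPLE,DC=com"


def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # After the first '?' come attribute?scope?filter; absent fields stay empty.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    attribute, scope, ldap_filter = (unquote(f) for f in fields)
    return {
        "server": "%s://%s" % (parts.scheme, parts.netloc),
        "base": unquote(parts.path.lstrip("/")),
        # mod_authnz_ldap defaults when a field is left out of the URL
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def galaxy_authenticator(url, search_user, search_password):
    """Return an <authenticator> XML string built from the Apache settings."""
    p = parse_auth_ldap_url(url)
    auth = ET.Element("authenticator")  # wrapper element name is an assumption
    ET.SubElement(auth, "type").text = "ldap"
    opts = ET.SubElement(auth, "options")
    values = {
        "server": p["server"],
        "login-use-username": "True",
        "search-fields": p["attribute"] + ",mail",
        "search-base": p["base"],
        # Apache searches with (&(filter)(attribute=username)); mirror that here.
        "search-filter": "(&%s(%s={username}))" % (p["filter"], p["attribute"]),
        "search-user": search_user,
        "search-password": search_password,
    }
    for name, value in values.items():
        ET.SubElement(opts, name).text = value
    # ElementTree writes '&' as '&amp;', so the result is well-formed XML.
    return ET.tostring(auth, encoding="unicode")


if __name__ == "__main__":
    print(galaxy_authenticator(APACHE_URL, BIND_DN, "BIND_PASSWORD"))
```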
Hi leshin
I am not an Apache expert, but I guess all the authentication is no longer required in the Apache config file once you have switched to doing the authentication within Galaxy based on the settings in the auth_conf.xml file.
So I would go step by step. First try to get the authentication within Galaxy based on the settings in the auth_conf.xml file to work without using the Apache proxy at all. Have a look here: https://galaxyproject.org/admin/config/external-user-auth/ (Don't forget to check the last line of this page.)
Once this is working, turn on Apache just to provide the proxy.
Hope this helps.
Regards, Hans-Rudolf
Hi Hans-Rudolf,
Thanks a lot for your reply. In fact, I just want to use auth_conf.xml to do the authentication instead of using Apache. My problem is that I cannot properly convert my current LDAP configuration into an auth_conf.xml file to make the authentication work. Again, my Apache config file is working fine and I could not make my auth_conf.xml work so far. If you have some comments about how to correct my auth_conf.xml, it will be very helpful to us.
Best
Le-Shin
Hi Le-Shin
Setting the correct options in the auth_conf.xml file is difficult, and the options depend on the settings of your local LDAP server.
What kind of error do you get in the Galaxy log file?
Hans-Rudolf