LDAP /OmniAuth


Cornelius Knopp

May 16, 2019, 4:40:23 AM
to SEEK Developers
Hi,
I'm currently trying to establish a connection between SEEK and our local LDAP service.
Theoretically, it should be possible to connect these services using OmniAuth, which is also enabled in the SEEK Server Admin Area. 

I can't find a way to configure or even access/use this OmniAuth Service from within SEEK.

How can I configure this?

Best regards
Cornelius

Stuart Owen

May 17, 2019, 10:45:12 AM
to seek-de...@googlegroups.com

Hi Cornelius,

The LDAP/OmniAuth was added as a contribution for use at the HITS institute, and as far as I'm aware it wasn't used elsewhere. I've never used it before myself or seen it in action.

I've asked HITS and it seems it is no longer used and the contributor has now left. So I'm afraid I'm not sure if it still works.

However, Alan (in Manchester) has been working on adding support for AAI, which involves incorporating a library (devise) that also provides support for LDAP and other providers. 

We will take a closer look and hopefully have more information next week.

thanks,

Stuart.

--
You received this message because you are subscribed to the Google Groups "SEEK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to seek-develope...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/seek-developers/700f36ee-24f2-43db-ae5f-5911c55bae40%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

alanrw

Jun 8, 2019, 3:39:13 PM
to SEEK Developers
Hello Cornelius

You need to configure the LDAP provider outside the normal SEEK interface. If you look in your SEEK installation directory, there is a file called
config/initializers/seek_configuration.rb-openseek.rb

where you will see:

Seek::Config.default :omniauth_providers, {
  # # https://github.com/intridea/omniauth-ldap
  # :ldap => {
  #   :title => "organization-ldap",
  #   :host => 'localhost',
  #   :port => 389,
  #   :method => :plain,
  #   :base => 'DC=example,DC=com',
  #   :uid => 'samaccountname',
  #   :password => '',
  #   :bind_dn => ''
  # }
}

Sadly, although you can alter this file to add in the LDAP values, you cannot do that once your SEEK is installed / running. You will need to change the value with Rails console (as far as I know).

We can advise on changing the running value.

Alan

carsten.for...@evolbio.mpg.de

Jul 2, 2019, 6:38:38 AM
to SEEK Developers
Hi,
I'm also interested in LDAP authentication for SEEK. The relevant section from my config/initializers/seek_configuration.rb-openseek.rb is as follows:

# omniauth settings and behaviour
  Seek::Config.default :omniauth_enabled, true
  Seek::Config.default :omniauth_user_create, true
  Seek::Config.default :omniauth_user_activate, true
  Seek::Config.default :omniauth_providers, {
     :ldap => {
       :title => 'Institutional',
       :host => 'ldap.mydomain.com',
       :port => 389,
       :method => :plain,
       :base => 'OU=people,DC=mydomain,DC=com',
       :uid => 'samACCountName',
       :password => '************',
       :bind_dn => 'CN=ldapseek,CN=Users,DC=mydomain,DC=com'
     }
  }

Restarting the rails app with these settings gives me the LDAP tab on the login page. Typing in an existing ldap username and password results in 


No route matches [POST] "/auth/ldap/callback"


On the ldap server, I can see from the logs that the authentication was successful. Any help?
You mean that restarting the server would not pick up the LDAP config?
Can you explain step-by-step how to change the values in a running SEEK instance?

When can we expect the AAI feature in master (or tagged release)?
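
An added example, not part of the original thread or of SEEK's own code: the provider settings posted above use `:method => :plain` on port 389, so the bind password and every user's password travel to the LDAP server unencrypted, and the service account password is a literal in the initializer. The Ruby check below scans initializer text for those two settings and contrasts it with a variant using `:method => :ssl` on port 636 and a password read from the environment. The names `audit_ldap_initializer` and `SEEK_LDAP_BIND_PASSWORD` and both sample texts are assumptions constructed for illustration, and the hardened variant assumes the LDAP server offers LDAPS.

```ruby
# Added example: scan a SEEK-style initializer for weak omniauth-ldap settings
# without evaluating it. audit_ldap_initializer, SEEK_LDAP_BIND_PASSWORD and
# both sample texts are constructed for illustration.

FINDINGS = {
  cleartext_transport:      ':method => :plain sends bind and user passwords unencrypted',
  password_literal_in_file: ':password is a string literal stored in the initializer'
}.freeze

def audit_ldap_initializer(text)
  # Skip commented-out lines, such as the defaults shipped in the file.
  live = text.lines.reject { |line| line.strip.start_with?('#') }.join
  found = []
  found << :cleartext_transport if live[/:method\s*=>\s*:(\w+)/, 1] == 'plain'
  found << :password_literal_in_file if live =~ /:password\s*=>\s*(['"])[^'"]+\1/
  found
end

# Constructed sample modelled on the settings posted in the thread.
WEAK_SAMPLE = <<~'CONF'
  Seek::Config.default :omniauth_providers, {
    :ldap => {
      :host => 'ldap.mydomain.com',
      :port => 389,
      :method => :plain,
      :password => 'placeholder-secret',
      :bind_dn => 'CN=ldapseek,CN=Users,DC=mydomain,DC=com'
    }
  }
CONF

# Same provider over LDAPS, with the bind password taken from the environment.
HARDENED_SAMPLE = <<~'CONF'
  Seek::Config.default :omniauth_providers, {
    :ldap => {
      :host => 'ldap.mydomain.com',
      :port => 636,
      :method => :ssl,
      :password => ENV.fetch('SEEK_LDAP_BIND_PASSWORD'),
      :bind_dn => 'CN=ldapseek,CN=Users,DC=mydomain,DC=com'
    }
  }
CONF

if __FILE__ == $PROGRAM_NAME
  { 'weak' => WEAK_SAMPLE, 'hardened' => HARDENED_SAMPLE }.each do |name, text|
    puts "#{name}: #{audit_ldap_initializer(text).map { |f| FINDINGS[f] }.inspect}"
  end
end
```

Keeping the password out of the file also keeps it out of any container image built from a modified installation.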

Cornelius Knopp

Jul 23, 2019, 9:22:13 AM
to SEEK Developers
Hi,
Today I managed to drive my SEEK instance up to the same problem with the missing route to /auth/ldap/callback.

Are you using SEEK as Docker-compose containers? Then you might have to "copy" them to your personal DockerHub Account in order to save the altered settings.
1) Edit the files inside the running Docker container. To access the container's bash, use `docker exec -it -u root CONTAINER_ID bash`
2) Save the running container as an image: `docker commit CONTAINER_ID IMAGE_NAME`
3) Log in to Docker Hub: `docker login` (might only be possible if preceded by `sudo su -`)
4) Tag your image: `docker tag IMAGE_NAME DOCKER_NAME/IMAGE_NAME[:VERSION]`
5) Push the image to Docker Hub: `docker push DOCKER_NAME/IMAGE_NAME[:VERSION]`


Then you're able to replace "fairdom/seek:version" by "DOCKER_NAME/IMAGE_NAME:version"

The AAI feature was mentioned as "future development" at the PAL & User Meeting last week.

regards,
Cornelius

alanrw

Jul 23, 2019, 4:53:18 PM
to SEEK Developers
Hi.

If you look in the config, you should see a file called routes.rb

In that file, there is a line (around 790) that says

get '/auth/:provider/callback' => 'sessions#create'

Can you try changing that to

post '/auth/:provider/callback' => 'sessions#create'

For the timescale of the AAI release, that is now being worked on (mainly by me). It should be done in the next few weeks - say mid-August.
Will you be interested in testing / reviewing the development releases?

Alan

Cornelius Knopp

Jul 24, 2019, 1:35:33 AM
to SEEK Developers
Hi,

I will try and let you know if this solves the problem.

Yes, I would be very interested in testing/reviewing this feature.

Regards
Cornelius

Carsten Fortmann-Grote

Jul 26, 2019, 2:18:15 AM
to seek-de...@googlegroups.com
Hi, thanks for looking into this.

I use SEEK installed from sources. Issue observed in both
master/HEAD and tag 1.83.

Regards, Carsten



Carsten Fortmann-Grote

Jul 26, 2019, 2:21:05 AM
to seek-de...@googlegroups.com
I confirm that @alanrw's fix solves the issue at hand. See also

https://github.com/seek4science/seek/issues/82

Regards, Carsten


Cornelius Knopp

Jul 26, 2019, 3:57:57 AM
to SEEK Developers
I can confirm it too!
Thanks a lot.

Carole Goble

Jul 26, 2019, 4:24:03 AM
to Cornelius Knopp, SEEK Developers

Thanks Alan!

Carole
