External Access Protocols in NOMAD Oasis

Luca_Seravalli · May 2, 2023, 9:50am

Hello to all,
we are considering the installation of NOMAD Oasis on the server of our institute - the IT manager asked me for some more information about external users access to be used in NOMAD Oasis.
I know that there is a white-list mechanism, but the IT manager would need to use a LDAP protocol or a Domain-Access (Windows) protocol.
This would make much easier for us to manage users’ access as we could have a relevant number of users involved.

I did not find informations on this in the OASIS documentation, although I am not an expert by any means and I might not have understood exactly how this could work.

Thank you and all the best

mscheidgen · May 2, 2023, 10:54am

NOMAD uses keycloak as a user management solution. Keycloak is well known, well supported and very popular software. It runs as an individual service and it provides all the login, passwort reset, registering, etc. functionality. For example, if you log into NOMAD, the login form is coming from keycloak. Keycloak also has lots of config options to connect and federate with existing user directories.

You can install your Oasis, either using our central keycloak service that we provide and control, or using your own keycloak service as part of the Oasis installation. With the second option you can configure your keycloak yourself and there are lots of tutorials out there showing how to federated with LDAP/active directory.

this is the section of the Oasis installation documentation, where we talk about running your own keycloak: Operating an OASIS - Documentation
this is an example Oasis configuration that uses its own keycloak: https://nomad-lab.eu/prod/v1/docs/assets/nomad-oasis-with-keycloak.zip
here is one of many keycloak tutorials on active directory (but you can google for much more): Active Directory as a User Federation in Keycloak | by Yasith Kumara | Medium

Unfortunately, we cannot provide support on keycloak itself. There are much better resources from others anyways. Maybe your staff is familiar with it already. We know from other Oasis users that they did exactly what you want to do and did it successfully.

Luca_Seravalli · May 2, 2023, 1:42pm

That is fantastic, Markus,
thank you so much for prompt and exhaustive information - I will pass this to the IT manager.
All the best!

Luca

Luca_Seravalli · May 22, 2023, 3:41pm

Hello,
we were successful in installing NOMAD Oasis and to access it from the local WiFi network. I managed to log as a registered user, however we do have some problems when I try to upload files.

When trying to upload files (that do upload successfully in the standard NOMAD), an error message pops up:
[111] Connection Refused.

Moreover, a list of uploads appear in the “Existing Uploads” section, although with the Status “Process delete_upload failed: OperationalError: [Errno 111] Connection refused”

When trying to delete such failed uploads the message "Unexpected error: “[object Object] (500)” appears. So I believe actually there are no uploads, even if they show up in the list.

The IT guy that manages the server asks for informations about the list of the firewall ports used by NOMAD Oasis, in order to open them directly on the firewall (if I understood it correctly).

Thank you in advance for your advice!

mscheidgen · May 23, 2023, 6:52am

I cannot tell a 100% from the error messages, but its likely that nomad runs, but cannot communicate with elasticsearch. Can you give us the logs of the nomad_oasis_elastic and nomad_oasis_app, ideally short after starting the oasis. Something like this would do the trick:

docker compose down
docker compose up -d
docker logs `nomad_oasis_elastic` > elastic.log
docker logs `nomad_oasis_app` > app.log