On Mon, May 24, 2010 at 12:42:43PM +0200, Davide Cittaro wrote:
AFAIK one can put Galaxy behind an HTTP proxy and let it manage the authentication binding to LDAP. This morning I've been looking at the universe_wsgi.ini file and I've seen this:
    # Use user provided in an upstream server's $REMOTE_USER variable
    #use_remote_user = False

    # If use_remote_user is enabled and your external authentication
    # method just returns bare usernames, set a default mail domain
    #remote_user_maildomain = example.org
I suppose I should set use_remote_user = True to enable proxied authentication... nevertheless the email passed to Galaxy looks like $REMOTE_USER + REMOVE_USER_MAILDOMAIN as set in the universe_wsgi.ini... does that mean that I will not be able to authenticate, as my LDAP username is dcittaro and my email is davide.cittaro@ifom-ieo-campus.it?
When you say "nevertheless the email passed to galaxy looks like a REMOTE_USER + REMOVE_USER_MAILDOMAIN", where are you seeing that? And was REMOVE a typo?

I'll take a quick stab at explaining our setup and maybe it will help. We use LDAP for auth with Apache for our Galaxy installation, and here's the key and value information for identity at every step along the way:

Step 1: HTTP Authentication over SSL: Browser -> Apache
    Key: "Authorization" HTTP header
    Value: base64-encoded username (no @domain.tld) and password

Step 2: LDAP Verification: Apache -> LDAP Server
    Key: uid component in LDAP URL
    Value: plaintext username (no @domain.tld) and password

Step 3: Local HTTP Request: Apache -> Galaxy
    Key: "REMOTE_USER" HTTP header
    Value: plaintext username (no @domain.tld) (no password)

Step 4: Galaxy Internal
    Value: plaintext username + $REMOTE_USER_MAILDOMAIN

So at every point on the wire there's no @msi.umn.edu on the username info. Galaxy appends REMOTE_USER_MAILDOMAIN to the "REMOTE_USER" HTTP header after receiving it from the Apache proxy, and internally Galaxy uses ry4an@msi.umn.edu as the username throughout.

The Apache config has a few interesting sections:

    # put REMOTE_USER into a header for Galaxy
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
    RequestHeader unset Authorization

That hunk does a few interesting things which alter the content of Step 3 above:

- Extracts the REMOTE_USER environment variable as set by the LDAP Apache module
- Adds an HTTP header named "REMOTE_USER" to the proxy request that goes to Galaxy
- Removes the "Authorization" HTTP header that was copied from the original (Step 1) request on to the proxied request (Step 3). We do that because that request has the password in essentially plaintext and we don't want that information to leave Apache and enter Galaxy.
The other relevant bit of Apache config is:

    <Location "/">
        # Authentication
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Galaxy: MSI users only"
        AuthLDAPUrl ldaps://finch.msi.umn.edu/ou=People,ou=internal,dc=DTC
        AuthLDAPRemoteUserAttribute uid
        Require ldap-filter objectClass=posixAccount
    </Location>

which says any URL should require that the user pass an LDAP filter checking to make sure the item retrieved by their 'uid' is in fact a user (and not, say, a printer), though LDAP schemas differ wildly by site and that filter almost certainly doesn't apply in your case.

--
Ry4an Brase 612-626-6575
University of Minnesota Supercomputing Institute for Advanced Computational Research
http://www.msi.umn.edu
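As an added example (not Galaxy's code and not from anyone in this thread): a small WSGI middleware that models the Step 3 to Step 4 hand-off on the Galaxy side, including the two checks a defender would want before trusting the header, namely that the REMOTE_USER header arrived from the local proxy and that the Authorization header really was stripped. The loopback addresses, the `galaxy.user_email` environ key and the pass-through of values already containing '@' are assumptions.

```python
from typing import Callable, Iterable, Optional

# Mirrors remote_user_maildomain in universe_wsgi.ini (value assumed for the demo).
REMOTE_USER_MAILDOMAIN = "example.org"
# Assumption: Apache proxies to Galaxy from the same host, as the
# <Proxy http://localhost:8080> block suggests.
TRUSTED_PROXY_ADDRS = {"127.0.0.1", "::1"}

WSGIApp = Callable[[dict, Callable], Iterable[bytes]]


def galaxy_identity(environ: dict, maildomain: str = REMOTE_USER_MAILDOMAIN) -> Optional[str]:
    """Return the identity Galaxy would use for this request, or None to reject it.

    The "REMOTE_USER" HTTP header set by the proxy shows up in WSGI as
    HTTP_REMOTE_USER. A bare username (no @domain.tld, as in Step 3) gets the
    configured mail domain appended (Step 4); a value that already carries an
    '@' is passed through unchanged (assumption, not Galaxy's documented behaviour).
    """
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXY_ADDRS:
        return None  # any client could have sent the header itself; only the proxy is trusted
    if "HTTP_AUTHORIZATION" in environ:
        return None  # 'RequestHeader unset Authorization' did not run; credentials leaked past Apache
    user = (environ.get("HTTP_REMOTE_USER") or "").strip()
    if not user:
        return None
    return user if "@" in user else f"{user}@{maildomain}"


def remote_user_middleware(app: WSGIApp) -> WSGIApp:
    """Wrap a WSGI app so only proxy-authenticated requests reach it."""
    def wrapper(environ, start_response):
        identity = galaxy_identity(environ)
        if identity is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"remote user authentication required\n"]
        environ["galaxy.user_email"] = identity  # assumed key name for the downstream app
        return app(environ, start_response)
    return wrapper


if __name__ == "__main__":
    # Constructed sample environs: what Galaxy sees when the Apache hunks work,
    # when the Authorization header was not unset, and when a client bypasses the proxy.
    good = {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "dcittaro"}
    leaky = dict(good, HTTP_AUTHORIZATION="Basic REDACTED")
    direct = {"REMOTE_ADDR": "203.0.113.9", "HTTP_REMOTE_USER": "dcittaro"}
    for name, env in (("good", good), ("leaky", leaky), ("direct", direct)):
        print(name, galaxy_identity(env))
```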