Hi again,
I'm almost done with the whole stuff...
I'm now able to get authentication through Apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank, but when I go to the proxied Galaxy page I get this:

Access to Galaxy is denied

Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.

Please contact your local Galaxy administrator.


The browser asks for username and password (although the message above is already on screen), but in the end it doesn't work...
Some configurations:

$ cat /etc/apache2/mods-enabled/proxy.conf 
<IfModule mod_proxy.c>

        ProxyRequests Off

        ProxyVia Off
#       <Proxy balancer://galaxy>
#               BalancerMember http://localhost:8080
#               BalancerMember http://localhost:8081
#       </Proxy>
   RewriteCond %{IS_SUBREQ} ^false$
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   RequestHeader set REMOTE_USER %{RU}e
   RequestHeader unset Authorization

</IfModule>


$ cat /etc/apache2/sites-enabled/000-default 
[…]
  Order deny,allow
  AuthName "Galaxy Login"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
  AuthLDAPRemoteUserAttribute mail
  Require ldap-filter objectClass=posixAccount

[…]
RewriteEngine on
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/(.*) /data/galaxy_dist/static/$1 [L]
RewriteRule ^/galaxy/images/(.*) /data/galaxy_dist/static/images/$1 [L]
RewriteRule ^/galaxy/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /data/galaxy_dist/static/robots.txt [L]
RewriteRule ^/galaxy(.*) http://127.0.0.1:8080$1 [P]

Any hint?

d



On May 24, 2010, at 4:21 PM, Ry4an Brase wrote:

On Mon, May 24, 2010 at 04:14:33PM +0200, Davide Cittaro wrote:

That's exactly what I've tried to ask :-)

Also, that means that my galaxy user will be
dcittaro@ifom-ieo-campus.it . The problem is that email address
doesn't exist, as usernames defined in LDAP are not the usernames for
mail addresses... I guess I'll have to study LDAP search syntax and
instruct it to query with my username (dcittaro) and return the email
address stripping the domain (davide.cittaro)...

Glad it helped.  Here are some Apache Directives that will probably
help:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapremoteuserattribute

which can only legally be one of the attributes included in your:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl

That'll let you auth using the 'uid' and set REMOTE_USER to the 'email'.
If the email comes back from LDAP with the @domain.tld already appended
then don't set REMOTE_USER_DOMAIN to anything.



--
Ry4an Brase                                         612-626-6575
University of Minnesota Supercomputing Institute
for Advanced Computational Research                 http://www.msi.umn.edu

/*
Davide Cittaro

Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy

tel.: +39(02)574303007
e-mail: davide.cittaro@ifom-ieo-campus.it
*/
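
As an added illustration (not part of this thread and not Galaxy's own code), the following Python WSGI wrapper models the backend side of the setup discussed above: it reads the REMOTE_USER request header set by the proxy, treats an absent value or the literal "(null)" that mod_headers writes for an unset variable as "no username provided", appends a domain only when the name has none, and accepts the header only from the local proxy address. The names resolve_remote_user, remote_user_gate, trusted_peers, example.user and the sample identity are assumptions made for this example.

```python
from wsgiref.util import setup_testing_defaults

HEADER = "HTTP_REMOTE_USER"  # WSGI key for the REMOTE_USER request header set by the proxy

def resolve_remote_user(environ, remote_user_domain=""):
    """Return the identity forwarded by the proxy, or None when it is missing."""
    user = (environ.get(HEADER) or "").strip()
    # mod_headers writes the literal "(null)" when the variable in %{RU}e is unset
    if not user or user == "(null)":
        return None
    # Append the domain only when LDAP returned a bare name (no @domain.tld)
    if remote_user_domain and "@" not in user:
        user = f"{user}@{remote_user_domain}"
    return user

def remote_user_gate(app, remote_user_domain="", trusted_peers=("127.0.0.1",)):
    """Hypothetical WSGI wrapper: accept the header only from the local proxy."""
    def deny(start_response, reason):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [reason.encode() + b"\n"]

    def gate(environ, start_response):
        # A client reaching the backend port directly could forge the header
        if environ.get("REMOTE_ADDR") not in trusted_peers:
            return deny(start_response, "identity header accepted only from the proxy")
        user = resolve_remote_user(environ, remote_user_domain)
        if user is None:
            return deny(start_response, "a username was not provided by the upstream server")
        environ["example.user"] = user  # hypothetical key read by the wrapped app
        return app(environ, start_response)
    return gate

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['example.user']}\n".encode()]

def probe(app, peer="127.0.0.1", **headers):
    """Send one constructed request through the app; return (status, body)."""
    environ = {"REMOTE_ADDR": peer, **headers}
    setup_testing_defaults(environ)
    seen = {}
    body = b"".join(app(environ, lambda status, hdrs: seen.update(status=status)))
    return seen["status"], body.decode()

if __name__ == "__main__":
    gated = remote_user_gate(demo_app)
    print(probe(gated, HTTP_REMOTE_USER="jane.doe@example.org"))  # constructed identity
    print(probe(gated))                                    # header missing
    print(probe(gated, peer="10.0.0.5", HTTP_REMOTE_USER="jane.doe@example.org"))
```

Running the wrapped demo_app on the backend port while testing the proxy shows directly whether the header arrives empty, as "(null)", or with the expected address.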