Hi Ry4an

On May 24, 2010, at 3:32 PM, Ry4an Brase wrote:
When you say "nevertheless the email passed to galaxy looks like a REMOTE_USER + REMOVE_USER_MAILDOMAIN" where are you seeing that? and was REMOVE a typo?
Yes, it's a typo and I'm just guessing that the $userEmail (passed to galaxy) is built on those values...
I'll take a quick stab at explaining our setup and maybe it will help:
We use LDAP for auth with Apache for our Galaxy installation, and here's the key and value information for identity at every step along the way:
Step 1: HTTP Authentication over SSL: Browser -> Apache
  Key: "Authorization" HTTP Header
  Value: base64 encoded username (no @domain.tld) and password
Step 2: LDAP Verification: Apache -> LDAP Server
  Key: uid component in LDAP URL
  Value: plaintext username (no @domain.tld) and password
Step 3: Local HTTP Request: Apache -> Galaxy
  Key: "REMOTE_USER" HTTP Header
  Value: Plaintext username (no @domain.tld) (no password)
Step 4: Galaxy Internal
  Value: plaintext username + $REMOTE_USER_MAILDOMAIN
So at every point on the wire there's no @msi.umn.edu on the username info. Galaxy appends REMOTE_USER_MAILDOMAIN to the "REMOTE_USER" HTTP header after receiving it from the Apache proxy, and internally galaxy uses ry4an@msi.umn.edu as the username throughout.
That's exactly what I've tried to ask :-) Also, that means that my galaxy user will be dcittaro@ifom-ieo-campus.it . The problem is that email address doesn't exist, as usernames defined in LDAP are not the usernames for mail addresses... I guess I'll have to study LDAP search syntax and instruct it to query with my username (dcittaro) and return the email address stripping the domain (davide.cittaro)...

Thanks
d
The Apache config has a few interesting sections:
    # put REMOTE_USER into a header for Galaxy
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
    RequestHeader unset Authorization
that hunk does a few interesting things which alter the content of Step 3 above:
- Extracts the REMOTE_USER environment variable as set by the LDAP Apache module
- Adds an HTTP Header named "REMOTE_USER" to the proxy request that goes to Galaxy
- Removes the "Authorization" HTTP Header that was copied from the original (Step 1) request on to the proxied request (Step 3). We do that because that request has the password in essentially plaintext and we don't want that information to leave apache and to enter galaxy.
The other relevant bit of Apache config is:
    <Location "/">
        # Authentication
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Galaxy: MSI users only"
        AuthLDAPUrl ldaps://finch.msi.umn.edu/ou=People,ou=internal,dc=DTC
        AuthLDAPRemoteUserAttribute uid
        Require ldap-filter objectClass=posixAccount
    </Location>
which says any URL should require that the user pass an LDAP filter checking to make sure the item retrieved by their 'uid' is in fact a user (and not, say, a printer), though LDAP schemas differ wildly by site and that filter almost certainly doesn't apply in your case.
--
Ry4an Brase 612-626-6575
University of Minnesota Supercomputing Institute for Advanced Computational Research
http://www.msi.umn.edu
_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev
/*
Davide Cittaro
Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy
tel.: +39(02)574303007
e-mail: davide.cittaro@ifom-ieo-campus.it
*/
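The header handling the Apache snippet performs before proxying (Step 3) and the email construction Galaxy does with REMOTE_USER_MAILDOMAIN (Step 4), modelled as an added Python example that is not code from this thread, from Galaxy or from Apache; the DIRECTORY table and the galaxy_email_via_directory helper (the uid-to-mail lookup Davide proposes) are constructed assumptions.

```python
import base64

# Constructed stand-in for the LDAP directory: uid -> mail attribute.
# Assumption: a site where uid and the mail local part differ (Davide's case).
DIRECTORY = {
    "ry4an": "ry4an@msi.umn.edu",
    "dcittaro": "davide.cittaro@ifom-ieo-campus.it",
}


def proxy_headers(incoming, authenticated_uid):
    """Build the header set Apache forwards to Galaxy (Step 3).

    Mirrors the RequestHeader directives: REMOTE_USER is set from the
    identity Apache itself verified against LDAP, Authorization is removed
    so the base64 password never reaches Galaxy, and any REMOTE_USER the
    client supplied is overwritten rather than trusted.
    """
    out = {k: v for k, v in incoming.items()
           if k.lower() not in ("authorization", "remote_user")}
    out["REMOTE_USER"] = authenticated_uid
    return out


def galaxy_email(remote_user, maildomain):
    """Step 4: Galaxy's internal username is REMOTE_USER + maildomain."""
    return f"{remote_user}@{maildomain}"


def galaxy_email_via_directory(remote_user, maildomain):
    """Hypothetical variant for sites where uid != mail local part: look up
    the mail attribute, keep only its local part, then append the domain."""
    mail = DIRECTORY[remote_user]
    local_part = mail.split("@", 1)[0]
    return galaxy_email(local_part, maildomain)


def leaks_credentials(headers):
    """Check on the proxied request: a surviving Basic header carries the
    'user:password' pair in base64, i.e. the password in plaintext."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[6:]).decode()
        return ":" in decoded
    return False
```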