Hi Ry4an

On May 24, 2010, at 3:32 PM, Ry4an Brase wrote:


When you say "nevertheless the email passed to galaxy looks like a
REMOTE_USER + REMOVE_USER_MAILDOMAIN" where are you seeing that?  and
was REMOVE a typo?


Yes, it's a typo and I'm just guessing that the $userEmail (passed to galaxy) is built on those values...

I'll take a quick stab at explaining our setup and maybe it will help:

We use LDAP for auth with Apache for our Galaxy installation, and here's
the key and value information for identity at every step along the way:

Step 1: HTTP Authentication over SSL: Browser -> Apache
   Key: "Authorization" HTTP Header
   Value: base64 encoded username (no @domain.tld) and password

Step 2: LDAP Verification: Apache -> LDAP Server
   Key: uid component in LDAP URL
   Value: plaintext username (no @domain.tld) and password

Step 3: Local HTTP Request: Apache -> Galaxy
   Key: "REMOTE_USER" HTTP Header
   Value: Plaintext username (no @domain.tld) (no password)

Step 4: Galaxy Internal
   Value: plaintext username + $REMOTE_USER_MAILDOMAIN

So at every point on the wire there's no @msi.umn.edu on the username info.
Galaxy appends REMOTE_USER_MAILDOMAIN to the "REMOTE_USER" HTTP header
after receiving it from the Apache proxy, and internally galaxy uses
ry4an@msi.umn.edu as the username throughout.


That's exactly what I've tried to ask :-) 
Also, that means that my galaxy user will be dcittaro@ifom-ieo-campus.it. The problem is that this email address doesn't exist, as usernames defined in LDAP are not the usernames for mail addresses... I guess I'll have to study LDAP search syntax and instruct it to query with my username (dcittaro) and return the email address stripping the domain (davide.cittaro)...

Thanks

d

The Apache config has a few interesting sections:

   # put REMOTE_USER into a header for Galaxy
   <Proxy http://localhost:8080>
       Order deny,allow
       Allow from all
   </Proxy>
   RewriteCond %{IS_SUBREQ} ^false$
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   RequestHeader set REMOTE_USER %{RU}e
   RequestHeader unset Authorization

that hunk does a few interesting things which alter the content of Step
3 above:
   - Extracts the REMOTE_USER environment variable as set by the LDAP
     Apache module

   - Adds an HTTP Header named "REMOTE_USER" to the proxy request that
     goes to Galaxy

   - Removes the "Authorization" HTTP Header that was copied from the
     original (Step 1) request on to the proxied request (Step 3).  We
     do that because that request has the password in essentially
     plaintext and we don't want that information to leave apache and
     to enter galaxy.

The other relevant bit of Apache config is:

   <Location "/">
       # Authentication
       AuthType Basic
       AuthBasicProvider ldap
       AuthName "Galaxy: MSI users only"
       AuthLDAPUrl ldaps://finch.msi.umn.edu/ou=People,ou=internal,dc=DTC
       AuthLDAPRemoteUserAttribute uid
       Require ldap-filter objectClass=posixAccount
   </Location>

which says any URL should require that the user pass an LDAP filter
checking to make sure the item retrieved by their 'uid' is in fact a
user (and not, say, a printer), though LDAP schemas differ wildly by
site and that filter almost certainly doesn't apply in your case.

--
Ry4an Brase                                         612-626-6575
University of Minnesota Supercomputing Institute
for Advanced Computational Research                 http://www.msi.umn.edu
_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev

/*
Davide Cittaro

Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy

tel.: +39(02)574303007
e-mail: davide.cittaro@ifom-ieo-campus.it
*/
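Ry4an's four steps, including the header rewriting his two Apache hunks perform, modelled end to end in Python as an added example (not code from the thread, from Apache or from Galaxy). The directory entries, the password and the Galaxy mail domain are constructed stand-ins for what the real LDAP server and Galaxy configuration hold.

```python
import base64

# Constructed stand-in for the LDAP directory of Step 2 (not real MSI data):
# one posixAccount user and one non-user entry that also carries a uid.
DIRECTORY = {
    "ry4an": {"uid": "ry4an", "objectClass": ["posixAccount"], "userPassword": "s3cret"},
    "prn01": {"uid": "prn01", "objectClass": ["device"], "userPassword": "s3cret"},
}
REMOTE_USER_MAILDOMAIN = "msi.umn.edu"  # Galaxy's setting, as described in the thread

def basic_header(user, password):
    """Step 1 as sent by the browser: Basic auth, username without @domain.tld."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_auth(authorization):
    """Step 1 as seen by Apache: decode the header back to (user, password)."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def ldap_authenticate(user, password):
    """Step 2: bind as the uid and apply 'Require ldap-filter objectClass=posixAccount';
    the returned attribute value is what AuthLDAPRemoteUserAttribute uid makes REMOTE_USER."""
    entry = DIRECTORY.get(user)
    if entry is None or entry["userPassword"] != password:
        return None
    if "posixAccount" not in entry["objectClass"]:
        return None  # a uid that is not a person (the printer case from the thread)
    return entry["uid"]

def proxy_to_galaxy(client_headers):
    """Step 3: the headers Apache forwards to Galaxy, or None if the request is refused.
    'RequestHeader set REMOTE_USER' replaces whatever the client sent under that name,
    and 'RequestHeader unset Authorization' keeps the password inside Apache."""
    auth = next((v for k, v in client_headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return None
    remote_user = ldap_authenticate(*parse_basic_auth(auth))
    if remote_user is None:
        return None
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in ("authorization", "remote_user")}
    forwarded["REMOTE_USER"] = remote_user
    return forwarded

def galaxy_identity(forwarded_headers):
    """Step 4: Galaxy appends REMOTE_USER_MAILDOMAIN to the REMOTE_USER header."""
    return forwarded_headers["REMOTE_USER"] + "@" + REMOTE_USER_MAILDOMAIN
```

Feeding proxy_to_galaxy a request that carries its own REMOTE_USER header shows that header replaced by the LDAP-verified uid and the Authorization header gone, which is the point of the two RequestHeader lines.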