Re: [galaxy-dev] LDAP authentification

Hi, Thanks to log messages from remoteuser.py in "./lib/galaxy/web/framework/middleware/remoteuser.py": print('affichage des variables d acces') print ('self domain : %s'%self.maildomain) print ('path info : %s'%path_info) print ('admin user : %s' %self.admin_users) http_remote_user = environ.get('HTTP_REMOTE_USER','') print ('http remote user : %s'%http_remote_user) remote_user = environ.get('REMOTE_USER', '') print ('remote user :%s' %remote_user) Galaxy prints every environment variable it receives, and I have seen that HTTP_REMOTE_USER variable is "(null)". Moreover, Galaxy is defined as a valid Proxy (reverse proxy ??) so galaxy.conf is : <VirtualHost localhost:port> # Define Galaxy as a valid Proxy <Proxy localhost:port> Order deny,allow Allow from all

RewriteEngine on # Take the $REMOTE_USER environment variable and set it as a header in the proxy request. RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] # Set the REMOTE_USER header to the contents of the LDAP query response's "uid" attribute RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e RewriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/static/style/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/images/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/images/$1 [L] RewriteRule ^/favicon.ico /usr/local/bioinfo/src/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/favicon.ico /var/www/html/favicon.ico [L] RewriteRule ^/robots.txt /usr/local/bioinfo/src/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) localhost:port$1 [P] </Proxy> <Location "/....." > AuthType Basic AuthBasicProvider ldap AuthName "Galaxy" AuthLDAPURL "ldap://serveur ..." AuthzLDAPAuthoritative on Require valid-user </Location> </VirtualHost> But, I didn't achieve, yet , to access REMOTE_USER value throught proxy. In universe_wsgi.ini, *use_remote_user = True* and *remote_user_maildomain = toulouse.inra.fr* Thanks in advance, Sarah Nate Coraor a écrit : > On Jan 19, 2012, at 10:49 AM, Sarah Maman wrote: > > >> Hi Brad, Hi Christopher, >> >> Thanks a lot. >> I'm talking to Open LDAP. I have changed >> >> RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e >> to >> RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e >> >> But I always have the same message /(Access to Galaxy is denied >> Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server. )/ >> > > Hi Sarah, > > This configuration will need to be in your Apache config (the location of which varies depending on your OS and/or how Apache is installed) rather than an .htaccess file. > > --nate > > >> This is my .conf file : >> <Proxy http://localhost:8080> >> Order deny,allow >> Allow from all >> </Proxy> >> >> RewriteEngine on >> >> <Location "/"> >> AuthType Basic >> AuthName Galaxy >> AuthBasicProvider ldap >> AuthLDAPURL "ldap://server/ou=People,ou=genopole,ou=toulouse,o=inra,c=fr?u >> id?sub?(objectClass=person)" >> AuthzLDAPAuthoritative off >> Require valid-user >> # Take the $REMOTE_USER environment variable and set it as a header in the proxy request. >> #RewriteCond %{IS_SUBREQ} ^false$ >> #RewriteCond %{LA-U:REMOTE_USER} (.+) >> #RewriteRule . - [E=RU:%1] >> #RequestHeader set REMOTE_USER %{RU}e >> RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e >> </Location> >> >> >> Thanks in advance, >> Sarah >> >> >> >> >> Langhorst, Brad a écrit : >> >>> Hi Sarah: >>> >>> I don't know what kind of LDAP you're talking to... I'm talking to Active >>> Directory and this configuration works in that situation. >>> >>> Order allow,deny >>> allow from all >>> >>> AuthType Basic >>> AuthName "NEB Credentials" >>> AuthBasicProvider ldap >>> AuthzLDAPAuthoritative off >>> AuthLDAPBindDN ccalookup(a)neb.com >>> AuthLDAPBindPassword <password> >>> AuthLDAPURL >>> "ldap://<ldap.domain.com>:389/dc=domain,dc=com?sAMAccountName" >>> require valid-user >>> RewriteCond %{IS_SUBREQ} ^false$ >>> RewriteCond %{LA-U:REMOTE_USER} (.+) >>> RewriteRule . - [E=RU:%1] >>> RequestHeader set REMOTE_USER >>> %{AUTHENTICATE_sAMAccountName}e >>> >>> >>> >> ___________________________________________________________ >> Please keep all replies on the list by using "reply all" >> in your mail client. To manage your subscriptions to this >> and other Galaxy lists, please use the interface at: >> >> http://lists.bx.psu.edu/ >> >> > >