<Directory />
Options FollowSymLinks
AllowOverride None
AuthName " LDAP Test Web Site"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://servername.part1.part2.edu:389/dc=part1,dc=part2,dc=edu?mail
Require valid-user
</Directory>
OK - instructions say do this:
<Location />
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://server:389/ou=People,dc=example,dc=org?uid?sub?(objectClass=person)"
AuthzLDAPAuthoritative off
Require valid-user
</Location>
RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
If I do this:
Directory />
Options FollowSymLinks
AllowOverride None
AuthName " LDAP Test Web Site"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://servername.part1.part2.edu:389/ou=People,dc=part1,dc=part2,dc=edu?uid?sub?(objectClass=person)"
Require valid-user
</Directory>
RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
gives (in the http error log) from trying to open the sample page....:
Thu Dec 17 22:43:22 2009] [warn] [client ] [7281] auth_ldap authenticate: user kimberly@host.net authentication failed; URI / [User not found][No such object]
[Thu Dec 17 22:43:22 2009] [error] [client ] user kimberly@host.net not found: /
[Thu Dec 17 22:43:31 2009] [warn] [client ] [7282] auth_ldap authenticate: user kimberly@host.net authentication failed; URI / [User not found][No such object]
[Thu Dec 17 22:43:31 2009] [error] [client ] user kimberly@host.net not found: /
If I change it so that we omit the uid reference to make it a mail reference like this:
Directory />
Options FollowSymLinks
AllowOverride None
AuthName "hpc108 LDAP Test Web Site"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://servername.part1.part2.edu:389/ou=People,dc=part1,dc=part2,dc=edu?mail?sub?(objectClass=person)"
Require valid-user
</Directory>
RequestHeader set REMOTE_USER %{AUTHENTICATE_mail}e
The sample page connects but the galaxy page says the REMOTE_USER is empty like this:
Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator.
Then if I change it up a bit and keep the URL line with the mail reference and change the request header to the uid reference - the sample page loads but the galaxy page gives the above access denied message and these messages in the galaxy log:
10.1.74.61 - - [17/Dec/2009:22:59:08 -0400] "GET /galaxy_test/ HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10"
10.1.74.61 - - [17/Dec/2009:22:59:22 -0400] "GET /galaxy_test/ HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10"
I have also tried a zillion combinations with the ou, dc and sub tags to no avail - but I might have missed the one combination that works!
Just putting this out there in case it is obvious to you guys where the problem may be.....
Kimberly Begley wrote:I am trying to set up the apache proxy setting for a local galaxy install.I have this section set but the REMOTE_USER is not getting set properly:<Location />AuthType BasicAuthBasicProvider ldapAuthLDAPURL "ldap://server:389/ou=People,dc=domain,dc=edu?uid?sub?(objectClass=person)"AuthzLDAPAuthoritative offRequire valid-user</Location>RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}eI have a feeling I'm missing something.The authentication for the server is working but the galaxy interface gives the error message that the remote user is not being sent.Any additional settings that I'm missing here?
Hi Kimberly,
If you're using that exact block, it would not work. Your AuthLDAPURL value will need to be modified to your site. This normally means changing:
"ldap://" to "ldaps://" if using LDAP over SSL.
"server" to the hostname of your LDAP server.
"389" to an alternate port if applicable.
"ou=People" to another organizational unit if your user accounts live at a different location in the LDAP directory (although "People" is the standard)
"dc=domain,dc=edu" to the base distinguished name used by your LDAP server (usually, but not always, your DNS domain)
"uid" to the LDAP field containing the user name.
"person" to one of the object classes assigned to account entries.
This requires a pretty substantial knowledge of LDAP, so if unsure, it'd be best to contact your LDAP directory administrator.
--nate