Hello Kimberly,

If you're feeling adventurous, you can add the following three lines to the galaxy code and see exactly which variables are passed from apache to galaxy. This helped me a lot while debugging external authentication issues. For each HTTP access, galaxy will print all the environment variables with their values. Then you can test the value of "HTTP_REMOTE_USER" and see if it makes sense. In my case, I discovered that the LDAP module returned the user name in "AUTHENTICATE_SAMACCOUNTNAME" and not in "AUTHENTICATE_uid" or "AUTHENTICATE_email".

To manually add the changes: the file to change is "./lib/galaxy/web/framework/middleware/remoteuser.py". Add "import sys" at the beginning of the file, and add these two lines at the beginning of the "__call__" method:

-------
for k,v in environ.items():
    sys.stderr.write ( "%s:\t%s\n" % ( k, v ) )
-------

(Or just use the attached patch file.)

An example output (in STDERR) would look like:

============
HTTP_COOKIE: galaxysession=eb142648ac45b7709c1ca5bdf2476dcc3e7fc4d2ac0f753c234528c891b375f65d1039c9dae7dba0
SCRIPT_NAME:
REQUEST_METHOD: GET
PATH_INFO: /
SERVER_PROTOCOL: HTTP/1.1
QUERY_STRING:
CONTENT_LENGTH: 0
HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_CONNECTION: keep-alive
SERVER_NAME: 127.0.0.1
REMOTE_ADDR: 127.0.0.1
SERVER_PORT: 8080
HTTP_HOST: localhost:8080
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
CONTENT_TYPE:
HTTP_ACCEPT_ENCODING: gzip,deflate
HTTP_KEEP_ALIVE: 300
===============

If apache added the LDAP results in an environment variable, you should see it listed, but see HTTP_REMOTE_USER as "null".

-gordon

Nate Coraor wrote, On 01/15/2010 08:31 AM:
Hi Kimberly,
Since Galaxy is a proxied application, $REMOTE_USER works differently than it does for a PHP script (which runs directly in Apache's environment).
I don't have an authenticating LDAP server that I can test with (we use Kerberos), so unfortunately I'll have to make some guesses here. Could you try adding the following directives:
Inside the <Directory> block:
AuthLDAPRemoteUserAttribute mail
And after (remove the existing RequestHeader):
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
Thanks, --nate
Kimberly Begley wrote:
Hello,
Just a quick update - I'm still having problems - I have tested out the remote_user variable setting with a php script and it is being set to the email address entered in the LDAP authentication page but Galaxy is giving me the error:
Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator.
Any ideas?
Thanks, Kimberly
On Tue, Dec 22, 2009 at 6:30 AM, <galaxy-dev-request@lists.bx.psu.edu> wrote:
Message: 1
Date: Mon, 21 Dec 2009 12:35:40 -0500
From: Nate Coraor <nate@bx.psu.edu>
To: Kimberly Begley <kimberly@fisciconsulting.com>
Cc: galaxy-dev@bx.psu.edu
Subject: Re: [galaxy-dev] Apache proxy configs
Message-ID: <4B2FB1EC.9090304@bx.psu.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Have you tried it with your working URL? It looks like it returns a full email:
AuthLDAPURL ldap://servername.part1.part2.edu:389/dc=part1,dc=part2,dc=edu?mail
RequestHeader set REMOTE_USER %{AUTHENTICATE_mail}e
--nate
Kimberly Begley wrote:
> Hello - sorry not enough details - was trying to get an idea if I was
> missing another chunk of settings. Server name has been adjusted.
>
> This is what we have set up for general authentication on the machine
> and it works fine.
>
>> <Directory />
>> Options FollowSymLinks
>> AllowOverride None
>>
>> AuthName " LDAP Test Web Site"
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthzLDAPAuthoritative off
>> AuthLDAPURL ldap://servername.part1.part2.edu:389/dc=part1,dc=part2,dc=edu?mail
>> Require valid-user
>> </Directory>
>>
>> OK - instructions say do this:
>>
>> <Location />
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthLDAPURL "ldap://server:389/ou=People,dc=example,dc=org?uid?sub?(objectClass=person)"
>> AuthzLDAPAuthoritative off
>> Require valid-user
>> </Location>
>> RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
>>
>> If I do this:
>>
>> <Directory />
>> Options FollowSymLinks
>> AllowOverride None
>>
>> AuthName " LDAP Test Web Site"
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthzLDAPAuthoritative off
>>
>> AuthLDAPURL "ldap://servername.part1.part2.edu:389/ou=People,dc=part1,dc=part2,dc=edu?uid?sub?(objectClass=person)"
>> Require valid-user
>> </Directory>
>> RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
>>
>> gives (in the http error log) from trying to open the sample page....:
>>
>> [Thu Dec 17 22:43:22 2009] [warn] [client ] [7281] auth_ldap authenticate: user kimberly@host.net authentication failed; URI / [User not found][No such object]
>> [Thu Dec 17 22:43:22 2009] [error] [client ] user kimberly@host.net not found: /
>> [Thu Dec 17 22:43:31 2009] [warn] [client ] [7282] auth_ldap authenticate: user kimberly@host.net authentication failed; URI / [User not found][No such object]
>> [Thu Dec 17 22:43:31 2009] [error] [client ] user kimberly@host.net not found: /
>>
>> If I change it so that we omit the uid reference to make it a mail
>> reference like this:
>>
>> <Directory />
>> Options FollowSymLinks
>> AllowOverride None
>>
>> AuthName "hpc108 LDAP Test Web Site"
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthzLDAPAuthoritative off
>> AuthLDAPURL "ldap://servername.part1.part2.edu:389/ou=People,dc=part1,dc=part2,dc=edu?mail?sub?(objectClass=person)"
>> Require valid-user
>> </Directory>
>> RequestHeader set REMOTE_USER %{AUTHENTICATE_mail}e
>>
>> The sample page connects but the galaxy page says the REMOTE_USER is
>> empty like this:
>>
>> Access to Galaxy is denied
>>
>> Galaxy is configured to authenticate users via an external method
>> (such as HTTP authentication in Apache), but a username was not
>> provided by the upstream (proxy) server. This is generally due to a
>> misconfiguration in the upstream server.
>>
>> Please contact your local Galaxy administrator.
>>
>> Then if I change it up a bit and keep the URL line with the mail
>> reference and change the request header to the uid reference - the
>> sample page loads but the galaxy page gives the above access denied
>> message and these messages in the galaxy log:
>>
>> 10.1.74.61 - - [17/Dec/2009:22:59:08 -0400] "GET /galaxy_test/ HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10"
>> 10.1.74.61 - - [17/Dec/2009:22:59:22 -0400] "GET /galaxy_test/ HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10"
>>
>> I have also tried a zillion combinations with the ou, dc and sub tags
>> to no avail - but I might have missed the one combination that works!
>>
>> Just putting this out there in case it is obvious to you guys where
>> the problem may be.....
>
> Any ideas?
>
> Thanks in advance,
>
> Kimberly
>
> On 19/12/2009, at 1:54 AM, Nate Coraor wrote:
>
>> Kimberly Begley wrote:
>>
>>> I am trying to set up the apache proxy setting for a local galaxy
>>> install.
>>> I have this section set but the REMOTE_USER is not getting set properly:
>>> <Location />
>>> AuthType Basic
>>> AuthBasicProvider ldap
>>> AuthLDAPURL "ldap://server:389/ou=People,dc=domain,dc=edu?uid?sub?(objectClass=person)"
>>> AuthzLDAPAuthoritative off
>>> Require valid-user
>>> </Location>
>>> RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
>>> I have a feeling I'm missing something.
>>> The authentication for the server is working but the galaxy interface
>>> gives the error message that the remote user is not being sent.
>>> Any additional settings that I'm missing here?
>>
>> Hi Kimberly,
>>
>> If you're using that exact block, it would not work. Your AuthLDAPURL
>> value will need to be modified to your site. This normally means
>> changing:
>>
>> "ldap://" to "ldaps://" if using LDAP over SSL.
>> "server" to the hostname of your LDAP server.
>> "389" to an alternate port if applicable.
>> "ou=People" to another organizational unit if your user accounts live
>> at a different location in the LDAP directory (although "People" is
>> the standard)
>> "dc=domain,dc=edu" to the base distinguished name used by your LDAP
>> server (usually, but not always, your DNS domain)
>> "uid" to the LDAP field containing the user name.
>> "person" to one of the object classes assigned to account entries.
>>
>> This requires a pretty substantial knowledge of LDAP, so if unsure,
>> it'd be best to contact your LDAP directory administrator.
>>
>> --nate
>
> Kimberly Begley | Bioinformatician, Project Manager
> Tel: +61 7 3371 6554 | Mobile: 0422 393 833
> Email: kimberly@fisciconsulting.com
> Web: www.fisciconsulting.com
> 91/59 Keating St, Indooroopilly QLD 4068 Australia
------------------------------
Message: 2
Date: Tue, 22 Dec 2009 06:04:56 +1000
From: Kimberly Begley <kimberly@fisciconsulting.com>
To: Nate Coraor <nate@bx.psu.edu>
Cc: galaxy-dev@bx.psu.edu
Subject: Re: [galaxy-dev] Apache proxy configs
Message-ID: <B3487D90-DDC2-4DDB-A281-A625BFB058B7@fisciconsulting.com>
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Hi Nate,
Yes - it works fine for the sample ldap page but gives the same galaxy message on screen:
Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator.
Galaxy log says:
[21/Dec/2009:15:00:22 -0400] "GET /galaxy_test/ HTTP/1.1" 403 - "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10"
Thanks, Kimberly
Kimberly Begley | Bioinformatician, Project Manager Tel: +61 7 3371 6554 | Mobile: 0422 393 833 Email: kimberly@fisciconsulting.com <mailto:kimberly@fisciconsulting.com> Web: www.fisciconsulting.com <http://www.fisciconsulting.com> 91/59 Keating St, Indooroopilly QLD 4068 Australia
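The environ dump gordon describes at the top of this thread, together with the check Galaxy's remoteuser middleware makes on HTTP_REMOTE_USER, worked through as an added example (this is not code from Galaxy or from anyone in the thread). The sample environ values, hello_app and RemoteUserDebugMiddleware are constructed for illustration, and the block runs stand-alone without Apache; as in the thread, the check is only meaningful when the proxy itself sets the REMOTE_USER header on every request, which is what the RequestHeader directive does.

```python
import io
import sys

# Constructed sample WSGI environ, modelled on the STDERR dump in the post:
# Apache passed no REMOTE_USER header, so Galaxy's middleware sees no username.
SAMPLE_ENVIRON_NO_USER = {
    "REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_PROTOCOL": "HTTP/1.1",
    "SERVER_NAME": "127.0.0.1", "SERVER_PORT": "8080", "HTTP_HOST": "localhost:8080",
    "REMOTE_ADDR": "127.0.0.1", "HTTP_COOKIE": "galaxysession=<constructed>",
}
# The same request once the proxy applies a directive such as
# "RequestHeader set REMOTE_USER %{AUTHENTICATE_mail}e" (value constructed).
SAMPLE_ENVIRON_WITH_USER = dict(SAMPLE_ENVIRON_NO_USER,
                                HTTP_REMOTE_USER="someone@example.org")


def dump_environ(environ, stream=sys.stderr):
    """Gordon's debugging trick: print every WSGI variable, one per line."""
    for k, v in sorted(environ.items()):
        stream.write("%s:\t%s\n" % (k, v))


def find_auth_vars(environ):
    """Variables that could carry the identity: HTTP_REMOTE_USER is what the
    Galaxy remoteuser middleware reads; AUTHENTICATE_* is where mod_authnz_ldap
    exposes LDAP attributes, which reach a proxied app only via a header."""
    return {k: v for k, v in environ.items()
            if k == "HTTP_REMOTE_USER" or k.startswith("AUTHENTICATE_")}


def remote_user_or_none(environ):
    """The middleware's check: a non-empty username must arrive from the proxy."""
    user = environ.get("HTTP_REMOTE_USER", "").strip()
    return user or None


class RemoteUserDebugMiddleware:
    """WSGI wrapper (constructed): dump environ, then refuse requests lacking
    REMOTE_USER. Safe only behind a proxy that sets that header itself."""

    def __init__(self, app, stream=sys.stderr):
        self.app, self.stream = app, stream

    def __call__(self, environ, start_response):
        dump_environ(environ, self.stream)
        if remote_user_or_none(environ) is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Access to Galaxy is denied: no username from upstream\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for Galaxy: greets whichever user the proxy asserted."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello %s\n" % environ["HTTP_REMOTE_USER"]).encode()]


def run_request(environ):
    """Run one constructed request; return (status line, captured environ dump)."""
    log, seen = io.StringIO(), []
    app = RemoteUserDebugMiddleware(hello_app, stream=log)
    b"".join(app(environ, lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0], log.getvalue()
```

Running run_request on the two sample environs reproduces the thread's symptom: the first is refused with 403 because the dump contains no HTTP_REMOTE_USER line, the second is served.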