On May 25, 2010, at 4:04 PM, Ry4an Brase wrote:
On Tue, May 25, 2010 at 02:54:12PM +0200, Davide Cittaro wrote:
Hi again, I'm almost done with the whole stuff... I'm now able to get authentication through apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank but as I go to the proxied galaxy page I get this:
Access to Galaxy is denied
Hrm, just for sanity-check sake you do have 'use_remote_user' enabled in your universe_wsgi.ini, right?
:-) Yes, it is (besides, should I set any other field to False, such as allow_users_creation?)
Are you certain the 'email' field in your LDAP entries contains the @domain.tld portion of the email address? If not you should be setting remote_user_domain to '@domain.tld'.
Yes, the mail field in LDAP contains the domain. I've commented the remote_user_maildomain in universe_wsgi.ini
What about, and this is just a guess, moving the RewriteConds, RewriteRule, and RequestHeader lines out of /etc/apache2/mods-enabled/proxy.conf and into /etc/apache2/sites-enabled/000-default
Those are vhost specific, so putting them in the general server config context in which the proxy.conf is interpreted might not see them loaded in the vhost where your galaxy config lives.
I've moved them into the specific vhost file (which is now 001-galaxy, a separate entry with 8080 binding only)
If that doesn't do it I'd be moving on to debugging using either tcpdump/ethereal, which will let you view the network traffic between apache and galaxy, or by setting a RewriteLog and RewriteLogLevel 5 and watching to make sure my rewrite cond/rule setup is in fact adding the variable.
I'm right now testing your suggestion (and the ones on the galaxy wiki). I've seen that this rule

RequestHeader set REMOTE_USER %{RU}e

doesn't actually set the REMOTE_USER variable but HTTP_REMOTE_USER. I've made this test:

RequestHeader set REMOTE_USER "foo"

and I have these two values:

HTTP_REMOTE_USER = "foo"
REMOTE_USER = davide.cittaro@ifom-ieo-campus.it

I wonder if galaxy is somehow reading from HTTP_REMOTE_USER, which is set to (null) if no RequestHeader is specified... I'm now going to test this

d
The browser asks for username and password (although the message above is already on screen), but in the end it doesn't work... Some configurations:
$ cat /etc/apache2/mods-enabled/proxy.conf
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyVia Off
# <Proxy balancer://galaxy>
#   BalancerMember http://localhost:8080
#   BalancerMember http://localhost:8081
# </Proxy>
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
RequestHeader unset Authorization
</IfModule>
$ cat /etc/apache2/sites-enabled/000-default
[…]
Order deny,allow
AuthName "Galaxy Login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
AuthLDAPRemoteUserAttribute mail
Require ldap-filter objectClass=posixAccount
[…]
RewriteEngine on
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/(.*) /data/galaxy_dist/static/$1 [L]
RewriteRule ^/galaxy/images/(.*) /data/galaxy_dist/static/images/$1 [L]
RewriteRule ^/galaxy/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /data/galaxy_dist/static/robots.txt [L]
RewriteRule ^/galaxy(.*) http://127.0.0.1:8080$1 [P]
Any hint?
d
On May 24, 2010, at 4:21 PM, Ry4an Brase wrote:
On Mon, May 24, 2010 at 04:14:33PM +0200, Davide Cittaro wrote:
That's exactly what I've tried to ask :-)
Also, that means that my galaxy user will be dcittaro@ifom-ieo-campus.it . The problem is that email address doesn't exist, as usernames defined in LDAP are not the usernames for mail addresses... I guess I'll have to study LDAP search syntax and instruct it to query with my username (dcittaro) and return the email address stripping the domain (davide.cittaro)...
Glad it helped. Here are some Apache Directives that will probably help:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapremoteuser...
which can only legally be one of the attributes included in your:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl
That'll let you auth using the 'uid' and set REMOTE_USER to the 'email'. If the email comes back from LDAP with the @domain.tld already appended then don't set REMOTE_USER_DOMAIN to anything.
--
Ry4an Brase 612-626-6575
University of Minnesota Supercomputing Institute for Advanced Computational Research
http://www.msi.umn.edu
_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev
/* Davide Cittaro
Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy
tel.: +39(02)574303007
e-mail: davide.cittaro@ifom-ieo-campus.it */
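The REMOTE_USER vs HTTP_REMOTE_USER observation in the thread is standard CGI behaviour: a request header is exposed to the proxied application under an HTTP_ prefix, while the unprefixed REMOTE_USER only reflects authentication done by the server hosting the application itself. The following is an added example, not Galaxy's or Apache's own code, that models how a header injected with RequestHeader arrives on the WSGI side and how a use_remote_user-style check with an optional maildomain suffix would consume it. The function names, the AccessDenied class, and the TRUSTED_PROXY_ADDRS list are hypothetical; the one setting it adds beyond the thread is that the identity header is only honoured when the request comes from the proxy's address (here 127.0.0.1, matching the [P] rule above), since an application that is bound on 8080 and trusts a plain header otherwise has no way to tell the proxy from any other client.

```python
# Added example (not Galaxy's or Apache's own code): how a REMOTE_USER value
# injected by the proxy with "RequestHeader set REMOTE_USER ..." appears on
# the proxied WSGI side, and a hypothetical use_remote_user-style check.

from typing import Dict, Iterable

# Constructed/hypothetical: the addresses the reverse proxy connects from.
# In the thread the vhost proxies to http://127.0.0.1:8080.
TRUSTED_PROXY_ADDRS = ("127.0.0.1", "::1")


def cgi_environ_from_request(headers: Dict[str, str], remote_addr: str,
                             apache_auth_user: str = "") -> Dict[str, str]:
    """Build the CGI/WSGI environ a proxied app would see.

    Per the CGI spec every request header is exposed as HTTP_<NAME>, so a
    header literally named REMOTE_USER becomes HTTP_REMOTE_USER. The
    unprefixed REMOTE_USER key only exists when the server hosting the app
    authenticated the request itself, which is why the two differed in the
    thread's test ("foo" vs the LDAP mail attribute).
    """
    environ = {"REMOTE_ADDR": remote_addr}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    if apache_auth_user:
        environ["REMOTE_USER"] = apache_auth_user
    return environ


class AccessDenied(Exception):
    """Raised when no usable remote-user identity is present."""


def resolve_remote_user(environ: Dict[str, str], remote_user_domain: str = "",
                        trusted_proxies: Iterable[str] = TRUSTED_PROXY_ADDRS) -> str:
    """Hypothetical equivalent of a use_remote_user check.

    Only the proxy may assert identity via the header: a request reaching
    the app from any other address is refused even if it carries
    HTTP_REMOTE_USER. The configured maildomain (remote_user_domain, e.g.
    "@domain.tld") is appended only when the value has no '@' already,
    matching the advice in the thread to leave it blank when LDAP already
    returns the full address.
    """
    if environ.get("REMOTE_ADDR") not in set(trusted_proxies):
        raise AccessDenied("identity header not accepted from this address")
    user = environ.get("HTTP_REMOTE_USER", "").strip()
    if not user:
        raise AccessDenied("Access to Galaxy is denied")
    if "@" not in user and remote_user_domain:
        user += remote_user_domain
    return user


def access_is_denied(environ: Dict[str, str], remote_user_domain: str = "",
                     trusted_proxies: Iterable[str] = TRUSTED_PROXY_ADDRS) -> bool:
    """Boolean wrapper around resolve_remote_user for checks and tests."""
    try:
        resolve_remote_user(environ, remote_user_domain, trusted_proxies)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    # Constructed request as Apache would forward it after the RewriteCond /
    # RequestHeader lines in the thread: Authorization stripped, REMOTE_USER
    # header carrying the LDAP mail attribute.
    env = cgi_environ_from_request(
        {"Host": "localhost:8080",
         "REMOTE_USER": "davide.cittaro@ifom-ieo-campus.it"},
        remote_addr="127.0.0.1")
    print(sorted(k for k in env if k.startswith("HTTP_")))
    print(resolve_remote_user(env))
    # No header at all: the same outcome the thread reports.
    print(access_is_denied(cgi_environ_from_request({}, "127.0.0.1")))
```

Reproducing the thread's experiment with `cgi_environ_from_request({"REMOTE_USER": "foo"}, "127.0.0.1", apache_auth_user="davide.cittaro@ifom-ieo-campus.it")` yields HTTP_REMOTE_USER = "foo" next to REMOTE_USER = the LDAP mail value, which is exactly the split the poster saw; an application behind a proxy therefore has to read the HTTP_ form, and the RequestHeader unset Authorization line above keeps the Basic credentials from being forwarded along with it.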