On May 25, 2010, at 4:04 PM, Ry4an Brase wrote:

On Tue, May 25, 2010 at 02:54:12PM +0200, Davide Cittaro wrote:
Hi again,
I'm almost done with the whole stuff...
I'm now able to get authentication through apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank but as I go to the proxied galaxy page I get this:

Access to Galaxy is denied

Hrm, just for sanity-check sake you do have 'use_remote_user' enabled in
your universe_wsgi.ini, right?


:-) Yes, it is (Besides, should I set any other field to False, such as allow_users_creation?)

Are you certain the 'email' field in your LDAP entries contain the
@domain.tld portion of the email address?  If not you should be setting
remote_user_domain to '@domain.tld'.

Yes, the mail field in LDAP contains the domain. I've commented out the remote_user_maildomain in universe_wsgi.ini


What about, and this is just a guess, moving the RewriteConds,
RewriteRule, and RequestHeader lines out of
/etc/apache2/mods-enabled/proxy.conf and into
/etc/apache2/sites-enabled/000-default

Those are vhost specific, so putting them in the general server config
context in which the proxy.conf is interpreted might not see them loaded
in the vhost where your galaxy config lives.


I've moved them into the specific vhost file (which is now 001-galaxy, a separate entry with 8080 binding only)

If that doesn't do it I'd be moving on to debugging using either
tcpdump/ethereal, which will let you view the network traffic between
apache and galaxy, or by setting a RewriteLog and RewriteLogLevel 5 and
watching to make sure my rewrite cond/rule setup is in fact adding the
variable.


I'm right now testing your suggestion (and the ones on galaxy wiki). I've seen that this rule

RequestHeader set REMOTE_USER %{RU}e 

doesn't actually set the REMOTE_USER variable but HTTP_REMOTE_USER. I made this test:

RequestHeader set REMOTE_USER "foo"

and I have these two values:

HTTP_REMOTE_USER = "foo"
REMOTE_USER = davide.cittaro@ifom-ieo-campus.it

I wonder if galaxy is somehow reading from HTTP_REMOTE_USER, which is set to (null) if no RequestHeader is specified... I'm now going to test this

d

The browser asks for username and password (although the message above is already on screen), but in the end it doesn't work...
Some configurations:

$ cat /etc/apache2/mods-enabled/proxy.conf
<IfModule mod_proxy.c>

        ProxyRequests Off

        ProxyVia Off
#       <Proxy balancer://galaxy>
#               BalancerMember http://localhost:8080
#               BalancerMember http://localhost:8081
#       </Proxy>
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
        RequestHeader unset Authorization

</IfModule>


$ cat /etc/apache2/sites-enabled/000-default
[…]
 Order deny,allow
 AuthName "Galaxy Login"
 AuthType Basic
 AuthBasicProvider ldap
 AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
 AuthLDAPRemoteUserAttribute mail
 Require ldap-filter objectClass=posixAccount

[…]
RewriteEngine on
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/(.*) /data/galaxy_dist/static/$1 [L]
RewriteRule ^/galaxy/images/(.*) /data/galaxy_dist/static/images/$1 [L]
RewriteRule ^/galaxy/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /data/galaxy_dist/static/robots.txt [L]
RewriteRule ^/galaxy(.*) http://127.0.0.1:8080$1 [P]

Any hint?

d



On May 24, 2010, at 4:21 PM, Ry4an Brase wrote:

On Mon, May 24, 2010 at 04:14:33PM +0200, Davide Cittaro wrote:

That's exactly what I've tried to ask :-)

Also, that means that my galaxy user will be
dcittaro@ifom-ieo-campus.it . The problem is that email address
doesn't exist, as usernames defined in LDAP are not the usernames for
mail addresses... I guess I'll have to study LDAP search syntax and
instruct it to query with my username (dcittaro) and return the email
address stripping the domain (davide.cittaro)...

Glad it helped.  Here are some Apache Directives that will probably
help:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapremoteuserattribute

which can only legally be one of the attributes included in your:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl

That'll let you auth using the 'uid' and set REMOTE_USER to the 'email'.
If the email comes back from LDAP with the @domain.tld already appended
then don't set REMOTE_USER_DOMAIN to anything.



--
Ry4an Brase                                         612-626-6575
University of Minnesota Supercomputing Institute
for Advanced Computational Research                 http://www.msi.umn.edu
_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev

/*
Davide Cittaro

Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy

tel.: +39(02)574303007
e-mail: davide.cittaro@ifom-ieo-campus.it
*/




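Added example (not Galaxy's own remoteuser middleware and not code from anyone in the thread) showing the header-versus-variable distinction Davide ran into: the REMOTE_USER that Apache sets after LDAP auth is a CGI variable local to Apache, while what crosses the proxy hop is the REMOTE_USER request header, which a WSGI backend sees as HTTP_REMOTE_USER. The middleware below reads only that header, treats the literal "(null)" string that Apache 2.2 emits for an unset %{RU}e as "no user" (the value Davide saw), appends an optional mail domain in either the "@domain.tld" or "domain.tld" form, and accepts the header only from the proxy's own address so that a host that can reach the backend port directly cannot assert an identity. TRUSTED_PROXIES, the demo application, and the helper functions are assumptions made for this illustration.

```python
"""Added example: a WSGI middleware that consumes a proxy-set REMOTE_USER header.

This is not Galaxy's own middleware.  TRUSTED_PROXIES, the demo app and the
helpers are assumptions for illustration only.
"""

# Reverse proxies allowed to assert a user identity (assumption for the example).
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

# What an Apache 2.2 "RequestHeader set X %{RU}e" sends when RU was never set;
# this is the "(null)" value observed in the thread.
APACHE_UNSET = "(null)"


def resolve_remote_user(environ, maildomain=""):
    """Return the identity asserted by the proxy, or None if none is usable.

    A request header named REMOTE_USER arrives in WSGI as HTTP_REMOTE_USER.
    The CGI variable REMOTE_USER that Apache sets for itself never reaches the
    backend, so environ["REMOTE_USER"] is deliberately ignored here.
    """
    # Only a trusted proxy may speak for the user; the same header coming from
    # any other peer is treated as absent (it could be spoofed).
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None

    user = (environ.get("HTTP_REMOTE_USER") or "").strip()
    if not user or user == APACHE_UNSET:
        return None

    # Mirror a remote_user_maildomain-style setting: append a domain only when
    # the LDAP attribute did not already contain one.  Accept "@d.tld" or "d.tld".
    if maildomain and "@" not in user:
        domain = maildomain if maildomain.startswith("@") else "@" + maildomain
        user = user + domain
    return user


class RemoteUserMiddleware:
    """Deny the request unless the proxy asserted a usable identity."""

    def __init__(self, app, maildomain=""):
        self.app = app
        self.maildomain = maildomain

    def __call__(self, environ, start_response):
        user = resolve_remote_user(environ, self.maildomain)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Access to Galaxy is denied"]
        # Hand the normalized identity to the application.
        environ["HTTP_REMOTE_USER"] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected application (assumption)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["HTTP_REMOTE_USER"]).encode("utf-8")]


def make_environ(remote_addr, remote_user=None):
    """Constructed WSGI environ, shaped like a request relayed by the proxy."""
    env = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if remote_user is not None:
        env["HTTP_REMOTE_USER"] = remote_user
    return env


def call(app, environ):
    """Invoke a WSGI app and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


if __name__ == "__main__":
    app = RemoteUserMiddleware(demo_app)
    print(call(app, make_environ("127.0.0.1", "davide.cittaro@ifom-ieo-campus.it")))
    print(call(app, make_environ("127.0.0.1", "(null)")))
    print(call(app, make_environ("10.0.0.5", "davide.cittaro@ifom-ieo-campus.it")))
```

Two operational caveats follow from this. First, the REMOTE_ADDR check only helps if the backend listens solely on the loopback address the proxy connects from; the thread's `RewriteRule ... http://127.0.0.1:8080$1 [P]` already assumes that. Second, the proxy must overwrite the header rather than append to it: the thread's `RequestHeader set REMOTE_USER %{RU}e` does overwrite, so a REMOTE_USER header supplied by the client is replaced before it reaches the backend, but with the directive placed where the vhost does not see it, the client's own header would be forwarded untouched.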