Hi Harris, I can't pin-point your issue exactly, to be honest I don't quite remember how I got to this working configuration. Still please take a look at this configuration as I'm using it in almost exactly the same enviroment, Centos 6/Apache 2.2.15/Active Directory... <VirtualHost *:80> ServerAdmin admin@local ServerName galaxy.local:80 <Proxy http://localhost:8080> Order deny,allow Allow from all </Proxy> RewriteEngine on <Location "/"> AuthName "Galaxy BFX" AuthType Basic AuthBasicAuthoritative off AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL [LDAP_URL] AuthLDAPBindDN [DN] AuthLDAPBindPassword [PW] Require valid-user # Set the REMOTE_USER header to the contents of the LDAP query response's "uid" attribute RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e XSendFile on XSendFilePath / </Location> RewriteRule ^/static/style/(.*) /local/opt/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/scripts/(.*) /local/opt/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/static/(.*) /local/opt/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/favicon.ico /local/opt/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/robots.txt /local/opt/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) http://localhost:8080$1 [P] ErrorLog logs/galaxy.local-error_log CustomLog logs/galaxy.local-access_log common </VirtualHost> Cheers, Carlos On Mon, Nov 19, 2012 at 12:49 PM, Harris Shapiro <hjshapiro@gmail.com> wrote:
Hello,
I'm writing because I've been trying for the past few days to configure Galaxy to use Apache-based LDAP authentication, but have reached a point where I'm basically stuck. The system in a virtual machine running:
- CentOS 5.8 - Apache 2.2.3
I'm trying to configure a Galaxy instance at "localhost:8080", with Active Directory authentication.
I started with the admin page documentation:
http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy
and also worked through the troubleshooting examples found at:
a) http://user.list.galaxyproject.org/Galaxy-Apache-External-Authentication-tt4... b) http://gmod.827538.n3.nabble.com/galaxy-dev-ldap-integration-td839409.html c) http://lists.bx.psu.edu/pipermail/galaxy-dev/2010-January/001676.html
Following the debugging steps suggested by URL (a), I'm able to verify that:
1) The authentication clause I have works, without rewrite rules and without a proxy. 2) Without rewrite rules and a proxy, the Apache environment has the AUTHENTICATE_SAMACCOUNTNAME and REMOTE_USER environment variables set.
Unfortunately, when I turn on the proxy (setting "use_remote_user" and "remote_user_maildomain" in universe_wsgi.ini accordingly), I get the following error message when I try accessing the "localhost:8080" URL, the following error message appears:
"Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator."
As suggested by URLs (a) and (c), I modified ./lib/galaxy/web/framework/middleware/remoteuser.py to print the environment seen by that script. None of the remote user information seems to be making to the script, either from AUTHENTICATE_SAMACCOUNTNAME or REMOTE_USER, no matter which of the suggested combinations of "RewriteCond", "RewriteRule", and "RequestHeader" options I tried. In addition, the troubleshooting suggestions to force a REMOTE_USER value to be set via a directive like:
RequestHeader add REMOTE_USER [user name]
also failed to pass REMOTE_USER to the remoteuser.py script.
I've included below an extract from the Apache configuration file that I've been trying. Any advice or assistance that people might be able to provide would be greatly appreciated, and please let me know if you'd need any additional information from me.
Sincerely, Harris Shapiro Genomic Health, Inc.
Extract from Apache configuration file: Note: I've also tried a variant where I replaced REMOTE_USER with AUTHENTICATE_SAMACCOUNTNAME in the various RewriteCond & RequestHeader directives. That variant produced the same error message.
<Proxy http://localhost:8080> Order deny,allow Allow from all </Proxy>
RewriteEngine on
<Location "/"> AuthType Basic AuthName "Please log in with your Windows account" AuthBasicProvider ldap AuthLDAPURL [Verified LDAP connection information] AuthzLDAPAuthoritative off AuthLDAPBindDN [Verified DN] AuthLDAPBindPassword [Verified password] Require valid-user RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e </Location>
RewriteRule ^/static/style/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/scripts/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/static/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/favicon.ico /home/hshapiro/software/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/robots.txt /home/hshapiro/software/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) http://localhost:8080$1 [P]
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: