NTLM auth not passing http_remote_user?
It appears that NTLM isn't passing the HTTP_REMOTE_USER through for us. Anyone else struck this and found a solution?

Our apache config looks like this:

    <Location "/">
        AuthName "Galaxy"
        NTLMAuth on
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        NTLMBasicAuthoritative on
        AuthType NTLM
        require valid-user

        # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

thanx,
--Russell

    CONTENT_LENGTH '0'
    HTTP_ACCEPT '*/*'
    HTTP_ACCEPT_ENCODING 'gzip, deflate'
    HTTP_ACCEPT_LANGUAGE 'en-NZ'
    HTTP_AUTHORIZATION 'NTLM bla bla bla'
    HTTP_CONNECTION 'Keep-Alive'
    HTTP_COOKIE '__utmc=89232139; __utma=89232139.1132753487.1341174446.1342136886.1342560287.3; __utmz=89232139.1342560287.3.3.utmcsr=gw.agresearch.co.nz|utmccn=(referral)|utmcmd=referral|utmcct=/Pages/Default.aspx; __utmb=89232139.4.10.1342560287; galaxysession=c6ca0dd bla bla bla' bla bla bla' bla bla bla' bla bla bla' bla bla bla' bla bla bla' bla bla bla' bla bla bla' bla bla bla'
    HTTP_HOST 'galaxy-dev.agresearch.co.nz'
    HTTP_REMOTE_USER '(null)'
    HTTP_USER_AGENT 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.3)'
    HTTP_X_FORWARDED_FOR '147.158.129.160'
    HTTP_X_FORWARDED_HOST 'galaxy-dev.agresearch.co.nz'
    HTTP_X_FORWARDED_SERVER 'galaxy.agresearch.co.nz'
    ORGINAL_HTTP_HOST 'localhost:8080'
    ORGINAL_REMOTE_ADDR '127.0.0.1'
    PATH_INFO '/'
    REMOTE_ADDR '147.158.129.160'
    REQUEST_METHOD 'GET'
    SERVER_NAME '127.0.0.1'
    SERVER_PORT '8080'
    SERVER_PROTOCOL 'HTTP/1.1'

=======================================================================
Attention: The information contained in this message and/or attachments from AgResearch Limited is intended only for the persons or entities to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipients is prohibited by AgResearch Limited. If you have received this message in error, please notify the sender immediately.
=======================================================================

Hello Russell,

Smithies, Russell wrote, On 07/17/2012 05:41 PM:
> It appears that NTLM isn't passing the HTTP_REMOTE_USER through for us. Anyone else struck this and found a solution?
> Our apache config looks like this:
>
> <Location "/">
>     AuthName "Galaxy"
>     NTLMAuth on
>     NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
>     NTLMBasicAuthoritative on
>     AuthType NTLM
>     require valid-user
>
>     # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
>     RewriteCond %{IS_SUBREQ} ^false$
>     RewriteCond %{LA-U:REMOTE_USER} (.+)
>     RewriteRule . - [E=RU:%1]
>     RequestHeader set REMOTE_USER %{RU}e
> </Location>

<snip>

> HTTP_REMOTE_USER '(null)'

One voodoo solution that worked for me (not with NTLM, but exactly with the same '(null)' symptom) is to take the entire "RewriteCond" part outside of the <Location> block. Put it in the global configuration file, after the <Location> part, but before the proxy statement.

Also, the exact incantation that worked for me (after many many trials and errors) is:

===
RewriteRule . - [E=RU:%{LA-U:REMOTE_USER}]
RequestHeader set REMOTE_USER %{RU}e
===

It's voodoo (to me) because it probably has something to do with deep apache internals, relating to execution order of the authentication module vs the "mod_rewrite" parts (and the "LA-U" [Look-ahead] thing sure doesn't help to make it clearer...).

-gordon

If I take the rewrite out of the <location> block then NTLM auth fails as the username is re-written and isn't a valid corporate username.

On the plus side, if I just set "RequestHeader set REMOTE_USER smithiesr" then I get logged in as I should.

--Russell

-----Original Message-----
From: Assaf Gordon [mailto:gordon@cshl.edu]
Sent: Wednesday, 18 July 2012 9:59 a.m.
To: Smithies, Russell
Cc: galaxy-dev@lists.bx.psu.edu
Subject: Re: [galaxy-dev] NTLM auth not passing http_remote_user?

Working now :- )

I blame lack of coffee - I hadn't set "RewriteEngine on" before I re-wrote the request header. It appears it needs to be in the <location> section or your initial ntlm auth will fail.

    <Location "/">
        AuthName "Galaxy"
        NTLMAuth on
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        NTLMBasicAuthoritative on
        AuthType NTLM
        require valid-user

        # Take the $REMOTE_USER environment variable, trim the realm and set it as a header in the proxy request.
        RewriteEngine on
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} .+\\(.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

--Russell

-----Original Message-----
From: galaxy-dev-bounces@lists.bx.psu.edu [mailto:galaxy-dev-bounces@lists.bx.psu.edu] On Behalf Of Smithies, Russell
Sent: Wednesday, 18 July 2012 10:52 a.m.
To: Assaf Gordon
Cc: galaxy-dev@lists.bx.psu.edu
Subject: Re: [galaxy-dev] NTLM auth not passing http_remote_user?
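
An added example, not part of the original thread and not Galaxy or Apache code: a small Python model of the header logic in the working config, showing which authenticated names still reach the backend as '(null)'. It assumes RewriteCond matching behaves like an unanchored regex search and that mod_headers renders an unset %{RU}e as "(null)", as in the dump earlier in the thread; forwarded_remote_user, backend_accepts and the sample names are hypothetical.

```python
import re

# Pattern from the working config: RewriteCond %{LA-U:REMOTE_USER} .+\\(.+)
# RewriteCond patterns are unanchored, hence re.search below.
REALM_TRIM = re.compile(r".+\\(.+)")
# Pattern from the first config in the thread: RewriteCond ... (.+)
KEEP_ALL = re.compile(r"(.+)")


def forwarded_remote_user(auth_user, pattern=REALM_TRIM, rewrite_engine=True):
    """Model the REMOTE_USER request header that the proxy sends to the backend.

    auth_user      -- name reported by the auth module (None if unauthenticated)
    rewrite_engine -- False models a missing "RewriteEngine on"
    """
    ru = None  # the RU environment variable
    if rewrite_engine and auth_user:
        m = pattern.search(auth_user)
        if m:
            ru = m.group(1)  # RewriteRule . - [E=RU:%1]
    # "RequestHeader set REMOTE_USER %{RU}e" runs unconditionally;
    # an unset variable is rendered as the literal string "(null)".
    return ru if ru is not None else "(null)"


def backend_accepts(header_value):
    """Assumed backend-side check: refuse the placeholder and realm-qualified names."""
    if header_value in ("", "(null)"):
        return False
    return "\\" not in header_value


# Constructed sample identities, not taken from the thread's logs.
SAMPLES = ["CORP\\smithiesr", "smithiesr", "A\\B\\user", None]

if __name__ == "__main__":
    for user in SAMPLES:
        value = forwarded_remote_user(user)
        print(f"{user!r:20} -> {value!r:12} accepted={backend_accepts(value)}")
    # Same user, but without "RewriteEngine on": the rules never run.
    print(forwarded_remote_user("CORP\\smithiesr", rewrite_engine=False))
```

A name without a realm prefix does not match the realm-trimming pattern, so it is forwarded as '(null)' exactly as an unauthenticated request would be; the backend should treat that value as "no user" rather than as a username.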

participants (2)
- Assaf Gordon
- Smithies, Russell