Problem with Active Directory/LDAP authentication
Hello, I'm writing because I've been trying for the past few days to configure Galaxy to use Apache-based LDAP authentication, but have reached a point where I'm basically stuck. The system in a virtual machine running: - CentOS 5.8 - Apache 2.2.3 I'm trying to configure a Galaxy instance at "localhost:8080", with Active Directory authentication. I started with the admin page documentation: http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy and also worked through the troubleshooting examples found at: a) http://user.list.galaxyproject.org/Galaxy-Apache-External-Authentication-tt4... b) http://gmod.827538.n3.nabble.com/galaxy-dev-ldap-integration-td839409.html c) http://lists.bx.psu.edu/pipermail/galaxy-dev/2010-January/001676.html Following the debugging steps suggested by URL (a), I'm able to verify that: 1) The authentication clause I have works, without rewrite rules and without a proxy. 2) Without rewrite rules and a proxy, the Apache environment has the AUTHENTICATE_SAMACCOUNTNAME and REMOTE_USER environment variables set. Unfortunately, when I turn on the proxy (setting "use_remote_user" and "remote_user_maildomain" in universe_wsgi.ini accordingly), I get the following error message when I try accessing the "localhost:8080" URL, the following error message appears: "Access to Galaxy is denied Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server. Please contact your local Galaxy administrator." As suggested by URLs (a) and (c), I modified ./lib/galaxy/web/framework/middleware/remoteuser.py to print the environment seen by that script. None of the remote user information seems to be making to the script, either from AUTHENTICATE_SAMACCOUNTNAME or REMOTE_USER, no matter which of the suggested combinations of "RewriteCond", "RewriteRule", and "RequestHeader" options I tried. In addition, the troubleshooting suggestions to force a REMOTE_USER value to be set via a directive like: RequestHeader add REMOTE_USER [user name] also failed to pass REMOTE_USER to the remoteuser.py script. I've included below an extract from the Apache configuration file that I've been trying. Any advice or assistance that people might be able to provide would be greatly appreciated, and please let me know if you'd need any additional information from me. Sincerely, Harris Shapiro Genomic Health, Inc. Extract from Apache configuration file: Note: I've also tried a variant where I replaced REMOTE_USER with AUTHENTICATE_SAMACCOUNTNAME in the various RewriteCond & RequestHeader directives. That variant produced the same error message. <Proxy http://localhost:8080> Order deny,allow Allow from all </Proxy> RewriteEngine on <Location "/"> AuthType Basic AuthName "Please log in with your Windows account" AuthBasicProvider ldap AuthLDAPURL [Verified LDAP connection information] AuthzLDAPAuthoritative off AuthLDAPBindDN [Verified DN] AuthLDAPBindPassword [Verified password] Require valid-user RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e </Location> RewriteRule ^/static/style/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/scripts/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/static/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/favicon.ico /home/hshapiro/software/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/robots.txt /home/hshapiro/software/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) http://localhost:8080$1 [P]
On Nov 19, 2012, at 12:49 PM, Harris Shapiro wrote:
Hello,
I'm writing because I've been trying for the past few days to configure Galaxy to use Apache-based LDAP authentication, but have reached a point where I'm basically stuck. The system in a virtual machine running:
- CentOS 5.8 - Apache 2.2.3
I'm trying to configure a Galaxy instance at "localhost:8080", with Active Directory authentication.
I started with the admin page documentation:
http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy
and also worked through the troubleshooting examples found at:
a) http://user.list.galaxyproject.org/Galaxy-Apache-External-Authentication-tt4... b) http://gmod.827538.n3.nabble.com/galaxy-dev-ldap-integration-td839409.html c) http://lists.bx.psu.edu/pipermail/galaxy-dev/2010-January/001676.html
Following the debugging steps suggested by URL (a), I'm able to verify that:
1) The authentication clause I have works, without rewrite rules and without a proxy. 2) Without rewrite rules and a proxy, the Apache environment has the AUTHENTICATE_SAMACCOUNTNAME and REMOTE_USER environment variables set.
Unfortunately, when I turn on the proxy (setting "use_remote_user" and "remote_user_maildomain" in universe_wsgi.ini accordingly), I get the following error message when I try accessing the "localhost:8080" URL, the following error message appears:
"Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator."
As suggested by URLs (a) and (c), I modified ./lib/galaxy/web/framework/middleware/remoteuser.py to print the environment seen by that script. None of the remote user information seems to be making to the script, either from AUTHENTICATE_SAMACCOUNTNAME or REMOTE_USER, no matter which of the suggested combinations of "RewriteCond", "RewriteRule", and "RequestHeader" options I tried. In addition, the troubleshooting suggestions to force a REMOTE_USER value to be set via a directive like:
RequestHeader add REMOTE_USER [user name]
also failed to pass REMOTE_USER to the remoteuser.py script.
I've included below an extract from the Apache configuration file that I've been trying. Any advice or assistance that people might be able to provide would be greatly appreciated, and please let me know if you'd need any additional information from me.
Hi Harris, Have you tried upping the logging level for mod_rewrite as suggested by Assaf in (a)? This should tell you exactly what is and is not being matched as Apache processes requests through those directives. --nate
Sincerely, Harris Shapiro Genomic Health, Inc.
Extract from Apache configuration file: Note: I've also tried a variant where I replaced REMOTE_USER with AUTHENTICATE_SAMACCOUNTNAME in the various RewriteCond & RequestHeader directives. That variant produced the same error message.
<Proxy http://localhost:8080> Order deny,allow Allow from all </Proxy>
RewriteEngine on
<Location "/"> AuthType Basic AuthName "Please log in with your Windows account" AuthBasicProvider ldap AuthLDAPURL [Verified LDAP connection information] AuthzLDAPAuthoritative off AuthLDAPBindDN [Verified DN] AuthLDAPBindPassword [Verified password] Require valid-user RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e </Location>
RewriteRule ^/static/style/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/scripts/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/static/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/favicon.ico /home/hshapiro/software/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/robots.txt /home/hshapiro/software/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) http://localhost:8080$1 [P]
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
Hi Harris, I can't pin-point your issue exactly, to be honest I don't quite remember how I got to this working configuration. Still please take a look at this configuration as I'm using it in almost exactly the same enviroment, Centos 6/Apache 2.2.15/Active Directory... <VirtualHost *:80> ServerAdmin admin@local ServerName galaxy.local:80 <Proxy http://localhost:8080> Order deny,allow Allow from all </Proxy> RewriteEngine on <Location "/"> AuthName "Galaxy BFX" AuthType Basic AuthBasicAuthoritative off AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL [LDAP_URL] AuthLDAPBindDN [DN] AuthLDAPBindPassword [PW] Require valid-user # Set the REMOTE_USER header to the contents of the LDAP query response's "uid" attribute RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e XSendFile on XSendFilePath / </Location> RewriteRule ^/static/style/(.*) /local/opt/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/scripts/(.*) /local/opt/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/static/(.*) /local/opt/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/favicon.ico /local/opt/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/robots.txt /local/opt/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) http://localhost:8080$1 [P] ErrorLog logs/galaxy.local-error_log CustomLog logs/galaxy.local-access_log common </VirtualHost> Cheers, Carlos On Mon, Nov 19, 2012 at 12:49 PM, Harris Shapiro <hjshapiro@gmail.com> wrote:
Hello,
I'm writing because I've been trying for the past few days to configure Galaxy to use Apache-based LDAP authentication, but have reached a point where I'm basically stuck. The system in a virtual machine running:
- CentOS 5.8 - Apache 2.2.3
I'm trying to configure a Galaxy instance at "localhost:8080", with Active Directory authentication.
I started with the admin page documentation:
http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy
and also worked through the troubleshooting examples found at:
a) http://user.list.galaxyproject.org/Galaxy-Apache-External-Authentication-tt4... b) http://gmod.827538.n3.nabble.com/galaxy-dev-ldap-integration-td839409.html c) http://lists.bx.psu.edu/pipermail/galaxy-dev/2010-January/001676.html
Following the debugging steps suggested by URL (a), I'm able to verify that:
1) The authentication clause I have works, without rewrite rules and without a proxy. 2) Without rewrite rules and a proxy, the Apache environment has the AUTHENTICATE_SAMACCOUNTNAME and REMOTE_USER environment variables set.
Unfortunately, when I turn on the proxy (setting "use_remote_user" and "remote_user_maildomain" in universe_wsgi.ini accordingly), I get the following error message when I try accessing the "localhost:8080" URL, the following error message appears:
"Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator."
As suggested by URLs (a) and (c), I modified ./lib/galaxy/web/framework/middleware/remoteuser.py to print the environment seen by that script. None of the remote user information seems to be making to the script, either from AUTHENTICATE_SAMACCOUNTNAME or REMOTE_USER, no matter which of the suggested combinations of "RewriteCond", "RewriteRule", and "RequestHeader" options I tried. In addition, the troubleshooting suggestions to force a REMOTE_USER value to be set via a directive like:
RequestHeader add REMOTE_USER [user name]
also failed to pass REMOTE_USER to the remoteuser.py script.
I've included below an extract from the Apache configuration file that I've been trying. Any advice or assistance that people might be able to provide would be greatly appreciated, and please let me know if you'd need any additional information from me.
Sincerely, Harris Shapiro Genomic Health, Inc.
Extract from Apache configuration file: Note: I've also tried a variant where I replaced REMOTE_USER with AUTHENTICATE_SAMACCOUNTNAME in the various RewriteCond & RequestHeader directives. That variant produced the same error message.
<Proxy http://localhost:8080> Order deny,allow Allow from all </Proxy>
RewriteEngine on
<Location "/"> AuthType Basic AuthName "Please log in with your Windows account" AuthBasicProvider ldap AuthLDAPURL [Verified LDAP connection information] AuthzLDAPAuthoritative off AuthLDAPBindDN [Verified DN] AuthLDAPBindPassword [Verified password] Require valid-user RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e </Location>
RewriteRule ^/static/style/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/scripts/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/static/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/favicon.ico /home/hshapiro/software/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/robots.txt /home/hshapiro/software/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) http://localhost:8080$1 [P]
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
Hello, Thanks to everyone for the feedback and suggestions. I was eventually able to puzzle out what was going awry. The remaining issues turned out to be: 1) When proxying was enabled, to trigger an authentication request with the default Galaxy set-up, I needed to use the “localhost” URL, instead of “localhost:8080”. I guess I might have missed the documentation for this... 2) Overly aggressive “Security-Enhanced Linux” settings, which were silently blocking some of the needed HTTP communication. I never did find any log messages for this; I just guessed it might be an issue and turned it off. Everything then happily started working... Anyway, thanks again for the responses and example configuration. Harris On 11/27/12 12:08 PM, Carlos Borroto wrote:
Hi Harris,
I can't pin-point your issue exactly, to be honest I don't quite remember how I got to this working configuration. Still please take a look at this configuration as I'm using it in almost exactly the same enviroment, Centos 6/Apache 2.2.15/Active Directory...
<VirtualHost *:80> ServerAdmin admin@local ServerName galaxy.local:80
<Proxy http://localhost:8080> Order deny,allow Allow from all </Proxy> RewriteEngine on <Location "/"> AuthName "Galaxy BFX" AuthType Basic AuthBasicAuthoritative off AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL [LDAP_URL] AuthLDAPBindDN [DN] AuthLDAPBindPassword [PW] Require valid-user # Set the REMOTE_USER header to the contents of the LDAP query response's "uid" attribute RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
XSendFile on XSendFilePath / </Location> RewriteRule ^/static/style/(.*) /local/opt/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/scripts/(.*) /local/opt/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/static/(.*) /local/opt/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/favicon.ico /local/opt/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/robots.txt /local/opt/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) http://localhost:8080$1 [P]
ErrorLog logs/galaxy.local-error_log CustomLog logs/galaxy.local-access_log common </VirtualHost>
Cheers, Carlos
On Mon, Nov 19, 2012 at 12:49 PM, Harris Shapiro <hjshapiro@gmail.com> wrote:
Hello,
I'm writing because I've been trying for the past few days to configure Galaxy to use Apache-based LDAP authentication, but have reached a point where I'm basically stuck. The system in a virtual machine running:
- CentOS 5.8 - Apache 2.2.3
I'm trying to configure a Galaxy instance at "localhost:8080", with Active Directory authentication.
I started with the admin page documentation:
http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy
and also worked through the troubleshooting examples found at:
a) http://user.list.galaxyproject.org/Galaxy-Apache-External-Authentication-tt4... b) http://gmod.827538.n3.nabble.com/galaxy-dev-ldap-integration-td839409.html c) http://lists.bx.psu.edu/pipermail/galaxy-dev/2010-January/001676.html
Following the debugging steps suggested by URL (a), I'm able to verify that:
1) The authentication clause I have works, without rewrite rules and without a proxy. 2) Without rewrite rules and a proxy, the Apache environment has the AUTHENTICATE_SAMACCOUNTNAME and REMOTE_USER environment variables set.
Unfortunately, when I turn on the proxy (setting "use_remote_user" and "remote_user_maildomain" in universe_wsgi.ini accordingly), I get the following error message when I try accessing the "localhost:8080" URL, the following error message appears:
"Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator."
As suggested by URLs (a) and (c), I modified ./lib/galaxy/web/framework/middleware/remoteuser.py to print the environment seen by that script. None of the remote user information seems to be making to the script, either from AUTHENTICATE_SAMACCOUNTNAME or REMOTE_USER, no matter which of the suggested combinations of "RewriteCond", "RewriteRule", and "RequestHeader" options I tried. In addition, the troubleshooting suggestions to force a REMOTE_USER value to be set via a directive like:
RequestHeader add REMOTE_USER [user name]
also failed to pass REMOTE_USER to the remoteuser.py script.
I've included below an extract from the Apache configuration file that I've been trying. Any advice or assistance that people might be able to provide would be greatly appreciated, and please let me know if you'd need any additional information from me.
Sincerely, Harris Shapiro Genomic Health, Inc.
Extract from Apache configuration file: Note: I've also tried a variant where I replaced REMOTE_USER with AUTHENTICATE_SAMACCOUNTNAME in the various RewriteCond & RequestHeader directives. That variant produced the same error message.
<Proxy http://localhost:8080> Order deny,allow Allow from all </Proxy>
RewriteEngine on
<Location "/"> AuthType Basic AuthName "Please log in with your Windows account" AuthBasicProvider ldap AuthLDAPURL [Verified LDAP connection information] AuthzLDAPAuthoritative off AuthLDAPBindDN [Verified DN] AuthLDAPBindPassword [Verified password] Require valid-user RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e </Location>
RewriteRule ^/static/style/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/static/scripts/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/static/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/favicon.ico /home/hshapiro/software/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/robots.txt /home/hshapiro/software/galaxy/galaxy-dist/static/robots.txt [L] RewriteRule ^(.*) http://localhost:8080$1 [P]
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
On 28/11/12 06:12, Harris Shapiro wrote:
2) Overly aggressive “Security-Enhanced Linux” settings, which were silently blocking some of the needed HTTP communication. I never did find any log messages for this; I just guessed it might be an issue and turned it off. Everything then happily started working...
Take a look at the following page for some help around Apache and SELinux: http://selinuxproject.org/page/ApacheRecipes Paul
participants (4)
-
Carlos Borroto -
Harris Shapiro -
Nate Coraor -
Paul Boddie