Hello,

I'm trying to install Galaxy on an Apache server, and I have the same error message as David Hoover when I tried to generate the authentication files. Thanks to David Hoover, who gave me some helpful explanation.

When I read the thread on gmod, it seems that the problem is solved (http://gmod.827538.n3.nabble.com/trouble-with-authentication-through-Apache-td1809681.html), but I did not find the solution in my case.

I use LDAP authentication and Galaxy is implemented on a VM.

Could you please explain to me how to solve it? I really need help.

I modified the universe file (in galaxy-dist) and I created a .htaccess file in galaxy-dist/:

* in universe_wsgi.ini:

    use_remote_user = True
    remote_user_maildomain = example.org

* in the .htaccess file in the galaxy-dist/ directory:

    # Define Galaxy as a valid Proxy
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location "/">
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://server:389/ou=People,dc=example,dc=org?uid?sub?(objectClass=person)"
        AuthzLDAPAuthoritative off
        Require valid-user
        # Set the REMOTE_USER header to the contents of the LDAP query response's "uid" attribute
        RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
    </Location>

with location, AuthBasicProvider and proxy completed.

But I have the error:

    Access to Galaxy is denied

    Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.

Thank you, and best regards
Sarah Maman
Hi Sarah:

I don't know what kind of LDAP you're talking to... I'm talking to Active Directory and this configuration works in that situation.

    Order allow,deny
    allow from all

    AuthType Basic
    AuthName "NEB Credentials"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN ccalookup@neb.com
    AuthLDAPBindPassword <password>
    AuthLDAPURL "ldap://<ldap.domain.com>:389/dc=domain,dc=com?sAMAccountName"
    require valid-user

    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e

--
Brad Langhorst
New England Biolabs
langhorst@neb.com
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
We also ran into this. Our local server configuration was case-sensitive and the LDAP uid key was converted to upper-case, so we used:

    RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e

which fixed the problem. We found the solution by searching for 'AUTHENTICATE_uid'; it appears to be a relatively common thing. Beyond that everything else was the same from the Galaxy wiki.

chris
Hi Brad, Hi Christopher,

Thanks a lot. I'm talking to Open LDAP. I have changed

    RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e

to

    RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e

But I always have the same message:

    Access to Galaxy is denied

    Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.

This is my .conf file:

    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>

    RewriteEngine on

    <Location "/">
        AuthType Basic
        AuthName Galaxy
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://server/ou=People,ou=genopole,ou=toulouse,o=inra,c=fr?uid?sub?(objectClass=person)"
        AuthzLDAPAuthoritative off
        Require valid-user
        # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
        #RewriteCond %{IS_SUBREQ} ^false$
        #RewriteCond %{LA-U:REMOTE_USER} (.+)
        #RewriteRule . - [E=RU:%1]
        #RequestHeader set REMOTE_USER %{RU}e
        RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e
    </Location>

Thanks in advance,
Sarah
Why do you need to create a proxy? The way I have ours set up is within a virtual host:

    <VirtualHost>

    <Location "/">
        AuthName "Helix Systems"
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPUrl ldaps://helixdrive.nih.gov/ou=Users,ou=helix.nih.gov,o=scb?uid
        AuthLDAPBindDN "cn=maccount,ou=Special,o=scb"
        AuthLDAPBindPassword ********
        Require valid-user
        RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
        Options None
        Order Allow,Deny
        Allow from all
    </Location>

    RewriteRule ^/static/style/(.*) /data/galaxy/pro/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/static/scripts/(.*) /data/galaxy/pro/static/scripts/packed/$1 [L]
    RewriteRule ^/static/(.*) /data/galaxy/pro/static/$1 [L]
    RewriteRule ^/favicon.ico /data/galaxy/pro/static/favicon.ico [L]
    RewriteRule ^/robots.txt /data/galaxy/pro/static/robots.txt [L]
    RewriteRule ^(.*) http://helixweb4.cit.nih.gov:8080$1 [P]

    </VirtualHost>

David
David,

This is the approach recommended on the wiki for performance:

http://wiki.g2.bx.psu.edu/Admin/Config/Apache%20Proxy

Would be nice if your alternative approach using virtual hosts were similarly documented.

chris
Hello Sarah,

Sarah Maman wrote, On 01/19/2012 10:49 AM:
> I'm talking to Open LDAP. I have changed
>
>     RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
> to
>     RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e
>
> But I always have the same message
> (Access to Galaxy is denied
> Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.)

If I may suggest further reading and testing:
http://galaxy-users-list-archive.2308625.n4.nabble.com/Galaxy-Apache-Externa...

This post details my configuration after I finally got galaxy to work with LDAP.

I would highly recommend trying step 3 - adding two debug lines to galaxy and see which HTTP variables are actually transmitted from the apache server to the galaxy process.

-gordon
On Jan 19, 2012, at 10:49 AM, Sarah Maman wrote:
> Hi Brad, Hi Christopher,
>
> Thanks a lot. I'm talking to Open LDAP. I have changed
>
>     RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
> to
>     RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e
>
> But I always have the same message
> (Access to Galaxy is denied
> Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.)

Hi Sarah,

This configuration will need to be in your Apache config (the location of which varies depending on your OS and/or how Apache is installed) rather than an .htaccess file.

--nate
Hi,

Thanks to log messages from remoteuser.py in "./lib/galaxy/web/framework/middleware/remoteuser.py":

    print('affichage des variables d acces')
    print('self domain : %s' % self.maildomain)
    print('path info : %s' % path_info)
    print('admin user : %s' % self.admin_users)
    http_remote_user = environ.get('HTTP_REMOTE_USER', '')
    print('http remote user : %s' % http_remote_user)
    remote_user = environ.get('REMOTE_USER', '')
    print('remote user :%s' % remote_user)

Galaxy prints every environment variable it receives, and I have seen that the HTTP_REMOTE_USER variable is "(null)".

Moreover, Galaxy is defined as a valid Proxy (reverse proxy ??) so galaxy.conf is:

    <VirtualHost localhost:port>
    # Define Galaxy as a valid Proxy
    <Proxy localhost:port>
        Order deny,allow
        Allow from all

        RewriteEngine on
        # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        # Set the REMOTE_USER header to the contents of the LDAP query response's "uid" attribute
        RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e

        RewriteRule ^/galaxy$ /galaxy/ [R]
        RewriteRule ^/static/style/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
        RewriteRule ^/static/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/$1 [L]
        RewriteRule ^/images/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/images/$1 [L]
        RewriteRule ^/favicon.ico /usr/local/bioinfo/src/galaxy/galaxy-dist/static/favicon.ico [L]
        RewriteRule ^/favicon.ico /var/www/html/favicon.ico [L]
        RewriteRule ^/robots.txt /usr/local/bioinfo/src/galaxy/galaxy-dist/static/robots.txt [L]
        RewriteRule ^(.*) localhost:port$1 [P]
    </Proxy>

    <Location "/....." >
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Galaxy"
        AuthLDAPURL "ldap://serveur ..."
        AuthzLDAPAuthoritative on
        Require valid-user
    </Location>

    </VirtualHost>

But I have not yet managed to access the REMOTE_USER value through the proxy.

In universe_wsgi.ini, use_remote_user = True and remote_user_maildomain = toulouse.inra.fr

Thanks in advance,
Sarah
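The debugging step Gordon recommends and Sarah carries out, written as an added example (not Galaxy's remoteuser.py and not code from any poster): a small WSGI wrapper that classifies the REMOTE_USER header Apache forwards, including the literal "(null)" Sarah observed, which mod_headers sends when the variable named in %{...}e is not set. The names RemoteUserCheck, classify_remote_user, login_for, the example.remote_login key and the user smaman are hypothetical; the mail-domain handling is an assumption modelled on remote_user_maildomain.

```python
"""Added example: classify the REMOTE_USER header a proxying Apache forwards."""
from wsgiref.util import setup_testing_defaults

# mod_headers expands %{VAR}e to this literal when VAR is not set.
APACHE_UNSET = "(null)"

HINTS = {
    "header-absent": "the proxy sent no REMOTE_USER header",
    "header-empty": "the REMOTE_USER header is empty",
    "env-var-unset": "the header is '(null)': the variable named in %{...}e is "
                     "not set, check its name and case "
                     "(AUTHENTICATE_uid vs AUTHENTICATE_UID)",
}


def classify_remote_user(environ):
    """Return (status, username) for the header set by RequestHeader.

    A request header named REMOTE_USER arrives in the WSGI environ as
    HTTP_REMOTE_USER, which is the key Sarah's debug lines print.
    """
    raw = environ.get("HTTP_REMOTE_USER")
    if raw is None:
        return ("header-absent", None)
    value = raw.strip()
    if not value:
        return ("header-empty", None)
    if value == APACHE_UNSET:
        return ("env-var-unset", None)
    return ("ok", value)


def login_for(environ, maildomain=None):
    """Append the mail domain to a bare username (assumed to mirror the
    purpose of remote_user_maildomain in universe_wsgi.ini)."""
    status, user = classify_remote_user(environ)
    if status == "ok" and maildomain and "@" not in user:
        user = "%s@%s" % (user, maildomain)
    return status, user


class RemoteUserCheck(object):
    """Hypothetical WSGI wrapper: refuse requests with no usable username."""

    def __init__(self, app, maildomain=None):
        self.app = app
        self.maildomain = maildomain

    def __call__(self, environ, start_response):
        status, login = login_for(environ, self.maildomain)
        if status != "ok":
            body = ("remote user rejected: %s\n" % HINTS[status]).encode("utf-8")
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        environ["example.remote_login"] = login  # hypothetical key
        return self.app(environ, start_response)


def echo_login(environ, start_response):
    """Stand-in for the proxied application: echoes the accepted login."""
    body = environ["example.remote_login"].encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def run(header_value, maildomain="example.org"):
    """Send one constructed request through the wrapper; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    if header_value is not None:
        environ["HTTP_REMOTE_USER"] = header_value
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    app = RemoteUserCheck(echo_login, maildomain)
    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode("utf-8")


if __name__ == "__main__":
    # Constructed header values; "smaman" is a made-up username.
    for value in (None, "", "(null)", "smaman", "smaman@example.org"):
        print(repr(value), "->", run(value))
```

Because the backend treats this header as the authenticated identity, the Galaxy port (8080 in the thread) should accept connections only from the Apache host.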
On Jan 31, 2012, at 11:45 AM, Sarah Maman wrote:
> Moreover, Galaxy is defined as a valid Proxy (reverse proxy ??) so galaxy.conf is :
>
> <VirtualHost localhost:port>
> # Define Galaxy as a valid Proxy
> <Proxy localhost:port>
> Order deny,allow
> Allow from all

Hi Sarah,

Please recheck the syntax in the documentation:

http://wiki.g2.bx.psu.edu/Admin/Config/Apache%20Proxy

The following directives should be in the <Location> block, not the <Proxy> block.

--nate

> RewriteEngine on
> # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
> RewriteCond %{IS_SUBREQ} ^false$
> RewriteCond %{LA-U:REMOTE_USER} (.+)
> RewriteRule . - [E=RU:%1]
> # Set the REMOTE_USER header to the contents of the LDAP query response's "uid" attribute
> RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
>
> RewriteRule ^/galaxy$ /galaxy/ [R]
> RewriteRule ^/static/style/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
> RewriteRule ^/static/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/$1 [L]
> RewriteRule ^/images/(.*) /usr/local/bioinfo/src/galaxy/galaxy-dist/static/images/$1 [L]
> RewriteRule ^/favicon.ico /usr/local/bioinfo/src/galaxy/galaxy-dist/static/favicon.ico [L]
> RewriteRule ^/favicon.ico /var/www/html/favicon.ico [L]
> RewriteRule ^/robots.txt /usr/local/bioinfo/src/galaxy/galaxy-dist/static/robots.txt [L]
> RewriteRule ^(.*) localhost:port$1 [P]
>
> </Proxy>
>
> <Location "/....." >
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "Galaxy"
> AuthLDAPURL "ldap://serveur ..."
> AuthzLDAPAuthoritative on
> Require valid-user
> </Location>
>
> </VirtualHost>
participants (6):
- Assaf Gordon
- David Hoover
- Fields, Christopher J
- Langhorst, Brad
- Nate Coraor
- Sarah Maman