Re: [galaxy-dev] LDAP authentication
Hello,

I managed to connect Galaxy to LDAP ;-) Three points were blocking for me:

* Being root of my virtual machine to carry out tests
* I confused the login/password of two LDAPs, so I thought that my authentication method was not good while I was using the wrong password ...
* It is better not to go through a proxy

1 - Set the Galaxy configuration file, universe_wsgi.ini, to delegate user authentication to an upstream Apache proxy:

    # Users and Security
    use_remote_user = True
    remote_user_maildomain = toulouse.inra.fr

2 - Create an "htaccess"-type file named galaxy.conf (in /etc/httpd/conf.d/). For reasons of performance and safety, it is advisable not to use a .htaccess but a galaxy.conf file in the main server configuration (Apache), because the latter will be loaded once when the server starts. With an .htaccess file, the file will be loaded at each access.

    RewriteEngine on
    <Location "/galaxy">
        # Define the authentication method
        AuthType Basic
        AuthName "Galaxy"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://server URL:389/..."
        AuthzLDAPAuthoritative off
        Require valid-user
        RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
    </Location>
    RewriteRule ^/galaxy$ /galaxy/ [R]
    RewriteRule ^/galaxy/static/style/(.*) /var/www/html/galaxy/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/galaxy/static/scripts/(.*) /var/www/html/galaxy/static/scripts/packed/$1 [L]
    RewriteRule ^/galaxy/static/(.*) /var/www/html/galaxy/static/$1 [L]
    RewriteRule ^/galaxy/favicon.ico /var/www/html/galaxy/static/favicon.ico [L]
    RewriteRule ^/galaxy/robots.txt /var/www/html/galaxy/static/robots.txt [L]
    RewriteRule ^/galaxy(.*) http://ip:port$1 [P]

As Galaxy is not installed in the root directory but in a galaxy directory (/var/www/html/galaxy/), the following changes are needed:

1 - Add a RewriteRule
2 - Do not go through a proxy
3 - The REMOTE_USER variable is AUTHENTICATE_uid (AUTHENTICATE_sAMAccountName for Windows AD)
4 - To generate dynamic URLs, it is necessary to configure the prefix in universe_wsgi.ini:

    [filter:proxy-prefix]
    use = egg:PasteDeploy#prefix
    prefix = /galaxy

    [app:main]
    filter-with = proxy-prefix
    cookie_path = /galaxy

If you are not root on the virtual machine, create a symlink from /etc/httpd/conf.d/ to galaxy.conf.

3 - Some useful checks

Verify the Apache version and the Apache modules, because each directive must have an associated module:

    Directive           → Related module (with mod_ldap)
    AuthType            → mod_auth_basic.so
    AuthBasicProvider   → mod_authnz_ldap and mod_authz_ldap
    Rewrite (for proxy) → mod_rewrite.so
    RequestHeader       → mod_headers

Check that Galaxy is installed on LDAP using this command:

    ldapsearch -x -h LDAP URL:port -b "dc"

When you make a modification in galaxy.conf, restart Apache (or graceful).

In httpd.conf, so that access management is authorized by the file:

    #
    # AccessFileName: The name of the file to look for in EACH directory
    # for additional configuration directives. See also the AllowOverride
    # directive.
    #
    AccessFileName .htaccess

Check: chmod 777 galaxy.conf

4 - Finally, restart run.sh (sh run.sh &)

Thanks A LOT for your help,
Sarah
On Feb 13, 2012, at 7:38 AM, Sarah Maman wrote:
Hello,

I managed to connect Galaxy to LDAP ;-) Three points were blocking for me:

* Being root of my virtual machine to carry out tests
* I confused the login/password of two LDAPs, so I thought that my authentication method was not good while I was using the wrong password ...
* It is better not to go through a proxy
Hi Sarah, Thanks very much for reporting back with your findings. This should be very helpful for people who stumble on to similar problems in the future.
1 - Set the Galaxy configuration file, universe_wsgi.ini, to delegate user authentication to an upstream Apache proxy:

    # Users and Security
    use_remote_user = True
    remote_user_maildomain = toulouse.inra.fr
2 - Create an "htaccess"-type file named galaxy.conf (in /etc/httpd/conf.d/). For reasons of performance and safety, it is advisable not to use a .htaccess but a galaxy.conf file in the main server configuration (Apache), because the latter will be loaded once when the server starts. With an .htaccess file, the file will be loaded at each access.
    RewriteEngine on
    <Location "/galaxy">
        # Define the authentication method
        AuthType Basic
        AuthName "Galaxy"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://server URL:389/..."
        AuthzLDAPAuthoritative off
        Require valid-user
        RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
    </Location>
    RewriteRule ^/galaxy$ /galaxy/ [R]
    RewriteRule ^/galaxy/static/style/(.*) /var/www/html/galaxy/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/galaxy/static/scripts/(.*) /var/www/html/galaxy/static/scripts/packed/$1 [L]
    RewriteRule ^/galaxy/static/(.*) /var/www/html/galaxy/static/$1 [L]
    RewriteRule ^/galaxy/favicon.ico /var/www/html/galaxy/static/favicon.ico [L]
    RewriteRule ^/galaxy/robots.txt /var/www/html/galaxy/static/robots.txt [L]
    RewriteRule ^/galaxy(.*) http://ip:port$1 [P]
As Galaxy is not installed in the root directory but in a galaxy directory (/var/www/html/galaxy/), the following changes are needed:
This is probably not a good idea. From the documentation: Please note that Galaxy should never be located on disk inside Apache's DocumentRoot. By default, this would expose all of Galaxy (including datasets) to anyone on the web. Galaxy is a proxied application and as such, only the static content like javascript and images are served directly by Apache (and this is set up with the RewriteRules), everything else is passed through to the Galaxy application via a proxied http connection. Right now I could presumably use the URL http://server/galaxy/galaxy-dist/database/files/000/dataset_1.dat to view a dataset directly.
1 - Add a RewriteRule
2 - Do not go through a proxy
Can you clarify this? I'm a bit confused, since if you are connecting to Apache to access Galaxy, you are going through a proxy.
3 - The REMOTE_USER variable is AUTHENTICATE_uid (AUTHENTICATE_sAMAccountName for Windows AD)
I've added this to the wiki page, thanks! --nate
4 - To generate dynamic URLs, it is necessary to configure the prefix in universe_wsgi.ini:

    [filter:proxy-prefix]
    use = egg:PasteDeploy#prefix
    prefix = /galaxy

    [app:main]
    filter-with = proxy-prefix
    cookie_path = /galaxy
If you are not root on the virtual machine, create a symlink from /etc/httpd/conf.d/ to galaxy.conf.
3 - Some useful checks
Verify the Apache version and the Apache modules, because each directive must have an associated module:
    Directive           → Related module (with mod_ldap)
    AuthType            → mod_auth_basic.so
    AuthBasicProvider   → mod_authnz_ldap and mod_authz_ldap
    Rewrite (for proxy) → mod_rewrite.so
    RequestHeader       → mod_headers
Check that Galaxy is installed on LDAP using this command:

    ldapsearch -x -h LDAP URL:port -b "dc"
When you make a modification in galaxy.conf, restart Apache (or graceful).
In httpd.conf, so that access management is authorized by the file:

    #
    # AccessFileName: The name of the file to look for in EACH directory
    # for additional configuration directives. See also the AllowOverride
    # directive.
    #
    AccessFileName .htaccess
Check: chmod 777 galaxy.conf
4 - Finally, restart run.sh (sh run.sh &)
Thanks A LOT for your help, Sarah
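The Apache fragment quoted above, and Nate's remark about DocumentRoot, can be checked mechanically. What follows is an added example for this thread, not code from galaxy-dev or from the Galaxy project: a small linter for an Apache reverse-proxy fragment of this shape. It flags (1) a RewriteRule whose filesystem target lies under DocumentRoot, which is the sign that the Galaxy checkout itself (database/files included) is inside it; (2) a proxied [P] rule whose URL prefix is not enclosed by a <Location> that both enforces Require and sets REMOTE_USER, since use_remote_user makes Galaxy trust that header and a request that reaches the backend outside such a Location can carry a client-chosen REMOTE_USER; and (3) an AuthLDAPURL that uses plain ldap:// with no TLS mode, so the Basic-auth passwords Apache verifies are relayed to the directory in clear text. The two sample fragments, the host ldap.example.org, the backend 127.0.0.1:8080 and the DocumentRoot /var/www/html are constructed for the example.

```python
"""Lint an Apache reverse-proxy fragment for a Galaxy use_remote_user setup.

Added example for this thread; not code from galaxy-dev or the Galaxy project.
Apache directive names and RewriteRule flags are real httpd syntax; the sample
fragments, the host ldap.example.org, the backend 127.0.0.1:8080 and the
DocumentRoot /var/www/html are constructed for the example.
"""
import os
import re

LOC_OPEN = re.compile(r'^<Location\s+"?([^"\s>]+)"?\s*>$', re.I)
LOC_CLOSE = re.compile(r'^</Location\s*>$', re.I)
REWRITE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
LDAP_URL = re.compile(r'^AuthLDAPURL\s+"?([^"\s]+)"?(?:\s+(NONE|SSL|TLS|STARTTLS))?', re.I)
SET_REMOTE_USER = re.compile(r'^RequestHeader\s+set\s+REMOTE_USER\b', re.I)

# Constructed sample 1: the shape of the fragment posted in the thread, with
# the placeholders (server URL, ip:port) filled in.
THREAD_CONF = """
RewriteEngine on
<Location "/galaxy">
    AuthType Basic
    AuthName "Galaxy"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.org:389/dc=example,dc=org?uid"
    AuthzLDAPAuthoritative off
    Require valid-user
    RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
</Location>
RewriteRule ^/galaxy/static/style/(.*) /var/www/html/galaxy/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/(.*) /var/www/html/galaxy/static/$1 [L]
RewriteRule ^/galaxy(.*) http://127.0.0.1:8080$1 [P]
"""

# Constructed sample 2: Galaxy moved out of DocumentRoot, directory bind over LDAPS.
HARDENED_CONF = """
RewriteEngine on
<Location "/galaxy">
    AuthType Basic
    AuthName "Galaxy"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.org:636/dc=example,dc=org?uid"
    Require valid-user
    RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
</Location>
RewriteRule ^/galaxy/static/(.*) /srv/galaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/galaxy(.*) http://127.0.0.1:8080$1 [P]
"""

DOCROOT = "/var/www/html"  # assumed DocumentRoot for the examples


def literal_prefix(pattern):
    """Longest literal URL prefix of a RewriteRule regex: ^/galaxy(.*) -> /galaxy."""
    return re.match(r'[^()\[\].*+?$|\\{}]*', pattern.lstrip('^')).group(0)


def under_docroot(target, docroot):
    """True if a filesystem rewrite target (backreferences stripped) lies inside docroot."""
    path = os.path.normpath(target.split('$', 1)[0])
    root = os.path.normpath(docroot)
    return path == root or path.startswith(root + os.sep)


def lint(conf, docroot):
    """Return a list of finding strings for one config fragment (empty list = clean)."""
    findings, locations, proxied, cur = [], [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LOC_OPEN.match(line)
        if m:  # start tracking what this <Location> enforces
            cur = {'path': m.group(1), 'require': False, 'remote_user': False}
            continue
        if LOC_CLOSE.match(line):
            if cur:
                locations.append(cur)
            cur = None
            continue
        if cur is not None:
            cur['require'] |= line.lower().startswith('require ')
            cur['remote_user'] |= bool(SET_REMOTE_USER.match(line))
        m = LDAP_URL.match(line)
        if m and m.group(1).lower().startswith('ldap://') and (m.group(2) or 'NONE').upper() == 'NONE':
            findings.append(f'AuthLDAPURL {m.group(1)}: Basic-auth passwords are relayed to the '
                            f'directory in clear text; use ldaps:// or the STARTTLS mode')
        m = REWRITE.match(line)
        if not m:
            continue
        pattern, target = m.group(1), m.group(2)
        flags = {f.strip().upper() for f in (m.group(3) or '').split(',') if f.strip()}
        if 'P' in flags:
            proxied.append(pattern)  # checked against the auth Locations below
        elif target.startswith('/') and under_docroot(target, docroot):
            findings.append(f'RewriteRule {pattern}: target {target} is inside DocumentRoot {docroot}, '
                            f'so the Galaxy tree around it (database/files included) is served by Apache')
    for pattern in proxied:
        prefix = literal_prefix(pattern)
        covered = any(l['require'] and l['remote_user'] and prefix.startswith(l['path'])
                      for l in locations)
        if not covered:
            findings.append(f'RewriteRule {pattern} [P]: proxied prefix {prefix!r} is not inside a '
                            f'<Location> that enforces Require and sets REMOTE_USER; a client can '
                            f'send its own REMOTE_USER header straight to Galaxy')
    return findings


if __name__ == '__main__':
    for name, conf in (('thread', THREAD_CONF), ('hardened', HARDENED_CONF)):
        result = lint(conf, DOCROOT)
        print(f'== {name}: {len(result)} finding(s)')
        for f in result:
            print('  -', f)
```

Run as a script it prints three findings for the thread-shaped fragment and none for the hardened one. The coverage check only reads plain <Location> prefixes; <LocationMatch>, <Directory> and per-directory .htaccess rules are out of scope. Two practical caveats the linter does not cover: the backend port (ip:port) must be bound to localhost or firewalled so that nobody can reach Galaxy without passing through the authenticating proxy, and AuthzLDAPAuthoritative is an Apache 2.2 directive that no longer exists in 2.4, where the fragment will fail to load until it is removed.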
Thanks Nate,

I just would like to share some other information:

* I have added a VirtualHost, a proxy and a DocumentRoot
* Consequently, the RewriteRule has been modified: replace

    RewriteRule ^galaxy/(.*) http://ip:port$1 [P]

  by

    RewriteRule ^/(.*) http://ip:port/$1 [P]

It should be better for security.

Faithfully,
Sarah Maman

Nate Coraor wrote:
participants (2)
- Nate Coraor
- Sarah Maman