re-writing username for login or stripping domain from remote_user?
I have a situation I'm sure others have faced but I can't see how to solve it without hacking the src and I'd rather not do that just yet as it complicates upgrades.

We're using Apache with NTLM and "require valid user" so it's a corporate domain and only authorized users are allowed access. If I set "use_remote_user = True" on universe_wsgi.ini then users are denied as Apache is passing the domain and username e.g. REMOTE_USER = DOMAIN\\username

I can't use a rewrite rule to fix it from Apache because then it's an invalid username and the user can't log into the web, and if it's passing DOMAIN\\username to Galaxy it doesn't match up with the Galaxy username so I get a 403 error. Is there a hidden option to strip the domain from the login or am I going to have to start hacking?

Thanx,
Russell Smithies
Infrastructure Technician
Invermay Agricultural Centre
Puddle Alley, Private Bag 50034, Mosgiel 9053, New Zealand
T +64 3 489 3809 F +64 3 489 3739
www.agresearch.co.nz

Attention: The information contained in this message and/or attachments from AgResearch Limited is intended only for the persons or entities to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipients is prohibited by AgResearch Limited. If you have received this message in error, please notify the sender immediately.

On Jul 16, 2012, at 6:42 PM, Smithies, Russell wrote:
I have a situation I’m sure others have faced but I can’t see how to solve it without hacking the src and I’d rather not do that just yet as it complicates upgrades.
We’re using Apache with NTLM and “require valid user” so it’s a corporate domain and only authorized users are allowed access. If I set “use_remote_user = True” on universe_wsgi.ini then users are denied as Apache is passing the domain and username e.g. REMOTE_USER = DOMAIN\\username I can’t use a rewrite rule to fix it from Apache because then it’s an invalid username and the user can’t log into the web, and if it’s passing DOMAIN\\username to Galaxy it doesn’t match up with the Galaxy username so I get a 403 error. Is there a hidden option to strip the domain from the login or am I going to have to start hacking?

Hi Russell,

In the Apache configuration, you should be able to modify the regex here:

    RewriteCond %{LA-U:REMOTE_USER} (.+)

To strip your domain, e.g.:

    RewriteCond %{LA-U:REMOTE_USER} DOMAIN\\(.+)

--nate

___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:

IANAAG, but the following should be secure and effective as well (at least it works for me), setting REMOTE_USER with an Apache authentication module in conjunction with ProxyPass:

    RequestHeader set REMOTE_USER %{REMOTE_USER}s
    RequestHeader edit REMOTE_USER ^.*\\\\(.+?) $1

Cheers,
Paul

On 12-07-18 9:08 AM, "Nate Coraor" <nate@bx.psu.edu> wrote:
Hi Russell,
In the Apache configuration, you should be able to modify the regex here:
RewriteCond %{LA-U:REMOTE_USER} (.+)
To strip your domain, e.g.:
RewriteCond %{LA-U:REMOTE_USER} DOMAIN\\(.+)
--nate
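
An added example, not part of the thread and not Galaxy's own code: one way to strip the domain without touching the application source is a small WSGI wrapper that accepts only an allow-listed domain and rejects everything else, so that an account from another domain can never collapse onto the same bare username. It assumes the backend reads the user from the `HTTP_REMOTE_USER` WSGI key; `StripDomainMiddleware`, `normalize_remote_user` and `demo` are hypothetical names, and `DOMAIN` is the thread's placeholder.

```python
import re

ALLOWED_DOMAINS = {"DOMAIN"}   # placeholder domain name used in the thread
HEADER = "HTTP_REMOTE_USER"    # assumption: WSGI key the backend reads
# Whole-string match: domain, one or two backslashes (the thread writes
# DOMAIN\\username), then a conservative account-name character set.
_QUALIFIED = re.compile(r"([A-Za-z0-9.-]+)\\{1,2}([A-Za-z0-9._-]{1,64})")


def normalize_remote_user(value):
    """Return the bare username, or None if the value must be rejected."""
    m = _QUALIFIED.fullmatch(value or "")
    if m is None:
        return None            # unqualified, malformed or missing value
    domain, user = m.groups()
    if domain.upper() not in ALLOWED_DOMAINS:
        return None            # OTHER\alice must not become local "alice"
    return user.lower()        # Windows account names are case-insensitive


class StripDomainMiddleware:
    """Hypothetical WSGI wrapper placed in front of the application."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        user = normalize_remote_user(environ.get(HEADER))
        if user is None:
            body = b"Forbidden: unrecognised REMOTE_USER\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        environ[HEADER] = user  # the application now sees the bare username
        return self.app(environ, start_response)


def demo(raw):
    """Run one constructed request; return (status, user seen by the app)."""
    seen, status = {}, []

    def app(environ, start_response):
        seen["user"] = environ[HEADER]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]

    environ = {HEADER: raw}    # constructed sample request environment
    list(StripDomainMiddleware(app)(environ, lambda s, h: status.append(s)))
    return status[0], seen.get("user")
```
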
participants (3)
- Nate Coraor
- Paul Gordon
- Smithies, Russell