Re: [galaxy-user] Galaxy + Apache + External Authentication (long)

Thank you for your help - I finally got it working. Every user in the domain is automatically logged-in - it's beautiful. I should have done this a long time ago. Interestingly, the "REMOTE_USER" rule didn't work for me - I'm using mod_authzldap and for some unknown reason using the rewrite rules from galaxy's wiki causes HTTP_REMOTE_USER to always be "(null)" when used with the proxy rules (the HTTP_REMOTE_USER was fine when passed to php scripts without proxy). The apache configuration clause which works for me is: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <Location "/galaxy" > AuthName "Please login with your CSHL account" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN [LDAP-User-account] AuthLDAPBindPassword [LDAP-User-Password] Require valid-user # mod_authzldap creates 'AUTHENTICATE_XXXX' environment variables # for the arguments in the LDAP URL. # Convert the authenticated user name into a HTTP_REMOTE_USER. RequestHeader add REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e </Location> While trying to make sense of this mess (apache + mod_rewrite + mod_proxy + mod_authzldap + galaxy ), the following tricks helped: --1-- Trying mod_rewrite and apache-proxy without authentication: RewriteEngine on ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] At first I got "HTTP-500 Server Error". The /var/log/httpd/error_log file showed the following error: [error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (*) failed This is caused by SELinux (installed by default on CentOS) that blocks the apache process from initiating network connections. The following command fixed it: $ sudo /usr/sbin/setsebool httpd_can_network_connect 1 More info at http://www.techiegyan.com/?p=178 --2-- Checking the authentication clause without rewrite rules and without proxy. <Directory "/var/www/html/protected" > AuthName "Please login with your CSHL account" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN [LDAP-User-account] AuthLDAPBindPassword [LDAP-User-Password] Require valid-user </Directory> And inside "/var/www/html/protected", create a simple PHP script which shows the server variables: $ cat /var/www/html/protected/index.php <?php echo "<pre>\n"; print_r($_SERVER); echo "</pre>\n"; ?> When you browse to http://[server]/protected, and login with the right username and password, you get a list of all the server variables (That's how I discovered the 'AUTHENTICATE_SAMACCOUNTNAME'): Array ( [ ... many other variables not shown ... ] [SCRIPT_URL] => /protected/ [SCRIPT_URI] => http://XXXXXXX/protected [AUTHENTICATE_SAMACCOUNTNAME] => gordon [HTTP_HOST] => XXXXXX [PATH] => /sbin:/usr/sbin:/bin:/usr/bin [SERVER_ADMIN] => root@localhost [SCRIPT_FILENAME] => /var/www/html/protected/index.php [REMOTE_PORT] => 42695 [REMOTE_USER] => gordon [AUTH_TYPE] => Basic [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => [REQUEST_URI] => /protected/ [SCRIPT_NAME] => /protected/index.php [PHP_SELF] => /protected/index.php [PHP_AUTH_USER] => gordon [PHP_AUTH_PW] => XXXXXXXXXX [REQUEST_TIME] => 1235107649 ) Althought "REMOTE_USER" is listed as a valid server variable, I could not get it to work with the proxy, and had to look for another solution. --3-- Add the following lines in "./lib/galaxy/web/framework/middleware/remoteuser.py", line 71: for k,v in environ.items(): sys.stderr.write ( "%s:\t%s\n" % ( k, v ) ) With these, galaxy prints every environment variable it receives, and debugging gets much easier. You can quickly see if there is an HTTP_REMOTE_USER variable, and whether it contains valid data or the string "(null)". --4-- Add a fixed HTTP_REMOTE_USER value in the apache configuration. This tests the proxy connection between apache and galaxy: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <Location "/galaxy" > RequestHeader add REMOTE_USER gordon </Location> If everything is setup correctly, galaxy should automatically login with the user 'gordon'. Together with step 3, you can easily see if external authentication works or not. --5-- Try to get the authenticated user name from the authentication module to the HTTP_REMOTE_USER variable. The Galaxy wiki (http://g2.trac.bx.psu.edu/wiki/HowToInstall/ApacheProxy) recommends putting the following statements: RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e These didn't work for me. To debug it, I added the following statements: RewriteLog /tmp/rewrite.log RewriteLogLevel 9 And then "tail -f /var/rewrite.log". On my server, it always showed: ... RewriteCond: input='false' pattern='^false$' => matched RewriteCond: input='' pattern='(.+)' => not-matched ... Which means the first condition (IS_SUBREQ) matched, but the second condition (LA-U:REMOTE_USER) never matched - because REMOTE_USER environment variable was empty or null. As I've noted, the solution in my case was to use a different variable (AUTHENTICATE_SAMACCOUNTNAME). Maybe there's a way to get REMOTE_USER to work - but I don't know it. Regards, Gordon. Nate Coraor wrote, On 02/19/2009 12:33 PM: