Thank you for your help - I finally got it working.
Every user in the domain is automatically logged-in - it's beautiful.
I should have done this a long time ago.
Interestingly, the "REMOTE_USER" rule didn't work for me -
I'm using mod_authzldap and for some unknown reason using the rewrite
rules from galaxy's wiki causes HTTP_REMOTE_USER to always be "(null)"
when used with the proxy rules (the HTTP_REMOTE_USER was fine when
passed to php scripts without proxy).
The apache configuration clause which works for me is:
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P]

<Location "/galaxy">
    AuthName "Please login with your CSHL account"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN [LDAP-User-account]
    AuthLDAPBindPassword [LDAP-User-Password]
    Require valid-user

    # mod_authzldap creates 'AUTHENTICATE_XXXX' environment variables
    # for the arguments in the LDAP URL.
    # Convert the authenticated user name into an HTTP_REMOTE_USER.
    RequestHeader add REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e
</Location>
While trying to make sense of this mess (apache + mod_rewrite +
mod_proxy + mod_authzldap + galaxy ), the following tricks helped:
--1--
Trying mod_rewrite and apache-proxy without authentication:
RewriteEngine on
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P]
At first I got "HTTP-500 Server Error". The /var/log/httpd/error_log
file showed the following error:
[error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (*) failed
This is caused by SELinux (installed by default on CentOS) that blocks
the apache process from initiating network connections.
The following command fixed it:
$ sudo /usr/sbin/setsebool httpd_can_network_connect 1
More info at
http://www.techiegyan.com/?p=178
--2--
Checking the authentication clause without rewrite rules and without proxy.
<Directory "/var/www/html/protected">
    AuthName "Please login with your CSHL account"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN [LDAP-User-account]
    AuthLDAPBindPassword [LDAP-User-Password]
    Require valid-user
</Directory>
And inside "/var/www/html/protected", create a simple PHP script which
shows the server variables:
$ cat /var/www/html/protected/index.php
<?php
echo "<pre>\n";
print_r($_SERVER);
echo "</pre>\n";
?>
When you browse to
http://[server]/protected, and login with the right
username and password, you get a list of all the server variables
(That's how I discovered the 'AUTHENTICATE_SAMACCOUNTNAME'):
Array
(
[ ... many other variables not shown ... ]
[SCRIPT_URL] => /protected/
[SCRIPT_URI] => http://XXXXXXX/protected
[AUTHENTICATE_SAMACCOUNTNAME] => gordon
[HTTP_HOST] => XXXXXX
[PATH] => /sbin:/usr/sbin:/bin:/usr/bin
[SERVER_ADMIN] => root@localhost
[SCRIPT_FILENAME] => /var/www/html/protected/index.php
[REMOTE_PORT] => 42695
[REMOTE_USER] => gordon
[AUTH_TYPE] => Basic
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /protected/
[SCRIPT_NAME] => /protected/index.php
[PHP_SELF] => /protected/index.php
[PHP_AUTH_USER] => gordon
[PHP_AUTH_PW] => XXXXXXXXXX
[REQUEST_TIME] => 1235107649
)
Although "REMOTE_USER" is listed as a valid server variable, I could
not get it to work with the proxy, and had to look for another solution.
--3--
Add the following lines to
"./lib/galaxy/web/framework/middleware/remoteuser.py" at line 71
(they need 'import sys' near the top of the file, if it is not already there):
for k, v in environ.items():
    sys.stderr.write("%s:\t%s\n" % (k, v))
With these, galaxy prints every environment variable it receives, and
debugging gets much easier.
You can quickly see if there is an HTTP_REMOTE_USER variable, and
whether it contains valid data or the string "(null)".
--4--
Add a fixed HTTP_REMOTE_USER value in the apache configuration.
This tests the proxy connection between apache and galaxy:
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P]

<Location "/galaxy">
    RequestHeader add REMOTE_USER gordon
</Location>
If everything is set up correctly, galaxy should automatically log in
the user 'gordon'. Together with step 3, you can easily see if external
authentication works or not.
--5--
Try to get the authenticated user name from the authentication module to
the HTTP_REMOTE_USER variable.
The Galaxy wiki (http://g2.trac.bx.psu.edu/wiki/HowToInstall/ApacheProxy)
recommends putting the following statements:
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
These didn't work for me. To debug it, I added the following statements:
RewriteLog /tmp/rewrite.log
RewriteLogLevel 9
And then "tail -f /var/rewrite.log". On my server, it always showed:
...
RewriteCond: input='false' pattern='^false$' => matched
RewriteCond: input='' pattern='(.+)' => not-matched
...
Which means the first condition (IS_SUBREQ) matched, but the second
condition (LA-U:REMOTE_USER) never matched - because REMOTE_USER
environment variable was empty or null.
As I've noted, the solution in my case was to use a different variable
(AUTHENTICATE_SAMACCOUNTNAME). Maybe there's a way to get REMOTE_USER to
work - but I don't know it.
Regards,
Gordon.
Nate Coraor wrote, On 02/19/2009 12:33 PM:
Assaf Gordon wrote:
> I'm trying to setup galaxy to run with apache and external
> authentication - and I can't get this to work.
> (This is a not a galaxy question per se, more of an apache question,
> but hopefully you can still help me).
Gordon,
The RewriteRules should work with a Location directive, but outside of it:
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P]

<Location /galaxy>
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /home/gordon/httpd_passwords
    Require user gordon
</Location>
I imagine the Alias directive would cause problems with the RewriteRules.
--nate
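An added example (editor's code, not Galaxy's remoteuser.py and not from either message above) showing the backend side of the pattern Gordon's steps 3 and 4 and his final configuration rely on: a WSGI middleware that trusts a REMOTE_USER header injected by the proxy, dumps the environ to stderr for debugging, and refuses the request when the header is absent, empty, the "(null)" string seen in step 3, multi-valued, or arriving from an address other than the proxy. The loopback-only trust list, the allowed character set for an sAMAccountName, the 403 body and the helper names are assumptions; the "attacker,gordon" sample models the comma-joined value a wsgiref-style server produces when two REMOTE_USER headers reach it, which is what 'RequestHeader add' permits if the client also sends one.

```python
import sys

# Assumption: Apache and the application share a host, so only loopback
# may assert a REMOTE_USER. A backend reachable directly on :8080 from
# elsewhere would accept any REMOTE_USER header a client chooses to send.
TRUSTED_PROXY_ADDRS = ("127.0.0.1", "::1")


def remote_user_from_environ(environ, trusted_proxies=TRUSTED_PROXY_ADDRS):
    """Return the authenticated user name, or None if the request is untrusted.

    None means: not from the proxy host; header missing, blank or "(null)";
    more than one value joined with a comma (two REMOTE_USER headers, which
    'RequestHeader add' lets through); or characters outside the assumed
    sAMAccountName alphabet (letters, digits, '.', '_', '-').
    """
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return None
    value = environ.get("HTTP_REMOTE_USER", "").strip()
    if not value or value == "(null)":
        return None
    if "," in value:
        return None
    if not all(c.isalnum() or c in "._-" for c in value):
        return None
    return value


def dump_environ(environ, stream=sys.stderr):
    """Step 3 from the thread: print every variable the application received."""
    for k in sorted(environ):
        stream.write("%s:\t%s\n" % (k, environ[k]))


class RemoteUserMiddleware(object):
    """Hypothetical middleware: sets environ['REMOTE_USER'] only from a trusted header."""

    def __init__(self, app, debug=False):
        self.app = app
        self.debug = debug

    def __call__(self, environ, start_response):
        if self.debug:
            dump_environ(environ)
        user = remote_user_from_environ(environ)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Access denied: no trusted REMOTE_USER\n"]
        environ["REMOTE_USER"] = user  # downstream code consults this, not the raw header
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the proxied application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Logged in as %s\n" % environ["REMOTE_USER"]).encode()]


def run_request(app, environ):
    """Invoke a WSGI app on a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def make_environ(remote_user=None, remote_addr="127.0.0.1"):
    """Constructed sample environ with the variables step 2 showed to matter."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if remote_user is not None:
        env["HTTP_REMOTE_USER"] = remote_user
    return env


if __name__ == "__main__":
    app = RemoteUserMiddleware(hello_app, debug=True)
    for env in (make_environ("gordon"),           # proxy set the header: 200
                make_environ("(null)"),           # what step 3 showed going wrong: 403
                make_environ("attacker,gordon"),  # two headers merged by the server: 403
                make_environ("gordon", "10.0.0.5")):  # bypassed the proxy: 403
        print(run_request(app, env))
```

On the Apache side the same concern is why the docs steer away from 'RequestHeader add' for a header the backend treats as authoritative: 'add' appends even when the client already supplied REMOTE_USER, whereas 'RequestHeader unset REMOTE_USER' followed by 'RequestHeader set REMOTE_USER ...' guarantees the backend sees only the value Apache derived from the LDAP login.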