Thank you for your help - I finally got it working. Every user in the domain is automatically logged-in - it's beautiful. I should have done this a long time ago.
Interestingly, the "REMOTE_USER" rule didn't work for me - I'm using mod_authzldap and for some unknown reason using the rewrite rules from galaxy's wiki causes HTTP_REMOTE_USER to always be "(null)" when used with the proxy rules (the HTTP_REMOTE_USER was fine when passed to php scripts without proxy).
The apache configuration clause which works for me is:
ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <Location "/galaxy" > AuthName "Please login with your CSHL account" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN [LDAP-User-account] AuthLDAPBindPassword [LDAP-User-Password] Require valid-user
# mod_authzldap creates 'AUTHENTICATE_XXXX' environment variables # for the arguments in the LDAP URL. # Convert the authenticated user name into a HTTP_REMOTE_USER. RequestHeader add REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e </Location>
While trying to make sense of this mess (apache + mod_rewrite + mod_proxy + mod_authzldap + galaxy ), the following tricks helped:
--1-- Trying mod_rewrite and apache-proxy without authentication: RewriteEngine on ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P]
At first I got "HTTP-500 Server Error". The /var/log/httpd/error_log file showed the following error:
[error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (*) failed
This is caused by SELinux (installed by default on CentOS) that blocks the apache process from initiating network connections. The following command fixed it:
$ sudo /usr/sbin/setsebool httpd_can_network_connect 1
More info at http://www.techiegyan.com/?p=178
--2-- Checking the authentication clause without rewrite rules and without proxy.
<Directory "/var/www/html/protected" > AuthName "Please login with your CSHL account" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN [LDAP-User-account] AuthLDAPBindPassword [LDAP-User-Password] Require valid-user </Directory>
And inside "/var/www/html/protected", create a simple PHP script which shows the server variables: $ cat /var/www/html/protected/index.php <?php echo "<pre>\n"; print_r($_SERVER); echo "</pre>\n"; ?>
When you browse to http://%5Bserver%5D/protected, and login with the right username and password, you get a list of all the server variables (That's how I discovered the 'AUTHENTICATE_SAMACCOUNTNAME'):
Array ( [ ... many other variables not shown ... ] [SCRIPT_URL] => /protected/ [SCRIPT_URI] => http://XXXXXXX/protected [AUTHENTICATE_SAMACCOUNTNAME] => gordon [HTTP_HOST] => XXXXXX [PATH] => /sbin:/usr/sbin:/bin:/usr/bin [SERVER_ADMIN] => root@localhost [SCRIPT_FILENAME] => /var/www/html/protected/index.php [REMOTE_PORT] => 42695 [REMOTE_USER] => gordon [AUTH_TYPE] => Basic [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => [REQUEST_URI] => /protected/ [SCRIPT_NAME] => /protected/index.php [PHP_SELF] => /protected/index.php [PHP_AUTH_USER] => gordon [PHP_AUTH_PW] => XXXXXXXXXX [REQUEST_TIME] => 1235107649 )
Althought "REMOTE_USER" is listed as a valid server variable, I could not get it to work with the proxy, and had to look for another solution.
--3-- Add the following lines in "./lib/galaxy/web/framework/middleware/remoteuser.py", line 71: for k,v in environ.items(): sys.stderr.write ( "%s:\t%s\n" % ( k, v ) )
With these, galaxy prints every environment variable it receives, and debugging gets much easier. You can quickly see if there is an HTTP_REMOTE_USER variable, and whether it contains valid data or the string "(null)".
--4-- Add a fixed HTTP_REMOTE_USER value in the apache configuration. This tests the proxy connection between apache and galaxy:
ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <Location "/galaxy" > RequestHeader add REMOTE_USER gordon </Location>
If everything is setup correctly, galaxy should automatically login with the user 'gordon'. Together with step 3, you can easily see if external authentication works or not.
--5--
Try to get the authenticated user name from the authentication module to the HTTP_REMOTE_USER variable.
The Galaxy wiki (http://g2.trac.bx.psu.edu/wiki/HowToInstall/ApacheProxy) recommends putting the following statements: RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e
These didn't work for me. To debug it, I added the following statements: RewriteLog /tmp/rewrite.log RewriteLogLevel 9
And then "tail -f /var/rewrite.log". On my server, it always showed: ... RewriteCond: input='false' pattern='^false$' => matched RewriteCond: input='' pattern='(.+)' => not-matched ...
Which means the first condition (IS_SUBREQ) matched, but the second condition (LA-U:REMOTE_USER) never matched - because REMOTE_USER environment variable was empty or null.
As I've noted, the solution in my case was to use a different variable (AUTHENTICATE_SAMACCOUNTNAME). Maybe there's a way to get REMOTE_USER to work - but I don't know it.
Regards, Gordon.
Nate Coraor wrote, On 02/19/2009 12:33 PM:
Assaf Gordon wrote:
I'm trying to setup galaxy to run with apache and external authentication - and I can't get this to work. (This is a not a galaxy question per se, more of an apache question, but hopefully you can still help me).
Gordon,
The RewriteRules should work with a Location directive, but outside of it:
ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <Location /galaxy> AuthType Basic AuthName "Restricted Files" AuthUserFile /home/gordon/httpd_passwords Require user gordon
</Location>
I imagine the Alias directive would cause problems with the RewriteRules.
--nate