Re: [galaxy-dev] LDAP authentification

Tue, 31 Jan 2012 08:46:36 -0800 

Hi,
Thanks to log messages from remoteuser.py in "./lib/galaxy/web/framework/middleware/remoteuser.py": 

           print('affichage des variables d acces')

           print ('self domain : %s'%self.maildomain)

           print ('path info : %s'%path_info)

           print ('admin user : %s' %self.admin_users)

           http_remote_user = environ.get('HTTP_REMOTE_USER','')

           print ('http remote user : %s'%http_remote_user)

           remote_user = environ.get('REMOTE_USER', '')

           print ('remote user :%s' %remote_user)



Galaxy prints every environment variable it receives, and I have seen  
that  HTTP_REMOTE_USER variable is "(null)".



Moreover, Galaxy is defined as a valid Proxy (reverse proxy ??) so 
galaxy.conf is :


<VirtualHost localhost:port>
       # Define Galaxy as a valid Proxy
      <Proxy localhost:port>
          Order deny,allow
          Allow from all
          RewriteEngine on

# Take the $REMOTE_USER environment variable and set it as a header in 
the proxy request.

          RewriteCond %{IS_SUBREQ} ^false$
          RewriteCond %{LA-U:REMOTE_USER} (.+)
          RewriteRule . - [E=RU:%1]

# Set the REMOTE_USER header to the contents of the LDAP query 
response's "uid" attribute                       
          RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e



          RewriteRule ^/galaxy$ /galaxy/ [R]

          RewriteRule ^/static/style/(.*) 
/usr/local/bioinfo/src/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
          RewriteRule ^/static/(.*) 
/usr/local/bioinfo/src/galaxy/galaxy-dist/static/$1 [L]
          RewriteRule ^/images/(.*) 
/usr/local/bioinfo/src/galaxy/galaxy-dist/static/images/$1 [L]
          RewriteRule ^/favicon.ico 
/usr/local/bioinfo/src/galaxy/galaxy-dist/static/favicon.ico [L]

          RewriteRule ^/favicon.ico /var/www/html/favicon.ico [L]

          RewriteRule ^/robots.txt 
/usr/local/bioinfo/src/galaxy/galaxy-dist/static/robots.txt [L]

          RewriteRule ^(.*) localhost:port$1 [P]

      </Proxy>


<Location "/....." >
               AuthType Basic
               AuthBasicProvider ldap
               AuthName "Galaxy"
               AuthLDAPURL "ldap://serveur ..."
               AuthzLDAPAuthoritative on

             
               Require valid-user

</Location>

</VirtualHost>

But, I didn't achieve, yet , to access REMOTE_USER value throught proxy.


In universe_wsgi.ini, 


*use_remote_user = True*


and 


*remote_user_maildomain = toulouse.inra.fr*



Thanks in advance,
Sarah


Nate Coraor a écrit :

On Jan 19, 2012, at 10:49 AM, Sarah Maman wrote:


  

Hi Brad, Hi Christopher,

Thanks a lot.
I'm talking to Open LDAP. I have changed

RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
to
RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e

But I always have the same message /(Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP 
authentication in Apache), but a username was not provided by the upstream 
(proxy) server. This is generally due to a misconfiguration in the upstream 
server. )/

    


Hi Sarah,

This configuration will need to be in your Apache config (the location of which 
varies depending on your OS and/or how Apache is installed) rather than an 
.htaccess file.

--nate


  

This is my .conf file :
 <Proxy http://localhost:8080>
          Order deny,allow
          Allow from all
      </Proxy>

      RewriteEngine on

      <Location "/">
              AuthType Basic
              AuthName Galaxy
              AuthBasicProvider ldap
              AuthLDAPURL 
"ldap://server/ou=People,ou=genopole,ou=toulouse,o=inra,c=fr?u
id?sub?(objectClass=person)"
              AuthzLDAPAuthoritative off
              Require valid-user
              # Take the $REMOTE_USER environment variable and set it as a 
header in the proxy request.
              #RewriteCond %{IS_SUBREQ} ^false$
              #RewriteCond %{LA-U:REMOTE_USER} (.+)
              #RewriteRule . - [E=RU:%1]
              #RequestHeader set REMOTE_USER %{RU}e
              RequestHeader set REMOTE_USER %{AUTHENTICATE_UID}e
      </Location>


Thanks in advance,
Sarah




Langhorst, Brad a écrit :

    

Hi Sarah:

I don't know what kind of LDAP you're talking to... I'm talking to Active
Directory and this configuration works in that situation.

Order allow,deny
               allow from all

               AuthType Basic
               AuthName "NEB Credentials"
               AuthBasicProvider ldap
               AuthzLDAPAuthoritative off
               AuthLDAPBindDN ccaloo...@neb.com
               AuthLDAPBindPassword <password>
               AuthLDAPURL
"ldap://<ldap.domain.com>:389/dc=domain,dc=com?sAMAccountName"
               require valid-user
                               RewriteCond %{IS_SUBREQ} ^false$
               RewriteCond %{LA-U:REMOTE_USER} (.+)
               RewriteRule . - [E=RU:%1]
               RequestHeader set REMOTE_USER
%{AUTHENTICATE_sAMAccountName}e



 
      

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

http://lists.bx.psu.edu/


    



  


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

 http://lists.bx.psu.edu/






















					Reply via email to