IANAAG, but the following should be secure and effective as well (at least
it works for me), setting REMOTE_USER with an Apache authentication module
in conjunction with ProxyPass
RequestHeader set REMOTE_USER %{REMOTE_USER}s
RequestHeader edit REMOTE_USER ^.*\\\\(.+?) $1
Cheers,
Paul
On 12-07-18 9:08 AM, "Nate Coraor" <n...@bx.psu.edu> wrote:
>
>On Jul 16, 2012, at 6:42 PM, Smithies, Russell wrote:
>
>> I have a situation I¹m sure others have faced but I can¹t see how to
>>solve it without hacking the src and I¹d rather not do that just yet as
>>it complicates upgrades.
>>
>> We¹re using Apache with NTLM and ³require valid user² so it¹s a
>>corporate domain and only authorized users are allowed access.
>> If I set ³use_remote_user = True² on universe_wsgi.ini then users are
>>denied as Apache is passing the domain and username e.g. REMOTE_USER =
>>DOMAIN\\username
>> I can¹t use a rewrite rule to fix it from Apache because then it¹s an
>>invalid username and the user can¹t log into the web, and if it¹s
>>passing DOMAIN\\username to Galaxy it doesn¹t match up with the Galaxy
>>username so I get a 403 error.
>> Is there a hidden option to strip the domain from the login or am I
>>going to have to start hacking?
>
>Hi Russell,
>
>In the Apache configuration, you should be able to modify the regex here:
>
> RewriteCond %{LA-U:REMOTE_USER} (.+)
>
>To strip your domain, e.g.:
>
> RewriteCond %{LA-U:REMOTE_USER} DOMAIN\\(.+)
>
>--nate
>
>>
>> Thanx,
>>
>> Russell Smithies
>> Infrastructure Technician
>> Invermay Agricultural Centre
>> Puddle Alley, Private Bag 50034, Mosgiel 9053, New Zealand
>> T +64 3 489 3809 F +64 3 489 3739 www.agresearch.co.nz
>>
>>
>>
>>
>>
>>
>> Attention: The information contained in this message and/or attachments
>>from AgResearch Limited is intended only for the persons or entities to
>>which it is addressed and may contain confidential and/or privileged
>>material. Any review, retransmission, dissemination or other use of, or
>>taking of any action in reliance upon, this information by persons or
>>entities other than the intended recipients is prohibited by AgResearch
>>Limited. If you have received this message in error, please notify the
>>sender immediately.
>>
>>
>>
>>
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client. To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>>
>> http://lists.bx.psu.edu/
>
>
>___________________________________________________________
>Please keep all replies on the list by using "reply all"
>in your mail client. To manage your subscriptions to this
>and other Galaxy lists, please use the interface at:
>
> http://lists.bx.psu.edu/
>
>
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
http://lists.bx.psu.edu/
