On Feb 13, 2012, at 7:38 AM, Sarah Maman wrote:

> Hello,
> 
> I managed to connect Galaxy to LDAP ;-)
> Three points were blocking for me:
> * Being root of my virtual machine can carry out tests
> * I confused login / password of two LDAP, so I thought that my 
> authentication method was not good while I was using the wrong password ...
> * It is better not to go through a proxy

Hi Sarah,

Thanks very much for reporting back with your findings.  This should be very 
helpful for people who stumble on to similar problems in the future.

> 
> 1 - Set configuration file of Galaxy: universe_wsgi.ini to delegate user 
> authentication to an upstream proxy Apache:
> Users and Security
> use_remote_user = True
> remote_user_maildomain = toulouse.inra.fr
> 
> 2 - Create a file of type "htaccess" named galaxy.conf (in /etc/httpd/conf.d/):
> For reasons of performance and safety, it is advisable not to use a .htaccess 
> file but a galaxy.conf file in the main server configuration (Apache), because 
> the latter will be loaded once when the server starts. With an .htaccess file, 
> this file will be loaded at each access.
> 
> RewriteEngine on
> <Location "/galaxy">
> # Define the authentication method
> AuthType Basic
> AuthName "Galaxy"
> AuthBasicProvider ldap
> AuthLDAPURL "ldap://server URL:389/..."
> AuthzLDAPAuthoritative off
> Require valid-user
> RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
> </Location>
> RewriteRule ^/$ galaxy/galaxy/ [R]
> RewriteRule ^/galaxy/static/style/(.*) /var/www/html/galaxy/static/june_2007_style/blue/$1 [L]
> RewriteRule ^/galaxy/static/scripts/(.*) /var/www/html/galaxy/static/scripts/packed/$1 [L]
> RewriteRule ^/galaxy/static/(.*) /var/www/html/galaxy/static/$1 [L]
> RewriteRule ^/galaxy/favicon.ico /var/www/html/galaxy/static/favicon.ico [L]
> RewriteRule ^/galaxy/robots.txt /var/www/html/galaxy/static/robots.txt [L]
> RewriteRule ^/galaxy(.*) http://ip:port$1 [P]
> 
> 
> 
> As Galaxy is not installed in the root directory but in a galaxy directory 
> (/var/www/html/galaxy/), the following changes are needed:

This is probably not a good idea.  From the documentation:

   Please note that Galaxy should never be located on disk inside Apache's 
DocumentRoot. By default, this would expose all of Galaxy (including datasets) 
to anyone on the web.

Galaxy is a proxied application and as such, only the static content like 
javascript and images are served directly by Apache (and this is set up with 
the RewriteRules), everything else is passed through to the Galaxy application 
via a proxied http connection.  Right now I could presumably use the URL 
http://server/galaxy/galaxy-dist/database/files/000/dataset_1.dat to view a 
dataset directly.

> 1 - Add a RewriteRule
> 
> 2 - Do not go through a proxy

Can you clarify this?  I'm a bit confused, since if you are connecting to 
Apache to access Galaxy, you are going through a proxy.

> 3 - REMOTE_USER variable is AUTHENTICATE_uid (AUTHENTICATE_sAMAccountName 
> for Windows AD)

I've added this to the wiki page, thanks!

--nate

> 
> 4 - To generate dynamic URLs, it is necessary to configure the prefix in 
> universe_wsgi.ini:
> [filter:proxy-prefix]
> use = egg:PasteDeploy#prefix
> prefix = /galaxy
> [app:main]
> filter-with = proxy-prefix
> cookie_path = /galaxy
> 
> If you are not root on the virtual machine, create a symlink from 
> /etc/httpd/conf.d/ to galaxy.conf
> 
> 
> 3 - Some useful checks
> 
> Verify Apache version and Apache modules because each directive must have an 
> associated module:
> 
> Directive → Related module (which mod_ldap)
> AuthType → mod_auth_basic.so
> AuthBasicProvider → mod_authnz_ldap and mod_authz_ldap
> Rewrite (for proxy) → mod_rewrite.so
> RequestHeader → mod_headers
> 
> 
> Check that the galaxy is installed on ldap using this command: 
> ldapsearch -x -h LDAP URL:port -b "dc"
> 
> When you make a modification in galaxy.conf, restart Apache (or graceful).
> 
> In httpd.conf, so that access management is authorized by the file:
> #
> # AccessFileName: The name of the file to look for in each directory
> # for additional configuration directives.  See also the AllowOverride
> # directive.
> #
> AccessFileName .htaccess
> 
> Check: chmod 777 galaxy.conf
> 
> 
> 4 - Finally, restart run.sh (sh run.sh &)
> 
> 
> Thanks A LOT for your help,
> Sarah
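
Added example (not part of the original thread and not Galaxy's own code): a Python check for the exposure described in the reply above, mapping a file on disk to the URL path Apache would serve it under when it sits inside a DocumentRoot. The sample config, the DocumentRoot value /var/www/html and the /home/galaxy path are assumptions constructed for illustration; the dataset path is derived from the URL quoted in the reply.

```python
import posixpath
import re

# Constructed sample config. The DocumentRoot values are assumptions,
# not taken from the thread.
SAMPLE_CONF = '''
ServerName server
# DocumentRoot /ignored/commented/out
DocumentRoot "/var/www/html"
<VirtualHost *:8443>
    DocumentRoot /srv/other-site
</VirtualHost>
'''

# Matches an active (uncommented) DocumentRoot directive, quoted or not.
DOCROOT_RE = re.compile(
    r'^[ \t]*DocumentRoot[ \t]+"?([^"\n]+?)"?[ \t]*$', re.I | re.M)

def document_roots(conf_text):
    """Return every absolute DocumentRoot in the config text, normalized."""
    roots = [posixpath.normpath(p) for p in DOCROOT_RE.findall(conf_text)]
    return [r for r in roots if posixpath.isabs(r)]

def web_path(conf_text, fs_path):
    """URL path under which Apache would serve fs_path straight from disk,
    or None if fs_path lies outside every DocumentRoot.
    Paths are compared lexically; on a real host resolve symlinks first
    (os.path.realpath) so a symlinked install is not missed."""
    target = posixpath.normpath(fs_path)
    for root in document_roots(conf_text):
        # commonpath compares whole components, so /var/www/html-old
        # is not mistaken for a child of /var/www/html.
        if posixpath.commonpath([root, target]) == root:
            rel = posixpath.relpath(target, root)
            return "/" if rel == "." else "/" + rel
    return None

if __name__ == "__main__":
    for path in (
        "/var/www/html/galaxy/galaxy-dist/database/files/000/dataset_1.dat",
        "/home/galaxy/galaxy-dist/database/files/000/dataset_1.dat",  # hypothetical
    ):
        url = web_path(SAMPLE_CONF, path)
        print(path, "->", url if url else "not served from DocumentRoot")
```
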

