I'm writing because I've been trying for the past few days to configure
Galaxy to use Apache-based LDAP authentication, but have reached a point
where I'm basically stuck.  The system is a virtual machine running:

- CentOS 5.8
- Apache 2.2.3

I'm trying to configure a Galaxy instance at "localhost:8080", with Active
Directory authentication.

I started with the admin page documentation:


and also worked through the troubleshooting examples found at:

c) http://lists.bx.psu.edu/pipermail/galaxy-dev/2010-January/001676.html

Following the debugging steps suggested by URL (a), I'm able to verify that:

1) The authentication clause I have works, without rewrite rules and
without a proxy.
2) Without rewrite rules and a proxy, the Apache environment has the

Unfortunately, when I turn on the proxy (setting "use_remote_user" and
"remote_user_maildomain" in universe_wsgi.ini accordingly), I get the
following error message when I try accessing the "localhost:8080" URL:

"Access to Galaxy is denied

Galaxy is configured to authenticate users via an external method (such as
HTTP authentication in Apache), but a username was not provided by the
upstream (proxy) server. This is generally due to a misconfiguration in the
upstream server.

Please contact your local Galaxy administrator."

As suggested by URLs (a) and (c), I modified
./lib/galaxy/web/framework/middleware/remoteuser.py to print the
environment seen by that script.  None of the remote user information seems
to be making it to the script, either from AUTHENTICATE_SAMACCOUNTNAME or
REMOTE_USER, no matter which of the suggested combinations of
"RewriteCond", "RewriteRule", and "RequestHeader" options I tried.  In
addition, the troubleshooting suggestions to force a REMOTE_USER value to
be set via a directive like:

RequestHeader add REMOTE_USER [user name]

also failed to pass REMOTE_USER to the remoteuser.py script.

I've included below an extract from the Apache configuration file that I've
been trying.  Any advice or assistance that people might be able to provide
would be greatly appreciated, and please let me know if you'd need any
additional information from me.

Harris Shapiro
Genomic Health, Inc.

Extract from Apache configuration file:
Note: I've also tried a variant where I replaced REMOTE_USER with
AUTHENTICATE_SAMACCOUNTNAME in the various RewriteCond & RequestHeader
directives.  That variant produced the same error message.

<Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
</Proxy>

RewriteEngine on

<Location "/">
        AuthType Basic
        AuthName "Please log in with your Windows account"
        AuthBasicProvider ldap
        AuthLDAPURL [Verified LDAP connection information]
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN [Verified DN]
        AuthLDAPBindPassword [Verified password]
        Require valid-user
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
</Location>

RewriteRule ^/static/style/(.*)
RewriteRule ^/static/scripts/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /home/hshapiro/software/galaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /home/hshapiro/software/galaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /home/hshapiro/software/galaxy/galaxy-dist/static/robots.txt [L]
RewriteRule ^(.*) http://localhost:8080$1 [P]
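
An added example, not part of the original post and not Galaxy's own middleware: a minimal WSGI probe showing that a value sent with "RequestHeader set REMOTE_USER" reaches the backend as HTTP_REMOTE_USER, and that a request arriving at the backend without that header (for instance one that did not pass through Apache) is refused. The class and function names, the "probe.user" key, the user "jdoe" and the domain "example.org" are assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Keys worth logging when debugging proxy authentication.
AUTH_KEYS = ("REMOTE_USER", "HTTP_REMOTE_USER", "AUTHENTICATE_SAMACCOUNTNAME")


class RemoteUserProbe:
    """Hypothetical diagnostic middleware: records which identity keys arrived."""

    def __init__(self, app, header="HTTP_REMOTE_USER", maildomain=None):
        self.app = app
        self.header = header
        self.maildomain = maildomain  # plays the role of remote_user_maildomain
        self.seen = []

    def __call__(self, environ, start_response):
        self.seen.append({k: environ[k] for k in AUTH_KEYS if k in environ})
        user = environ.get(self.header, "")
        # mod_headers sends the literal "(null)" when the env var in %{RU}e is unset.
        if not user or user == "(null)":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"no username provided by upstream proxy"]
        if self.maildomain and "@" not in user:
            user = "%s@%s" % (user, self.maildomain)
        environ["probe.user"] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["probe.user"]).encode()]


def simulate(headers):
    """Run one constructed request through the probe; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in headers.items():
        # CGI/WSGI rule: request header X-Y becomes environ key HTTP_X_Y.
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = []
    app = RemoteUserProbe(demo_app, maildomain="example.org")
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body.decode()


if __name__ == "__main__":
    print(simulate({"REMOTE_USER": "jdoe"}))    # request that came via the proxy
    print(simulate({}))                         # request with no identity header
    print(simulate({"REMOTE_USER": "(null)"}))  # proxy ran, but RU was never set
```
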