On Nov 19, 2012, at 12:49 PM, Harris Shapiro wrote:

> Hello,
> 
> I'm writing because I've been trying for the past few days to configure 
> Galaxy to use Apache-based LDAP authentication, but have reached a point 
> where I'm basically stuck.  The system in a virtual machine running:
> 
> - CentOS 5.8
> - Apache 2.2.3
> 
> I'm trying to configure a Galaxy instance at "localhost:8080", with Active 
> Directory authentication.
> 
> I started with the admin page documentation:
> 
> http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy
> 
> and also worked through the troubleshooting examples found at:
> 
> a) 
> http://user.list.galaxyproject.org/Galaxy-Apache-External-Authentication-tt4131493.html#a4131495
> b) http://gmod.827538.n3.nabble.com/galaxy-dev-ldap-integration-td839409.html
> c) http://lists.bx.psu.edu/pipermail/galaxy-dev/2010-January/001676.html
> 
> Following the debugging steps suggested by URL (a), I'm able to verify that:
> 
> 1) The authentication clause I have works, without rewrite rules and without 
> a proxy.
> 2) Without rewrite rules and a proxy, the Apache environment has the 
> AUTHENTICATE_SAMACCOUNTNAME and REMOTE_USER environment variables set.
> 
> Unfortunately, when I turn on the proxy (setting "use_remote_user" and 
> "remote_user_maildomain" in universe_wsgi.ini accordingly), I get the 
> following error message when I try accessing the "localhost:8080" URL, the 
> following error message appears:
> 
> "Access to Galaxy is denied
> 
> Galaxy is configured to authenticate users via an external method (such as 
> HTTP authentication in Apache), but a username was not provided by the 
> upstream (proxy) server. This is generally due to a misconfiguration in the 
> upstream server.
> 
> Please contact your local Galaxy administrator."
> 
> As suggested by URLs (a) and (c), I modified 
> ./lib/galaxy/web/framework/middleware/remoteuser.py to print the environment 
> seen by that script.  None of the remote user information seems to be making 
> to the script, either from AUTHENTICATE_SAMACCOUNTNAME or REMOTE_USER, no 
> matter which of the suggested combinations of "RewriteCond", "RewriteRule", 
> and "RequestHeader" options I tried.  In addition, the troubleshooting 
> suggestions to force a REMOTE_USER value to be set via a directive like:
> 
> RequestHeader add REMOTE_USER [user name]
> 
> also failed to pass REMOTE_USER to the remoteuser.py script.
> 
> I've included below an extract from the Apache configuration file that I've 
> been trying.  Any advice or assistance that people might be able to provide 
> would be greatly appreciated, and please let me know if you'd need any 
> additional information from me.

Hi Harris,

Have you tried upping the logging level for mod_rewrite as suggested by Assaf 
in (a)?  This should tell you exactly what is and is not being matched as 
Apache processes requests through those directives.

--nate

> 
> Sincerely,
> Harris Shapiro
> Genomic Health, Inc.
> 
> 
> 
> 
> Extract from Apache configuration file:
> Note: I've also tried a variant where I replaced REMOTE_USER with 
> AUTHENTICATE_SAMACCOUNTNAME in the various RewriteCond & RequestHeader 
> directives.  That variant produced the same error message.
> 
> <Proxy http://localhost:8080>
>         Order deny,allow
>         Allow from all
> </Proxy>
> 
> RewriteEngine on
> 
> <Location "/">
>         AuthType Basic
>         AuthName "Please log in with your Windows account"
>         AuthBasicProvider ldap
>         AuthLDAPURL [Verified LDAP connection information]
>         AuthzLDAPAuthoritative off
>         AuthLDAPBindDN [Verified DN]
>         AuthLDAPBindPassword [Verified password]
>         Require valid-user
>        RewriteCond %{IS_SUBREQ} ^false$
>        RewriteCond %{LA-U:REMOTE_USER} (.+)
>        RewriteRule . - [E=RU:%1]
>        RequestHeader set REMOTE_USER %{RU}e
> </Location>
> 
> 
> RewriteRule ^/static/style/(.*) 
> /home/hshapiro/software/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
> RewriteRule ^/static/scripts/(.*) 
> /home/hshapiro/software/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
> RewriteRule ^/static/(.*) 
> /home/hshapiro/software/galaxy/galaxy-dist/static/$1 [L]
> RewriteRule ^/favicon.ico 
> /home/hshapiro/software/galaxy/galaxy-dist/static/favicon.ico [L]
> RewriteRule ^/robots.txt 
> /home/hshapiro/software/galaxy/galaxy-dist/static/robots.txt [L]
> RewriteRule ^(.*) http://localhost:8080$1 [P]
> 
> 
> 
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
> 
>  http://lists.bx.psu.edu/


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/

Reply via email to