I think I am nearly there with the auth_ldap, but when I attempt to
access the site I get the following message:

"Access to Galaxy is denied

Galaxy is configured to authenticate users via an external method (such as
HTTP authentication in Apache), but a username was not provided by the
upstream (proxy) server.  This is generally due to a misconfiguration in
the upstream server.

Please contact your local Galaxy administrator."

        I am using a service account in the configuration and wonder if this
could be a permissions issue.

Thanks,
Iry


On 9/18/13 10:10 AM, "Maddhi, Srinivas" <srinivas-mad...@uiowa.edu> wrote:

>Another galaxy + nginx + LDAP user here.
>
>
>Iry,
>
>I have it working as well with help from Galaxy Wiki docs and mailing list
>archives. The configure options that were used to compile nginx:
>"--add-module=../nginx-auth-ldap.20130823
>--add-module=../nginx-upload-module-2.2 --with-pcre=../pcre-8.33
>--with-http_ssl_module --conf-path=/usr/local/etc/nginx/nginx.conf
>--pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log
>--http-log-path=/var/log/nginx/access.log --user=galaxy-qa
>--group=galaxy-qa --with-debug"
>
>I also supplied the "proxy_set_header X-URL-SCHEME https;" directive in
>the "/" and "/api" location blocks.
>
>Good luck!
>
>
>John,
>
>Thanks for the detailed response to Iry's question, and docs for this
>setup.
>
>Related question: Are you aware of a mechanism that would transmit LDAP
>attributes, say "mail" for example, to downstream apps ?  I have that
>question in to the author of that module and haven't heard back.
>
>The need for that: in my use case, the email address associated with
>remote_user is not "remote_u...@example.com" but rather
>"first_name-last_n...@example.com".  As such, I am stuck, less than
>ideally, with requiring users to use "first_name-last_n...@example.com" as
>their username instead of just "short_name". Our previous solution to this
>was to hack galaxy-dist/lib/galaxy/web/framework/__init__.py which I would
>like to avoid for ease of maintainability purposes.
>
>Thank you.
>
>
>-----Original Message-----
>From: John Chilton <chil...@msi.umn.edu>
>Date: Wednesday, September 18, 2013 7:49 AM
>To: Iry Witham <iry.wit...@jax.org>
>Cc: "galaxy-dev@lists.bx.psu.edu" <galaxy-dev@lists.bx.psu.edu>
>Subject: Re: [galaxy-dev] configuring auth_ldap for galaxy
>
>>You have to compile nginx with the auth-ldap module. Have you done
>>this? I am doing using CloudBioLinux and here is how it is being done
>>in that context, but it would probably be easier just doing it by
>>hand:
>>
>>https://github.com/chapmanb/cloudbiolinux/blob/master/cloudbio/galaxy/__i
>>n
>>it__.py
>>
>>I have posted my information on configuring CloudMan's nginx for LDAP
>>auth, but you can ignore the CloudMan stuff:
>>
>>https://production-galaxy-instances-with-cloudman-and-cloudbiolinux.readt
>>h
>>edocs.org/en/latest/#configuring-nginx-conf
>>
>>http {
>>
>>    auth_ldap_url
>>ldap://ldap.example.com/dc=example,dc=com?uid?sub?(objectClass=person);
>>    #auth_ldap_binddn cn=nginx,ou=service,dc=example,dc=com;
>>    #auth_ldap_binddn_passwd mYsUperPas55W0Rd
>>    #auth_ldap_group_attribute uniquemember; # default 'member'
>>    #auth_ldap_group_attribute_is_dn on; # default on
>>
>>    ...
>>
>>}
>>
>>location / {
>>    auth_ldap_require valid_user;
>>    auth_ldap "LDAP Auth Source Description";
>>    proxy_set_header REMOTE_USER $remote_user;
>>
>>
>>    proxy_pass  http://galaxy_app;
>>    proxy_set_header   X-Forwarded-Host $host;
>>    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>>    proxy_set_header   X-URL-SCHEME https;
>>
>>  ...
>>}
>>
>># For API access, set REMOTE_USER if available so Galaxy
>># session based requests are let through, if REMOTE_USER is not
>># available pass the request through and let Galaxy determine
>># if a key is present and valid.
>>location  /api {
>>    proxy_set_header REMOTE_USER $remote_user;
>>    proxy_pass  http://galaxy_app;
>>    proxy_set_header   X-Forwarded-Host $host;
>>    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>>}
>>
>>-John
>>
>>On Wed, Sep 18, 2013 at 7:37 AM, Iry Witham <iry.wit...@jax.org> wrote:
>>> Hi Team,
>>>
>>> Has anyone had any experience with setting up auth_ldap for nginx?  I
>>>am
>>> attempting to make this work, but nginx fails to start with the
>>>following
>>> message:
>>>
>>> Starting nginx nginx: [emerg] unknown directive "auth_ldap_url" in
>>> /usr/local/nginx/conf/nginx.conf:48
>>> startproc:  exit status of parent of /usr/local/nginx/sbin/nginx: 1
>>>
>>> failed
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks,
>>>
>>> Iry Witham
>>>
>>> The information in this email, including attachments, may be
>>>confidential
>>> and is intended solely for the addressee(s). If you believe you
>>>received
>>> this email by mistake, please notify the sender by return email as soon
>>>as
>>> possible.
>>>
>>>
>>> ___________________________________________________________
>>> Please keep all replies on the list by using "reply all"
>>> in your mail client.  To manage your subscriptions to this
>>> and other Galaxy lists, please use the interface at:
>>>   http://lists.bx.psu.edu/
>>>
>>> To search Galaxy mailing lists use the unified search at:
>>>   http://galaxyproject.org/search/mailinglists/
>>___________________________________________________________
>>Please keep all replies on the list by using "reply all"
>>in your mail client.  To manage your subscriptions to this
>>and other Galaxy lists, please use the interface at:
>>  http://lists.bx.psu.edu/
>>
>>To search Galaxy mailing lists use the unified search at:
>>  http://galaxyproject.org/search/mailinglists/
>


The information in this email, including attachments, may be confidential and 
is intended solely for the addressee(s). If you believe you received this email 
by mistake, please notify the sender by return email as soon as possible.

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Reply via email to