Re: [galaxy-dev] NTLM auth not passing http_remote_user?

2012-07-17 Thread Assaf Gordon
Hello Russell,

Smithies, Russell wrote, On 07/17/2012 05:41 PM:
 It appears that NTLM isn't passing the HTTP_REMOTE_USER through for us.
 Anyone else struck this and found a solution?
 
 Our apache config looks like this:
 
 <Location />
   AuthName Galaxy
   NTLMAuth on
   NTLMAuthHelper /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
   NTLMBasicAuthoritative on
   AuthType NTLM
   require valid-user
 
   # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
   RewriteCond %{IS_SUBREQ} ^false$
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   RequestHeader set REMOTE_USER %{RU}e
 
 </Location>

snip

 HTTP_REMOTE_USER
 '(null)'


One voodoo solution that worked for me (not with NTLM, but exactly with the 
same '(null)' symptom)
is to take the entire RewriteCond part outside of the Location block.
Put it in the global configuration file, after the Location part, but before 
the proxy statement.

Also, the exact incantation that worked for me (after many many trials and 
errors) is:
===
RewriteRule . - [E=RU:%{LA-U:REMOTE_USER}]
RequestHeader set REMOTE_USER %{RU}e
===

It's voodoo (to me) because it probably has something to do with deep apache 
internals, relating to execution order of the authentication module vs the 
mod_rewrite parts (and the LA-U [Look-ahead] thing sure doesn't help to 
make it clearer...).

-gordon


___
Please keep all replies on the list by using reply all
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/


Re: [galaxy-dev] NTLM auth not passing http_remote_user?

2012-07-17 Thread Smithies, Russell
If I take the rewrite out of the location block then NTLM auth fails as the 
username is re-written and isn't a valid corporate username.
On the plus side, if I just set RequestHeader set REMOTE_USER smithiesr then 
I get logged in as I should.

--Russell


===
Attention: The information contained in this message and/or attachments
from AgResearch Limited is intended only for the persons or entities
to which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipients is prohibited by AgResearch
Limited. If you have received this message in error, please notify the
sender immediately.
===


Re: [galaxy-dev] NTLM auth not passing http_remote_user?

2012-07-17 Thread Smithies, Russell
Working now :- )
I blame lack of coffee - I hadn't set RewriteEngine on before I re-wrote the 
request header.
It appears it needs to be in the location section or your initial ntlm auth 
will fail.

<Location />
  AuthName Galaxy
  NTLMAuth on
  NTLMAuthHelper /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user

  # Take the $REMOTE_USER environment variable, trim the realm and set it as a header in the proxy request.
  RewriteEngine on
  RewriteCond %{IS_SUBREQ} ^false$
  RewriteCond %{LA-U:REMOTE_USER} .+\\(.+)
  RewriteRule . - [E=RU:%1]
  RequestHeader set REMOTE_USER %{RU}e

</Location>


--Russell
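
Added example, not part of the original messages and not Galaxy's own code: a backend-side check for the symptom in this thread. mod_headers expands %{RU}e to the literal string "(null)" when the RU variable was never set (as happens without RewriteEngine on), so the application behind the proxy should refuse that value rather than treat it as a login. The class name RequireRemoteUser, the CORP domain and the allowed character set are assumptions made for illustration.

```python
import re

# Assumption: the proxy forwards the login in the REMOTE_USER request header,
# which a WSGI server exposes to the application as HTTP_REMOTE_USER.
HEADER_KEY = "HTTP_REMOTE_USER"

# Same trimming as the RewriteCond pattern  .+\\(.+)  from the thread:
# an optional DOMAIN\ prefix, then the bare account name (charset assumed).
_LOGIN_RE = re.compile(r"^(?:.+\\)?([A-Za-z0-9._-]+)$")


def normalize_remote_user(value):
    """Return the bare login, or None if the header value is unusable."""
    if value is None:
        return None
    value = value.strip()
    # "(null)" is what mod_headers sends when the env variable is unset.
    if value in ("", "(null)"):
        return None
    match = _LOGIN_RE.match(value)
    return match.group(1) if match else None


class RequireRemoteUser:
    """Hypothetical WSGI wrapper: fail closed when no login was forwarded."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        login = normalize_remote_user(environ.get(HEADER_KEY))
        if login is None:
            body = b"Proxy did not forward an authenticated user.\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        environ[HEADER_KEY] = login  # hand the trimmed login to the app
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the proxied application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ[HEADER_KEY].encode()]
```

Wrapping the application this way turns a broken rewrite block into an immediate 403 instead of a session for a user named "(null)".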
