Re: [galaxy-dev] re-writing username for login or stripping domain from remote_user?

2012-07-18 Thread Nate Coraor 

On Jul 16, 2012, at 6:42 PM, Smithies, Russell wrote:

 I have a situation I’m sure others have faced but I can’t see how to solve it 
 without hacking the src and I’d rather not do that just yet as it complicates 
 upgrades.
  
 We’re using Apache with NTLM and “require valid user” so it’s a corporate 
 domain and only authorized users are allowed access.
 If I set “use_remote_user = True” on universe_wsgi.ini then users are denied 
 as Apache is passing the domain and username e.g. REMOTE_USER = 
 DOMAIN\\username
 I can’t use a rewrite rule to fix it from Apache because then it’s an invalid 
 username and the user can’t log into the web, and if it’s passing 
 DOMAIN\\username to Galaxy it doesn’t match up with the Galaxy username so I 
 get a 403 error.
 Is there a hidden option to strip the domain from the login or am I going to 
 have to start hacking?

Hi Russell,

In the Apache configuration, you should be able to modify the regex here:

RewriteCond %{LA-U:REMOTE_USER} (.+)

To strip your domain, e.g.:

RewriteCond %{LA-U:REMOTE_USER} DOMAIN\\(.+)

--nate

  
 Thanx,
  
 Russell Smithies
 Infrastructure Technician
 Invermay Agricultural Centre
 Puddle Alley, Private Bag 50034, Mosgiel 9053, New Zealand
 T  +64 3 489 3809  F  +64 3 489 3739  www.agresearch.co.nz
  
  
  
  
 
 
 Attention: The information contained in this message and/or attachments from 
 AgResearch Limited is intended only for the persons or entities to which it 
 is addressed and may contain confidential and/or privileged material. Any 
 review, retransmission, dissemination or other use of, or taking of any 
 action in reliance upon, this information by persons or entities other than 
 the intended recipients is prohibited by AgResearch Limited. If you have 
 received this message in error, please notify the sender immediately.
 
 
 
  
 ___
 Please keep all replies on the list by using reply all
 in your mail client.  To manage your subscriptions to this
 and other Galaxy lists, please use the interface at:
 
  http://lists.bx.psu.edu/


___
Please keep all replies on the list by using reply all
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/

Re: [galaxy-dev] re-writing username for login or stripping domain from remote_user?

2012-07-18 Thread Paul Gordon 
IANAAG, but the following should be secure and effective as well (at least
it works for me), setting REMOTE_USER with an Apache authentication module
in conjunction with ProxyPass

RequestHeader set REMOTE_USER %{REMOTE_USER}s
RequestHeader edit REMOTE_USER ^.*(.+?) $1



Cheers,

Paul

On 12-07-18 9:08 AM, Nate Coraor n...@bx.psu.edu wrote:


On Jul 16, 2012, at 6:42 PM, Smithies, Russell wrote:

 I have a situation I¹m sure others have faced but I can¹t see how to
solve it without hacking the src and I¹d rather not do that just yet as
it complicates upgrades.
  
 We¹re using Apache with NTLM and ³require valid user² so it¹s a
corporate domain and only authorized users are allowed access.
 If I set ³use_remote_user = True² on universe_wsgi.ini then users are
denied as Apache is passing the domain and username e.g. REMOTE_USER =
DOMAIN\\username
 I can¹t use a rewrite rule to fix it from Apache because then it¹s an
invalid username and the user can¹t log into the web, and if it¹s
passing DOMAIN\\username to Galaxy it doesn¹t match up with the Galaxy
username so I get a 403 error.
 Is there a hidden option to strip the domain from the login or am I
going to have to start hacking?

Hi Russell,

In the Apache configuration, you should be able to modify the regex here:

RewriteCond %{LA-U:REMOTE_USER} (.+)

To strip your domain, e.g.:

RewriteCond %{LA-U:REMOTE_USER} DOMAIN\\(.+)

--nate

  
 Thanx,
  
 Russell Smithies
 Infrastructure Technician
 Invermay Agricultural Centre
 Puddle Alley, Private Bag 50034, Mosgiel 9053, New Zealand
 T  +64 3 489 3809  F  +64 3 489 3739  www.agresearch.co.nz
  
  
  
  
 
 
 Attention: The information contained in this message and/or attachments
from AgResearch Limited is intended only for the persons or entities to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipients is prohibited by AgResearch
Limited. If you have received this message in error, please notify the
sender immediately.
 
 
 
  
 ___
 Please keep all replies on the list by using reply all
 in your mail client.  To manage your subscriptions to this
 and other Galaxy lists, please use the interface at:
 
  http://lists.bx.psu.edu/


___
Please keep all replies on the list by using reply all
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/





___
Please keep all replies on the list by using reply all
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/