[galaxy-dev] ldap integration


[galaxy-dev] ldap integration

Davide Cittaro
Hi all, 
AFAIK one can put galaxy behind an http proxy and let this manage the authentication, binding to LDAP.
This morning I've been looking at the universe_wsgi.ini file and I've seen this:

# Use user provided in an upstream server's $REMOTE_USER variable
#use_remote_user = False

# If use_remote_user is enabled and your external authentication
# method just returns bare usernames, set a default mail domain
#remote_user_maildomain = example.org

I suppose I should set use_remote_user = True to enable proxied authentication... nevertheless the email passed to galaxy looks like a $REMOTE_USER + REMOVE_USER_MAILDOMAIN set in the universe_wsgi.ini... does that mean that I will not be able to authenticate, as my ldap username is dcittaro and my email is [hidden email]?

thanks

d
/*
Davide Cittaro

Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy

tel.: +39(02)574303007
*/




_______________________________________________
galaxy-dev mailing list
[hidden email]
http://lists.bx.psu.edu/listinfo/galaxy-dev

Re: [galaxy-dev] ldap integration

Ry4an Brase-3
On Mon, May 24, 2010 at 12:42:43PM +0200, Davide Cittaro wrote:

> AFAIK one can put galaxy behind a http proxy and let this to manage
> the authentication binding do LDAP.  This morning I've been looking at
> the universe_wsgi.ini file and I've seen this:
>
> # Use user provided in an upstream server's $REMOTE_USER variable
> #use_remote_user = False
>
> # If use_remote_user is enabled and your external authentication
> # method just returns bare usernames, set a default mail domain
> #remote_user_maildomain = example.org
>
> I suppose I should set use_remote_user = True to enable proxied
> authentication... nevertheless the email passed to galaxy looks like a
> $REMOTE_USER + REMOVE_USER_MAILDOMAIN set in the unverse_wsgi.ini...
> does that mean that I will not able to authenticate as my ldap
> username is dcittaro and my email is
> [hidden email]?

When you say "nevertheless the email passed to galaxy looks like a
REMOTE_USER + REMOVE_USER_MAILDOMAIN" where are you seeing that?  and
was REMOVE a typo?

I'll take a quick stab at explaining our setup and maybe it will help:

We use LDAP for auth with Apache for our Galaxy installation, and here's
the key and value information for identity at every step along the way:

Step 1: HTTP Authentication over SSL:  Browser -> Apache
    Key: "Authorization" HTTP Header
    Value: base64 encoded username (no @domain.tld) and password

Step 2: LDAP Verification: Apache -> LDAP Server
    Key: uid component in LDAP URL
    Value: plaintext username (no @domain.tld) and password

Step 3: Local HTTP Request: Apache -> Galaxy
    Key: "REMOTE_USER" HTTP Header
    Value: Plaintext username (no @domain.tld) (no password)

Step 4: Galaxy Internal
    Value: plaintext username + $REMOTE_USER_MAILDOMAIN

So at every point on the wire there's no @msi.umn.edu on the username info.
Galaxy appends REMOTE_USER_MAILDOMAIN to the "REMOTE_USER" HTTP header
after receiving it from the Apache proxy, and internally galaxy uses
[hidden email] as the username throughout.

The Apache config has a few interesting sections:

    # put REMOTE_USER into a header for Galaxy
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
    RequestHeader unset Authorization

that hunk does a few interesting things which alter the content of Step
3 above:
    - Extracts the REMOTE_USER environment variable as set by the LDAP
      Apache module

    - Adds an HTTP header named "REMOTE_USER" to the proxy request that
      goes to Galaxy

    - Removes the "Authorization" HTTP Header that was copied from the
      original (Step 1) request on to the proxied request (Step 3).  We
      do that because that request has the password in essentially
      plaintext and we don't want that information to leave apache and
      to enter galaxy.

The other relevant bit of Apache config is:

    <Location "/">
        # Authentication
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Galaxy: MSI users only"
        AuthLDAPUrl ldaps://finch.msi.umn.edu/ou=People,ou=internal,dc=DTC
        AuthLDAPRemoteUserAttribute uid
        Require ldap-filter objectClass=posixAccount
    </Location>

which says any URL should require that the user pass an LDAP filter
checking to make sure the item retrieved by their 'uid' is in fact a
user (and not, say, a printer), though LDAP schemas differ wildly by
site and that filter almost certainly doesn't apply in your case.

--
Ry4an Brase                                         612-626-6575
University of Minnesota Supercomputing Institute
for Advanced Computational Research                 http://www.msi.umn.edu

Re: [galaxy-dev] ldap integration

Davide Cittaro
Hi Ry4an

On May 24, 2010, at 3:32 PM, Ry4an Brase wrote:


> When you say "nevertheless the email passed to galaxy looks like a
> REMOTE_USER + REMOVE_USER_MAILDOMAIN" where are you seeing that?  and
> was REMOVE a typo?


Yes, it's a typo and I'm just guessing that the $userEmail (passed to galaxy) is built on those values...

> I'll take a quick stab at explaining our setup and maybe it will help:
>
> We use LDAP for auth with Apache for our Galaxy installation, and here's
> the key and value information for identity at every step along the way:
>
> Step 1: HTTP Authentication over SSL:  Browser -> Apache
>    Key: "Authorization" HTTP Header
>    Value: base64 encoded username (no @domain.tld) and password
>
> Step 2: LDAP Verification: Apache -> LDAP Server
>    Key: uid component in LDAP URL
>    Value: plaintext username (no @domain.tld) and password
>
> Step 3: Local HTTP Request: Apache -> Galaxy
>    Key: "REMOTE_USER" HTTP Header
>    Value: Plaintext username (no @domain.tld) (no password)
>
> Step 4: Galaxy Internal
>    Value: plaintext username + $REMOTE_USER_MAILDOMAIN
>
> So at every point on the wire there's no @msi.umn.edu on the username info.
> Galaxy appends REMOTE_USER_MAILDOMAIN to the "REMOTE_USER" HTTP header
> after receiving it from the Apache proxy, and internally galaxy uses
> [hidden email] as the username throughout.


That's exactly what I've tried to ask :-) 
Also, that means that my galaxy user will be [hidden email] . The problem is that email address doesn't exist, as usernames defined in LDAP are not the usernames for mail addresses... I guess I'll have to study LDAP search syntax and instruct it to query with my username (dcittaro) and return the email address stripping the domain (davide.cittaro)... 

Thanks

d


Re: [galaxy-dev] ldap integration

Ry4an Brase-3
On Mon, May 24, 2010 at 04:14:33PM +0200, Davide Cittaro wrote:
>
> That's exactly what I've tried to ask :-)
>
> Also, that means that my galaxy user will be
> [hidden email] . The problem is that email address
> doesn't exist, as usernames defined in LDAP are not the usernames for
> mail addresses... I guess I'll have to study LDAP search syntax and
> instruct it to query with my username (dcittaro) and return the email
> address stripping the domain (davide.cittaro)...

Glad it helped.  Here are some Apache Directives that will probably
help:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapremoteuserattribute

which can only legally be one of the attributes included in your:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl

That'll let you auth using the 'uid' and set REMOTE_USER to the 'email'.
If the email comes back from LDAP with the @domain.tld already appended
then don't set REMOTE_USER_DOMAIN to anything.




Re: [galaxy-dev] ldap integration

Davide Cittaro
Hi again, 
I'm almost done with the whole stuff...
I'm now able to get authentication through apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank but as I go to the proxied galaxy page I get this:

Access to Galaxy is denied

Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.

Please contact your local Galaxy administrator.


The browser asks for username and password (although the message above is already on screen), but in the end it doesn't work...
Some configurations:

$ cat /etc/apache2/mods-enabled/proxy.conf 
<IfModule mod_proxy.c>

        ProxyRequests Off

        ProxyVia Off
#       <Proxy balancer://galaxy>
#               BalancerMember http://localhost:8080
#               BalancerMember http://localhost:8081
#       </Proxy>
   RewriteCond %{IS_SUBREQ} ^false$
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   RequestHeader set REMOTE_USER %{RU}e
   RequestHeader unset Authorization

</IfModule>


$ cat /etc/apache2/sites-enabled/000-default 
[…]
  Order deny,allow
  AuthName "Galaxy Login"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
  AuthLDAPRemoteUserAttribute mail
  Require ldap-filter objectClass=posixAccount

[…]
RewriteEngine on
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/(.*) /data/galaxy_dist/static/$1 [L]
RewriteRule ^/galaxy/images/(.*) /data/galaxy_dist/static/images/$1 [L]
RewriteRule ^/galaxy/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /data/galaxy_dist/static/robots.txt [L]
RewriteRule ^/galaxy(.*) http://127.0.0.1:8080$1 [P]

Any hint?

d




Re: [galaxy-dev] ldap integration

Davide Cittaro
Whoa, sorry to bother you so much... I think I'm getting to the end step by step.
As my apache still needs to serve some directories without authentication I've decided to set up a virtualhost listening on 8080 which now proxies galaxy (listening on 8081).
I've tried to follow your instructions but I believe most of the rewritecond and requestheader directives can be skipped. In principle I'm querying LDAP with this:


                AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
                AuthLDAPRemoteUserAttribute mail

I've checked this with a cgi script which prints environment variables and I have:

REMOTE_USER = [hidden email]

That given, galaxy should simply read the variable, shouldn't it? Unfortunately what happens is that I'm asked to log in (by apache) but after that I get the Galaxy error


Access to Galaxy is denied

Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.

Please contact your local Galaxy administrator.


Here's the apache config file for the galaxy virtualhost:

NameVirtualHost *:8080
<VirtualHost *:8080>
        ServerAdmin [hidden email]
        
#        DocumentRoot /data/galaxy_dist/static

       RewriteEngine on
       RewriteRule ^(.*) http://localhost:8081$1 [P]
       RewriteRule ^/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
       RewriteRule ^/static/(.*) /data/galaxy_dist/static/$1 [L]
       RewriteRule ^/images/(.*) /data/galaxy_dist/static/images/$1 [L]
       RewriteRule ^/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
       RewriteRule ^/robots.txt /data/galaxy_dist/static/robots.txt [L]

#       RewriteCond %{IS_SUBREQ} ^false$
#       RewriteCond %{LA-U:REMOTE_USER} (.+)
#       RewriteRule . - [E=RU:%1]
#       RequestHeader set REMOTE_USER %{RU}e
#       RequestHeader unset Authorization


        <Location />
#               Options +Indexes
#               IndexOptions FancyIndexing
#               AllowOverride None
                AuthType Basic
                AuthName Galaxy
                Order deny,allow
                AuthBasicProvider ldap
                AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
                AuthLDAPRemoteUserAttribute mail
                Require ldap-filter objectClass=posixAccount
        </Location>
#       Alias / /data/galaxy_dist/static/

        ErrorLog /var/log/apache2/galaxy-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel debug

        CustomLog /var/log/apache2/galaxy-access.log combined
        ServerSignature On

        <Location /root/display_as>
            Satisfy Any
            Order deny,allow
            Deny from all
            Allow from genome.ifom-ieo-campus.it
        </Location>

# ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
#        <Directory "/usr/lib/cgi-bin">
#                AllowOverride None
#                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
#                Order allow,deny
#                Allow from all
#        </Directory>

</VirtualHost>


d

Re: [galaxy-dev] ldap integration

Ry4an Brase-3
On Tue, May 25, 2010 at 02:54:12PM +0200, Davide Cittaro wrote:
> Hi again,
> I'm almost done with the whole stuff...
> I'm now able to get authentication through apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank but as I go to the proxied galaxy page I get this:
>
> Access to Galaxy is denied

Hrm, just for sanity-check sake you do have 'use_remote_user' enabled in
your universe_wsgi.ini, right?

Are you certain the 'email' field in your LDAP entries contain the
@domain.tld portion of the email address?  If not you should be setting
remote_user_domain to '@domain.tld'.

What about, and this is just a guess, moving the RewriteConds,
RewriteRule, and RequestHeader lines out of
/etc/apache2/mods-enabled/proxy.conf and into
/etc/apache2/sites-enabled/000-default

Those are vhost specific, so putting them in the general server config
context in which the proxy.conf is interpreted might not see them loaded
in the vhost where your galaxy config lives.

If that doesn't do it I'd be moving on to debugging using either
tcpdump/ethereal, which will let you view the network traffic between
apache and galaxy, or by setting a RewriteLog and RewriteLogLevel 5 and
watching to make sure my rewrite cond/rule setup is in fact adding the
variable.


Re: [galaxy-dev] ldap integration

Davide Cittaro

On May 25, 2010, at 4:04 PM, Ry4an Brase wrote:

> On Tue, May 25, 2010 at 02:54:12PM +0200, Davide Cittaro wrote:
>> Hi again,
>> I'm almost done with the whole stuff...
>> I'm now able to get authentication through apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank but as I go to the proxied galaxy page I get this:
>>
>> Access to Galaxy is denied
>
> Hrm, just for sanity-check sake you do have 'use_remote_user' enabled in
> your universe_wsgi.ini, right?

:-) Yes, it is (Besides, should I set any other field to False, such as allow_users_creation?)

> Are you certain the 'email' field in your LDAP entries contain the
> @domain.tld portion of the email address?  If not you should be setting
> remote_user_domain to '@domain.tld'.

Yes, the mail field in LDAP contains the domain. I've commented the remote_user_maildomain in universe_wsgi.ini

> What about, and this is just a guess, moving the RewriteConds,
> RewriteRule, and RequestHeader lines out of
> /etc/apache2/mods-enabled/proxy.conf and into
> /etc/apache2/sites-enabled/000-default
>
> Those are vhost specific, so putting them in the general server config
> context in which the proxy.conf is interpreted might not see them loaded
> in the vhost where your galaxy config lives.

I've moved them into the specific vhost file (which is now 001-galaxy, a separate entry with 8080 binding only)

> If that doesn't do it I'd be moving on to debugging using either
> tcpdump/ethereal, which will let you view the network traffic between
> apache and galaxy, or by setting a RewriteLog and RewriteLogLevel 5 and
> watching to make sure my rewrite cond/rule setup is in fact adding the
> variable.


I'm right now testing your suggestion (and the ones on the galaxy wiki). I've seen that this rule

RequestHeader set REMOTE_USER %{RU}e

doesn't actually set the REMOTE_USER variable but HTTP_REMOTE_USER; I've made this test:

RequestHeader set REMOTE_USER "foo"

and I have these two values:

HTTP_REMOTE_USER = "foo"
REMOTE_USER = [hidden email]

I wonder if galaxy is somehow reading from HTTP_REMOTE_USER which is set to (null) if no RequestHeader is specified... I'm now going to test this

d


Re: [galaxy-dev] ldap integration

Ry4an Brase-3
On Tue, May 25, 2010 at 04:03:12PM +0200, Davide Cittaro wrote:

> Whoa, sorry to bother you so much... I think I'm getting to the end step by step.
> As my apache still needs to serve some directories without authentication I've decided to setup a virtualhost listening to 8080 which is now proxy galaxy (listening to 8081).
> I've tried to follow your instructions but I believe most of the rewritecond and requestheader directive can be skipped. In principle I'm querying LDAP with this:
>
>
>                 AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
>                 AuthLDAPRemoteUserAttribute mail
>
> I've checked this with a cgi script which prints evnironmental variables and I have:
>
> REMOTE_USER = [hidden email]
>
> That given, galaxy should simply read the variable, shouldn't it?
> Unfortunately what happens is that I'm asked to login (by apache) but
> after that I get the Galaxy error

Unfortunately, that's insufficient.  Your CGI is a UNIX process launched
by apache itself, so it inherits the environment variables from apache,
and thus gets that REMOTE_USER variable.

However, If I'm understanding your setup correctly, you're using Apache
to proxy that content to galaxy, which is a local network connection,
not a process invocation, and the environment doesn't make it across.

That Rewrite stuff takes the (eventual) value of the REMOTE_USER
environment variable, and stashes it in an HTTP header on the request to
galaxy, which (unlike environment variables) is sent to the downstream
application (in this case galaxy).

Galaxy insists on a username, and if you really want to allow unauthenticated
access to it you can do something like I did:

    # put REMOTE_USER into a header for Galaxy
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
        RequestHeader set REMOTE_USER "displayonly"
    </Proxy>

There I'm stuffing 'displayonly' into the REMOTE_USER header, which
galaxy will turn into [hidden email].

Please note that I was very careful about what URLs are available to
that no-user proxy path as I don't want someone called
[hidden email] kicking off jobs and building histories.

Another way to go about that is something like this:

    RewriteRule ^(/root/display_as.*) http://localhost:8080$1 [E=REMOTE_USER:viewonly,P,L]

That (in pseudocode) says:

    if (the URL starts with /root/display_as) {
        Set the REMOTE_USER environment variable equal to "viewonly"
        And Proxy it to http://localhost:8080
        And don't consider any further RewriteRules
    }
   
By putting that in my Galaxy config I'm able to take a specific URL path and
make sure that requests for that path can continue
un-authenticated, whereas anything that doesn't match hits this rule
further on:

    RewriteRule ^/(.*) https://galaxy.msi.umn.edu/$1 [R]

which sends everything that didn't match the exception above on to the
authenticated https: site where our LDAP barrier is.

Now's about the time I should mention that none of this is endorsed by
the galaxy people as a sane setup; it's just what I happened to do
locally.

> Here's the apache config file for the galaxy virtualhost:

I see one oddity below.  RewriteRules are processed in order, and you
have the catch-all rule at the top.  This one:

RewriteRule ^(.*) http://localhost:8081$1 [P]

Says anything (.*) should be proxied to localhost:8081.   Try moving
that after all the more specific RewriteRules (which themselves have a
[L] for Last, which prevents further rule processing).

> NameVirtualHost *:8080
> <VirtualHost *:8080>
>         ServerAdmin [hidden email]
>        
> #        DocumentRoot /data/galaxy_dist/static
>
>        RewriteEngine on
>        RewriteRule ^(.*) http://localhost:8081$1 [P]
>        RewriteRule ^/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
>        RewriteRule ^/static/(.*) /data/galaxy_dist/static/$1 [L]
>        RewriteRule ^/images/(.*) /data/galaxy_dist/static/images/$1 [L]
>        RewriteRule ^/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
>        RewriteRule ^/robots.txt /data/galaxy_dist/static/robots.txt [L]
>
> #       RewriteCond %{IS_SUBREQ} ^false$
> #       RewriteCond %{LA-U:REMOTE_USER} (.+)
> #       RewriteRule . - [E=RU:%1]
> #       RequestHeader set REMOTE_USER %{RU}e
> #       RequestHeader unset Authorization
>
>
>         <Location />
> #               Options +Indexes
> #               IndexOptions FancyIndexing
> #               AllowOverride None
>                 AuthType Basic
>                 AuthName Galaxy
>                 Order deny,allow
>                 AuthBasicProvider ldap
>                 AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
>                 AuthLDAPRemoteUserAttribute mail
>                 Require ldap-filter objectClass=posixAccount
>         </Location>
> #       Alias / /data/galaxy_dist/static/
>
>         ErrorLog /var/log/apache2/galaxy-error.log
>
>         # Possible values include: debug, info, notice, warn, error, crit,
>         # alert, emerg.
>         LogLevel debug
>
>         CustomLog /var/log/apache2/galaxy-access.log combined
>         ServerSignature On
>
>         <Location /root/display_as>
>             Satisfy Any
>             Order deny,allow
>             Deny from all
>             Allow from genome.ifom-ieo-campus.it
>         </Location>
>
> # ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
> #        <Directory "/usr/lib/cgi-bin">
> #                AllowOverride None
> #                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
> #                Order allow,deny
> #                Allow from all
> #        </Directory>
>
> </VirtualHost>
>
>
> d
> /*
> Davide Cittaro
>
> Cogentech - Consortium for Genomic Technologies
> via adamello, 16
> 20139 Milano
> Italy
>
> tel.: +39(02)574303007
> e-mail: [hidden email]
> */
>
>
>

--
Ry4an Brase                                         612-626-6575
University of Minnesota Supercomputing Institute
for Advanced Computational Research                 http://www.msi.umn.edu

Re: [galaxy-dev] ldap integration

Nate Coraor (nate@bx.psu.edu)
In reply to this post by Davide Cittaro
Hi Davide,

Sorry I haven't kept up with this thread.  I'll try to add any
information I can to help.

Davide Cittaro wrote:

> :-) Yes, it is (Besides, should I set to False any other field, such as
> allow_users_creation?)

These options won't really have an effect anyway, since user options are
hidden when you enable use_remote_user.

> I'm right now testing your suggestion (and the ones on galaxy wiki).
> I've seen that this rule
>
> RequestHeader set REMOTE_USER %{RU}e
>
> doesn't actually set the REMOTE_USER variable but the HTTP_REMOTE_USER,
> I've made this test:
>
> RequestHeader set REMOTE_USER "foo"
>
> and I have these two values:
>
> HTTP_REMOTE_USER = "foo"
> REMOTE_USER = [hidden email]
>
> I wonder if galaxy is somehow reading from HTTP_REMOTE_USER which is set
> to (null) if no RequestHeader is specified... I'm now going to test this

This is what it does - because Galaxy is a proxied application and does
not run in Apache's environment, the only way to pass REMOTE_USER
upstream is as a header.

In detail:

RewriteCond %{LA-U:REMOTE_USER} (.+)

   - Match the REMOTE_USER server variable and store it in a regex backref.

RewriteRule . - [E=RU:%1]

   - Store the previously matched backref in the RU env variable.

RequestHeader set REMOTE_USER %{RU}e

   - Set the REMOTE_USER header in the proxied request to the value of RU.

The application sees it as HTTP_REMOTE_USER since all of the HTTP
headers are stored in the wsgi environment with HTTP_ prepended.

--nate
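The mechanism Ry4an and Nate describe above, as an added Python example (it is not Galaxy's, Apache's or either poster's code): Apache's REMOTE_USER is a server variable that does not survive the proxy hop, `RequestHeader set REMOTE_USER ...` is what carries it across, and the WSGI server files every request header into `environ` as `HTTP_<NAME>`, so the proxied application reads `HTTP_REMOTE_USER`. The header-to-environ mapping, the loopback-only trust check, the `TRUSTED_PROXY_ADDRS` constant, the `echo_app` stand-in and the handling of the literal `(null)` that Davide observed when the RU variable is unset are all assumptions of this example. The check on the peer address is the caveat a practitioner wants here: whatever can reach the Galaxy port directly, bypassing Apache, can send any REMOTE_USER header it likes and be logged in as that address, so the port must be reachable only from the proxy.

```python
"""Added example, not Galaxy's or Apache's own code: how the REMOTE_USER
that Apache forwards as a request header arrives in a proxied WSGI app.

Apache's REMOTE_USER is a server variable; it does not cross the proxy
connection.  `RequestHeader set REMOTE_USER %{RU}e` turns it into an HTTP
header, and the WSGI server stores every request header in `environ` as
HTTP_<NAME>, so the application reads HTTP_REMOTE_USER, never REMOTE_USER.
"""

# Assumption for this example: Apache proxies to Galaxy over loopback, so
# only loopback peers may have set the header.  Any other peer reached the
# app directly and could have forged it.
TRUSTED_PROXY_ADDRS = frozenset({"127.0.0.1", "::1"})


def headers_to_environ(headers, remote_addr):
    """Model of the mapping a WSGI server applies to request headers:
    each header becomes HTTP_ + upper-cased name with '-' turned into '_'.
    `headers` is a list of (name, value) pairs as sent on the wire."""
    environ = {"REMOTE_ADDR": remote_addr}
    for name, value in headers:
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def remote_user_from_environ(environ, maildomain=None):
    """Return the e-mail address to log the request in as, or None.

    None means 'no trusted identity': the peer is not the proxy, the header
    is missing, or it carries the literal '(null)' that mod_headers emits
    when the RU environment variable was never set (the case on an
    unauthenticated path such as /root/display_as, where no LDAP login
    happened).  A bare username gets '@' + maildomain appended, mirroring
    the remote_user_maildomain option discussed in the thread.
    """
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXY_ADDRS:
        return None
    user = environ.get("HTTP_REMOTE_USER", "").strip()
    if not user or user == "(null)":
        return None
    if "@" not in user:
        if not maildomain:
            return None
        user = f"{user}@{maildomain}"
    return user.lower()


class RemoteUserMiddleware:
    """WSGI middleware that refuses any request without a trusted identity
    and otherwise passes the normalised address on to the wrapped app."""

    def __init__(self, app, maildomain=None):
        self.app = app
        self.maildomain = maildomain

    def __call__(self, environ, start_response):
        user = remote_user_from_environ(environ, self.maildomain)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"no trusted REMOTE_USER header on this request\n"]
        environ["HTTP_REMOTE_USER"] = user
        return self.app(environ, start_response)


def call_app(app, headers, remote_addr):
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(headers_to_environ(headers, remote_addr), start_response))
    return captured["status"], body.decode()


def echo_app(environ, start_response):
    """Stand-in for Galaxy: just reports who it thinks is logged in."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["HTTP_REMOTE_USER"]).encode()]


if __name__ == "__main__":
    app = RemoteUserMiddleware(echo_app, maildomain="example.org")
    # Constructed requests: the header is spelled REMOTE_USER, underscore
    # included, exactly as the thread's RequestHeader directive emits it.
    print(call_app(app, [("REMOTE_USER", "dcittaro")], "127.0.0.1"))
    print(call_app(app, [("REMOTE_USER", "(null)")], "127.0.0.1"))
    print(call_app(app, [("REMOTE_USER", "admin@example.org")], "10.0.0.7"))
```

Note that `RequestHeader set` overwrites any REMOTE_USER header a client sent, which is why the thread's Apache config is not open to header injection through the proxy; the example's address check covers the other route, a client talking to port 8080 directly.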

Re: [galaxy-dev] ldap integration

Davide Cittaro

On May 25, 2010, at 4:21 PM, Nate Coraor wrote:

> Hi Davide,
>
> Sorry I haven't kept up with this thread.  I'll try to add any information I can to help.

Solved. 
Given that I'm asking LDAP for the mail address, I get it back as the AUTHENTICATE_MAIL variable. Now I only need this

RequestHeader set REMOTE_USER %{AUTHENTICATE_MAIL}e

to set the HTTP_REMOTE_USER properly...

thanks all

d



> Davide Cittaro wrote:
>
>> :-) Yes, it is (Besides, should I set to False any other field, such as allow_users_creation?)
>
> These options won't really have an effect anyway, since user options are hidden when you enable use_remote_user.
>
>> I'm right now testing your suggestion (and the ones on galaxy wiki). I've seen that this rule
>> RequestHeader set REMOTE_USER %{RU}e doesn't actually set the REMOTE_USER variable but the HTTP_REMOTE_USER, I've made this test:
>> RequestHeader set REMOTE_USER "foo"
>> and I have these two values:
>> HTTP_REMOTE_USER = "foo"
>> REMOTE_USER = [hidden email]
>> I wonder if galaxy is somehow reading from HTTP_REMOTE_USER which is set to (null) if no RequestHeader is specified... I'm now going to test this
>
> This is what it does - because Galaxy is a proxied application and does not run in Apache's environment, the only way to pass REMOTE_USER upstream is as a header.
>
> In detail:
>
> RewriteCond %{LA-U:REMOTE_USER} (.+)
>
>  - Match the REMOTE_USER server variable and store it in a regex backref.
>
> RewriteRule . - [E=RU:%1]
>
>  - Store the previously matched backref in the RU env variable.
>
> RequestHeader set REMOTE_USER %{RU}e
>
>  - Set the REMOTE_USER header in the proxied request to the value of RU.
>
> The application sees it as HTTP_REMOTE_USER since all of the HTTP headers are stored in the wsgi environment with HTTP_ prepended.
>
> --nate

/*
Davide Cittaro

Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy

tel.: +39(02)574303007
*/





Re: [galaxy-dev] ldap integration

Davide Cittaro

On May 25, 2010, at 4:27 PM, Davide Cittaro wrote:

> On May 25, 2010, at 4:21 PM, Nate Coraor wrote:
>
>> Hi Davide,
>>
>> Sorry I haven't kept up with this thread.  I'll try to add any information I can to help.
>
> Solved.

Still I have to fix the display on external ucsc mirrors, according to your wiki page I should set:

        <Location /root/display_as>
            Satisfy Any
            Order deny,allow
            Deny from all
            Allow from genome.ifom-ieo-campus.it
            Allow from host036.2b11.ifom-ieo-campus.it
        </Location>

The first is our local mirror, the second is a test workstation... I'm getting 401 errors... Mmmm....



/*
Davide Cittaro

Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy

tel.: +39(02)574303007
*/





Re: [galaxy-dev] ldap integration

Nate Coraor (nate@bx.psu.edu)
Davide Cittaro wrote:

> Still I have to fix the display on external ucsc mirrors, according to
> your wiki page I should set:
>
>         <Location /root/display_as>
>             Satisfy Any
>             Order deny,allow
>             Deny from all
>             Allow from genome.ifom-ieo-campus.it
>             Allow from host036.2b11.ifom-ieo-campus.it
>         </Location>
>
> The first is our local mirror, the second is a test workstation... I'm
> getting 401 errors... Mmmm....

Hi Davide,

I just tested this config in Apache and it still works for me.  Anything
helpful in the Apache error log?

--nate

Re: [galaxy-dev] ldap integration

Davide Cittaro

On May 25, 2010, at 9:23 PM, Nate Coraor wrote:

> Davide Cittaro wrote:
>
>> Still I have to fix the display on external ucsc mirrors, according to your wiki page I should set:
>>        <Location /root/display_as>
>>            Satisfy Any
>>            Order deny,allow
>>            Deny from all
>>            Allow from genome.ifom-ieo-campus.it
>>            Allow from host036.2b11.ifom-ieo-campus.it
>>        </Location>
>> The first is our local mirror, the second is a test workstation... I'm getting 401 errors... Mmmm....
>
> Hi Davide,
>
> I just tested this config in Apache and it still works for me.  Anything helpful in the Apache error log?


I'll check tomorrow, but I believe I may be missing mod_authz_host :-(

d

> --nate

/*
Davide Cittaro

Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy

tel.: +39(02)574303007
*/





Re: [galaxy-dev] ldap integration

Davide Cittaro
In reply to this post by Nate Coraor (nate@bx.psu.edu)
Hi Nate, hi galaxy developers

On May 25, 2010, at 9:23 PM, Nate Coraor wrote:

> Davide Cittaro wrote:
>
>> Still I have to fix the display on external ucsc mirrors, according to your wiki page I should set:
>>        <Location /root/display_as>
>>            Satisfy Any
>>            Order deny,allow
>>            Deny from all
>>            Allow from genome.ifom-ieo-campus.it
>>            Allow from host036.2b11.ifom-ieo-campus.it
>>        </Location>
>> The first is our local mirror, the second is a test workstation... I'm getting 401 errors... Mmmm....
>
> Hi Davide,
>
> I just tested this config in Apache and it still works for me.  Anything helpful in the Apache error log?


I found what was wrong, essentially this galaxy instance is not public to the world, hence I cannot use UCSC sites from cse.edu. I have to link to our local mirror (which is behind our main proxy too).
I thought I only had to enable it in the universe_wsgi.ini file:

ucsc_display_sites = main,campus

and

$ grep campus tool-data/shared/ucsc/ucsc_build_sites.txt
campus  http://genome.ifom-ieo-campus.it/cgi-bin/hgTracks?      hg19,hg18,hg17,mm9,mm8,rn4,danRer6,danRer5,ci2,ce6,ce4,cb3,dm3,sacCer2,sacCer1

Unfortunately this is not enough, as UCSC sites are hardcoded in galaxy. Some greps and debugs led me to this diff:

$ diff -u remoteuser.here.py remoteuser.py 
--- remoteuser.here.py  2010-05-26 12:19:30.349424733 +0200
+++ remoteuser.py       2010-05-26 12:19:51.968985808 +0200
@@ -44,7 +44,6 @@
     'hgw6.cse.ucsc.edu',
     'hgw7.cse.ucsc.edu',
     'hgw8.cse.ucsc.edu',
-    'genome.ifom-ieo-campus.it',
 )
 UCSC_ARCHAEA_SERVERS = (
     'lowepub.cse.ucsc.edu',
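Review bot: this hunk is inverted relative to the change it describes. `diff -u remoteuser.here.py remoteuser.py` puts the locally edited file first, so the `-    'genome.ifom-ieo-campus.it',` line is the addition being proposed, not a removal; regenerate the diff with the arguments swapped (pristine file first, edited file second) before attaching it to a bug, so that `+` lines are what the maintainers should apply. Separately, appending a deployment-specific hostname to the hard-coded server tuple is exactly the coupling the message complains about: the hosts that may hit `display_as` unauthenticated should be read from ucsc_build_sites.txt (or another config value) so a local mirror never needs a source edit.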
@@ -56,7 +55,7 @@
         self.maildomain = maildomain
         self.allow_ucsc_main = False
         self.allow_ucsc_archaea = False
-        if 'main' in ucsc_display_sites or 'test' in ucsc_display_sites  or 'campus' in ucsc_display_sites:
+        if 'main' in ucsc_display_sites or 'test' in ucsc_display_sites:
             self.allow_ucsc_main = True
         if 'archaea' in ucsc_display_sites:
             self.allow_ucsc_archaea = True
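Review bot: the same inversion applies here, so the line with `or 'campus' in ucsc_display_sites` is the proposed condition. It hard-codes a site name that exists only at one installation and, by flipping `self.allow_ucsc_main`, gives the campus mirror the same unauthenticated access as the main UCSC servers with no way to enable one without the other. A per-site flag, following the pattern of the `if 'archaea' in ucsc_display_sites:` check just below, or a lookup driven by the configured site list would keep the two separable and would make the first hunk unnecessary.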

Now I can link our local mirror (at least for intervals, still have to try with BAM files). I'm only afraid that I will lose these changes in the next repository upgrade... Should I open a bug request to remove hardcoded links or are you already working on this?

cheers

d
/*
Davide Cittaro

Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy

tel.: +39(02)574303007
*/
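What Davide's patch and bug request above are asking for, as an added Python example (not Galaxy's code and not the poster's): derive the hosts allowed to reach `/root/display_as` without an LDAP login from the configured display sites, so that a local UCSC mirror is a config change rather than a source edit that the next upgrade overwrites. The file layout follows the `ucsc_build_sites.txt` line quoted in the message; the sample file, the `EXTRA_SITE_HOSTS` placeholder standing in for the hard-coded `hgw*.cse.ucsc.edu` tuple, and the function names are all this example's own assumptions.

```python
"""Added example, not Galaxy's own code: build the allowlist of hosts that
may call /root/display_as unauthenticated from the configured display
sites, so a local UCSC mirror needs a config edit rather than a source patch.

Assumptions: ucsc_build_sites.txt has the tab-separated layout quoted in
the thread (site name, hgTracks URL, comma-separated builds); the names in
`ucsc_display_sites` are the first column; EXTRA_SITE_HOSTS is a constructed
placeholder for the extra hosts a site connects back from (the hard-coded
hgw*.cse.ucsc.edu tuple in the thread) and would in practice come from
configuration too.
"""
from urllib.parse import urlsplit

# Constructed sample of tool-data/shared/ucsc/ucsc_build_sites.txt.
SAMPLE_BUILD_SITES = """\
#name\turl\tbuilds
main\thttp://genome.ucsc.edu/cgi-bin/hgTracks?\thg19,hg18,mm9
test\thttp://genome-test.cse.ucsc.edu/cgi-bin/hgTracks?\thg19,mm9
campus\thttp://genome.ifom-ieo-campus.it/cgi-bin/hgTracks?\thg19,hg18,hg17,mm9
"""

# Additional hosts per site.  Constructed placeholder for this example.
EXTRA_SITE_HOSTS = {
    "main": ("hgw1.cse.ucsc.edu", "hgw2.cse.ucsc.edu"),
}


def parse_build_sites(text):
    """Parse the sites file into {name: {'url': str, 'builds': tuple}}.
    Blank lines and '#' comments are skipped; short rows are rejected
    rather than silently ignored, since a typo here widens the allowlist."""
    sites = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) < 3 or not fields[0] or not fields[1]:
            raise ValueError(
                f"ucsc_build_sites.txt line {lineno}: expected name, url, builds"
            )
        name, url, builds = fields[0], fields[1], fields[2]
        sites[name] = {
            "url": url,
            "builds": tuple(b.strip() for b in builds.split(",") if b.strip()),
        }
    return sites


def allowed_display_hosts(sites, ucsc_display_sites):
    """Map each hostname that may hit display_as to the site it belongs to,
    for the comma-separated `ucsc_display_sites` setting (e.g. 'main,campus').
    Naming a site that is not in the file is an error, not a silent no-op."""
    hosts = {}
    for name in (s.strip() for s in ucsc_display_sites.split(",")):
        if not name:
            continue
        if name not in sites:
            raise ValueError(f"ucsc_display_sites names unknown site {name!r}")
        url_host = urlsplit(sites[name]["url"]).hostname
        if url_host:
            hosts[url_host.lower()] = name
        for extra in EXTRA_SITE_HOSTS.get(name, ()):
            hosts[extra.lower()] = name
    return hosts


def display_allowed(sites, ucsc_display_sites, requester_host, build):
    """True when an unauthenticated display_as request may be served: the
    requesting host belongs to an enabled site and that site serves `build`.
    `requester_host` is the name the proxy resolved for the peer address."""
    host = requester_host.strip().lower().rstrip(".")
    site = allowed_display_hosts(sites, ucsc_display_sites).get(host)
    if site is None:
        return False
    return build in sites[site]["builds"]


if __name__ == "__main__":
    sites = parse_build_sites(SAMPLE_BUILD_SITES)
    print(sorted(allowed_display_hosts(sites, "main,campus")))
    print(display_allowed(sites, "main,campus", "genome.ifom-ieo-campus.it", "hg18"))
    print(display_allowed(sites, "main", "genome.ifom-ieo-campus.it", "hg18"))
```

Two practical points follow from this design. Matching on a resolved hostname is only as trustworthy as the reverse DNS the proxy performs (Apache's `Allow from` does a forward-confirmed double lookup for names, and accepts addresses, which are sturdier). And once the sites file decides who bypasses LDAP, it must be writable only by the administrator, not by the Galaxy service account or tool authors.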





Re: [galaxy-dev] ldap integration

Nate Coraor (nate@bx.psu.edu)
Davide Cittaro wrote:

> Now I can link our local mirror (at least for intervals, still have to
> try with BAM files). I'm only afraid that I will lose these changes in
> the next repository upgrade... Should I open a bug request to remove
> hardcoded links or you are already working on this?

A bug would be good.  I know they need to be fixed but I'm not working
on them now.