Specifically, the Galaxy Web server is a popular Python based bioinformatics package. It uses Paster to serve up the Web pages, but expects you to put a user authentication proxy in front of it if you want to use CAS, LDAP, etc. to manage the portal's user accounts. Galaxy's Paster process then just blindly accepts the REMOTE_USER variable sent along by the proxy with each HTTP request. Ideally, the REMOTE_USER is a fully qualified e-mail address so that Galaxy can send e-mail notifications for features that have that capability e.g., notify a user when their analysis is complete. Kind of like this:
The keys to getting this to work are Apache's AuthLDAPInitialBindPattern and AuthLDAPRemoteUserAttribute directives. Feast your eyes on the following Apache config, that:
- takes a user name like "work_group_name\user_login_name"
- authenticates against an Active Directory with a long, complex binding DN like "CN=user_login_name,OU=work_group_name,OU=Users,OU=Accounts,DC=..."
- queries the user information in the directory for an e-mail address containing attribute (here userPrincipalName)
- forwards the e-mail address on to the paster Web server in the REMOTE_USER variable
# If the LDAP server cert is not chained with any of your root certs on the box and you can't import it
LDAPVerifyServerCert off
<VirtualHost my_proxy_site:443>
ServerName my_proxy_site
# Require SSL since the users will be entering their org credentials so we shouldn't accept them as plain-text
SSLEngine on
SSLCertificateFile /etc/ssl/certs/my_proxy_site.crt
SSLCertificateKeyFile /etc/ssl/certs/my_proxy_site.key
RewriteEngine On
# Serve up static content directly rather than proxying, for efficiency
RewriteRule ^/static/style/(.*) /opt/gls/galaxy/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /opt/galaxy/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /opt/galaxy/static/$1 [L]
RewriteRule ^/favicon.ico /opt/galaxy/static/favicon.ico [L]
RewriteRule ^/robots.txt /opt/galaxy/static/robots.txt [L]
# Send everything else through the proxy
RewriteRule ^(.*) "http://the_web_server_expecting_remote_user_set:8080/$1" [P]
<location "/">
Order deny,allow
Deny from all
# We're picking specific subnets that are allowed to connect and authenticate
Allow from 192.168.
Allow from 10.0.0.
# Authenticate against the org's Active Directory (one of three in this case)
AuthName "Please login using your Organization_Name_Here credentials"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ldap_server_name1 ldap_server_name2 ldap_server_name3/DC=my_suborg,DC=my_org,DC=my_tld?sAMAccountName,userPrincipalName?sub"
AuthLDAPInitialBindAsUser on
AuthLDAPInitialBindPattern (.+)\\(.+) CN=$2,OU=$1,OU=Users,OU=Accounts,DC=my_suborg,DC=my_org,DC=my_tld
AuthLDAPRemoteUserAttribute userPrincipalName
Require valid-user
# Pass the LDAP account name we just authenticated on to the final destination (the Web server process at the_web_server_expecting_remote_user_set:8080) with the REMOTE_USER header set
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
</location>
</VirtualHost>
Actually Galaxy don't need Apache or nginx to perform the LDAP authentication, see https://galaxyproject.org/admin/config/external-user-auth/
ReplyDelete