Problem with logout when using apache and LDAP with remote-users for authentication

rbatorsky · October 11, 2019, 8:26pm

Hello,

I’ve set up a galaxy server that users apache and remote user authentication.
When a user is logged in, pressing “logout” presents two problems:

User is directed to the galaxy “login” page, that is not relevant for us because apache is passing credentials. I.e. the LDAP credentials do not work in the galaxy “login” page.
If the user then presses the back button on the browser, the browser has cached credentials and the user is still logged in.

This has already been addressed in a galaxy help thread here from 2014 but I think the response is out of date:
https://galaxyproject.org/blog/2014-01-ldap-remote-user-logout/

I’m wondering if anyone has more updated experience with this?

For example, the following line in galaxy.yml does not appear to do anything in my installation. Adding a destination or removing the line entirely gives the same logout behavior.

remote_user_logout_href =

EDIT thanks to comment below, the syntax for yml that I am using is, e.g.:

remote_user_logout_href: 'https://log:out@example.com/'

I would appreciate any insight into how to properly log out users from Galaxy that are logged in as remote users from apache. One possibility that I’ve considered is to just solve #1, that is, to have the “logout” button go to a page that explains that the user must close the browser in order to log out but I’m not sure how to do that.

Thank you,
Rebecca

innovate-invent · October 11, 2019, 8:29pm

The syntax you provided for remote_user_logout_href is ini and not yml.
Make sure you aren’t mixing them up.

rbatorsky · October 11, 2019, 8:59pm

Thank you @innovate-invent, I copied the syntax incorrectly in my post but I believe it’s correct in my galaxy.yml. I’ve edited it above. I’ve just put a dummy test link there to see if it works and it does not change the logout behavior.

innovate-invent · October 11, 2019, 9:16pm

I was tinkering with the remote_user functionality a few months back and found that it is badly underdeveloped. Talking to the devs I got the impression that nobody uses it. I think galaxy can authenticate against an ldap server internally if that is what you are after. Check out https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/config/sample/auth_conf.xml.sample

rbatorsky · October 17, 2019, 3:34pm

Thank you, this helps.
Yes, that’s what I’m looking to do as well as provide SSL encryption.
It’s all working fine with apache except the logout.
Would you recommend using galaxy itself for both of those?
I’m working through the config file you sent and it does appear to support SSL.
Thank you again.
Best,
Rebecca

rbatorsky · October 18, 2019, 2:17pm

OK, just to close this out: I was able to get authentication working with PAM auth in Galaxy and the login/logout behavior is much better. I’m still using Apache as the web gateway. Thanks for your help.

Topic		Replies	Views
Apache Redirect at logout apache , cluster	4	842	January 28, 2020
local login issue: cycles back to homepage usegalaxy.org support server-admin , galaxy-local	4	826	February 5, 2021
Auto-generate API key for remote users server-admin , api , proxy , gxadmin	6	891	December 9, 2019
Remote User problem with Apache2 server-admin , apache , gxadmin	6	881	September 24, 2019
Sophos UTM Local Galaxy installation: When is error 403001 (API authentication required for this request) triggered? server-admin , galaxy-local	1	971	March 22, 2020

Problem with logout when using apache and LDAP with remote-users for authentication

Related Topics