Easy to run demo setup of openldap, apache2 reverse proxy and cellxgene{.-gateway}.
Openldap container is optional, one can use an existing instance of LDAP for example.
Assuming that docker and docker compose are installed, the following options are available:
- Execute the command
make prepareor simplymaketo download a demo file into the directory/tmp/cellxgene_dataand initiate all containers. - To run the container in the background, utilize the command "make run".
- If the above steps were successful, the user should be able to access the proxy interface by navigating to the URL https://localhost:443
- The user authentication is managed through LDAP, Initially 5 users are available: user1, user2, user3, sysadm and sysop. Their passwords are set as "test1". Both user1 and user2 have access to the directories /group1 and /group2 correspondignly.
- Sysadm and sysop can access all resources, user3 has no access permissions.
- To stop the container, enter the command
make stop.make cleanwill stop and remove containers altogether. - The file named "group_mapping.txt" contains a mapping between a group and the corresponding host and port of a cellxgene-gateway instances.
Openldap is based on https://github.com/osixia/docker-openldap See the docker-compose.yaml file for the environment vars and other config options
Remote access to the config ldapvi --tls never -h ldaps://localhost:636 -b cn=config -D cn=admin,cn=config
password config , is set as docker-compose env var.
Dumping ldap db:
docker exec -it openldap-local slapcat
Access to the working db:
ldapvi --tls never -h ldaps://localhost:636 -b dc=blackmesa,dc=gov -D cn=admin,dc=blackmesa,dc=gov
Anonymous access: LDAPTLS_REQCERT=never ldapsearch -LLL -x -H ldaps://localhost:636 -b dc=blackmesa,dc=gov
Based on https://salsa.debian.org/jgoerzen/docker-debian-base-apache
scripts for generating apache configs are located in cellxgene directory, modified fork of the initial example: https://github.com/mestia/cellxgene-gateway-proxy-example
See the docker-compose for more details.
Through a management host:
ssh -L 4443:<remote_machine with docker>:443 me@my_machine
Directly: ssh -L 4443:localhost:443 root@server
Navigating on https://localhost:4443 suppose to bring the proxy interface. Of course one would need to accept the self-signed snakeoil cert.
See the Docker file for the details. Added logout option for the better integration
Due to the utilization of session cookies, a situation can arise where a valid user enters a correct user/password combination belonging to a group that lacks access permissions to the resource due to the ldap configuration. Despite this, the session cookie is still established, leading to subsequent unsuccessful login attempts by the correct user. If this occurs, the recommended course of action is to navigate to the root of the site and select the "Logout from All Sessions" option. Following this, logging in with the correct user will function as expected.