Integrating Shiny Proxy with Active Directory


#1

Hi

Has anyone successfully configured integration of Shiny Proxy with Active Directory?

We want to manage users via Active Directory Groups to access the different Apps.

We have set up 2 AD groups: fr-shiny-admins and fr-shiny-fi-london-analysts

We have set up this configuration:

ldap:
  url: ldap://dc01.dummycompany.corp:389/dc=dummycompany,dc=corp
  user-dn-pattern: uid=%username%
  user-search-filter: (sAMAccountName={0})
  group-search-base: dc=dummycompany,dc=corp
  group-search-filter: (uniqueMember={0})
  manager-dn: CN=svc-shinyproxy,OU=Shiny_Proxy_App,OU=Admin,DC=dummycompany,DC=corp
  manager-password: SomeRandomPassword

apps:
  ldap-groups: [fr-shiny-admins, fr-shiny-fi-london-analysts]

I would like advice on what settings should be used for the following 2 lines:
user-dn-pattern: uid=%username%
user-search-filter: (sAMAccountName={0})

In Active Directory the user accounts are located in different OUs (Organizational Units).

Thanks


#2

Hi @ltfong,

ShinyProxy LDAP authentication supports two methods to resolve user names:
a) Using user-dn-pattern you can resolve a user’s uid or short name into a full dn.
b) Using user-search-filter you can resolve a user using any attribute, such as sAMAccountName.

Our example config uses approach (a) to connect to ldap.forumsys.com.
Method (b) is usually used in an Active Directory environment. So in your case, you can leave user-dn-pattern empty, and use user-search-filter: (sAMAccountName={0})
You may also want to use user-search-base to limit the scope of the search.

Regards,
Frederick
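
The two lookup methods from the reply above, as an added example that is not part of the thread and not ShinyProxy code: a simplified in-memory model showing why a fixed DN pattern cannot resolve accounts spread over several OUs, while a sAMAccountName search can, and how a search base narrows the scope. The directory entries, the OU names, the function names and the `{0}` placeholder in the DN pattern are assumptions made for illustration.

```python
# Added illustration: a simplified model of the two lookup methods, not ShinyProxy code.
BASE = "dc=dummycompany,dc=corp"  # base DN taken from the ldap url in the question

# Constructed sample entries: accounts sit in different OUs and the RDN is the CN.
DIRECTORY = {
    "cn=alice smith,ou=london,ou=analysts," + BASE: {"sAMAccountName": "asmith"},
    "cn=bob jones,ou=paris,ou=analysts," + BASE: {"sAMAccountName": "bjones"},
    "cn=carol admin,ou=admin," + BASE: {"sAMAccountName": "cadmin"},
}


def resolve_by_dn_pattern(pattern, username):
    """Method (a): substitute the login name into one fixed DN; no search happens."""
    dn = (pattern.replace("{0}", username) + "," + BASE).lower()
    return dn if dn in DIRECTORY else None


def resolve_by_search(attribute, username, search_base=""):
    """Method (b): subtree search under search_base for attribute == username."""
    scope = ((search_base + ",") if search_base else "") + BASE
    scope = scope.lower()
    hits = [
        dn
        for dn, attrs in DIRECTORY.items()
        if (dn == scope or dn.endswith("," + scope))
        and attrs.get(attribute, "").lower() == username.lower()
    ]
    # A login name must identify exactly one entry; anything else is treated as failure.
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    # The pattern builds uid=asmith,dc=dummycompany,dc=corp, which does not exist.
    print("pattern uid={0}:", resolve_by_dn_pattern("uid={0}", "asmith"))
    # The search finds the same account wherever its OU is.
    print("search, whole tree:", resolve_by_search("sAMAccountName", "asmith"))
    # A search base restricts which accounts can be resolved at all.
    print("search, ou=analysts:", resolve_by_search("sAMAccountName", "cadmin", "ou=analysts"))
```
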