Integration with MS Active Directory

I have an MS Active Directory that holds the following key attributes.

```
Distinguished Name: CN=LName\, FName,OU=Division,OU=Deptt,DC=company,DC=com
ObjectClass: person
ObjectClass: user
memberOf: CN=AWS-Admin,CN=Users,DC=company,DC=com
memberOf: CN=DC-Admin,CN=Users,DC=company,DC=com
sAMAccountName: ab1234567
```
I want the authentication to be performed on ‘ab1234567’ and ‘password’. What should the configuration look like for achieving this? Here’s what I have and the error I am getting.

```yaml
ldap:
  url: ldap://ad.company.com:389/dc=company,dc=com
  user-dn-pattern: cn={0},ou=Division,OU=Deptt
  group-search-base: dc=company,dc=com
  group-search-filter: (uniqueMember={0})
  manager-dn: cn=ad-admin,dc=company,dc=com
  manager-password: password
apps:
  - name: 01_hello
    docker-cmd: ["R", "-e shinyproxy::run_01_hello()"]
    docker-image: openanalytics/shinyproxy-demo
    ldap-groups: [AWS-Admin, DC-Admin]
```

Error
Status code: 500

Message: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

Hi Muks,

Since there is no direct mapping from sAMAccountName to DN, you will have to use another approach.
Try adding this to your ldap config:

user-search-filter: (sAMAccountName={0})

Regards,
Frederick

@fmichielssen, I have two questions:

1. How, or with what tool, do you recommend I check the LDAP configuration on Windows? I want to understand how to get the information like Muks did.

2. Where do I filter which user account has access to particular apps, through my Windows LDAP settings?
   I know there is a group filter in the ShinyProxy application.yml file, however. Is this group filtering to a particular account done in the .yml file or in the LDAP?

Thanks,
Babacar Diouf

Hi Babacar,

Personally, I use Apache Directory Studio, which can be downloaded either as a standalone application or as an Eclipse plugin.

You need to define groups in LDAP and put users in these groups.
This is usually done by adding uniqueMember=<userName> attributes to the LDAP group. The group-search-filter attribute in Shinyproxy is used to identify these LDAP attributes, and thus to find out who the members of the group are.

Then, in Shinyproxy’s configuration, you can grant groups access to apps, using the ldap-groups attribute of the app.
So that’s important to note: you grant access to groups, not to individual users.

Shinyproxy’s sample configuration uses the forumsys public test LDAP server, which you can read more about here:

Regards,
Frederick
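An added example (not code from the ShinyProxy project or from anyone in this thread) that shows, against an in-memory stand-in for the AD entry quoted in the question, why the `user-dn-pattern` bind failed with `data 52e` while a `user-search-filter` on `sAMAccountName` locates the user, and how the group names ShinyProxy compares against `ldap-groups` come out of the entry's `memberOf` values. The directory contents and the `data` code table are constructed for the example; the real AD bind error on the page is decoded by `decode_ad_bind_error`.

```python
import re
from typing import Dict, List, Optional

# Constructed in-memory stand-in for the single AD entry quoted in the question.
# Keys are DNs; the escaped comma in "LName\, FName" is part of the RDN value.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    r"CN=LName\, FName,OU=Division,OU=Deptt,DC=company,DC=com": {
        "objectClass": ["person", "user"],
        "sAMAccountName": ["ab1234567"],
        "memberOf": ["CN=AWS-Admin,CN=Users,DC=company,DC=com",
                     "CN=DC-Admin,CN=Users,DC=company,DC=com"],
    },
}

# Meaning of the "data NNN" field in AD's "AcceptSecurityContext error" diagnostic
# (LDAP result code 49). 52e is also what AD returns when the bind DN does not exist.
AD_BIND_DATA = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def decode_ad_bind_error(message: str) -> str:
    """Pull the 'data NNN' code out of a result-code-49 message and explain it."""
    m = re.search(r"error code 49 .*?data ([0-9a-f]{3})", message)
    if not m:
        return "not an AD bind failure"
    return AD_BIND_DATA.get(m.group(1), "unknown data code " + m.group(1))

def dn_from_pattern(pattern: str, base_dn: str, username: str) -> str:
    """What user-dn-pattern does: substitute {0}, then append the base DN from the URL."""
    return pattern.replace("{0}", username) + "," + base_dn

def dn_exists(dn: str) -> bool:
    return dn.lower() in (k.lower() for k in DIRECTORY)  # DNs match case-insensitively

def search_user(search_filter: str, username: str) -> Optional[str]:
    """user-search-filter with a plain equality filter such as (sAMAccountName={0})."""
    attr, _, value = search_filter.strip("()").partition("=")
    wanted = value.replace("{0}", username).lower()
    for dn, attrs in DIRECTORY.items():
        if wanted in (v.lower() for v in attrs.get(attr, [])):
            return dn
    return None

def groups_of(dn: str) -> List[str]:
    """AD records membership on the user as memberOf; return each group's CN."""
    return [re.match(r"CN=([^,]+)", g).group(1) for g in DIRECTORY[dn]["memberOf"]]
```

Because AD answers a bind for a non-existent DN with the same `52e` as a wrong password, the error on the page alone does not tell you which of the two happened; checking what the pattern actually produces does.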