Ldap configuration for Admin & Nonadmin groups


#1

Hi,
thanks for developing this great application!
We are almost there with our LDAP config, only some final hints needed. At least I hope so.

With the following config the admin users are able to login, also the admin button appears after login.
Only piece is missing to add the Nonadmin users. They’re in a different group: CN=spx_Nonadmins.

authentication: ldap
admin-groups: spx_Admins
ldap:
  url: ldap://example.com:389/dc=example,dc=com
  manager-dn: CN=spx_tech,OU=users,OU=accounts,OU=Department,DC=example,DC=com
  manager-password: managerpass
  group-search-base: OU=roles,OU=Department
  group-search-filter: (CN=spx_Admins)
  user-search-base:
  user-search-filter: (sAMAccountName={0})

Can I add multiple groups to the group_search_filter? Or what would be the appropriate solution in this case?

Thanks in advance,
Imre


#2

Hi @imre,

The group-search-filter setting is a regular LDAP query filter, so yes, you should be able to use OR statements. I believe the syntax is:

(|(CN=abc)(CN=def))

Alternatively, a wildcard can be used:

(CN=spx_*)


#3

Superb, works perfectly!


#4

Hi @fmichielssen!

We realized that the LDAP filter (|(CN=abc)(CN=def)) will add both privileges (‘abc’ + ‘def’) to the user.
So, if somebody from group ‘abc’ logs in, they will get the privileges from group ‘def’ as well, and vice versa.
In our case everybody will be admin, even the nonadmin users.

Did I miss something? I’m curious whether there is a way to handle the user groups separately!

This app is great!

Thanks,
Imre


#5

Hi @imre,

Can you clarify? I don’t fully understand your case.
The group-search-filter cannot grant privileges to users, it only specifies where groups can be found in the LDAP tree.


#6

Hi @fmichielssen!

Sure, this is our full LDAP configuration in the ShinyProxy application.yml:

ldap:
  url: ldap://12.345.678.91:389/dc=xy,dc=priv
  manager-dn: CN=ldap_technical_user,OU=Service,OU=Accounts,OU=Company,DC=xy,DC=private
  manager-password: manager-password
  group-search-base: OU=Roles,OU=Company
  group-search-filter: (|(CN=Admingroup)(CN=Nonadmingroup))
  user-search-base:
  user-search-filter: (sAMAccountName={0})

This enables both admin and non-admin users to log in, which is ok, but everybody gets the admin + nonadmin privileges together. So, even nonadmin users can see the Admin button after login, and so on.

Thanks,
Imre


#7

Hi @imre,

I see. Then I suspect there must be another problem. What is the value of this setting?

proxy:
  admin-groups: ...

This setting should list one or more groups, and only members of those groups will see the Admin button in ShinyProxy.


#8

Hi @fmichielssen,

In that attribute we set the admin group:

proxy:
  admin-groups: Admingroup

Thanks,
Imre


#9

In the meantime we realized that with this config everybody inside the organization is allowed to enter, so the group filter does not work this way.
Any further advice is highly appreciated.
Thanks, Imre
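As an added illustration (editor's example, not code from the thread or from ShinyProxy), the following Python model evaluates a group-search-filter against constructed group entries under the thread's group-search-base and shows why the filter (|(CN=Admingroup)(CN=Nonadmingroup)) returns both groups for every login, whereas a filter that also tests member={0} returns only the groups the user belongs to. It assumes, as in the Spring Security LDAP support that ShinyProxy builds on, that {0} in group-search-filter is replaced by the authenticated user's DN before the search; the group entries, user DNs and the filter parser are constructed here and are not real directory data.

```python
import re
ALICE_DN = "CN=alice,OU=Users,OU=Company,DC=xy,DC=priv"   # hypothetical member of Admingroup
BOB_DN = "CN=bob,OU=Users,OU=Company,DC=xy,DC=priv"       # hypothetical member of Nonadmingroup
GROUPS = [  # constructed sample entries under OU=Roles,OU=Company, not real directory data
    {"cn": "Admingroup", "member": [ALICE_DN]},
    {"cn": "Nonadmingroup", "member": [BOB_DN]},
]

def _split_top(s):
    """Split '(a)(b)(c)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
            start = i if depth == 1 else start
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def parse(flt):
    """Parse a minimal RFC 4515 filter: '&', '|' and 'attr=value' (with '*' wildcards)."""
    body = flt.strip()[1:-1]
    if body[0] in "&|":
        return (body[0], [parse(p) for p in _split_top(body[1:])])
    attr, _, value = body.partition("=")  # first '=' separates attribute from value
    return ("=", attr.lower(), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-case attribute -> value(s))."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    pattern = re.escape(value).replace(r"\*", ".*")  # LDAP '*' -> regex '.*'
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def groups_for(user_dn, group_search_filter):
    """Mimic the authorities lookup: substitute {0} with the user's DN, then search the groups."""
    tree = parse(group_search_filter.replace("{0}", user_dn))
    return sorted(g["cn"] for g in GROUPS if matches(tree, g))

# The thread's filter never mentions the user, so every authenticated user matches both groups.
THREAD_FILTER = "(|(CN=Admingroup)(CN=Nonadmingroup))"
# Membership-aware variant: a group matches only if its member attribute holds the user's DN.
MEMBER_FILTER = "(&(member={0})(|(CN=Admingroup)(CN=Nonadmingroup)))"
```

Whether the membership attribute is member, memberOf or uniqueMember depends on the directory schema, so check the actual group entries before changing the filter.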