Ldap configuration for Admin & Nonadmin groups

imre · August 15, 2018, 11:14am

Hi,
thanks for developing this great application!
We are almost there with our LDAP config, only some final hints needed. At least I hope so.

With the following config the admin users are able to login, also the admin button appears after login.
Only piece is missing to add the Nonadmin users. They’re in a different group: CN=spx_Nonadmins.

authentication: ldap
admin-groups: spx_Admins
ldap:
url: ldap://example.com:389/dc=example,dc=com
manager-dn: CN=spx_tech,OU=users,OU=accounts,OU=Department,DC=example,DC=com
manager-password: managerpass
group-search-base: OU=roles,OU=Department
group-search-filter: (CN=spx_Admins)
user-search-base:
user-search-filter: (sAMAccountName={0})

Can I add multiple groups to the group_search_filter? Or what would be the appropriate solution in this case?

Thanks in advance,
Imre

fmichielssen · August 15, 2018, 12:14pm

Hi @imre,

The group-search-filter setting is a regular LDAP query filter, so yes, you should be able to use OR statements. I believe the syntax is:

(|(CN=abc)(CN=def))

Alternatively, a wildcard can be used:

(CN=spx_*)

imre · August 15, 2018, 3:27pm

Superb, works perfectly!

imre · October 9, 2018, 9:01am

Hi @fmichielssen!

we realized that the LDAP filter (|(CN=abc)(CN=def)) will add both privileges (‘abc’ + ‘def’) to the user.
So, if somebody logs in from group ‘abc’ will get the privileges from group ‘def’ as well and vice versa.
In our case everybody will be admin even the nonadmin users.

Did I miss something? I’m curious that is there a way to handle separately the user groups!

This app is great!

Thanks,
Imre

fmichielssen · October 11, 2018, 9:31am

Hi @imre,

Can you clarify? I don’t fully understand your case.
The group-search-filter cannot grant privileges to users, it only specifies where groups can be found in the LDAP tree.

imre · October 11, 2018, 10:26am

Hi @fmichielssen!

sure, this is our full LDAP configuration in shinyproxy application.yml:
ldap:
url: ldap://12.345.678.91:389/dc=xy,dc=priv
manager-dn: CN=ldap_technical_user,OU=Service,OU=Accounts,OU=Company,DC=xy,DC=private
manager-password: manager-password
group-search-base: OU=Roles,OU=Company
group-search-filter: (|(CN=Admingroup)(CN=Nonadmingroup))
user-search-base:
user-search-filter: (sAMAccountName={0})

This enables both admin and non-admin users to login which is ok but everybody gets the admin+nonadmin privileges together. So, even nonadmin users can see the Admin button after login and so on.

Thanks,
Imre

fmichielssen · October 12, 2018, 8:49am

Hi @imre,

I see. Then I suspect there must be another problem. What is the value of this setting?

proxy:
  admin-groups: ...

This setting should list one or more groups, and only members of those groups will see the Admin button in ShinyProxy.

imre · October 12, 2018, 9:05am

Hi @fmichielssen,

in that attribute we set the admin group:

proxy:
admin-groups: Admingroup

Thanks,
Imre

imre · October 19, 2018, 8:53am

In the meantime we realized that with this config everybody - inside the organization - is allowed to enter, so the group filter does not work this way.
Highly appreciated any furhter advice.
Thanks, Imre

ilekuona · September 22, 2022, 12:01pm

Hi @imre

I am having the same problem you have described and I want no know if you get to solve it.

Thanks,