LDAP groups unset


#1

When I authenticate against LDAP I get correct authentication but no groups:

env=[SHINYPROXY_USERNAME=<username>, SHINYPROXY_USERGROUPS=]

I also get no ‘roles’:

Roles from search: []

Is this related? How can I debug this and ensure to get groups?

Here is the LDAP config:

ldap:
  url: ldaps://ldap.server.com:<port>/dc=<dc>,dc=com
  user-search-filter: (cn={0})
  group-search-base: ou=Customers
  group-search-filter: (uniqueMember={0})
  manager-dn: cn=<cn>,ou=<ou>,dc=<dc>,dc=com
  manager-password: <password>

Any help is highly appreciated!


#2

Hi @andreas,

First, make sure you are using at least ShinyProxy version 1.1.0 (release note: “search LDAP subtree instead of one level”).

If you have an LDAP browser (or commandline ldapsearch), you can verify your settings:

  1. Make sure that your groups are located under ou=Customers,dc=<dc>,dc=com
  2. Make sure that your groups have a repeating attribute named uniqueMember which refers to the DN of the users that are in the group.

If (1) is not correct, adjust your group-search-base setting accordingly.
If (2) is not correct, adjust your group-search-filter setting. Note that placeholder {0} maps to the user’s DN, {1} maps to the user’s login name, and {2} maps to the user’s CN.


#3

Hi @fmichielssen,

I’ve been struggling with the same issue of having no “roles” for hours now and am stuck. I can authenticate users but I really am hoping to get the group authorizations working correctly. I’m pretty new to LDAP as well.

Here’s the ldap portion of my application.yml file:

ldap:
    url: ldap://localhost:389/dc=xxx,dc=xxx,dc=com
    manager-dn: cn=admin,dc=xxx,dc=xxx,dc=com
    manager-password: "xxx"
    user-search-filter: uid={0}
    user-search-base: ou=People
    group-search-base: ou=group
    group-search-filter: (uniqueMember={0})

I exported my LDAP tree structure here as a text file:

# Search scope: sub
# Search filter: (objectClass=*)
# Total entries: 12
#
# Generated by LDAP Account Manager (http://www.ldap-account-manager.org) on December 31, 2018 12:44 am
# Version: 6.2

version: 1

# Entry 1: dc=xxx,dc=xxx,dc=com
dn: dc=xxx,dc=xxx,dc=com
dc: test
o: xxx
objectclass: top
objectclass: dcObject
objectclass: organization

# Entry 2: cn=admin,dc=xxx,dc=xxx,dc=com
dn: cn=admin,dc=xxx,dc=xxx,dc=com
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}oVaJmDmHSVEEP/j5hoLBZvA2bTf77xzd

# Entry 4: ou=group,dc=xxx,dc=xxx,dc=com
dn: ou=group,dc=xxx,dc=xxx,dc=com
objectclass: organizationalUnit
ou: group

# Entry 5: cn=admins,ou=group,dc=xxx,dc=xxx,dc=com
dn: cn=admins,ou=group,dc=xxx,dc=xxx,dc=com
cn: admins
description: want these to be admin users in shinyproxy
gidnumber: 10000
objectclass: posixGroup

# Entry 8: cn=tourguides,ou=group,dc=xxx,dc=xxx,dc=com
dn: cn=tourguides,ou=group,dc=xxx,dc=xxx,dc=com
cn: tourguides
description: want these to be my non admin users
gidnumber: 10001
objectclass: posixGroup

# Entry 9: ou=People,dc=xxx,dc=xxx,dc=com
dn: ou=People,dc=xxx,dc=xxx,dc=com
objectclass: organizationalUnit
ou: People

# Entry 10: uid=b3,ou=People,dc=xxx,dc=xxx,dc=com
dn: uid=b3,ou=People,dc=xxx,dc=xxx,dc=com
cn: b3
gidnumber: 10000
homedirectory: /home/b3
loginshell: /bin/bash
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
sn: brian3
uid: b3
uidnumber: 10004
userpassword: {SSHA}Amf0ZvdtgRzhrINABQr9ZBP5djZxcHF1

# Entry 11: uid=brbecker,ou=People,dc=xxx,dc=xxx,dc=com
dn: uid=brbecker,ou=People,dc=xxx,dc=xxx,dc=com
cn: Brian Becker
gidnumber: 10000
givenname: Brian
homedirectory: /home/brbecker
loginshell: /bin/bash
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
sn: Becker
uid: brbecker
uidnumber: 10005
userpassword: {SSHA}41opjog77lsi0pkJ2CEiXZyAKEBqUXQ1

# Entry 12: uid=tourguide,ou=People,dc=xxx,dc=xxx,dc=com
dn: uid=tourguide,ou=People,dc=xxx,dc=xxx,dc=com
cn: test tourguide
gidnumber: 10001
givenname: test
homedirectory: /home/tourguide
loginshell: /bin/bash
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
sn: tourguide
uid: tourguide
uidnumber: 10006
userpassword: {SSHA}K7Eu/fpWpWXllUb7wm3AglO/+FxXc0ZY

I would think I need to adjust the group-search-filter field in the application.yml file? Maybe my groups don’t have an attribute called uniqueMember?

I appreciate any help!!


#4

Hi @brbecker0,

Your LDAP export does not show group memberships.
Can you verify that your groups have attributes like this?

dn: cn=tourguides,ou=group,dc=xxx,dc=xxx,dc=com
uniqueMember: uid=tourguide,ou=People,dc=xxx,dc=xxx,dc=com
uniqueMember: uid=brbecker,ou=People,dc=xxx,dc=xxx,dc=com
...

#5

Hi @fmichielssen, I don’t have those attributes under my groups. I’m new to configuring an LDAP server, but my LDAP Account Manager app shows that I have 3 users with these GID numbers:

[image: screenshot of the users list in LDAP Account Manager]

that I thought referred to the respective groups page here:

[image: screenshot of the groups page in LDAP Account Manager]

How might I make sure users properly belong to groups? I appreciate any help!!
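The following is an added example, not code from the thread or from ShinyProxy itself. It replays offline the two-step lookup that #2 describes (user-search-filter with {0} = login name, then group-search-filter with {0} = user DN, {1} = login name, {2} = CN) against an LDIF export such as the one posted in #3, so you can see which filter your directory's group entries actually satisfy before touching application.yml. The sample LDIF is constructed: it holds one groupOfUniqueNames group with uniqueMember values (the attribute #4 asks about) and one posixGroup with memberUid values. The (memberUid={1}) alternative is my suggestion for posixGroup entries, which by schema carry login names rather than DNs; it is not something the thread proposes. The filter evaluator handles only a single equality filter, which is all the configurations on this page use.

```python
import re

# Constructed sample LDIF export (not the poster's directory). The posixGroup carries
# memberUid values (login names); the groupOfUniqueNames carries uniqueMember values (user DNs).
SAMPLE_LDIF = """\
version: 1

# Entry: users
dn: uid=brbecker,ou=People,dc=example,dc=com
cn: Brian Becker
uid: brbecker
objectclass: inetOrgPerson

dn: uid=tourguide,ou=People,dc=example,dc=com
cn: test tourguide
uid: tourguide
objectclass: inetOrgPerson

# Entry: groups
dn: cn=admins,ou=group,dc=example,dc=com
cn: admins
objectclass: posixGroup
gidnumber: 10000
memberuid: brbecker

dn: cn=tourguides,ou=group,dc=example,dc=com
cn: tourguides
objectclass: groupOfUniqueNames
uniquemember: uid=tourguide,ou=People,dc=example,dc=com
uniquemember: uid=brbecker,ou=People,dc=example,dc=com
"""

# Attributes whose values are DNs and must be compared as DNs, not as plain strings.
DN_SYNTAX_ATTRS = {"uniquemember", "member"}


def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no whitespace around commas (enough for this example)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse a plain LDIF export into {dn: {attr: [values]}}; attribute names are lower-cased.
    Base64 values (attr::) and folded continuation lines are not handled."""
    entries, attrs = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:  # a blank line terminates the current entry
            attrs = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            attrs = entries.setdefault(value, {})
        elif attrs is None:
            raise ValueError(f"attribute line before any dn: {line!r}")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def search(entries, base, filt):
    """Subtree search with a single equality filter such as (uniqueMember=<dn>) or uid=jdoe."""
    m = re.fullmatch(r"\(?\s*([A-Za-z][\w.;-]*)\s*=\s*([^()]*?)\s*\)?", filt)
    if not m:
        raise ValueError(f"only single equality filters are supported here: {filt!r}")
    attr, wanted = m.group(1).lower(), m.group(2)
    base = norm_dn(base)
    hits = []
    for dn, attrs in entries.items():
        if not norm_dn(dn).endswith("," + base):  # subtree scope; the base entry itself is excluded
            continue
        values = attrs.get(attr, [])
        if attr in DN_SYNTAX_ATTRS:
            matched = any(norm_dn(v) == norm_dn(wanted) for v in values)
        else:
            matched = any(v.lower() == wanted.lower() for v in values)
        if matched:
            hits.append(dn)
    return hits


def _with_base(sub_base, base_dn):
    """user-search-base / group-search-base are relative to the base DN in the url; absent means the base itself."""
    return f"{sub_base},{base_dn}" if sub_base else base_dn


def groups_for(entries, base_dn, ldap_cfg, login):
    """Replay the lookup offline: resolve the user via user-search-filter ({0} = login), then run
    group-search-filter with {0} = user DN, {1} = login, {2} = user CN. Returns sorted group CNs."""
    user_base = _with_base(ldap_cfg.get("user-search-base"), base_dn)
    users = search(entries, user_base, ldap_cfg["user-search-filter"].replace("{0}", login))
    if len(users) != 1:
        raise LookupError(f"expected exactly one user entry for {login!r}, found {users}")
    user_dn = users[0]
    user_cn = entries[user_dn].get("cn", [login])[0]
    group_filter = (ldap_cfg["group-search-filter"]
                    .replace("{0}", user_dn).replace("{1}", login).replace("{2}", user_cn))
    group_base = _with_base(ldap_cfg.get("group-search-base"), base_dn)
    return sorted(entries[g]["cn"][0] for g in search(entries, group_base, group_filter))


BASE_DN = "dc=example,dc=com"  # constructed; the part after the slash in the ldap url
UNIQUE_MEMBER_CFG = {  # the configuration shape used in the thread
    "user-search-base": "ou=People", "user-search-filter": "uid={0}",
    "group-search-base": "ou=group", "group-search-filter": "(uniqueMember={0})",
}
# Alternative for posixGroup entries, which hold login names in memberUid rather than DNs.
MEMBER_UID_CFG = {**UNIQUE_MEMBER_CFG, "group-search-filter": "(memberUid={1})"}

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for login in ("brbecker", "tourguide"):
        print(login, "uniqueMember:", groups_for(directory, BASE_DN, UNIQUE_MEMBER_CFG, login),
              "memberUid:", groups_for(directory, BASE_DN, MEMBER_UID_CFG, login))
```

Run it against your own export (replace SAMPLE_LDIF with the file contents and BASE_DN with your base) and an empty list for a user who should be in a group tells you the group entry simply has no attribute the filter can match, which is what an empty SHINYPROXY_USERGROUPS and `Roles from search: []` reflect. A gidNumber on the user entry is never consulted by this search: the server only returns group entries whose own attributes match the filter, so the membership has to be recorded on the group (uniqueMember holding DNs, or memberUid holding login names with a matching filter).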