LDAP multiple group authentication


#1

Thanks for developing shiny proxy it is really great tool.

Successfully did shiny proxy ldap setup to authenticate the application.
But would like to know is there a way to authenticate multiple groups.
My company ldap has all the users from different organisation level, I want to restrict application access based on certain application and then geographical group.

My current configuration:

ldap:
  url: ldap:///dc=com
  manager-dn: CN=admin_user
  manager-password: test
  user-search-filter: (sAMAccountName={0})
  group-search-filter: (member={0})
  group-search-base: CN=Users

apps:
  - name: swim_dev_us
    .
    .
    groups: [app_access_US]
  - name: swim_dev_nonus
    .
    .
    groups: [app_access_NonUS]

I was working out a way to authenticate application access and then geographical access:
[app1_access, app_access_US]
[app1_access, app_access_NonUS]
[app2_access, app_access_US]

In this way application2 access is available only to the US group.

Regards,
Jay


#2

Hi.
You can use the syntax below:

  - name: app_name
    .
    .
    groups: >
      group_name1,
      group_name2,
      group_name3

#3

Thanks for the suggestion.

I tried the following in application.yml:

  - name: app1
    .
    .
    groups: [app_access_US, app1_access]

Logged in with a user who has the groups “app_access_US” and “app2_access”.
ShinyProxy showed the app1 link.

ShinyProxy verifies the groups in OR fashion, not AND.
I am looking for a solution to authenticate and provide access to users who are in both groups; in the above example, a user with the groups “app_access_US” and “app1_access”.


#4

This can only be answered by the developer.
But if your application allows this, you can try the solutions below:

  1. Create an LDAP group which contains the intersection of “app_access_US” and “app1_access”.
  2. In the application you can get all groups of the current user with Sys.getenv("SHINYPROXY_USERGROUPS") and add a filter by groups.

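One way to implement the second suggestion above (an app-side AND check on the groups ShinyProxy hands to the container), as an added example that is not code from this thread or from ShinyProxy itself. It assumes that SHINYPROXY_USERGROUPS holds a comma-separated list of the user's groups, compares names case-insensitively because the casing in that variable is not guaranteed, and uses the hypothetical group names from the thread (app1_access, app_access_US):

```r
# Added example, not from the thread or from ShinyProxy's own code.
# Assumptions: SHINYPROXY_USERGROUPS is a comma-separated list of the
# user's groups; matching is done case-insensitively because the casing
# of group names in that variable is an assumption, not a guarantee.
library(shiny)

# Hypothetical group names taken from the thread: a user must be in BOTH.
required_groups <- c("app1_access", "app_access_US")

# Parse the environment variable into a clean, upper-cased vector.
# An unset or empty variable yields character(0), so the check fails closed.
user_groups <- function(raw = Sys.getenv("SHINYPROXY_USERGROUPS")) {
  parts <- strsplit(raw, ",", fixed = TRUE)[[1]]
  parts <- toupper(trimws(parts))
  parts[nzchar(parts)]
}

# TRUE only when every required group is present: AND, unlike the
# OR semantics of ShinyProxy's own `groups:` setting.
has_all_groups <- function(groups, required = required_groups) {
  length(required) > 0 && all(toupper(required) %in% groups)
}

ui <- fluidPage(uiOutput("content"))

server <- function(input, output, session) {
  # Evaluate once per session: the container is per user, so the
  # environment variables do not change while the app is running.
  groups <- user_groups()
  authorised <- has_all_groups(groups)

  output$content <- renderUI({
    if (!authorised) {
      # Nothing sensitive is rendered; only the required memberships are named.
      return(tagList(
        h3("Access denied"),
        p("This app requires membership of all of: ",
          paste(required_groups, collapse = ", "))
      ))
    }
    tagList(
      h3(paste("Welcome,", Sys.getenv("SHINYPROXY_USERNAME"))),
      p("Your groups: ", paste(groups, collapse = ", "))
    )
  })
}

shinyApp(ui, server)
```

Keep one of the two groups in the app's `groups:` entry in application.yml as well, so ShinyProxy still hides the app from users who are in neither group; the check inside the container only tightens that decision to AND for users who were already allowed to launch it. Because the check runs in the app, no data or UI should be built before `authorised` has been evaluated.
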
#5

Hi @Jayaramm,

The group check is indeed OR, not AND.
See also here: Shiny Proxy Multi-Group Authentication

Feel free to log an issue to promote the implementation of this feature!


#6

@fmichielssen - Thanks for the reply. I will help as much as I can to implement this.

I have another scenario, e.g.:

authentication: ldap

apps:
  - name: test_app1
    .
    .
  - name: test_app2
    .
    groups: [app2_access]

test_app1 does not have any restrictions; it is open to all users.
test_app2 has a restriction and can be accessed only if authenticated by LDAP.

If I send the test_app1 link to users they see the login screen. Is there a way to bypass authentication to launch an application which does not have any groups specified?

Regards,
Jay