LDAP multiple group authentication

Thanks for developing ShinyProxy, it is a really great tool.

I successfully did the ShinyProxy LDAP setup to authenticate the application.
But I would like to know whether there is a way to authenticate multiple groups.
My company LDAP has all the users from different organisation levels. I want to restrict application access based on certain application and then geographical group.

My current configuration:
url: ldap:///dc=com
manager-dn: CN=admin_user
manager-password: test
user-search-filter: (sAMAccountName={0})
group-search-filter: (member={0})
group-search-base: CN=Users


  - name: swim_dev_us
    groups: [app_access_US]
  - name: swim_dev_nonus
    groups: [app_access_NonUS]

I was working out a way to authenticate application access and then geographical access:
[app1_access, app_access_US]
[app1_access, app_access_NonUS]
[app2_access, app_access_US]

In this way, application2 access is available only to the US group.


You can use the syntax below:

  - name: app_name
    groups: >

Thanks for the suggestion.

I tried the following in application.yml:
name: app1
groups: [app_access_US, app1_access]

I logged in with a user who has the following groups: “app_access_US” and “app2_access”.
ShinyProxy showed the app1 link.

ShinyProxy verifies the groups in OR fashion, not AND.
I am looking for a solution to authenticate and provide access to users who are in both groups; in the above example, a user with groups “app_access_us” and “app1_access”.

This can only be answered by the developer.
But if your application allows this, you can try the solutions below:

  1. Create an LDAP group which contains the intersection of “app_access_us” and “app1_access”
  2. In the application you can get all groups for the current user using Sys.getenv("SHINYPROXY_USERGROUPS") and add a filter by groups
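
The second suggestion above as an added example (not part of the original post and not ShinyProxy's own code): a Shiny app that enforces the AND check itself. It assumes ShinyProxy passes the user's groups to the container as a comma-separated list in SHINYPROXY_USERGROUPS; the helper names and the placeholder plot are hypothetical.

```r
# Added example, not ShinyProxy's own code.
library(shiny)

# Groups the user must hold simultaneously (names taken from the thread).
REQUIRED_GROUPS <- c("app1_access", "app_access_US")

# Split the variable into a normalized vector of group names.
# Assumption: comma-separated list; compared case-insensitively.
parse_groups <- function(raw) {
  parts <- trimws(strsplit(raw, ",", fixed = TRUE)[[1]])
  toupper(parts[nzchar(parts)])
}

# TRUE only when every required group is present. A missing or empty
# variable yields no groups, so the check fails closed.
has_all_groups <- function(required,
                           raw = Sys.getenv("SHINYPROXY_USERGROUPS")) {
  length(required) > 0 && all(toupper(required) %in% parse_groups(raw))
}

# Constructed inputs: the second one is the case reported in the thread.
stopifnot(has_all_groups(REQUIRED_GROUPS, "APP_ACCESS_US, APP1_ACCESS"))
stopifnot(!has_all_groups(REQUIRED_GROUPS, "app_access_US,app2_access"))
stopifnot(!has_all_groups(REQUIRED_GROUPS, ""))

ui <- fluidPage(uiOutput("body"))

server <- function(input, output, session) {
  authorized <- has_all_groups(REQUIRED_GROUPS)

  output$body <- renderUI({
    if (!authorized) {
      return(h3("Access denied: membership in all required groups is needed."))
    }
    tagList(h3("app1"), plotOutput("plot"))
  })

  output$plot <- renderPlot({
    req(authorized)  # server-side guard: render nothing for unauthorized users
    hist(faithful$eruptions, main = "Placeholder content")
  })
}

shinyApp(ui, server)
```

Keeping the `groups:` entry in application.yml still limits who can launch the app at all; the in-app check then narrows the OR match down to users holding both groups.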

Hi @Jayaramm,

The group check is indeed OR, not AND.
See also here: Shiny Proxy Multi-Group Authentication

Feel free to log an issue to promote the implementation of this feature!

@fmichielssen - Thanks for the reply. I will help as much as I can to implement this.

I have another scenario, for example:
authentication: ldap


  - name: test_app1
  - name: test_app2
    groups: [app2_access]

test_app1 does not have any restrictions; it is open to all users.
test_app2 has a restriction and can be accessed only if authenticated by LDAP.

If I send the test_app1 link to users, they see the login screen. Is there a way to bypass authentication to launch an application which does not have any groups specified?