Manager-dn account permissions for Active Directory

skar · January 10, 2018, 2:40am

Hi,

I’m trying to configure shinyproxy on Active Directory, and I don’t know what permissions need to “read-only-admin” account.
When I use my account I see Error: “LDAP: error code 49”.
When I use “domain-admin” account, I successfully authorized on my Shiny Server.
But I cannot use “domain-admin” account because it is not safe.
What rights does the account “read-only-admin” have?

fmichielssen · January 16, 2018, 7:31am

Hi @skar,

ShinyProxy LDAP authentication uses Spring Security, configured to do the following:

bind with admin account
when a user logs in, search for the user’s DN using either user-dn-pattern or user-search-filter
when the DN is found, bind with the user DN and password
search for the user’s group memberships (under the admin’s bind context)

So the admin account needs the following privileges:

It must be able to bind
It must be able to search and find all the users and groups you want to use in ShinyProxy.

Beyond that, I am not aware of any other privileges that the account should have.

skar · January 17, 2018, 4:33am

Thank you very much! It works.