Manager-dn account permissions for Active Directory


#1

Hi,

I’m trying to configure ShinyProxy on Active Directory, and I don’t know what permissions the “read-only-admin” account needs.
When I use my account I see Error: “LDAP: error code 49”.
When I use the “domain-admin” account, I am successfully authorized on my Shiny Server.
But I cannot use the “domain-admin” account because it is not safe.
What rights does the account “read-only-admin” have?


#2

Hi @skar,

ShinyProxy LDAP authentication uses Spring Security, configured to do the following:

  1. bind with admin account
  2. when a user logs in, search for the user’s DN using either user-dn-pattern or user-search-filter
  3. when the DN is found, bind with the user DN and password
  4. search for the user’s group memberships (under the admin’s bind context)

So the admin account needs the following privileges:

  • It must be able to bind
  • It must be able to search and find all the users and groups you want to use in ShinyProxy.

Beyond that, I am not aware of any other privileges that the account should have.
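
The bind, search, bind, group-search flow from the reply above, as an added `application.yml` sketch that is not part of the original thread. The host name, DNs, OUs and the `svc-shinyproxy` account are constructed placeholders, and the filters assume a standard Active Directory schema.

```yaml
# Added example: all hosts, DNs and account names below are constructed placeholders.
proxy:
  authentication: ldap
  ldap:
    # LDAPS, so neither the manager password nor the users' passwords
    # cross the network in clear text during the binds.
    url: ldaps://dc01.example.com:636/dc=example,dc=com

    # Step 1: the account ShinyProxy binds with. Use a dedicated, ordinary
    # account rather than a domain admin; per the reply it only has to bind
    # and to search/read the users and groups referenced below.
    # A wrong DN or password here is rejected with LDAP error code 49
    # (invalidCredentials).
    manager-dn: cn=svc-shinyproxy,ou=Service Accounts,dc=example,dc=com
    # Placeholder value; keep this file readable only by the ShinyProxy user.
    manager-password: CHANGE_ME

    # Step 2: find the DN of the user who is logging in.
    # {0} is the login name typed by the user.
    user-search-base: ou=Staff
    user-search-filter: (sAMAccountName={0})

    # Step 3 (binding as the found user DN with the typed password) needs no
    # configuration of its own.

    # Step 4: group lookup, run under the manager account's bind.
    # {0} is the DN of the user found in step 2.
    group-search-base: ou=Groups
    group-search-filter: (member={0})
```

If login works but no groups are returned, check that the manager account can read the `member` attribute of the group objects under the group search base.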


#3

Thank you very much! It works.