My Microsoft Active Directory LDAP Experience

djoye · March 2, 2018, 9:11pm

I spent quite a bit of time today configuring MS Active Directory LDAP in ShinyProxy, I used existing forum posts to get info and had to learn some things on my own. I’m not familiar with this software and I’m barely more familiar with Linux, so I hope this is helpful for other people.

ShinyProxyLDAP is the is the name of the AD LDAP account created for authentication
AD_Shiny_Admins and AD_Shiny_Users are AD security groups created to give users specific permissions

This is the relevant info from my application.yml config with confidential info removed:

shiny:
  proxy:
    authentication: ldap
    admin-groups: AD_Shiny_Admins

    ldap:
      url: ldap://domaincontrollerIP:389/dc=domain,dc=com
      manager-dn: CN=ShinyProxyLDAP,OU=Service Accounts,DC=domain,DC=com
      manager-password: **************
      user-search-base:
      user-search-filter: (sAMAccountName={0})
      group-search-base: OU=Groups,OU=More_Groups
      group-search-filter: (member={0})
      
  apps:
  - name: 01_hello
    groups: AD_Shiny_Users, AD_Shiny_Admins
  - name: 06_tabsets
    groups: AD_Shiny_Users

In order from top-down, these are my deductions:

With LDAP enabled, all groups are now Active Directory groups, hence the admin-groups and groups AD_ parameters.
Since your domain name is in the url parameter (<domaincontrollerIP>/dc=domain,dc=com), your domain name is assumed in the user-search-base and group-search-base parameters. DO NOT place your domain name in the user or group search-base fields, your domain is automatically appended. Placing the DC info in those fields may lead to an application 500 error when logging in.
The manager-dn parameter is the only place you will specify ‘DC=domain,DC=com’ outside of the url parameter.
The user-search-base parameter is able to navigate from the root of your domain and up, leave it blank since your domain name is assumed from the LDAP URL.
This software cannot search an Active Directory group starting from the root of your domain, you must specify the exact location of the groups; remember to exclude the root domain. My groups are located in domain.com/Groups/More_Groups, so I was required to specify group-search-base: OU=Groups,OU=More_Groups so that it could locate the AD groups.
The apps groups parameters are just there as an example of how I configured them.

fmichielssen · March 12, 2018, 2:28pm

Hi @djoye,

Thanks for sharing this!
We will make an effort to improve the configuration docs to cover AD more completely.

DrumSergio · March 20, 2019, 5:26pm

Hi you both, and thank you!

Just to make it clear: So now the only two sources of info about ShinyProxy and AD is this post, and this little mention on the configuration docs: https://www.shinyproxy.io/configuration/#example-active-directory isn’t it?

Just to know, thank you! I will have to connect both systems in the following months and I would like as much info as possible, I come from a Linux-only background so AD kind of scares me.

Frank · April 6, 2022, 6:35am

Hi,

with your example, I’m able to login with “all” users from our AD to shinyproxy but cannot control with RShiny_Prod_ABS Group who is permitted or denied to login. I believe that group search filters are not working. Thy exist to filter members in groups but how can I control access to shinyproxy with seperate AD Groups? Cannot get it to work

Admin User groups are in root OU=SLK_Admins,DC=slk,DC=lokal
Normal Users are in OU=SLK_Ressource,OU=SLK_Users

shinyproxy Group that should control who is able to login or not are in
CN=RShiny_Prod_ABS,OU=RShiny,OU=SLK_Ressource,OU=SLK_Users,DC=slk,DC=lokal

It doesn’t matter who I add to the RShiny_Prod_ABS group, anyone can log in and that is not what I want.

application.yml

admin-groups: AD_Shiny_Admins
ldap:
url: ldap://172.16.0.1:389/dc=slk,dc=lokal
manager-dn: slk_ldap@atg.lokal
manager-password: **********
user-search-base:
user-search-filter: (sAMAccountName={0})
group-search-base: OU=RShiny,OU=SLK_Ressource,OU=SLK_Users
group-search-filter: (member={0})

docker:
internal-networking: true
specs:

id: 01_hello
display-name: Hello Application
groups: AD_Shiny_Admins,RShiny_Prod_ABS
description: Application which demonstrates the basics of a Shiny app
container-cmd: [“R”, “-e”, “shinyproxy::run_01_hello()”]
container-image: openanalytics/shinyproxy-demo
container-network: sp-example-net
id: 06_tabsets
display-name: tabsets Application
description: Application which demonstrates tabsets
groups: AD_Shiny_Admins
container-cmd: [“R”, “-e”, “shinyproxy::run_06_tabsets()”]
container-image: openanalytics/shinyproxy-demo
container-network: sp-example-net

who can help me to set applications