My Microsoft Active Directory LDAP Experience

I spent quite a bit of time today configuring MS Active Directory LDAP in ShinyProxy. I used existing forum posts to get info and had to learn some things on my own. I’m not familiar with this software and I’m barely more familiar with Linux, so I hope this is helpful for other people.

  • ShinyProxyLDAP is the name of the AD LDAP account created for authentication
  • AD_Shiny_Admins and AD_Shiny_Users are AD security groups created to give users specific permissions

This is the relevant info from my application.yml config with confidential info removed:

shiny:
  proxy:
    authentication: ldap
    admin-groups: AD_Shiny_Admins

    ldap:
      url: ldap://domaincontrollerIP:389/dc=domain,dc=com
      manager-dn: CN=ShinyProxyLDAP,OU=Service Accounts,DC=domain,DC=com
      manager-password: **************
      user-search-base:
      user-search-filter: (sAMAccountName={0})
      group-search-base: OU=Groups,OU=More_Groups
      group-search-filter: (member={0})
      
  apps:
  - name: 01_hello
    groups: AD_Shiny_Users, AD_Shiny_Admins
  - name: 06_tabsets
    groups: AD_Shiny_Users

In order from top-down, these are my deductions:

  • With LDAP enabled, all groups are now Active Directory groups, hence the admin-groups and groups AD_ parameters.
  • Since your domain name is in the url parameter (<domaincontrollerIP>/dc=domain,dc=com), your domain name is assumed in the user-search-base and group-search-base parameters. DO NOT place your domain name in the user or group search-base fields; your domain is automatically appended. Placing the DC info in those fields may lead to an application 500 error when logging in.
  • The manager-dn parameter is the only place you will specify ‘DC=domain,DC=com’ outside of the url parameter.
  • The user-search-base parameter is able to navigate from the root of your domain and up; leave it blank since your domain name is assumed from the LDAP URL.
  • This software cannot search an Active Directory group starting from the root of your domain, you must specify the exact location of the groups; remember to exclude the root domain. My groups are located in domain.com/Groups/More_Groups, so I was required to specify group-search-base: OU=Groups,OU=More_Groups so that it could locate the AD groups.
  • The apps groups parameters are just there as an example of how I configured them.
2 Likes
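The relative search-base behaviour described in the post above, as an added Python example that is not part of the thread or of ShinyProxy: it composes the DN that is actually searched from the URL's base DN plus the relative search base, flags a search base that repeats the DC components, and emulates the (member={0}) group filter over a constructed directory. The helper names, the user Jane Doe and the directory contents are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def url_base_dn(url):
    """Base DN carried in the path of the LDAP URL, '' if absent."""
    return urlsplit(url).path.lstrip("/")

def effective_dn(url, relative_base):
    """DN actually searched: relative search base + base DN from the URL."""
    return ",".join(p for p in ((relative_base or "").strip(), url_base_dn(url)) if p)

def review_ldap(cfg):
    """Return (effective search DNs, warnings) for an ldap: config block."""
    base = rdns(url_base_dn(cfg["url"]))
    effective, warnings = {}, []
    for key in ("user-search-base", "group-search-base"):
        effective[key] = effective_dn(cfg["url"], cfg.get(key))
        if base and rdns(cfg.get(key) or "")[-len(base):] == base:
            warnings.append(f"{key} repeats the URL base DN: {effective[key]}")
    return effective, warnings

def matching_groups(user_dn, group_root_dn, directory):
    """Emulate (member={0}), where {0} is the user's full DN, below group_root_dn.
    Assumption: subtree scope; a one-level search sees direct children only."""
    root, hits = rdns(group_root_dn), []
    for group_dn, members in directory.items():
        under_root = not root or rdns(group_dn)[-len(root):] == root
        if under_root and rdns(user_dn) in map(rdns, members):
            hits.append(group_dn.split(",", 1)[0].split("=", 1)[1])
    return sorted(hits)

# Constructed sample data, modelled on the placeholders in the post above.
GOOD = {"url": "ldap://domaincontrollerIP:389/dc=domain,dc=com",
        "user-search-base": None,
        "group-search-base": "OU=Groups,OU=More_Groups"}
BAD = dict(GOOD, **{"group-search-base": "OU=Groups,OU=More_Groups,DC=domain,DC=com"})
JANE = "CN=Jane Doe,OU=Staff,DC=domain,DC=com"        # hypothetical user
GROUPS = "OU=Groups,OU=More_Groups,DC=domain,DC=com"  # where the AD groups live
DIRECTORY = {f"CN=AD_Shiny_Users,{GROUPS}": [JANE], f"CN=AD_Shiny_Admins,{GROUPS}": [],
             "CN=Other,OU=Elsewhere,DC=domain,DC=com": [JANE]}

if __name__ == "__main__":
    for cfg in (GOOD, BAD):
        effective, warnings = review_ldap(cfg)
        print(effective["group-search-base"], warnings,
              matching_groups(JANE, effective["group-search-base"], DIRECTORY))
```

With the DC components repeated, the composed DN ends in the domain suffix twice and no group entry lies beneath it, so the group lookup returns nothing in this model.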

Hi @djoye,

Thanks for sharing this!
We will make an effort to improve the configuration docs to cover AD more completely.

Hi you both, and thank you!

Just to make it clear: So now the only two sources of info about ShinyProxy and AD are this post and this little mention in the configuration docs: https://www.shinyproxy.io/configuration/#example-active-directory, aren’t they?

Just to know, thank you! I will have to connect both systems in the following months and I would like as much info as possible. I come from a Linux-only background, so AD kind of scares me.

1 Like

Hi,

With your example, I’m able to log in with “all” users from our AD to ShinyProxy, but cannot control with the RShiny_Prod_ABS group who is permitted or denied to log in. I believe that group search filters are not working. They exist to filter members in groups, but how can I control access to ShinyProxy with separate AD groups? Cannot get it to work.

Admin User groups are in root OU=SLK_Admins,DC=slk,DC=lokal
Normal Users are in OU=SLK_Ressource,OU=SLK_Users

shinyproxy Group that should control who is able to login or not are in
CN=RShiny_Prod_ABS,OU=RShiny,OU=SLK_Ressource,OU=SLK_Users,DC=slk,DC=lokal

It doesn’t matter who I add to the RShiny_Prod_ABS group, anyone can log in and that is not what I want.

application.yml

admin-groups: AD_Shiny_Admins
ldap:
  url: ldap://172.16.0.1:389/dc=slk,dc=lokal
  manager-dn: slk_ldap@atg.lokal
  manager-password: **********
  user-search-base:
  user-search-filter: (sAMAccountName={0})
  group-search-base: OU=RShiny,OU=SLK_Ressource,OU=SLK_Users
  group-search-filter: (member={0})

docker:
  internal-networking: true
specs:
- id: 01_hello
  display-name: Hello Application
  groups: AD_Shiny_Admins,RShiny_Prod_ABS
  description: Application which demonstrates the basics of a Shiny app
  container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
  container-image: openanalytics/shinyproxy-demo
  container-network: sp-example-net
- id: 06_tabsets
  display-name: tabsets Application
  description: Application which demonstrates tabsets
  groups: AD_Shiny_Admins
  container-cmd: ["R", "-e", "shinyproxy::run_06_tabsets()"]
  container-image: openanalytics/shinyproxy-demo
  container-network: sp-example-net

who can help me to set applications