My Microsoft Active Directory LDAP Experience


#1

I spent quite a bit of time today configuring MS Active Directory LDAP in ShinyProxy, I used existing forum posts to get info and had to learn some things on my own. I’m not familiar with this software and I’m barely more familiar with Linux, so I hope this is helpful for other people.

  • ShinyProxyLDAP is the name of the AD LDAP account created for authentication
  • AD_Shiny_Admins and AD_Shiny_Users are AD security groups created to give users specific permissions

This is the relevant info from my application.yml config with confidential info removed:

shiny:
  proxy:
    authentication: ldap
    admin-groups: AD_Shiny_Admins

    ldap:
      url: ldap://domaincontrollerIP:389/dc=domain,dc=com
      manager-dn: CN=ShinyProxyLDAP,OU=Service Accounts,DC=domain,DC=com
      manager-password: **************
      user-search-base:
      user-search-filter: (sAMAccountName={0})
      group-search-base: OU=Groups,OU=More_Groups
      group-search-filter: (member={0})
      
  apps:
  - name: 01_hello
    groups: AD_Shiny_Users, AD_Shiny_Admins
  - name: 06_tabsets
    groups: AD_Shiny_Users

In order from top-down, these are my deductions:

  • With LDAP enabled, all groups are now Active Directory groups, hence the admin-groups and groups AD_ parameters.
  • Since your domain name is in the url parameter (<domaincontrollerIP>/dc=domain,dc=com), your domain name is assumed in the user-search-base and group-search-base parameters. DO NOT place your domain name in the user or group search-base fields; your domain is automatically appended. Placing the DC info in those fields may lead to an application 500 error when logging in.
  • The manager-dn parameter is the only place you will specify ‘DC=domain,DC=com’ outside of the url parameter.
  • The user-search-base parameter is able to navigate from the root of your domain and up; leave it blank since your domain name is assumed from the LDAP URL.
  • This software cannot search an Active Directory group starting from the root of your domain, you must specify the exact location of the groups; remember to exclude the root domain. My groups are located in domain.com/Groups/More_Groups, so I was required to specify group-search-base: OU=Groups,OU=More_Groups so that it could locate the AD groups.
  • The apps groups parameters are just there as an example of how I configured them.
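
As an added illustration (not ShinyProxy's own code, nor the poster's) of how the search-base and filter values above compose into the two LDAP searches, with constructed sample values and the assumption that {0} in the group filter receives the authenticated user's DN:

```python
from urllib.parse import urlparse

# Constructed sample matching the shape of the config above (no real values).
SAMPLE_URL = "ldap://domaincontrollerIP:389/dc=domain,dc=com"

# RFC 4515 escapes for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def base_dn_from_url(url: str) -> str:
    """The DN after the host in an ldap:// URL (dc=domain,dc=com above)."""
    return urlparse(url).path.lstrip("/")


def effective_search_base(url: str, search_base: str) -> str:
    """Relative search-base joined with the URL's DN; empty means the root."""
    root = base_dn_from_url(url)
    return f"{search_base},{root}" if search_base else root


def search_base_repeats_domain(url: str, search_base: str) -> bool:
    """True when the search-base already ends with the domain DN, i.e. the
    misconfiguration the post warns about: the domain would be appended twice."""
    root = base_dn_from_url(url).replace(" ", "").lower()
    return search_base.replace(" ", "").lower().endswith(root)


def render_filter(template: str, value: str) -> str:
    """Substitute {0} in a search filter with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def plan_lookup(cfg: dict, username: str, user_dn: str) -> dict:
    """The two searches the config implies: find the user by sAMAccountName,
    then the groups whose member attribute lists that user's DN (assumed:
    {0} in the group filter is the user DN, as in Spring Security's LDAP support)."""
    return {
        "user_base": effective_search_base(cfg["url"], cfg["user-search-base"]),
        "user_filter": render_filter(cfg["user-search-filter"], username),
        "group_base": effective_search_base(cfg["url"], cfg["group-search-base"]),
        "group_filter": render_filter(cfg["group-search-filter"], user_dn),
    }
```

search_base_repeats_domain is the check to run on your own values before deploying: a True result reproduces the doubled-DN case behind the 500 error described above.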

#2

Hi @djoye,

Thanks for sharing this!
We will make an effort to improve the configuration docs to cover AD more completely.