Shiny Proxy - Active Directory auth problem


#1

Hello,
I did check all the posts about AD auth with SP but I did not find a solution that could work in my environment.

My AD tree looks like this:

  • ldap-url: ldap://ad.company.pl/DC=ad,DC=company,DC=pl
  • tech account for dn-manager: tech_shinyProxy, and it's in: OU=Tech Accounts, OU=Servers, OU=CompanyName, DC=ad, DC=company, dc=pl
  • accounts for logging into shinyproxy are grouped in: OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl
  • for ex. shinyproxy admin account for user John Smith is here:
    CN=John Smith, CN=RshinyLocalAdmin, OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl
  • for ex.2 shinyproxy user account for user Eva Sweet is here:
    CN=Eva Sweet, CN=RshinyApp1, OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl

To AD we're logging in with a user name like jsmith for John Smith and esweet for Eva Sweet.

My config looks like this:

shiny:
  proxy:
    authentication: ldap
    admin-groups: RshinyLocalAdmin
    ldap:
      url: ldap://ad.company.pl/DC=ad,DC=company,DC=pl
      manager-dn: CN=tech_shinyProxy,OU=Tech Accounts, OU=Servers, OU=CompanyName, DC=ad, DC=company, dc=pl
      manager-password: password
      group-search-base: OU=RShiny,OU=Groups
      group-search-filter: (member={0})
      user-dn-pattern: uid={0}

When I'm trying to log in I get a message like:

2018-03-12 12:01:07.201 DEBUG 21976 --- [XNIO-2 task-11] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-12 12:01:07.203 DEBUG 21976 --- [XNIO-2 task-11] o.s.s.l.a.BindAuthenticator              : Attempting to bind as uid=jsmith,dc=ad,dc=comany,dc=pl
2018-03-12 12:01:07.207 DEBUG 21976 --- [XNIO-2 task-11] o.s.s.l.a.BindAuthenticator              : Failed to bind as uid=jsmith: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
2018-03-12 12:01:07.208  INFO 21976 --- [XNIO-2 task-11] eu.openanalytics.services.UserService    : Authentication failure [user: jsmith] [error: Niepoprawne dane uwierzytelniające]

[error: Niepoprawne dane uwierzytelniające] means [error: Auth data not valid] (but in Polish).

How should I set up the ldap configuration?
If I understand right, there is no problem with the manager-dn connection for CN=tech_shinyProxy?
Is it a problem that my user account (CN=John Smith) is in the group CN=RshinyLocalAdmin?

thx in advance…


#2

Hi @velblu,

Your manager bind is indeed working ok. The problem is the bind of the person logging in.
As you can see in the log, it is trying this (incorrect) DN:

Attempting to bind as uid=jsmith,dc=ad,dc=comany,dc=pl

While the correct DN is:

CN=John Smith, CN=RshinyLocalAdmin, OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl

ShinyProxy supports two ways to find a correct DN:

  1. Map the login name to a DN using the user-dn-pattern setting. This is happening in your case, but it will only work if all your users are in the same fixed AD location.
  2. Search for the DN using a query. This is more flexible, and should work for you, by setting these properties:

user-search-base:
user-search-filter: (sAMAccountName={0})

See here for more information:
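The two DN-resolution strategies described above, as an added example that is not ShinyProxy's or Spring Security's own code: it models the thread's AD tree as a constructed in-memory snapshot and shows why `user-dn-pattern: uid={0}` produces a DN that does not exist, while a `(sAMAccountName={0})` search finds the nested `CN=John Smith` entry. `normalize_dn` is an assumed helper that treats DNs the way AD compares them (case-insensitive, whitespace after commas ignored); the entry DNs and logins come from the thread.

```python
import re

# Base DN from the thread's ldap-url; a relative search base is appended to it.
BASE_DN = "DC=ad,DC=company,DC=pl"

# Constructed in-memory snapshot of the AD tree described in the thread.
# Keys are entry DNs, values are the only attribute this example needs.
DIRECTORY = {
    "CN=tech_shinyProxy,OU=Tech Accounts,OU=Servers,OU=CompanyName,DC=ad,DC=company,DC=pl":
        {"sAMAccountName": "tech_shinyProxy"},
    "CN=John Smith,CN=RshinyLocalAdmin,OU=Rshiny,OU=Groups,DC=ad,DC=company,DC=pl":
        {"sAMAccountName": "jsmith"},
    "CN=Eva Sweet,CN=RshinyApp1,OU=Rshiny,OU=Groups,DC=ad,DC=company,DC=pl":
        {"sAMAccountName": "esweet"},
}


def normalize_dn(dn):
    """Canonical form for comparison (assumed helper): split on unescaped
    commas, drop the whitespace people type after commas, and lowercase
    everything, since DN matching in AD is case-insensitive."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def entry_exists(dn):
    """True if an entry with this DN exists in the snapshot."""
    known = {normalize_dn(k) for k in DIRECTORY}
    return normalize_dn(dn) in known


def dn_from_pattern(login, user_dn_pattern, base_dn=BASE_DN):
    """Strategy 1: substitute the login into user-dn-pattern and append the
    base DN. This is what yields 'uid=jsmith,dc=ad,...' in the thread's log."""
    return user_dn_pattern.replace("{0}", login) + "," + base_dn


def dn_from_search(login, user_search_base, user_search_filter, base_dn=BASE_DN):
    """Strategy 2: search the subtree under user-search-base (relative to the
    base DN; empty means the whole base) for the entry whose filter attribute
    equals the login. Returns its DN, or None unless exactly one entry matches."""
    m = re.fullmatch(r"\((\w+)=\{0\}\)", user_search_filter)
    if not m:
        raise ValueError("only simple '(attr={0})' filters are modelled here")
    attr = m.group(1)
    base = normalize_dn(f"{user_search_base},{base_dn}" if user_search_base else base_dn)
    hits = [
        dn for dn, attrs in DIRECTORY.items()
        if attrs.get(attr) == login
        and (normalize_dn(dn) == base or normalize_dn(dn).endswith("," + base))
    ]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    bad = dn_from_pattern("jsmith", "uid={0}")
    print("pattern ->", bad, "| exists:", entry_exists(bad))
    good = dn_from_search("jsmith", "", "(sAMAccountName={0})")
    print("search  ->", good, "| exists:", entry_exists(good))
```

Run as a script it prints the pattern-derived DN with `exists: False` and the search-derived DN with `exists: True`. Restricting `user-search-base` to `OU=Rshiny,OU=Groups` still finds the user, which is the least-privilege setting to prefer over searching the whole domain once you know where the ShinyProxy accounts live.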


#3

Thanks for the quick reply. I tried these settings before and I could not log in. An error message:

2018-03-13 09:35:48.200 DEBUG 11096 --- [XNIO-2 task-4] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-13 09:35:48.204 ERROR 11096 --- [XNIO-2 task-4] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

error 52e means invalid credentials

but if I try to log in with a non-existing user (like efsaf) I get the same error message…

2018-03-13 09:47:55.575 DEBUG 11480 --- [XNIO-2 task-3] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: efsaf
2018-03-13 09:47:55.607 ERROR 11480 --- [XNIO-2 task-3] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

I get the error message as well if I log in with the full user name (like John Smith)…

Any ideas why?
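A decoder for the `data NNN` sub-code that AD appends to LDAP error 49, run over constructed log lines in the format shown above, as an added example that is not part of the thread. The sub-code table is the well-known set of AD bind result codes; the sample log is constructed (the `esweet` line with `data 775` does not appear in the thread). On a simple bind AD typically answers an unknown account with 52e as well, not 525, which is consistent with the identical error the thread sees for the user efsaf.

```python
import re
from collections import Counter

# Well-known Active Directory bind sub-codes carried in the "data NNN" field of
# an LDAP error 49 (invalidCredentials) diagnostic message.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DIAG_RE = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), data (?P<data>[0-9a-fA-F]+)"
)
USER_RE = re.compile(r"Processing authentication request for user: (?P<user>\S+)")

# Constructed sample log modelled on the thread's ShinyProxy output. The DSID
# value is copied from the thread; the esweet/775 line is invented for the demo.
SAMPLE_LOG = """\
2018-03-13 09:35:48.200 DEBUG 11096 --- [XNIO-2 task-4] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-13 09:35:48.204 ERROR 11096 --- [XNIO-2 task-4] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
2018-03-13 09:40:11.010 DEBUG 11096 --- [XNIO-2 task-5] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: esweet
org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 775, v1db1]
"""


def decode_log(text):
    """Walk the log, remember the last user whose authentication started, and
    attach a decoded meaning to every AD diagnostic that follows it."""
    events, current_user = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        u = USER_RE.search(line)
        if u:
            current_user = u.group("user")
            continue
        m = DIAG_RE.search(line)  # first match per line; the nested copy repeats it
        if m:
            data = m.group("data").lower()
            events.append({
                "line": lineno,
                "user": current_user,
                "code": int(m.group("code")),
                "data": data,
                "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
            })
    return events


def count_by_meaning(events):
    """Aggregate view: how many failures of each kind, handy for spotting a
    burst of lockouts or a misconfiguration that fails every user the same way."""
    return Counter(e["meaning"] for e in events)


if __name__ == "__main__":
    for e in decode_log(SAMPLE_LOG):
        print(f"line {e['line']}: user={e['user']} data={e['data']} -> {e['meaning']}")
    print(count_by_meaning(decode_log(SAMPLE_LOG)))
```

Point `decode_log` at the contents of `shinyproxy.log` to get one decoded event per bind failure. A run where every user, existing or not, decodes to 52e (as in this thread) points at the configuration or the manager bind rather than at individual passwords, whereas 775 or 533 for one user is an account-state problem on the AD side.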


#4

We checked whether there were any connections to AD from my tech user and:

  • if I used ldapsearch, the query was logged
  • if I used shinyproxy, the query was not logged…

How can I investigate whether shinyproxy is connecting to AD? Now I'm using

logging:
  level:
    org.springframework.security.ldap.authentication: DEBUG
    org.springframework.security.ldap.userdetails: DEBUG
  file:
    shinyproxy.log

#5

Hi @velblu,

Those logging settings look correct to me.
Can you confirm that with these settings:

user-dn-pattern:
user-search-filter: (sAMAccountName={0})

you see this debug line in your log file?

Attempting to bind as CN=John Smith, CN=RshinyLocalAdmin, OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl


#6

Hi @fmichielssen

I do not have lines like this in my log file… I tried it with different settings and I still have this same result (or no result).

  user-dn-pattern:
  user-search-filter: (sAMAccountName={0})
2018-03-16 17:03:14.869 DEBUG 11053 --- [  XNIO-2 task-7] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 17:03:14.893 ERROR 11053 --- [  XNIO-2 task-7] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

  group-search-base: OU=RShiny,OU=Groups
  user-dn-pattern:
  user-search-filter: (sAMAccountName={0})
2018-03-16 17:02:08.786 DEBUG 10973 --- [  XNIO-2 task-7] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 17:02:08.827 ERROR 10973 --- [  XNIO-2 task-7] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

group-search-base: OU=RShiny,OU=Groups
user-dn-pattern:
user-search-base:
user-search-filter: (sAMAccountName={0})

2018-03-16 17:00:37.105 DEBUG 10761 --- [  XNIO-2 task-7] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 17:00:37.134 ERROR 10761 --- [  XNIO-2 task-7] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

  group-search-base: OU=RShiny,OU=Groups
  group-search-filter: (member={0})
  user-dn-pattern:
  user-search-filter: (sAMAccountName={0})
2018-03-16 16:58:46.130 DEBUG 10660 --- [  XNIO-2 task-7] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 16:58:46.156 ERROR 10660 --- [  XNIO-2 task-7] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

group-search-base: OU=RShiny,OU=Groups
group-search-filter: (member={0})
user-dn-pattern:
user-search-base:
user-search-filter: (sAMAccountName={0})

2018-03-16 16:46:33.704 DEBUG 10311 --- [  XNIO-2 task-1] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 16:46:33.777 ERROR 10311 --- [  XNIO-2 task-1] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…


#7

Hi @fmichielssen

I solved the problem. It was all about my auth credentials for dn-manager.
I should not use:

CN=tech_shinyProxy,OU=Tech Accounts, OU=Servers, OU=CompanyName, DC=ad, DC=company, dc=pl

Instead of that I should use:

tech_shinyProxy@ad.company.pl

Now my config looks like this:

    authentication: ldap
    admin-groups: gr_RshinyLocalAdmin
    ldap:
      url: ldap://ad.company:389/DC=ad,DC=company,DC=pl
      manager-dn: tech_shinyProxy@ad.company.pl
      manager-password: password
      group-search-base: OU=RShiny,OU=Groups
      group-search-filter: (member={0})
      user-search-base:
      user-search-filter: (sAMAccountName={0})

Thanks for your time and help :slight_smile:


#8

Hi @velblu,

Good to hear it is working now!
Though I am a bit surprised that the manager DN was the issue… I had thought AD would accept both formats.