Shiny Proxy - Active Directory auth problem

Hello,
I did check all the posts about AD auth with SP but I did not find solution that could work in my environment.

My AD tree looks like this:

  • ldap-url: ldap://ad.company.pl/DC=ad,DC=company,DC=pl
  • tech account for dn-manager: tech_shinyProxy, and it's in: OU=Tech Accounts, OU=Servers, OU=CompanyName, DC=ad, DC=company, dc=pl
  • accounts for logging into shinyproxy are grouped in: OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl
  • for ex. shinyproxy admin account for user John Smith is here:
    CN=John Smith, CN=RshinyLocalAdmin, OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl
  • for ex.2 shinyproxy user account for user Eva Sweet is here:
    CN=Eva Sweet, CN=RshinyApp1, OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl

We log in to AD with user names like jsmith for John Smith and esweet for Eva Sweet.

My config looks like this:

shiny:
  proxy:
    authentication: ldap
    admin-groups: RshinyLocalAdmin
    ldap:
      url: ldap://ad.company.pl/DC=ad,DC=company,DC=pl
      manager-dn: CN=tech_shinyProxy,OU=Tech Accounts, OU=Servers, OU=CompanyName, DC=ad, DC=company, dc=pl
      manager-password: password
      group-search-base: OU=RShiny,OU=Groups
      group-search-filter: (member={0})
      user-dn-pattern: uid={0}

When I try to log in, I get a message like:

2018-03-12 12:01:07.201 DEBUG 21976 --- [XNIO-2 task-11] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-12 12:01:07.203 DEBUG 21976 --- [XNIO-2 task-11] o.s.s.l.a.BindAuthenticator              : Attempting to bind as uid=jsmith,dc=ad,dc=comany,dc=pl
2018-03-12 12:01:07.207 DEBUG 21976 --- [XNIO-2 task-11] o.s.s.l.a.BindAuthenticator              : Failed to bind as uid=jsmith: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
2018-03-12 12:01:07.208  INFO 21976 --- [XNIO-2 task-11] eu.openanalytics.services.UserService    : Authentication failure [user: jsmith] [error: Niepoprawne dane uwierzytelniające]

[error: Niepoprawne dane uwierzytelniające] means [error: Auth data not valid] (but in Polish).

How should I set up ldap configuration?
If I understand correctly, there is no problem with the manager-dn connection for CN=tech_shinyProxy?
Is it a problem that my user account (CN=John Smith) is in the group CN=RshinyLocalAdmin?

Thanks in advance…

Hi @velblu,

Your manager bind is indeed working ok. The problem is the bind of the person logging in.
As you can see in the log, it is trying this (incorrect) DN:

Attempting to bind as uid=jsmith,dc=ad,dc=comany,dc=pl

While the correct DN is:

CN=John Smith, CN=RshinyLocalAdmin, OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl

ShinyProxy supports two ways to find a correct DN:

  1. Map the login name to a DN using the user-dn-pattern setting. This is happening in your case, but it will only work if all your users are in the same fixed AD location.
  2. Search for the DN using a query. This is more flexible, and should work for you, by setting these properties:

user-search-base:
user-search-filter: (sAMAccountName={0})

See here for more information:
https://discourse.openanalytics.eu/t/my-microsoft-active-directory-ldap-experience/488

Thanks for the quick reply. I tried these settings before and I could not log in. An error message:

2018-03-13 09:35:48.200 DEBUG 11096 --- [XNIO-2 task-4] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-13 09:35:48.204 ERROR 11096 --- [XNIO-2 task-4] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

error 52e means invalid credentials

but if I try to log in with a non-existing user (like efsaf) I get the same error message…

2018-03-13 09:47:55.575 DEBUG 11480 --- [XNIO-2 task-3] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: efsaf
2018-03-13 09:47:55.607 ERROR 11480 --- [XNIO-2 task-3] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

I get an error message as well if I log in with the full user name (like John Smith)…

Any ideas why ?

We checked whether there were any connections to AD for my tech user, and:

  • if I used ldapsearch, the query was logged
  • if I used ShinyProxy, the query was not logged…

Can I, and if so how, investigate whether ShinyProxy is connecting to AD at all? Now I'm using

logging:
  level:
    org.springframework.security.ldap.authentication: DEBUG
    org.springframework.security.ldap.userdetails: DEBUG
  file: shinyproxy.log

Hi @velblu,

Those logging settings look correct to me.
Can you confirm that with these settings:

user-dn-pattern:
user-search-filter: (sAMAccountName={0})

you see this debug line in your log file?

Attempting to bind as CN=John Smith, CN=RshinyLocalAdmin, OU=Rshiny,OU=Groups, DC=ad,DC=company,DC=pl

Hi @fmichielssen

I do not have lines like this in my log file… I tried different settings and I still get the same result (or no result).

user-dn-pattern:
user-search-filter: (sAMAccountName={0})

2018-03-16 17:03:14.869 DEBUG 11053 --- [  XNIO-2 task-7] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 17:03:14.893 ERROR 11053 --- [  XNIO-2 task-7] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

group-search-base: OU=RShiny,OU=Groups
user-dn-pattern:
user-search-filter: (sAMAccountName={0})

2018-03-16 17:02:08.786 DEBUG 10973 --- [  XNIO-2 task-7] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 17:02:08.827 ERROR 10973 --- [  XNIO-2 task-7] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

group-search-base: OU=RShiny,OU=Groups
user-dn-pattern:
user-search-base:
user-search-filter: (sAMAccountName={0})

2018-03-16 17:00:37.105 DEBUG 10761 --- [  XNIO-2 task-7] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 17:00:37.134 ERROR 10761 --- [  XNIO-2 task-7] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

group-search-base: OU=RShiny,OU=Groups
group-search-filter: (member={0})
user-dn-pattern:
user-search-filter: (sAMAccountName={0})

2018-03-16 16:58:46.130 DEBUG 10660 --- [  XNIO-2 task-7] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 16:58:46.156 ERROR 10660 --- [  XNIO-2 task-7] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

group-search-base: OU=RShiny,OU=Groups
group-search-filter: (member={0})
user-dn-pattern:
user-search-base:
user-search-filter: (sAMAccountName={0})

2018-03-16 16:46:33.704 DEBUG 10311 --- [  XNIO-2 task-1] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: jsmith
2018-03-16 16:46:33.777 ERROR 10311 --- [  XNIO-2 task-1] w.a.UsernamePasswordAuthenticationFilter : An internal error occurred while trying to authenticate the user.

org.springframework.security.authentication.InternalAuthenticationServiceException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]

plus some Java exception info…

Hi @fmichielssen

I solved the problem. It was all about my auth credentials for dn-manager.
I should not use:

CN=tech_shinyProxy,OU=Tech Accounts, OU=Servers, OU=CompanyName, DC=ad, DC=company, dc=pl

Instead of that I should use:

tech_shinyProxy@ad.company.pl

Now my config looks like this:

authentication: ldap
admin-groups: gr_RshinyLocalAdmin
ldap:
  url: ldap://ad.company:389/DC=ad,DC=company,DC=pl
  manager-dn: tech_shinyProxy@ad.company.pl
  manager-password: password
  group-search-base: OU=RShiny,OU=Groups
  group-search-filter: (member={0})
  user-search-base:
  user-search-filter: (sAMAccountName={0})

Thanks for your time and help 🙂


Hi @velblu,

Good to hear it is working now!
Though I am a bit surprised that the manager DN was the issue… I had thought AD would accept both formats.

[ XNIO-1 task-4] io.undertow.request : UT005023: Exception handling request to /login

Hi there, thanks in advance for any assistance. I am posting this here as it seems closely related.

I am having problems trying to get shinyproxy working. I have been on many forums and tried various configs, most of which have been discussed above. I have managed to get to a point where it is authenticating and pulling back the user and its location (I have tested this with a user that exists outside of the Users OU too, to make sure it is not a hardcoded recall of the specified OU), but it appears to stall when trying to bring back the group memberships for that user. I would really appreciate any help/pointers.

DCServerName represents our DC1 Server Name
Redacted Password - self explanatory
Admin Group for testing is called TestShinyGlobal and exists in the OU called Users at the top level in AD
For simplicity I have also put the TestShinyUser in the same OU and it is a member of the group above
TestShinyUser is loginname, Test ShinyUser is CN

application.yml extract

authentication: ldap
admin-groups: TestShinyGlobal
ldap:
  url: ldap://DCServerName:389/dc=companyname,dc=local
  manager-dn: CN=ServiceAccountName,OU=Service Accounts,DC=companyname,DC=local
  manager-password: RedactedPassword
  user-search-base:
  user-search-filter: (sAMAccountName={0})
  group-search-base: ou=users
  group-search-filter: (member={0})

Error log

2022-04-25 20:21:16.059 DEBUG 7688 --- [ XNIO-1 task-4] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: TestShinyUser
2022-04-25 20:21:16.174 INFO 7688 --- [ XNIO-1 task-4] o.s.s.ldap.SpringSecurityLdapTemplate : Ignoring PartialResultException
2022-04-25 20:21:16.175 DEBUG 7688 --- [ XNIO-1 task-4] o.s.s.l.a.BindAuthenticator : Attempting to bind as cn=Test ShinyUser,cn=Users,dc=companyname,dc=local
2022-04-25 20:21:16.240 DEBUG 7688 --- [ XNIO-1 task-4] o.s.s.l.a.BindAuthenticator : Retrieving attributes...
2022-04-25 20:21:16.242 DEBUG 7688 --- [ XNIO-1 task-4] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=Test ShinyUser,cn=Users,dc=companyname,dc=local
2022-04-25 20:21:16.243 DEBUG 7688 --- [ XNIO-1 task-4] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'TestShinyUser', DN = 'cn=Test ShinyUser,cn=Users,dc=companyname,dc=local', with filter (member={0}) in search base 'ou=users'
2022-04-25 20:21:16.282 ERROR 7688 --- [ XNIO-1 task-4] io.undertow.request : UT005023: Exception handling request to /login

org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=companyname,DC=local'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=companyname,DC=local'
]; remaining name 'ou=users'

Resolved by @bartekch on a new thread: Shiny Proxy and Windows Active Directory Authentication
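The two failure modes in this thread, the `uid={0}` pattern producing a DN that does not exist (error 49, data 52e) and a `group-search-base` of `ou=users` that does not exist under the URL's base DN (error 32, NO_OBJECT), both come down to how Spring Security turns the `ldap.*` settings into absolute DNs. The following is an added example, written for this page and not code from ShinyProxy, Spring Security or either poster: an offline model of those lookups against a constructed in-memory directory laid out like the second poster's domain (user and group in the default `CN=Users` container). The directory contents, the password, the `scenario` helper and all function names are assumptions; the model covers the user-DN resolution, the user bind and the group search only, so it says nothing about why the UPN form of `manager-dn` worked where the DN form did not.

```python
"""Offline model of the user-DN and group lookups Spring Security performs for
ShinyProxy's ldap.* settings (constructed example, not ShinyProxy code)."""
import re
from urllib.parse import urlparse

# Well-known AD sub-codes that accompany LDAP error 49 ("... data NNN").
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to log on at this time", "532": "password expired",
    "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}


class LdapError(Exception):
    def __init__(self, code, detail):
        super().__init__(f"[LDAP: error code {code} - {detail}]")
        self.code = code


def normalize_dn(dn):
    """AD compares DNs case-insensitively and ignores space around ',' and '='."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


# Constructed directory (normalised DN -> attributes): the user and the group
# both live in CN=Users; there is no ou=users object at all.
USER_DN = "CN=Test ShinyUser,CN=Users,DC=companyname,DC=local"
DIRECTORY = {normalize_dn(dn): attrs for dn, attrs in {
    "DC=companyname,DC=local": {"objectclass": ["domainDNS"]},
    "CN=Users,DC=companyname,DC=local": {"objectclass": ["container"]},
    USER_DN: {"samaccountname": ["TestShinyUser"],
              "userpassword": ["constructed-secret"]},
    "CN=TestShinyGlobal,CN=Users,DC=companyname,DC=local": {
        "objectclass": ["group"], "member": [USER_DN]},
}.items()}


def base_dn_from_url(url):
    """ldap://host:port/DC=x,DC=y -> 'dc=x,dc=y'; relative bases hang off it."""
    return normalize_dn(urlparse(url).path.lstrip("/"))


def absolute_dn(relative, base):
    """Spring appends the URL base to user-dn-pattern and *-search-base values."""
    return base if not relative else normalize_dn(f"{relative},{base}")


def search(relative_base, ldap_filter, value, base):
    """Subtree search for a single-equality filter such as (sAMAccountName={0})."""
    search_base = absolute_dn(relative_base, base)
    if search_base not in DIRECTORY:
        # What AD returned for ou=users when the container is really cn=Users.
        raise LdapError(32, f"NO_OBJECT; remaining name '{relative_base}'")
    m = re.fullmatch(r"\((\w+)=\{0\}\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, wanted = m.group(1).lower(), normalize_dn(value)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn.endswith("," + search_base)
                  and any(normalize_dn(v) == wanted for v in attrs.get(attr, [])))


def simple_bind(dn, password):
    """AD answers 52e for an unknown DN as well as for a wrong password, which
    is why the thread saw the same error for a user that does not exist."""
    entry = DIRECTORY.get(normalize_dn(dn))
    if entry is None or password not in entry.get("userpassword", []):
        raise LdapError(49, "80090308: AcceptSecurityContext error, data 52e, v1db1")


def explain_bind_error(message):
    """Pull the AD sub-code out of an error-49 message and name it."""
    m = re.search(r"data ([0-9a-f]+)", message)
    return AD_BIND_SUBCODES.get(m.group(1), "unknown sub-code") if m else "no AD sub-code"


def authenticate(cfg, login, password):
    """Resolve the user DN (pattern or search), bind as it, then find its groups."""
    base = base_dn_from_url(cfg["url"])
    result = {"user_dn": None, "bound": False, "groups": [], "error": None}
    try:
        if cfg.get("user-dn-pattern"):
            result["user_dn"] = absolute_dn(cfg["user-dn-pattern"].replace("{0}", login), base)
        else:
            hits = search(cfg.get("user-search-base", ""), cfg["user-search-filter"], login, base)
            if len(hits) != 1:
                raise LdapError("n/a", f"user search matched {len(hits)} entries")
            result["user_dn"] = hits[0]
        simple_bind(result["user_dn"], password)
        result["bound"] = True
        result["groups"] = search(cfg.get("group-search-base", ""),
                                  cfg["group-search-filter"], result["user_dn"], base)
    except LdapError as exc:
        result["error"] = str(exc)
    return result


BASE_CFG = {"url": "ldap://DCServerName:389/dc=companyname,dc=local",
            "group-search-filter": "(member={0})"}


def scenario(**overrides):
    """Run one configuration variant for the constructed user (hypothetical helper)."""
    return authenticate({**BASE_CFG, **overrides}, "TestShinyUser", "constructed-secret")


if __name__ == "__main__":
    for name, cfg in [
        ("uid pattern", {"user-dn-pattern": "uid={0}", "group-search-base": "cn=Users"}),
        ("search, ou=users", {"user-search-filter": "(sAMAccountName={0})", "group-search-base": "ou=users"}),
        ("search, cn=Users", {"user-search-filter": "(sAMAccountName={0})", "group-search-base": "cn=Users"}),
    ]:
        r = scenario(**cfg)
        print(name, "->", r, explain_bind_error(r["error"]) if r["error"] else "")
```

The first variant reproduces the first post: `uid={0}` is glued onto the base DN from the URL, so the bind is attempted as `uid=testshinyuser,dc=companyname,dc=local`, which exists nowhere, and AD answers 52e exactly as it would for a wrong password. The second reproduces the last post: the user is found and bound, and only the group search fails, because `ou=users` is resolved relative to the base and no such object exists; the third shows the same search succeeding once the base names the container that actually holds the group.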