Shiny Proxy and Windows Active Directory Authentication

Hi there, thanks in advance for any assistance.

I am having problems trying to get ShinyProxy working with Active Directory authentication. I have been on many forums and tried various configs, most of which have been discussed above. I have managed to get to a point where it is authenticating and pulling back the user and its location (I have tested this with a user that exists outside of the Users OU too, to make sure it is not a hardcoded recall of the specified OU), but it appears to stall when trying to bring back the group memberships for that user. I would really appreciate any help/pointers.

DCServerName represents our DC1 Server Name
Redacted Password - self explanatory
Admin Group for testing is called TestShinyGlobal and exists in the OU called Users at the top level in AD
For simplicity I have also put the TestShinyUser in the same OU and it is a member of the group above
TestShinyUser is loginname, Test ShinyUser is CN

application.yml extract

authentication: ldap
admin-groups: TestShinyGlobal
ldap:
  url: ldap://DCServerName:389/dc=companyname,dc=local
  manager-dn: CN=ServiceAccountName,OU=Service Accounts,DC=companyname,DC=local
  manager-password: RedactedPassword
  user-search-base:
  user-search-filter: (sAMAccountName={0})
  group-search-base: ou=users
  group-search-filter: (member={0})

Error log

2022-04-25 20:21:16.059 DEBUG 7688 --- [ XNIO-1 task-4] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: TestShinyUser
2022-04-25 20:21:16.174 INFO 7688 --- [ XNIO-1 task-4] o.s.s.ldap.SpringSecurityLdapTemplate : Ignoring PartialResultException
2022-04-25 20:21:16.175 DEBUG 7688 --- [ XNIO-1 task-4] o.s.s.l.a.BindAuthenticator : Attempting to bind as cn=Test ShinyUser,cn=Users,dc=companyname,dc=local
2022-04-25 20:21:16.240 DEBUG 7688 --- [ XNIO-1 task-4] o.s.s.l.a.BindAuthenticator : Retrieving attributes…
2022-04-25 20:21:16.242 DEBUG 7688 --- [ XNIO-1 task-4] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=Test ShinyUser,cn=Users,dc=companyname,dc=local
2022-04-25 20:21:16.243 DEBUG 7688 --- [ XNIO-1 task-4] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'TestShinyUser', DN = 'cn=Test ShinyUser,cn=Users,dc=companyname,dc=local', with filter (member={0}) in search base 'ou=users'
2022-04-25 20:21:16.282 ERROR 7688 --- [ XNIO-1 task-4] io.undertow.request : UT005023: Exception handling request to /login

org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=companyname,DC=local'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=companyname,DC=local'
]; remaining name 'ou=users'

Are you sure that your group-search-base is correct? I’ve got the same error when I intentionally insert an incorrect value, for example “cn=users” <-> “ou=users”.

2 Likes

@bartekch, thank you so much for your response and helpful guidance. Think I spent so much energy just getting AD to authenticate the user that I lost sight of that small detail. After changing to CN for testing all is working well. I just need to test it properly with nested OUs and where the actual groups will reside, but that was a fantastic help. I was close to giving up, so really appreciate you reaching out! Thank you so much again. Alan.

1 Like

Glad to help, I’ve also spent a lot of time trying to configure AD authentication correctly.
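The check that resolved this thread, as an added example that is not part of the original posts or of ShinyProxy: it reads a log excerpt, takes the unresolved `remaining name` from the error code 32 message, and compares it with the DN the user was bound as, flagging a component whose value matches but whose attribute type differs (`ou=users` against `cn=Users`). The function names and the sample log are constructed for illustration, and the hint only applies when the groups sit in the same container as the user, as they do in this thread.

```python
import re

# Constructed sample in the shape of the log lines posted in the thread.
SAMPLE_LOG = """\
DefaultLdapAuthoritiesPopulator : Searching for roles for user 'TestShinyUser', DN = 'cn=Test ShinyUser,cn=Users,dc=companyname,dc=local', with filter (member={0}) in search base 'ou=users'
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=companyname,DC=local'
]; remaining name 'ou=users'
"""


def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs.

    Commas escaped with a backslash stay inside the value; multi-valued
    RDNs joined with '+' are not handled in this example.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def diagnose(log):
    """Return hints for an LDAP error 32 caused by a wrong RDN attribute type."""
    if "error code 32" not in log:
        return []
    # Accept straight or typographic quotes, since forum software rewrites them.
    remaining = re.search(r"remaining name [‘']([^’']+)[’']", log)
    user_dn = re.search(r"DN = [‘']([^’']+)[’']", log)
    if not remaining or not user_dn:
        return []
    known = split_dn(user_dn.group(1))
    hints = []
    for attr, value in split_dn(remaining.group(1)):
        for k_attr, k_value in known:
            # Same name, different attribute type: e.g. OU written for a CN container.
            if k_value == value and k_attr != attr:
                hints.append(
                    f"{attr}={value} not found; the bound user's DN contains {k_attr}={value}"
                )
    return hints


if __name__ == "__main__":
    for hint in diagnose(SAMPLE_LOG):
        print(hint)
```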