Shinyproxy LDAP auth against AD Groups?

Hello,

we are trying to configure a Docker-based containerized version of ShinyProxy on a Red Hat 8 Linux. The ShinyProxy should authenticate against our Active Directory and permit only users that are members of an AD group named RShiny_Prod_ABS. All others are denied login.

distinguishedName: CN=RShiny_Prod_ABS,OU=RShiny,OU=SLK_Ressource,OU=SLK_Users,DC=slk,DC=lokal

distinguishedName:
CN=Frank Trebin,OU=Abt_Edv,OU=SLK_Users,DC=slk,DC=lokal

Problem: it doesn't work with the current configuration. Every user that is a member of our AD is able to log in, but this is not what we want. We need an LDAP configuration that authenticates only users that are members of this special AD group. Who can help?

Here are our config files.

docker-compose.yml

version: '3.8'
services:
  shinyproxy:
    build: .
    image: shinyproxy-template
    restart: unless-stopped
    container_name: ShinyProxy
    user: 0:985
    ports:
      - 8080:8080
    networks:
      - sp-example-net
    # https://github.com/docker/compose/issues/4700#issuecomment-813751699
    volumes:
      # Check permissions here
      - /var/run/docker.sock:/var/run/docker.sock
      - ./application.yml:/opt/shinyproxy/application.yml

networks:
  sp-example-net:
    name: sp-example-net

application.yml

proxy:
  title: Analytics Shiny Proxy
  logo-url: https://www.openanalytics.eu/shinyproxy/logo.png
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  port: 8080
  authentication: ldap
  ldap:
    url: ldap://172.16.0.1:389/dc=slk,dc=lokal
    manager-dn: ldapmanager@slk.lokal
    manager-password: **********
    user-search-filter: (sAMAccountName={0})
    group-search-filter: (uniqueMember={0})
    group-search-base: CN=RShiny_Prod_ABS,OU=RShiny,OU=SLK_Ressource,OU=SLK_Users

  docker:
    internal-networking: true
  specs:
    - id: 01_hello
      display-name: Hello Application
      description: Application which demonstrates the basics of a Shiny app
      container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
      container-image: openanalytics/shinyproxy-demo
      container-network: sp-example-net
    - id: 06_tabsets
      container-cmd: ["R", "-e", "shinyproxy::run_06_tabsets()"]
      container-image: openanalytics/shinyproxy-demo
      container-network: sp-example-net

logging:
  level:
    org.springframework.security.ldap.authentication: DEBUG
    org.springframework.security.ldap.userdetails: DEBUG
  file: shinyproxy.log

docker logs -f ShinyProxy

2022-03-29 14:13:13.862 INFO 1 — [ main] e.o.c.util.StartupEventListener : Started ShinyProxy 2.6.0 (ContainerProxy 0.8.10)
2022-03-29 14:13:13.863 INFO 1 — [ main] e.o.c.service.AppRecoveryService : Recovery of running apps disabled
2022-03-29 14:13:24.223 INFO 1 — [ XNIO-1 task-1] io.undertow.servlet : Initializing Spring DispatcherServlet ‘dispatcherServlet’
2022-03-29 14:13:24.224 INFO 1 — [ XNIO-1 task-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet ‘dispatcherServlet’
2022-03-29 14:13:24.233 INFO 1 — [ XNIO-1 task-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 9 ms
2022-03-29 14:13:28.794 DEBUG 1 — [ XNIO-1 task-3] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: franktrebin
2022-03-29 14:13:28.840 INFO 1 — [ XNIO-1 task-3] o.s.s.ldap.SpringSecurityLdapTemplate : Ignoring PartialResultException
2022-03-29 14:13:28.842 DEBUG 1 — [ XNIO-1 task-3] o.s.s.l.a.BindAuthenticator : Attempting to bind as cn=Frank Trebin,ou=Abt_Edv,ou=SLK_Users,dc=slk,dc=lokal
2022-03-29 14:13:28.846 DEBUG 1 — [ XNIO-1 task-3] o.s.s.l.a.BindAuthenticator : Retrieving attributes…
2022-03-29 14:13:28.847 DEBUG 1 — [ XNIO-1 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=Frank Trebin,ou=Abt_Edv,ou=SLK_Users,dc=slk,dc=lokal
2022-03-29 14:13:28.847 DEBUG 1 — [ XNIO-1 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user ‘franktrebin’, DN = ‘cn=Frank Trebin,ou=Abt_Edv,ou=SLK_Users,dc=slk,dc=lokal’, with filter (uniqueMember={0}) in search base ‘CN=RShiny_Prod_ABS,OU=RShiny,OU=SLK_Ressource,OU=SLK_Users’
2022-03-29 14:13:28.852 DEBUG 1 — [ XNIO-1 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Roles from search: []
2022-03-29 14:13:28.853 DEBUG 1 — [ XNIO-1 task-3] o.s.s.l.u.LdapUserDetailsMapper : Mapping user details from context with DN: cn=Frank Trebin,ou=Abt_Edv,ou=SLK_Users,dc=slk,dc=lokal
2022-03-29 14:13:28.855 INFO 1 — [ XNIO-1 task-3] e.o.containerproxy.service.UserService : User logged in [user: franktrebin]
2022-03-29 14:43:29.113 INFO 1 — [ XNIO-1 task-3] e.o.containerproxy.service.UserService : User logged out [user: franktrebin]
2022-03-30 08:21:06.233 DEBUG 1 — [ XNIO-1 task-3] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: franktrebin
2022-03-30 08:21:06.251 INFO 1 — [ XNIO-1 task-3] o.s.s.ldap.SpringSecurityLdapTemplate : Ignoring PartialResultException
2022-03-30 08:21:06.251 DEBUG 1 — [ XNIO-1 task-3] o.s.s.l.a.BindAuthenticator : Attempting to bind as cn=Frank Trebin,ou=Abt_Edv,ou=SLK_Users,dc=slk,dc=lokal
2022-03-30 08:21:06.257 DEBUG 1 — [ XNIO-1 task-3] o.s.s.l.a.BindAuthenticator : Retrieving attributes…
2022-03-30 08:21:06.258 DEBUG 1 — [ XNIO-1 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=Frank Trebin,ou=Abt_Edv,ou=SLK_Users,dc=slk,dc=lokal
2022-03-30 08:21:06.259 DEBUG 1 — [ XNIO-1 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user ‘franktrebin’, DN = ‘cn=Frank Trebin,ou=Abt_Edv,ou=SLK_Users,dc=slk,dc=lokal’, with filter (uniqueMember={0}) in search base ‘CN=RShiny_Prod_ABS,OU=RShiny,OU=SLK_Ressource,OU=SLK_Users’
2022-03-30 08:21:06.262 DEBUG 1 — [ XNIO-1 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Roles from search: []
2022-03-30 08:21:06.262 DEBUG 1 — [ XNIO-1 task-3] o.s.s.l.u.LdapUserDetailsMapper : Mapping user details from context with DN: cn=Frank Trebin,ou=Abt_Edv,ou=SLK_Users,dc=slk,dc=lokal
2022-03-30 08:21:06.262 INFO 1 — [ XNIO-1 task-3] e.o.containerproxy.service.UserService : User logged in [user: franktrebin]
2022-03-30 08:51:06.457 INFO 1 — [ XNIO-1 task-3] e.o.containerproxy.service.UserService : User logged out [user: franktrebin]

thank you in advance
Frank

Mine works with this:

ldap:
  url: ldaps://yourCorpActiveDirectory:389/DC=blah1,DC=blah2,DC=com
  manager-dn: CN=someMechanizedId,OU=users,OU=corporatedesktop,OU=desktop,DC=blah1,DC=bla2,DC=com
  manager-password: somePassword
  user-search-base: OU=Desktop
  user-search-filter: (cn={0})
  group-search-base: OU=ManagedBySomeExternalAuthorizationSystem,OU=Groups
  group-search-filter: (member={0})

Hi,

thank you for your answer, but I have a question. What is the name of the group that you check against to permit or deny members? I don't understand your example.

If I try it like your example, then no login is possible. It seems to me that this is not an LDAP check against users that are members of the RShiny_Prod_ABS group?

  user-search-base: OU=SLK_Users
  user-search-filter: (cn={0})
  group-search-base: CN=RShiny_Prod_ABS,OU=RShiny,OU=SLK_Ressource,OU=SLK_Users
  group-search-filter: (member={0})

Hi

Currently it is not possible to limit access to the full ShinyProxy server. Every user that can log in to your AD will be able to log in to ShinyProxy.
What you can do is use the access-groups setting, so that apps are only available to specific groups. Therefore, when a user logs in who doesn't have the correct groups, they will simply see no apps in the list.
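Added example, not part of the thread: a small Python model of the group lookup visible in the logs above ("Roles from search: []") and of the access-groups gating described in the last reply. The directory entries are constructed from the DNs quoted in the thread; the case-insensitive access-groups comparison is an assumption of this model, not a statement about ShinyProxy internals.

```python
# Constructed directory modelled on the DNs posted in the thread. Active Directory
# stores group membership in 'member'; 'uniqueMember' belongs to the OpenLDAP
# groupOfUniqueNames class and is simply absent on an AD group object.
DIRECTORY = {
    "CN=Frank Trebin,OU=Abt_Edv,OU=SLK_Users,DC=slk,DC=lokal": {
        "cn": ["Frank Trebin"],
        "sAMAccountName": ["franktrebin"],
    },
    "CN=RShiny_Prod_ABS,OU=RShiny,OU=SLK_Ressource,OU=SLK_Users,DC=slk,DC=lokal": {
        "cn": ["RShiny_Prod_ABS"],
        "member": ["CN=Frank Trebin,OU=Abt_Edv,OU=SLK_Users,DC=slk,DC=lokal"],
    },
}

ROOT_DN = "DC=slk,DC=lokal"   # the base DN carried in the ldap url


def _match(filter_expr, attrs):
    """Evaluate one equality filter such as '(member=<dn>)', case-insensitively."""
    attr, _, value = filter_expr.strip("()").partition("=")
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))


def _search(base, filter_expr):
    """Return the DNs at or below 'base' whose attributes satisfy the filter."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and _match(filter_expr, attrs)]


def resolve_roles(login, user_filter, group_base, group_filter):
    """Mimic the bind-then-group-search sequence from the logs.

    Returns (user_dn, roles). user_dn is None when the user search matches
    nobody, i.e. authentication fails before any bind is attempted.
    """
    users = _search(ROOT_DN, user_filter.replace("{0}", login))
    if not users:
        return None, []
    user_dn = users[0]
    # The group-search-base is relative to the base DN of the ldap url, which is
    # why the log prints it without the DC components.
    groups = _search(f"{group_base},{ROOT_DN}", group_filter.replace("{0}", user_dn))
    return user_dn, [DIRECTORY[g]["cn"][0] for g in groups]


def app_visible(roles, access_groups):
    """An app is listed only if the user holds one of its access-groups (assumed case-insensitive)."""
    return any(r.lower() == g.lower() for r in roles for g in access_groups)
```

With `(uniqueMember={0})` the user binds but gets no roles, with `(member={0})` the group comes back, and with `(cn={0})` the login name franktrebin never matches the cn "Frank Trebin", so no login is possible at all.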