Shinyproxy - LDAP authentication without manager account?

ShinyProxy
#1

Hi. I have been working toward trying to get a shinyproxy server going at my organization, and I have managed to get a test version running and hosting a simple shiny app using simple authentication. I have previously been running my shiny apps using shiny server and a home-made LDAP binding mechanism using curl, but I’m interested in the shinyproxy ldap authentication mechanism.

We use AD at my org, but previously I had been using the logging-in user’s credentials to do the bind and to and retrieve group membership, etc. It seems like the shinyproxy ldap configuration requires that I input a “manager-dn” and “manager-password” in order to perform the initial bind.

Is a “manager” account required in order to do the process? I don’t necessarily have access to any such account, but users are able to bind to the LDAP server and retrieve group membership, etc with their own credentials.

Thanks in advance.

#2

@benhmin Not sure if you’ve already solved this by now but the documentation on authentication has all the info. In particular it says that the manager parameters are only needed if the server requires authentcation for binding. If your LDAP server is set up with anonymous bind, i.e. no login is required to query the server (as seems the case), you would just need something like this in your application.yml file:

 authentication: ldap
  ldap:
    url: ldap://ldap.domain.url:389/dc=...,dc=...
    user-search-filter: uid={0}
    group-search-filter: (uniqueMember={0})

where {0} represents the user login name. The url field needs the url of the server and the base dn, i.e. the directory entry under which the server will search for users. Details may vary depending on your ldap directory structure.

1 Like
#3

Thanks @jkh1. My LDAP server does require auth for bind, but I don’t have a “manager” user.

I have previously passed the logging-in users credentials to the LDAP server for bind, not a manager user’s.

How does is the manager user used in the process? It could check group membership, etc, but the logging-in user would still need to have their password verified by binding to the LDAP server wouldn’t they?

#4

The “manager” account would be the one to use for the initial bind request if the server doesn’t use anonymous bind. In principle, users can’t do the initial bind because they would need to use their complete DN which they normally don’t know hence the search but this search needs to be first authorized so either the server allows this anonymously or requires the use of dedicated credentials.
So since you say you used the user’s credentials this means either the full DN is known and there’s no need for an initial bind/search or the server allows anonymous bind. Often when the LDAP server is used within a local network, it is set with anonymous bind so that multiple services can communicate with it without requiring to distribute credentials to all of them. If for some reason this is not the case then you need to talk to the server admin and ask for the proper credentials to use.

1 Like
#5

Thanks. I think I’m going to have to figure out whether there is a “manager” account that can be used for this purpose. There is no anonymous bind allowed to our server.