I’m trying to wrap my head around how ShinyProxy uses LDAP. It looks like SP needs a manager account in order to bind with the LDAP server and ask the server who is a member of each group, and then compare that with the login name. This seems odd since an LDAP login typically returns the groups to the client. Anyone know why this design decision was made? SP seems very thoughtfully engineered so I’m sure there’s a solid reason, I just don’t know it. I notice that JupyterLab logs in users without any manager account binding first.
One of the challenges presented by having to have a manager name and password in the yml is that I can’t check the yml into our internal version control repo as we have a policy of “no passwords to any accounts anywhere in version control.” Is there any way to abstract away the manager password? Maybe set it in an environment variable or some such?
If I opt out of any group-level permissions, is it possible to not have to use a manager account? I’ve read through all the docs and can’t see how to do this. FWIW I’m using Active Directory LDAP.
Another workaround for me would be to have the manager DN and password just set to the user who’s logging in. All users can query our LDAP, but we don’t allow anonymous interrogation.
Thanks for your help!