Hi,
I set permissions for the manager-dn account using: Manager-dn account permissions for Active Directory
For each user the property SHINYPROXY_USERGROUPS is empty. I want to set access to apps using the "groups" property, but for each value I don't have access to the app.
application.yml:
```yaml
ldap:
  url: ldap://dc.partner.ru:3268/dc=partner,dc=ru
  user-dn-pattern:
  user-search-filter: (sAMAccountName={0})
  group-search-base:
  group-search-filter: (uniqueMember={0})
  manager-dn: cn=ShinyAuth,ou=_System accounts,ou=DNS Users,dc=partner,dc=ru
  manager-password: password
…
apps:
  - name: current_user
    display-name: current user
    description: current user and group
    docker-cmd: ["R", "-e", "shiny::runApp('/root/GetUser')"]
    docker-image: shiny_reports
    groups: analyze
```
authorization log:
```
2018-01-31 11:30:00.598 DEBUG 27080 --- [ XNIO-2 task-3] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: username
2018-01-31 11:30:00.733 DEBUG 27080 --- [ XNIO-2 task-3] o.s.s.l.a.BindAuthenticator : Attempting to bind as cn=Username,ou=Users,dc=partner,dc=ru
2018-01-31 11:30:00.742 DEBUG 27080 --- [ XNIO-2 task-3] o.s.s.l.a.BindAuthenticator : Retrieving attributes...
2018-01-31 11:30:00.743 DEBUG 27080 --- [ XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=Username,ou=Users,dc=partner,dc=ru
2018-01-31 11:30:00.744 DEBUG 27080 --- [ XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'username', DN = 'cn=Username,ou=Users,dc=partner,dc=ru', with filter (uniqueMember={0}) in search base ''
2018-01-31 11:30:00.750 DEBUG 27080 --- [ XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Roles from search: []
2018-01-31 11:30:00.750 DEBUG 27080 --- [ XNIO-2 task-3] o.s.s.l.u.LdapUserDetailsMapper : Mapping user details from context with DN: cn=Username,ou=Users,dc=partner,dc=ru
2018-01-31 11:30:00.754 INFO 27080 --- [ XNIO-2 task-3] eu.openanalytics.services.UserService : User logged in [user: username]
```
Why do I not see the user groups?
Maybe the manager-dn account does not have the necessary rights? Or ShinyProxy cannot get groups from Active Directory? Or is the config incorrect?
In AD the list of groups is stored in the attribute "memberOf":
```
Attribute: memberOf
Syntax: DN
Values:
CN=Group1,OU=Domain Users,DC=partner,DC=ru
CN=Group2,OU=_System accounts and groups,OU=DNS Users,DC=partner,DC=ru
```
I want to see the values of the "memberOf" attribute.
I tried `group-search-filter: (memberOf={0})`, but SHINYPROXY_USERGROUPS is still empty.
Note that the group search will search for group objects where the user is listed as a ‘member’. Not the other way around: it will not inspect the ‘memberOf’ attributes of the user object.
So the manager bind account needs permission to find and see the groups.
What may also help is setting the group-search-base to a path where the groups are located.
For example, if your groups are located at
ou=Groups,dc=partner,dc=ru
Try setting
group-search-base: ou=Groups
Note that you don’t have to repeat dc=partner,dc=ru because it is already in your connection URL.
It partially works.
I have the following AD structure:
CN=MyGroup,OU=GroupLevel2,OU=GroupLevel1,OU=DNS Users,DC=partner,DC=ru
When I set: `group-search-base: OU=GroupLevel2,OU=GroupLevel1,OU=DNS Users`
Then I see: `env=[SHINYPROXY_USERNAME=MyUser, SHINYPROXY_USERGROUPS=MyGroup]`
But when I set: `group-search-base: OU=GroupLevel1,OU=DNS Users`
Then I see: `env=[SHINYPROXY_USERNAME=MyUser, SHINYPROXY_USERGROUPS=]`
Groups may be located in:
DNS Users -> Level1Group1 -> MyGroup1
DNS Users -> Level1Group2 -> Level2Group2 -> MyGroup2
DNS Users -> MyGroup3
Domain Users -> MyGroup4
…
How can I see the whole structure of domain groups if it is hierarchical?
You’re right, the search only deals with the immediate sublevel right now. I thought it was set to ‘subtree’ but it isn’t.
This will be fixed in the next update of ShinyProxy.
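A small in-memory model of the group search described in the two replies above (an added example, not code from this thread or from ShinyProxy): it applies a `(member={0})` filter, the attribute AD group objects carry, under a search base with either one-level or subtree scope, so you can see why the base in the follow-up only finds MyGroup2 when it names the immediate parent OU. The DNs, group names and the `unreadable` parameter (standing in for groups the manager bind account cannot read) are constructed for illustration.

```python
# Constructed sample directory modelled on the poster's AD layout.
# DN parsing is naive (no escaped commas); real AD DNs may need more care.
USER_DN = "CN=MyUser,OU=Users,DC=partner,DC=ru"
BASE_DN = "DC=partner,DC=ru"  # the part that comes from the connection URL

# AD group objects list their members in the 'member' attribute (not uniqueMember).
DIRECTORY = {
    "CN=MyGroup1,OU=Level1Group1,OU=DNS Users,DC=partner,DC=ru": [USER_DN],
    "CN=MyGroup2,OU=Level2Group2,OU=Level1Group2,OU=DNS Users,DC=partner,DC=ru": [USER_DN],
    "CN=MyGroup3,OU=DNS Users,DC=partner,DC=ru": [USER_DN],
    "CN=MyGroup4,OU=Domain Users,DC=partner,DC=ru": [USER_DN],
    "CN=Other,OU=DNS Users,DC=partner,DC=ru": ["CN=Someone,OU=Users,DC=partner,DC=ru"],
}


def split_dn(dn):
    """Split a DN into its RDN strings, leaf first (naive: no escaped commas)."""
    return [rdn.strip() for rdn in dn.split(",")]


def in_scope(dn, base, scope):
    """True if dn sits under base: exactly one level for 'onelevel', any depth for 'subtree'."""
    parts = [p.lower() for p in split_dn(dn)]
    base_parts = [p.lower() for p in split_dn(base)]
    if len(parts) <= len(base_parts) or parts[-len(base_parts):] != base_parts:
        return False
    return scope == "subtree" or len(parts) - len(base_parts) == 1


def group_search(search_base, user_dn, scope="onelevel", unreadable=()):
    """Model of filter (member={0}) evaluated below search_base + BASE_DN.
    Groups in `unreadable` (hypothetical: ones the manager account may not read)
    are silently absent, which is indistinguishable from 'user has no groups'."""
    full_base = f"{search_base},{BASE_DN}" if search_base else BASE_DN
    hidden = {dn.lower() for dn in unreadable}
    found = []
    for dn, members in DIRECTORY.items():
        if dn.lower() in hidden or not in_scope(dn, full_base, scope):
            continue
        if user_dn.lower() in (m.lower() for m in members):
            found.append(split_dn(dn)[0].split("=", 1)[1])  # CN value -> group name
    return sorted(found)


if __name__ == "__main__":
    for base, scope in [("OU=Level1Group2,OU=DNS Users", "onelevel"),
                        ("OU=Level2Group2,OU=Level1Group2,OU=DNS Users", "onelevel"),
                        ("OU=DNS Users", "subtree"), ("", "subtree")]:
        print(f"{scope:8} base={base!r:50} -> {group_search(base, USER_DN, scope)}")
```

An empty result is therefore ambiguous: it can mean the wrong scope or base, the wrong filter attribute, or a manager account that cannot read the group objects, so check the bind account's read access on the group OU before changing anything else.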
When do you plan to release an update fixing this error?
I understand that I cannot demand any specific deadlines from you, but could you tell me when to expect this? One week, one month, a few months?