Users do not have LDAP groups using Active Directory


#1

Hi,
I set permissions for manager-dn-account using: Manager-dn account permissions for Active Directory
For each user the property SHINYPROXY_USERGROUPS is empty. I want to set access to apps using the “groups” property, but for every value I have no access to the app.
application.yml:
ldap:
  url: ldap://dc.partner.ru:3268/dc=partner,dc=ru
  user-dn-pattern:
  user-search-filter: (sAMAccountName={0})
  group-search-base:
  group-search-filter: (uniqueMember={0})
  manager-dn: cn=ShinyAuth,ou=_System accounts,ou=DNS Users,dc=partner,dc=ru
  manager-password: password

apps:
  - name: current_user
    display-name: current user
    description: current user and group
    docker-cmd: ["R", "-e", "shiny::runApp('/root/GetUser')"]
    docker-image: shiny_reports
    groups: analyze

authorization log:
2018-01-31 11:30:00.598 DEBUG 27080 — [ XNIO-2 task-3] o.s.s.l.a.LdapAuthenticationProvider : Processing authentication request for user: username
2018-01-31 11:30:00.733 DEBUG 27080 — [ XNIO-2 task-3] o.s.s.l.a.BindAuthenticator : Attempting to bind as cn=Username,ou=Users,dc=partner,dc=ru
2018-01-31 11:30:00.742 DEBUG 27080 — [ XNIO-2 task-3] o.s.s.l.a.BindAuthenticator : Retrieving attributes…
2018-01-31 11:30:00.743 DEBUG 27080 — [ XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=Username,ou=Users,dc=partner,dc=ru
2018-01-31 11:30:00.744 DEBUG 27080 — [ XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user ‘username’, DN = ‘cn=Username,ou=Users,dc=partner,dc=ru’, with filter (uniqueMember={0}) in search base ''
2018-01-31 11:30:00.750 DEBUG 27080 — [ XNIO-2 task-3] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Roles from search: []
2018-01-31 11:30:00.750 DEBUG 27080 — [ XNIO-2 task-3] o.s.s.l.u.LdapUserDetailsMapper : Mapping user details from context with DN: cn=Username,ou=Users,dc=partner,dc=ru
2018-01-31 11:30:00.754 INFO 27080 — [ XNIO-2 task-3] eu.openanalytics.services.UserService : User logged in [user: username]

Why do I not see the user groups?
Maybe the manager-dn account does not have the necessary rights? Or can ShinyProxy not get groups from Active Directory? Or is the config incorrect?


#2

Hi @skar,

If your group retrieval is failing, you can try this search filter instead:

group-search-filter: (member={0})

I’m not sure if Active Directory uses the uniqueMember attribute in group memberships. OpenLDAP does.


#3

No, it does not work.

In AD the list of groups is stored in the attribute “memberOf”:
Attribute: memberOf
Syntax: DN
Values:
CN=Group1,OU=Domain Users,DC=partner,DC=ru
CN=Group2,OU=_System accounts and groups,OU=DNS Users,DC=partner,DC=ru

I want to see the values of the “memberOf” attribute.

I tried: group-search-filter: (memberOf={0}), but SHINYPROXY_USERGROUPS is still empty:

INFO 6063 — [ XNIO-2 task-17] c.s.docker.client.DefaultDockerClient : Creating container with ContainerConfig: ContainerConfig{hostname=null, domainname=null, user=null, attachStdin=null, attachStdout=null, attachStderr=null, portSpecs=null, exposedPorts=[3838], tty=null, openStdin=null, stdinOnce=null, env=[SHINYPROXY_USERNAME=skarzhinets, SHINYPROXY_USERGROUPS=],


#4

Hi @skar,

Note that the group search will search for group objects where the user is listed as a ‘member’. Not the other way around: it will not inspect the ‘memberOf’ attributes of the user object.

So the manager bind account needs permission to find and see the groups.
What may also help is setting the group-search-base to a path where the groups are located.

For example, if your groups are located at

ou=Groups,dc=partner,dc=ru

Try setting

group-search-base: ou=Groups

Note that you don’t have to repeat dc=partner,dc=ru because it is already in your connection URL.


#5

It partially works.
I have the following AD structure:
CN=MyGroup,OU=GroupLevel2,OU=GroupLevel1,OU=DNS Users,DC=partner,DC=ru

When I set: group-search-base: OU=GroupLevel2,OU=GroupLevel1,OU=DNS Users
Then I see: env=[SHINYPROXY_USERNAME=MyUser, SHINYPROXY_USERGROUPS=MyGroup]

But when I set: group-search-base: OU=GroupLevel1,OU=DNS Users
Then I see: env=[SHINYPROXY_USERNAME=MyUser, SHINYPROXY_USERGROUPS=]

Groups may be located in:
DNS Users -> Level1Group1 -> MyGroup1
DNS Users -> Level1Group2 -> Level2Group2 -> MyGroup2
DNS Users -> MyGroup3
Domain Users -> MyGroup4

How can I see the whole structure of domain groups if it is hierarchical?


#6

Hi @skar,

You’re right, the search only deals with the immediate sublevel right now. I thought it was set to ‘subtree’ but it isn’t.
This will be fixed in the next update of ShinyProxy.
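The search-scope behaviour described in #5 and #6 (a one-level search only returns groups whose parent container is exactly the group-search-base, while subtree also finds groups nested deeper), modelled as an added example. This is not ShinyProxy or Spring Security code; the directory entries, group names and user DN are constructed, and `URL_BASE`, `in_scope` and `search_groups` are hypothetical names.

```python
# Added example (hypothetical model, not ShinyProxy/Spring code): how a group
# search with filter (member={0}), a search base and a scope resolves groups.
from typing import Dict, List

URL_BASE = "DC=partner,DC=ru"  # base DN taken from the ldap.url in the thread

# Constructed directory: group DN -> attributes. Only "member" is consulted by
# the search; group objects in AD carry no memberOf value naming a user.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=MyGroup1,OU=Level1Group1,OU=DNS Users,DC=partner,DC=ru":
        {"member": ["CN=MyUser,OU=Users,DC=partner,DC=ru"]},
    "CN=MyGroup2,OU=Level2Group2,OU=Level1Group2,OU=DNS Users,DC=partner,DC=ru":
        {"member": ["CN=MyUser,OU=Users,DC=partner,DC=ru"]},
    "CN=MyGroup3,OU=DNS Users,DC=partner,DC=ru":
        {"member": ["CN=MyUser,OU=Users,DC=partner,DC=ru"]},
    "CN=MyGroup4,OU=Domain Users,DC=partner,DC=ru":
        {"member": ["CN=MyUser,OU=Users,DC=partner,DC=ru"]},
    "CN=OtherGroup,OU=DNS Users,DC=partner,DC=ru":
        {"member": ["CN=Someone,OU=Users,DC=partner,DC=ru"]},
}

def _rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, leaf first (no escaped commas here)."""
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """ONELEVEL: parent of entry is exactly base. SUBTREE: base is any ancestor."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return depth == 1 if scope == "ONELEVEL" else True

def search_groups(user_dn: str, group_search_base: str, scope: str,
                  attribute: str = "member") -> List[str]:
    """Mimic group-search-filter ({attribute}={0}) under group-search-base, which is
    relative to the URL base as noted in #4. Returns the matching group CNs, sorted."""
    base = f"{group_search_base},{URL_BASE}" if group_search_base else URL_BASE
    wanted = user_dn.lower()
    found = []
    for dn, attrs in DIRECTORY.items():
        if in_scope(dn, base, scope) and any(v.lower() == wanted for v in attrs.get(attribute, [])):
            found.append(dn.split(",")[0].split("=", 1)[1])
    return sorted(found)

if __name__ == "__main__":
    me = "CN=MyUser,OU=Users,DC=partner,DC=ru"
    print(search_groups(me, "OU=DNS Users", "ONELEVEL"))  # only MyGroup3 (the #5 symptom)
    print(search_groups(me, "OU=DNS Users", "SUBTREE"))   # MyGroup1, MyGroup2, MyGroup3
```

Passing `attribute="memberOf"` returns nothing for any base, which mirrors why the `(memberOf={0})` filter in #3 cannot work: the filter is evaluated against group objects, not the user object.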