
Shiny server LDAP not properly including OU in DN


I am setting up a Shiny Server w/ LDAP authentication. My users are organized into departments for administrative purposes. User DNs use the following format:

uid=testuser1,ou=People,ou=Dept1,dc=example,dc=com
uid=testuser2,ou=People,ou=Dept2,dc=example,dc=com

My issue is that I can't seem to find a setting that will allow both of the above users to log in. When a user attempts to log in, the DN used needs to include the department (e.g. ou=Dept1), but it will instead try to bind without it (e.g. uid=testuser2,ou=People,dc=example,dc=com).

Is there a way to set up the conf file so that shiny will search for the full DN (including department) of the user with a given UID and then bind using that full DN?

I get the sense that this is possible from the shiny configuration reference, but I can't seem to find the right settings.

In particular, this passage seems relevant, but it isn't clear to me what I need to do for this use case:

4.6.9 user_filter

Some systems (notably many Active Directory implementations) do not use the username as a part of the user's DN. In such systems, it may be necessary to perform an extra LDAP query after binding to determine the user's DN based on their username before group membership can be determined. This setting stores the LDAP filter used to find the user object which matches the entered username.

Using the default provided for auth_active_dir (userPrincipalName={userBind}) as an example, Shiny Server Pro will attempt to bind to the LDAP server using the given username (after being manipulated as defined in user_bind_template) and password. If successful, it will then search for an object whose attribute userPrincipalName matches the username manipulated by user_bind_template. If found, the returned object's DN will be made available to the group_filter as the {userDN} variable.

Default Value

For auth_ldap -- N/A
For auth_active_dir -- userPrincipalName={userBind}

Any help is much appreciated.


Solution

  • After consulting w/ RStudio technical support, I was able to get it working with the following config in Shiny Server:

    auth_ldap ldaps://server:636/dc=example,dc=com {
       base_bind "uid=searcheraccount,ou=People,{root}"  'thepassword';
       user_filter "uid={username}";
       user_search_base "";
    }
    

    What this does:

    1. It uses a double bind. That is, when shiny-server contacts the LDAP server, it first authenticates with a specified account uid=searcheraccount,ou=People,{root} using its password thepassword.
    2. Once in, it searches for the DN of the account with uid={username} (i.e. the username entered by the user on the login page). In this case, this should return something like uid=testuser1,ou=People,ou=Dept1
    3. It binds with this DN + root.

    I had tried setups similar to this, but the problem was in user_search_base. In my previous setup, I had set this parameter to be 'ou=people', which fails since my users in departments are not directly under ou=people,{root}.

    This configuration also would have solved a related problem I had previously when GOsa was setting up accounts where the DNs were constructed using {firstName}&" "&{lastName} rather than the uid.
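The search-then-bind sequence from the answer, modelled in Python as an added example (this is not code from the original post or from Shiny Server). It builds a small in-memory copy of the directory from the question and shows why the search base has to be {root} rather than ou=People: in this tree ou=Dept1 sits above ou=People, so neither a one-level nor a subtree search under ou=People,{root} can reach the users. It also carries two checks that any code doing this lookup itself needs: RFC 4515 escaping of the login name before it is placed in the filter (otherwise a username of `*` becomes a presence filter), and refusing an empty password, since a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many servers accept rather than fail. The function names, the in-memory matcher, and the sample passwords are assumptions made for the example; whether Shiny Server applies these checks internally is not something the page says.

```python
import re

# Added example, not code from the original post or from Shiny Server.
# The function names, the sample passwords and the in-memory directory
# below are assumptions made for illustration only.

ROOT = "dc=example,dc=com"
SCOPE_ONELEVEL = "one"   # entries directly under the base only
SCOPE_SUBTREE = "sub"    # the base and everything beneath it

# Constructed sample directory mirroring the DNs in the question. The
# "password" field stands in for whatever the real server checks on bind.
DIRECTORY = {
    "uid=searcheraccount,ou=People,dc=example,dc=com":
        {"uid": "searcheraccount", "password": "thepassword"},
    "uid=testuser1,ou=People,ou=Dept1,dc=example,dc=com":
        {"uid": "testuser1", "password": "pw1"},
    "uid=testuser2,ou=People,ou=Dept2,dc=example,dc=com":
        {"uid": "testuser2", "password": "pw2"},
}
SEARCHER_DN = "uid=searcheraccount,ou=People," + ROOT
SEARCHER_PW = "thepassword"   # placeholder matching the answer's config


def escape_filter_value(value):
    """RFC 4515 section 3 escaping for an assertion value. The login name is
    untrusted input: unescaped, a username of '*' becomes a presence filter
    that matches every entry in the search base."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def _unescape(chunk):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), chunk)


def _in_scope(dn, base, scope):
    # Naive RDN split (no escaped commas). DN components compare
    # case-insensitively, which is why 'ou=people' in the answer is harmless.
    dn_rdns = dn.lower().split(",")
    base_rdns = base.lower().split(",") if base else []
    n = len(base_rdns)
    if n and dn_rdns[-n:] != base_rdns:
        return False
    depth = len(dn_rdns) - n
    return depth >= 0 if scope == SCOPE_SUBTREE else depth == 1


def search(base, scope, filter_str):
    """Evaluate one equality/substring filter such as '(uid=testuser1)'
    against DIRECTORY. An unescaped '*' in the value is a wildcard."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, raw = m.group(1), m.group(2)
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    matches = re.compile("^" + pattern + "$").match
    return [dn for dn, entry in DIRECTORY.items()
            if _in_scope(dn, base, scope)
            and attr in entry and matches(entry[attr])]


def simple_bind(dn, password):
    """Placeholder for the server's simple bind. The empty-password check is
    the important part: per RFC 4513 section 5.1.2 a simple bind with a DN
    and an empty password is an unauthenticated (anonymous) bind, which many
    servers accept, so a client that forwards it would 'log in' anyone."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def resolve_user_dn(username, user_search_base="", scope=SCOPE_SUBTREE):
    """Step 2 of the answer: find the DN whose uid equals the login name.
    user_search_base is relative to ROOT, like the config setting."""
    base = user_search_base + "," + ROOT if user_search_base else ROOT
    found = search(base, scope, "(uid=%s)" % escape_filter_value(username))
    return found[0] if len(found) == 1 else None   # zero or ambiguous: refuse


def login(username, password, user_search_base="", scope=SCOPE_SUBTREE):
    """The whole double bind: bind as the search account, look up the user's
    DN, then bind as that DN. Returns the DN on success, otherwise None."""
    if not simple_bind(SEARCHER_DN, SEARCHER_PW):
        return None
    user_dn = resolve_user_dn(username, user_search_base, scope)
    if user_dn is None or not simple_bind(user_dn, password):
        return None
    return user_dn


if __name__ == "__main__":
    print(login("testuser1", "pw1"))                 # full DN including ou=Dept1
    print(login("testuser1", "pw1", "ou=People"))    # None: base cannot reach the user
    print(resolve_user_dn("*"))                      # None: wildcard was escaped
```

To check the same two steps against the real server, the OpenLDAP tools do the job: `ldapsearch -x -H ldaps://server:636 -D "uid=searcheraccount,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" -s sub "(uid=testuser1)" dn` should return exactly one DN, and `ldapwhoami -x -H ldaps://server:636 -D "<that DN>" -W` confirms the second bind works with the user's own password. If the first command returns more than one entry, the uid is not unique across departments and the lookup must refuse rather than pick one.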