How to set ldap configuration in your shinyproxy.yml to filter app access by group?

Question

We are trying to set a shinyproxy server with ldap security.

In the shinyproxy.yml the ldap configuration is set as:

ldap:
    url: ldap://ourIP:389/dc=ourdomain,dc=com
    manager-dn: cn=admin,dc=ourdomain,dc=com
    manager-password: ++++++++
    group-search-base: ou=Groups
    group-search-filter: (|(cn=admingroup)(cn=nonadmingroup))
    user-search-base: ou=People
    user-search-filter: uid={0}

But with this configuration filters in the .yml like admin-groups, or access-groups in every app doesn´t seem to work. Having all users all permissions.

How should we set it so the filters work?

score 1 · Accepted Answer · answered Oct 04 '22 at 14:45

We needed to make the group filter dependent on the userpass entry.

First, to be able to relate user and group, in our OpenLDAP server, instead of adding the user to the group as primary group (sharing the gidNumber), we needed to add it to another primary group, and then to the intended group (adding the attribute "memberUid" in it).

Finally specifying the group filter as:

group-search-filter: (&(objectClass=posixGroup)(memberUid={1}))

How to set ldap configuration in your shinyproxy.yml to filter app access by group?

1 Answers1