1

I've been developing an app in R Shiny and deployed it locally at my company. I'm trying to set up an authentication process using an LDAP server. I managed to connect to the LDAP server using an admin account specific to the app; however, I can't perform searches in the directory to find users allowed to use the app.

Here is my draft code:

library(yaml)
config <- yaml::read_yaml("path_to/config.yml")

library(reticulate)

# use_python("C:/Users/cal14236/AppData/Local/Programs/Python/Python313/python.exe", required = TRUE)
use_virtualenv("~/.virtualenvs/r-reticulate", required = TRUE)
py_config()
# py_install("ldap3")
ldap3 <- import("ldap3")

# Create an LDAP server
server <- ldap3$Server(config$ldap$server)

# Create a connection
conn <- ldap3$Connection(
  server,
  user = config$ldap$bind_user,
  password = config$ldap$bind_password,
  auto_bind = TRUE
)

conn$search(
  search_base = "ou=StatiCAL,dc=testcal,dc=local",
  search_filter = "(cn=username)",
  attributes = "cn"
)

Here is the LDAP configuration:

LDAP directory configuration

I really can't find the problem. I tried to see if this was a permission issue, but IT said no.

6
  • I'm not very familiar with R – will this run client-side or server-side? I thought R is a desktop application, but R Shiny seems like a web app platform, so I hope this is server-side. (Client-side auth is fundamentally flawed and should not be done.) But besides that I'd like to know the results of the attempted search – does it return an error message or merely 0 entries? – and also whether your 'bind_user' is a valid DN or just a username, and whether you've tried doing the same search from plain Python? Commented Sep 23 at 15:40
  • 1
    @grawity generally "R code" works on the server side (there are rare exceptions). Some reactivity is JavaScript and therefore client-side. I'm interpreting from the OP that this is all server-side auth issues (I'm with you, doing that on the client may not be good or sufficient). Commented Sep 23 at 17:52
  • Not what you're asking, but in case it's useful: I'm not a fan of handling authentication in R, preferring it in the encasing web server. I think the rev-proxies like nginx, apache, etc. tend to have auth-ldap and similar modules for handling authentication. In general they tend to be a little safer in that you don't miss a corner-case in your "R" code that inadvertently allows access. Sometimes you can get details user/group context in headers. Commented Sep 23 at 17:58
  • @r2evans: Yes, personally I use mod_shib2 for SSO very often at work (my environment has SAML SSO available) and mod_auth_gssapi in personal projects (Kerberos SSO), but if it's going to be password-based either way then I don't mind OP using python-ldap3 directly... passing information via headers is actually one of the most fragile-looking parts of mod_shib2, letting the app itself process the data has its advantages. Commented Sep 23 at 18:37
  • 1
    Here you can find a related question. Also see this or this. Commented Sep 24 at 11:40

1 Answer

0

So the problem was that my bind_user didn't have the permission to read my directory. Using my root account, I managed to perform the authentication process.
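
Added example (not part of the original question or answer): one way to tell apart the outcomes asked about in the comments (an error versus 0 entries), and to use the app's bind account only to look up the user's DN before binding as that user. The helper names and `input_user`/`input_password` are hypothetical; `server` and `conn` are the objects created in the question's code.

```r
library(reticulate)
ldap3 <- import("ldap3")
conv  <- import("ldap3.utils.conv")

# Hypothetical helper: run the lookup and return what the server answered.
ldap_lookup <- function(conn, base, username) {
  # Escape the user-supplied value so it cannot change the filter's structure.
  flt <- sprintf("(cn=%s)", conv$escape_filter_chars(username))
  conn$search(search_base = base, search_filter = flt, attributes = list("cn"))
  res <- conn$result  # result of the last operation: code, description, message
  dns <- vapply(conn$entries, function(e) e$entry_dn, character(1))
  list(code = res$result, description = res$description, dns = dns)
}

# Hypothetical helper: put a lookup result into words.
explain_lookup <- function(hit) {
  if (hit$code != 0L) {
    sprintf("server returned %s (%d)", hit$description, hit$code)
  } else if (length(hit$dns) == 0L) {
    # Servers commonly hide unreadable entries instead of returning an error,
    # so "no match" and "bind account cannot read this subtree" look the same.
    "success with 0 entries: no match, or the bind account cannot read the subtree"
  } else {
    sprintf("%d entry(ies) found", length(hit$dns))
  }
}

# Hypothetical helper: search with the service connection, then verify the
# password by binding as the DN that was found.
ldap_authenticate <- function(server, service_conn, base, username, password) {
  # A simple bind with a DN and an empty password is not a login: reject it.
  if (!nzchar(username) || !nzchar(password)) return(FALSE)
  hit <- ldap_lookup(service_conn, base, username)
  if (hit$code != 0L || length(hit$dns) != 1L) {
    message("lookup: ", explain_lookup(hit))
    return(FALSE)
  }
  user_conn <- ldap3$Connection(server, user = hit$dns[[1]], password = password)
  ok <- isTRUE(user_conn$bind())  # FALSE on invalid credentials
  user_conn$unbind()
  ok
}

# Usage with the question's objects and search base:
# ldap_authenticate(server, conn, "ou=StatiCAL,dc=testcal,dc=local",
#                   input_user, input_password)
```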
