
LDAP without Service Credentials (single-bind)

RStudio Connect can integrate with your company's LDAP infrastructure using the LDAP authentication provider solely for authentication purposes.

Note

This integration does not require a set of service credentials assigned to the RStudio Connect server. The user's own credentials are used to authenticate and to obtain that user's personal information (names, email, etc.). However, in this mode RStudio Connect cannot search LDAP, and obtaining group memberships is not supported. If your use case for RStudio Connect requires searching for users or groups, we recommend configuring RStudio Connect to use LDAP with Service Credentials.

In this mode, LDAP groups are not available. However, you can still use Locally Managed Groups in RStudio Connect to organize your users and associate them with content.

LDAP Example without Service Credentials

Note

The Advanced LDAP / AD and LDAP configuration appendixes contain more detailed information about each LDAP configuration option.

; /etc/rstudio-connect/rstudio-connect.gcfg

[Authentication]
Provider = ldap

[LDAP "Sample Configuration Without Service Credentials"]
; Connectivity

; For legacy SSL (ldaps) use these:
ServerAddress = ldaps.company.com:636
TLS = true
; Or for TLS (StartTLS extension) use these:
; ServerAddress = ldap.company.com:389
; StartTLS = true

TLSCACertificate = /etc/ssl/cert/ca.pem
; For TLS/SSL testing purposes only:
; ServerTLSInsecure = true

; No service credentials or anonymous bind!

; Users (OpenLDAP example)
UserSearchBaseDN = "OU=Users,DC=example,DC=com"
UserObjectClass = "posixAccount"
; UniqueIdAttribute - vendor-specific object attribute
; Please refer to your LDAP vendor documentation for the correct value.
; (OpenLDAP) UniqueIdAttribute = "entryUUID"
; (Oracle OID) UniqueIdAttribute = "orclGuid"
; (IBM RACF) UniqueIdAttribute = "ibm-entryUUID"
; (Novell eDirectory) UniqueIdAttribute = "GUID"
; (389 Directory Server) UniqueIdAttribute = "nsUniqueID"
UniqueIdAttribute = "entryUUID"
UsernameAttribute = "uid"
UserEmailAttribute = "mail"
UserFirstNameAttribute = "givenName"
UserLastNameAttribute = "sn"

; When attempting to troubleshoot a problem relating to LDAP,
; you can enable more verbose logging by enabling the following line:
; Logging = true

User Provisioning

LDAP users are created in RStudio Connect upon the first successful login attempt.

RStudio Connect collects the user's credentials and forwards them to the LDAP server, which validates them. If they are valid, the user's information is returned to the RStudio Connect server.

Users within RStudio Connect are assigned Roles. Users are assigned the role specified by the Authorization.DefaultUserRole setting or one defined by the User Role Mapping if configured. Additionally, an administrator can reassign the role from within the dashboard or via the User Manager CLI.

Usernames

Usernames are controlled by your LDAP server. However, RStudio Connect imposes some additional restrictions on the usernames it supports:

  • A username or DN containing a forward slash (/) is not supported.
  • The following values are prohibited: connect, apps, users, groups, setpassword, user-completion, confirm, recent, reports, plots, unpublished, settings, metrics, tokens, help, login, welcome, register, resetpassword, content

Duplicate Usernames

Usernames in LDAP do not need to be unique. A user is uniquely identified by the attribute defined in LDAP.UniqueIdAttribute. (Users with the same username are differentiated via their personal passwords.)

Duplicate usernames are a reality of large LDAP deployments with multiple servers, which implies multiple LDAP server configurations in RStudio Connect.

Note

The RStudio IDE does not support duplicate usernames when publishing to the same RStudio Connect host. However, it is unlikely that two users with the same username will share the same IDE account or workstation.

Tip

Duplicate users may have adverse effects on content that tracks user credentials. Please refer to Credentials for Content in the Advanced Users and Group Topics appendix for alternatives under this condition.

Username Limitations Without Service Credentials

The DN of a user must contain their username; that is, it must include the attribute configured as LDAP.UsernameAttribute.

In general, most LDAP schemas have uid (the username) as part of the user's DN, for example uid=johndoe,ou=People,dc=company,dc=com, which works with RStudio Connect under the following configuration:

; /etc/rstudio-connect/rstudio-connect.gcfg
[LDAP "Example"]
...
UsernameAttribute = uid

However, if the DN for a user is cn=John Doe,ou=People,dc=company,dc=com but their actual username is johndoe, the lack of service credentials means that the RStudio Connect configuration must be:

; /etc/rstudio-connect/rstudio-connect.gcfg
[LDAP "Example"]
...
UsernameAttribute = cn

In that case, the user must enter John Doe (with spaces) as their username to log in.

To use the actual username (johndoe), you must configure RStudio Connect with LDAP service credentials in this situation.
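The following is an added example, not RStudio Connect code: a small model of a single-bind login that shows why the username attribute must be part of the DN, and why the page's username restrictions and DN escaping matter. The bind-DN construction rule (UsernameAttribute=username,UserSearchBaseDN), the in-memory directory and the configuration dictionary are assumptions made for the example.

```python
# Added example, not RStudio Connect code: a model of a single-bind LDAP login
# showing why the username attribute must be part of the user's DN.
import re

# Constructed in-memory directory: DN -> (password, attributes). The second
# entry is the cn-based schema from the text; without a search nothing can
# resolve "johndoe" to that DN even though uid=johndoe is on the entry.
DIRECTORY = {
    "uid=johndoe,ou=People,dc=company,dc=com": (
        "s3cret", {"uid": "johndoe", "mail": "jd@company.com",
                   "givenName": "John", "sn": "Doe"}),
    "cn=John Doe,ou=People,dc=company,dc=com": (
        "hunter2", {"cn": "John Doe", "uid": "johndoe",
                    "mail": "jd@company.com", "givenName": "John", "sn": "Doe"}),
}

# Usernames the page lists as prohibited.
RESERVED = {"connect", "apps", "users", "groups", "setpassword",
            "user-completion", "confirm", "recent", "reports", "plots",
            "unpublished", "settings", "metrics", "tokens", "help", "login",
            "welcome", "register", "resetpassword", "content"}

# Constructed configuration using the page's attribute names.
BASE_CFG = {"UserSearchBaseDN": "ou=People,dc=company,dc=com",
            "UsernameAttribute": "uid", "UserEmailAttribute": "mail",
            "UserFirstNameAttribute": "givenName", "UserLastNameAttribute": "sn"}

def escape_rdn_value(value):
    """RFC 4514 escaping so user input cannot add RDN components to the DN."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def single_bind(username, password, cfg, directory=DIRECTORY):
    """Return (profile, status); profile is None unless status is 'ok'."""
    if "/" in username or username.lower() in RESERVED:
        return None, "username not supported"
    # Assumption: with no service credentials the bind DN is assembled as
    # <UsernameAttribute>=<username>,<UserSearchBaseDN>; no search happens.
    dn = "%s=%s,%s" % (cfg["UsernameAttribute"], escape_rdn_value(username),
                       cfg["UserSearchBaseDN"])
    entry = directory.get(dn)
    if entry is None or entry[0] != password:
        return None, "bind failed"
    attrs = entry[1]  # profile fields come from the configured attributes
    return {"username": attrs.get(cfg["UsernameAttribute"]),
            "email": attrs.get(cfg["UserEmailAttribute"]),
            "first": attrs.get(cfg["UserFirstNameAttribute"]),
            "last": attrs.get(cfg["UserLastNameAttribute"])}, "ok"
```

With UsernameAttribute = cn, only "John Doe" binds; "johndoe" produces a DN that does not exist, which is exactly the limitation the text describes.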

User Attributes

The following user information is required:

  • First name.
  • Last name.
  • Email address.
  • Username.

Different LDAP attributes may be used for each of these fields, but in general, all user attributes are provided by LDAP, and they should all be present in the RStudio Connect configuration.

Tip

If your LDAP server cannot provide some of these, do not define the respective attributes in the RStudio Connect configuration, so that users can enter the profile information manually. Otherwise, the profile values will not be editable in RStudio Connect and will remain blank.

When changes are made to a user's name, email address, or username in your LDAP system, these changes will automatically propagate to RStudio Connect:

  • The next time that the user logs into RStudio Connect.

  • When the user is returned in a search result while adding new users.

Editing User Attributes

A username is the primary means of authentication. Therefore, it is required in the configuration, and never editable.

By default, the setting Authorization.UserInfoEditableBy has a value of AdminAndSelf, permitting both users and administrators to edit the profile fields that are not configured to be managed by LDAP.

Configure Authorization.UserInfoEditableBy with Admin if profile editing should be restricted only to administrators.

Tip

If you set LDAP.RegisterOnFirstLogin to false, it is recommended that you also set Authorization.UserInfoEditableBy to Admin. With a value of Admin, users created by the administrator cannot be changed by non-administrators.

Editing User Roles

User roles are only editable in RStudio Connect if Automatic User Role Mapping is not configured and the LDAP authentication provider is not configured to send roles as part of the user profile.

Automatic User Role Mapping

RStudio Connect can map user information to valid roles when users log in. This is done with roles defined as part of the user profile.

Warning

UserRoleMapping currently sets roles only on first login. If you need to change roles for users after they log in for the first time, use the usermanager command line tool.

Using User Profile Roles

Use the configuration option Authorization.UserRoleMapping to enable user role mapping via a user profile attribute.

The LDAP.UserRoleAttribute configuration option should also be defined to receive role information as part of the user profile.

Note

User roles can be used directly from your authentication provider without mapping, as long as it only returns the values viewer, publisher, and administrator to define roles in RStudio Connect.

When mapping is enabled, each role can be mapped to one or more values specific to your organization using the configuration options Authorization.ViewerRoleMapping, Authorization.PublisherRoleMapping, and Authorization.AdministratorRoleMapping.

In the following example the authentication provider returns department names:

; /etc/rstudio-connect/rstudio-connect.gcfg
[Authorization]
UserRoleMapping = true
ViewerRoleMapping = "HR"
ViewerRoleMapping = "Marketing"
PublisherRoleMapping = "Engineering"
AdministratorRoleMapping = "IT"

Multiple User Role Mappings

When there are multiple matches between the configured mappings and the values sent by the authentication provider for a user, the role with the most privileges is selected. This behavior makes it easy to promote users to a new role.

Note

If there are security concerns, a more restrictive behavior can be selected for these scenarios with the configuration option Authorization.UserRoleMappingRestrictive. When enabled, the least privileged role is selected instead.
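The following is an added example, not RStudio Connect code, covering the Using User Profile Roles and Multiple User Role Mappings sections above: it resolves the values received via LDAP.UserRoleAttribute to a single role under the page's [Authorization] example, including the most-privileged default and the UserRoleMappingRestrictive alternative. The resolution function and the fallback to a default role are assumptions made for the example.

```python
# Added example, not RStudio Connect code: models how the values received via
# LDAP.UserRoleAttribute are resolved to one Connect role. The mapping values
# mirror the page's [Authorization] example; the resolution logic is assumed.

ROLES = ["viewer", "publisher", "administrator"]  # least to most privileged

# Constructed equivalent of the page's configuration; the repeated
# ViewerRoleMapping lines become a list.
CONFIG = {
    "UserRoleMapping": True,
    "UserRoleMappingRestrictive": False,
    "ViewerRoleMapping": ["HR", "Marketing"],
    "PublisherRoleMapping": ["Engineering"],
    "AdministratorRoleMapping": ["IT"],
}

def resolve_role(attribute_values, cfg, default_role="viewer"):
    """Pick the Connect role for the role-attribute values sent for a user.

    Mapping off: values must already be viewer/publisher/administrator.
    Mapping on: each value is checked against the three mapping lists.
    Several matches yield the most privileged role, or the least privileged
    one when UserRoleMappingRestrictive is set. No match falls back to
    default_role (assumed to stand in for Authorization.DefaultUserRole)."""
    if not cfg.get("UserRoleMapping"):
        matched = [v.lower() for v in attribute_values if v.lower() in ROLES]
    else:
        matched = []
        for role in ROLES:
            mapping = cfg.get(role.capitalize() + "RoleMapping", [])
            if any(v in mapping for v in attribute_values):
                matched.append(role)
    if not matched:
        return default_role
    pick = min if cfg.get("UserRoleMappingRestrictive") else max
    return pick(matched, key=ROLES.index)
```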

Locally Managed Groups

You can still use groups in RStudio Connect without using LDAP service credentials.

Important

Locally managed groups have no relation with LDAP groups.

These groups are local to RStudio Connect; they can be created via the Dashboard or via the Connect Server API. Group memberships must also be managed by the same means.

Tip

If you do not want groups at all in RStudio Connect, set the Authorization.UserGroups configuration option to false.