Active Directory without Service Credentials (single-bind)#
Posit Connect can integrate with your company's Active Directory (AD) infrastructure using the LDAP authentication provider solely for authentication purposes.
This integration does not require the use of a set of service
credentials assigned to the Posit Connect server. User credentials will be
used for authentication and to obtain the user's own personal information
(names, email, etc.).
However, in this mode searching capabilities across Active Directory are not
possible, and neither is the support for obtaining group memberships.
If your use case for Posit Connect require searching for user or groups,
we recommend configuring Posit Connect to use
Active Directory with Service Credentials.
In this mode, Active Directory groups will not be available. However, you can still use Locally Managed Groups in Posit Connect to organize your users and associate them to content with these groups.
Active Directory Example without service credentials#
; /etc/rstudio-connect/rstudio-connect.gcfg [Authentication] Provider = ldap [LDAP "Sample AD Configuration Without Service Credentials"] ; Connectivity ; For legacy SSL (ldaps) use these: ServerAddress = ldaps.company.com:636 TLS = true ; Or for TLS (StartTLS extension) use these: ; ServerAddress = ldap.company.com:389 ; StartTLS = true TLSCACertificate= /etc/ssl/cert/ca.pem ; For TLS/SSL testing purposes only: ; ServerTLSInsecure = true ; No service credentials or anonymous bind! ; Users UserSearchBaseDN = "OU=Users,DC=example,DC=com" UserObjectClass = "user" UniqueIdAttribute = "objectGUID" ; Note that users will have to login with their first and last ; names in this configuration, instead of their usernames UsernameAttribute = "cn" UserEmailAttribute = "mail" UserFirstNameAttribute = "givenName" UserLastNameAttribute = "sn" ; When attempting to troubleshoot a problem relating to LDAP, ; you can enable more verbose logging by enabling the following line ;Logging = true
Active Directory users are created in Posit Connect upon the first successful login attempt.
Posit Connect will collect the user's credentials and forward them to the Active Directory server which will validate the authentication. If valid, the remote user's information will be returned to the Posit Connect server.
Users within Posit Connect are assigned Roles.
Users are assigned the role specified by the
setting or one defined by the User Role Mapping if configured.
Additionally, an administrator can reassign the role from within the dashboard or via the User Manager CLI.
Usernames are controlled by your Active Directory server. However, Posit Connect imposes some additional restrictions on the usernames it supports:
- A username or DN containing a forward slash (
/) is not supported.
- The following values are prohibited:
Usernames in Active Directory do not need to be unique. A user is uniquely identified
by the attribute defined in
(Users with the same username are differentiated via their personal passwords.)
Duplicate usernames are a reality of large Active Directory deployments with multiple servers, which implies multiple Active Directory server configurations in Posit Connect.
Active Directory global catalog configurations can also return duplicate usernames. However, that happens over a single connection which means a search for a username may return multiple hits. This configuration is not currently supported by Posit Connect.
The RStudio IDE does not support duplicate usernames when publishing to the same Posit Connect host. However, it is unlikely that two users with the same usernames will be sharing the same IDE account or workstation.
Duplicate users may have adverse affects on content that tracks the user credentials. Please refer to the Credentials for Content in the Advanced Users and Group Topics appendix for alternatives under this condition.
Username Limitations Without Service Credentials#
The DN of a user must contain their username (e.g., must utilize the
In general, most LDAP schemas have
uid (the username) as the part of the
user's DN, for example
uid=johndoe,ou=People,dc=company,dc=com which works
perfectly with Posit Connect for the following configuration:
; /etc/rstudio-connect/rstudio-connect.gcfg [LDAP "Example"] ... UsernameAttribute = uid
However, if the DN for a user is
but their actual username is
johndoe, due to limitations imposed by the lack
of service credentials, the Posit Connect configuration must be:
; /etc/rstudio-connect/rstudio-connect.gcfg [LDAP "Example"] ... UsernameAttribute = cn
And, the user must use
John Doe (with spaces) as their username to login.
To use the actual username (
johndoe), you must configure Posit Connect
with Active Directory service credentials in this situation.
The following user information is required:
- First name.
- Last name.
- Email address.
Different Active Directory attributes may be used for each of these fields, but in general, all user attributes are provided by Active Directory, and they should all be present in the Posit Connect configuration.
If your Active Directory server cannot provide some of these, be sure to not define the respective attributes in the Posit Connect configuration, so that the profile information can be entered manually by users. Otherwise, the profile values will not be editable in Posit Connect and will remain blank.
When changes are made to a user's name, email address, or username in your Active Directory system, these changes will automatically propagate to Posit Connect:
The next time that the user logs into Posit Connect.
When the user is returned in a search result while adding new users.
Editing User Attributes#
A username is the primary means of authentication. Therefore, it is required in the configuration, and never editable.
By default, the setting
has a value of
AdminAndSelf, permitting users and administrators to
manage these editable user profile information not configured to be managed by
Admin if profile editing should be restricted only to administrators.
It is recommended that if you disable
with a value of
false, that you also configure
Admin. A value of
Admin means that users created by the administrator,
cannot be changed by non-administrators.
Editing User Roles#
User roles are only editable in Posit Connect if Automatic User Role Mapping is not configured, and the Active Directory authentication provider is not configured to send roles in as part of the user profile.
Automatic User Role Mapping#
Posit Connect offers ways to map their user information to valid roles when users login. This can be done with roles defined as part of the user profile .
Using User Profile Roles#
Use the configuration option
to enable user role mapping via a user profile attribute from your authentication provider.
option should also be used if the values you receive from your authentication provider do not
match the default expected values of
User roles can be used directly from your authentication provider without
the need of mapping values as long as it only returns the values of
administrator to define roles in Posit
# LDAP Record with no role mapping needed uid: RUser rsc-role: administrator # Posit Connect Configuration to enable RUser [LDAP "My LDAP Server Name"] UserRoleAttribute = rsc-role # LDAP Record with role mapping needed uid: RUser2 rsc-role: connect-administrator # Posit Connect Configuration to enable RUser2 [LDAP "My LDAP Server Name"] UserRoleAttribute = rsc-role [Authorization] UserRoleMapping = true AdministratorRoleMapping = connect-administrator ; PublisherRoleMapping = connect-publisher ; assuming the values continue as such ; ViewerRoleMapping = connect-viewer
When mapping is enabled, each role can be mapped to one or more values specific
to your organization using the configuration options
In the following example the authentication provider returns department names:
; /etc/rstudio-connect/rstudio-connect.gcfg [Authorization] UserRoleMapping = true ViewerRoleMapping = "HR" ViewerRoleMapping = "Marketing" PublisherRoleMapping = "Engineering" AdministratorRoleMapping = "IT"
Multiple User Role Mappings#
When there are multiple matches between the configured mapping and the user
sent by the authentication provider, the role with the most privileges is selected. This behavior makes it easy to promote users to a new role.
If there are concerns about security, a more restrictive behavior can be
used in these scenarios with the configuration option
When enabled, it will cause the least privileged role to be selected.
Locally Managed Groups#
You can still use groups in Posit Connect without using Active Directory service credentials.
Locally managed groups have no relation with Active Directory groups.
These groups are local to Posit Connect, they can be created via the Dashboard or via the Connect Server API. Group memberships must also be managed using the same means.
If you do not want groups at all in Posit Connect, set the
configuration option to