
Configuring LDAP / Active Directory with RStudio Team

Many RStudio Team customers use LDAP or Active Directory to authenticate into their server. LDAP (Lightweight Directory Access Protocol) is a directory service, frequently used for authentication. Active Directory (AD) is a Microsoft directory service that implements LDAP.

The instructions below apply the same whether your implementation is Active Directory or some other LDAP implementation.

Note

If you are using Azure Active Directory, you will want to configure RStudio Team to use SAML authentication rather than LDAP.

Summary of using LDAP with RStudio Connect

To configure RStudio Connect with LDAP, you will:

  1. Test that you have the proper LDAP server settings
  2. Configure the server with LDAP
  3. Restart RStudio Connect
  4. Test that your configuration works

1. Confirm LDAP Server Settings

The first step to successfully configuring RStudio Connect with LDAP is to check your LDAP server settings outside of RStudio Connect. If you cannot connect to your LDAP server from the command line, you will not be able to do so from RStudio Connect.

You will do all of the following from the command line after logging into the RStudio Connect server via SSH.

In order to proceed, you will need to get the following, likely from your organization's LDAP team.

  1. Your LDAP server information (host and port)
  2. The username and password of a normal user
  3. A Bind DN to use for a double-bind configuration (recommended)
  4. The user search base distinguished name

We recommend configuring LDAP in a double-bind configuration. Without it, RStudio Connect can only confirm that a user is allowed access; it cannot, for example, use groups.

Check Networking

The first thing to ensure is that your networking is properly configured to allow RStudio Connect to access the LDAP server.

The command is

nc -vz <hostname> <port>

For LDAP, the standard port is 389 and LDAPS often uses 636.

For example, if your LDAP server is configured on port 389 at ldap.example.org, you would run

nc -vz ldap.example.org 389

A successful connection will return something like Connection to ldap.example.org port 389 succeeded!

LDAP Credentials

Your Linux server probably has the command line utility ldapsearch installed. If not, it can be installed with apt, yum, or zypper.

The command to confirm your bind credentials is

ldapsearch -h <hostname> -p <port> -D <bind DN> -w <bind password> -b <user search DN>

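You'll need to use the full distinguished name (DN) for both the bind account and the user search base in the command. To keep the bind password out of your shell history and the process list, you can replace -w <bind password> with -W, which makes ldapsearch prompt for it.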

For example, for the LDAP server at ldap.example.org on port 389, if the bind DN were cn=admin,dc=example,dc=org, the bind password was admin, and the user search base DN was dc=example,dc=org, you would run

ldapsearch -h ldap.example.org -p 389 -D "cn=admin,dc=example,dc=org" -w admin -b "dc=example,dc=org"

A proper configuration will return something like

# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

If you are using a configuration other than double-bind (sometimes called single bind or anonymous bind), you may be able to test using your own DN and password instead of the one for the bind account.
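The sample output above ends in result 32, which still tells you something about the bind: the search only runs after the server has accepted the bind. The following script is an added example, not part of the original guide; it reads captured ldapsearch output and reports what the result code says about your credentials. The function names and sample strings are constructed for illustration, and the error-line format assumes the OpenLDAP client tools.

```shell
#!/bin/sh
# Added example: turn captured ldapsearch output into a verdict.

# Print the LDAP result code found in ldapsearch output ($1), or "none".
ldap_result_code() {
    printf '%s\n' "$1" | awk '
        # Search completed, e.g. "result: 32 No such object"
        /^result: [0-9]+/ { code = $2; have = 1 }
        # Bind or connect failed first, e.g. "ldap_bind: Invalid credentials (49)"
        !have && /^ldap_[^:]*: .*\(-?[0-9]+\)[ \t]*$/ {
            code = $0; sub(/^.*\(/, "", code); sub(/\).*$/, "", code)
        }
        END { print (code == "" ? "none" : code) }'
}

# Map the result code to what it says about the bind credentials.
ldap_verdict() {
    case "$(ldap_result_code "$1")" in
        0)    echo "PASS bind accepted, search base found" ;;
        32)   echo "WARN bind accepted, but the search base DN was not found or is not visible to the bind DN (check -b)" ;;
        49)   echo "FAIL server rejected the bind DN or password" ;;
        -1)   echo "FAIL could not reach the LDAP server (repeat the nc check)" ;;
        none) echo "FAIL no LDAP result code in the output" ;;
        *)    echo "FAIL other LDAP result code; ask your LDAP team" ;;
    esac
}

# Constructed samples: the result block shown above, and a rejected bind.
SAMPLE_32='# search result
search: 2
result: 32 No such object'
SAMPLE_49='ldap_bind: Invalid credentials (49)'

ldap_verdict "$SAMPLE_32"
ldap_verdict "$SAMPLE_49"
```

When feeding it real output, capture both streams (append 2>&1 to the ldapsearch command inside the command substitution), because bind errors are written to standard error.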

2. Configure the Server with LDAP

You will configure the server's LDAP settings in an LDAP block in the RStudio Connect config file, /etc/rstudio-connect/rstudio-connect.gcfg.

For example, for the LDAP server at ldap.example.org on port 389, if the bind DN were cn=admin,dc=example,dc=org and the bind password were admin, the first few lines of the LDAP configuration would look like

; /etc/rstudio-connect/rstudio-connect.gcfg
[LDAP "My LDAP Config"]
ServerAddress = ldap.example.org:389
BindDN = "cn=admin,dc=example,dc=org"
BindPassword = admin
UserSearchBaseDN = "dc=example,dc=org"

The bind password can be encrypted in the config file using the included utility.
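Because the LDAP block above holds bind credentials, it is worth checking the file before restarting the service. The following script is an added example, not a utility shipped with RStudio Connect; it reports a world-readable config file, a BindPassword stored in the file, a missing BindDN, and a ServerAddress on port 389. The function names and finding labels are constructed, and the script cannot tell whether the stored password value has already been encrypted.

```shell
#!/bin/sh
# Added example: report risky settings in the [LDAP ...] block of a gcfg file.
audit_ldap_block() {
    # World-readable file: any local user can read the bind DN and password.
    if [ -n "$(find "$1" -prune -perm -004)" ]; then echo "world-readable"; fi
    awk '
        /^[ \t]*[;#]/ { next }                               # comment lines
        /^[ \t]*\[/   { in_ldap = ($0 ~ /^[ \t]*\[LDAP([ \t]|\])/); next }
        !in_ldap      { next }                               # other sections
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)               # trim and unquote
            seen[key] = val
        }
        END {
            # No bind DN means this is not a double-bind configuration.
            if (!("BindDN" in seen)) print "no-bind-dn"
            # Credential kept in the file: encrypt it and restrict the file.
            if ("BindPassword" in seen) print "bind-password-in-file"
            # 389 is plain LDAP; 636 is the usual LDAPS port.
            n = split(seen["ServerAddress"], hp, ":")
            if (n == 2 && hp[2] == "389") print "port-389"
        }' "$1"
}

# Constructed demo: the example block from this page in a temporary file.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
; constructed sample based on the example above
[LDAP "My LDAP Config"]
ServerAddress = ldap.example.org:389
BindDN = "cn=admin,dc=example,dc=org"
BindPassword = admin
UserSearchBaseDN = "dc=example,dc=org"
EOF
    chmod 644 "$f"; audit_ldap_block "$f"; rm -f "$f"
}
demo
```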

In the rest of the configuration, you'll configure how RStudio Connect searches for users and map attributes like first and last name, unique id, and email from your LDAP server to RStudio Connect.

The exact names of attributes in your LDAP server may vary, but there are some common configurations for both Active Directory and OpenLDAP. Example configurations are in the RStudio Connect admin guide.

There are many other LDAP configuration options for RStudio Connect. A complete list can be found in the admin guide.

3. Restart the RStudio Connect Service

Changes to the authentication mechanism will only be adopted when the server is stopped and restarted. If the server is on, restart it with sudo systemctl restart rstudio-connect. If it is not, start it with sudo systemctl start rstudio-connect.

4. Test a User

To test that RStudio Connect is properly configured, attempt to log in as a normal user. If the login succeeds, you have configured LDAP correctly in RStudio Connect.

You may also wish to publish a piece of content and add a group to the content to confirm groups are properly configured.