I'm setting up RStudio Connect as our primary delivery method of data science dashboards and APIs in our Windows-dominated company.
Because it's a large company, I would need AD-integration, with per-AD-group access to resources. Furthermore, because of GDPR (the European data security act), I need to propagate AD credentials through Kerberos to calls to MSSQL Server.
Right now, it seems like it's either PAM (with kerberos and run-as-unix-user) or LDAP AD with groups. Is there a way to get both of these functionalities at the same time?
Unfortunately, you're reading that correctly. We currently support PAM auth which will enable running as the logged in user and optionally Kerberos, OR you can use LDAP.
We've talked about two potential solutions to your issue:
Adding support for groups to PAM
Decoupling the user search and group membership so that you could use LDAP as the source of group membership or to search for users/groups, but use PAM to handle username/password logins.
I suspect #2 would solve your issue, but it's unfortunately a bigger chunk of work for us. If we were to do #1, would that unblock you from being able to use PAM?
Hi Jeff,
Thanks for your very quick reply.
Since we’re running the LDAP integration in Redhat Linux already, and PAM is simply exploiting that, adding groups to PAM integration would solve the problem with combining AD, groups and Kerberos. I could imagine other customers in EU finance/regulatory would need the same.