App Visibility Restriction with LDAP-backed Groups Not Working in OnDemand 3.1.1

Hi,

We’re running Open OnDemand version 3.1.1 on an EL9 system, and the user authentication and group memberships are managed via LDAP.

We want to restrict the visibility of an Interactive App (MATLAB) to a specific LDAP group and a couple of additional users. Our manifest.yml file looks like this:

---
name: MATLAB
category: interactive
subcategory: GUIs
role: batch_connect
description: |
  MATLAB GUI 

allowed_groups:
  - xxx

allowed_users:
  - xxx
  - yyy

The issue is:

  • The app is still visible to all users, even those not in group or allowed users.
  • We’re sure the users’ group memberships are managed in LDAP (confirmed with id username).
  • Apache is running and serving OnDemand as expected (httpd service).
  • File ownership and permissions on /var/www/ood/apps/sys/bc_matlab/ are correct.
  • We run touch tmp/restart.txt after every change to refresh the app.

We’re wondering:

  1. Does allowed_groups work out of the box with LDAP-backed groups in 3.1.1?
  2. Are any additional configurations (e.g., SSSD or OOD environment variables) needed to make LDAP groups recognizable for app visibility logic?

Thanks in advance for any guidance!

Best,

Hi and welcome. I’m not sure where you got allowed_groups or allowed_users from. Maybe someone’s hack/modification?

In any case, allowed_groups and allowed_users are not a part of core Open OnDemand.

What you can do, however, is simply use FACLs on the applications directory so if it’s readable, then they have access. When it’s unreadable, they don’t.

Thanks for the suggestion. Adjusting group permissions does help restrict access, but the app still shows up for all users in the OnDemand dashboard. This can lead to confusion or failed attempts from users who aren’t supposed to run it.

Ideally, having a way to control app visibility—such as allowed_groups or allowed_users in manifest.yml—would be great, if technically feasible.

For now, modifying the file permissions is our only choice, but I hope visibility controls might be considered in future versions.
Thanks again for the support.

You likely need to set it to 750 to disable anonymous access.

This is unlikely, but it is important to remember that NFSv3 does have a hard limit of 16 user groups, so if you are using NFSv3 and have tons of user groups, it can crop up.
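
The FACL and 750 suggestions in this thread, as an added example that is not part of any post or of Open OnDemand itself: a small checker that applies the POSIX ACL evaluation order to `getfacl` output and reports whether an account can read and traverse the app directory. The ACL text, the user `alice` and the group `matlab_users` are constructed sample values.

```python
# Added example: evaluate `getfacl` output for an OnDemand app directory.
# The ACL text, user names and group names are constructed sample data.
RESTRICTED = """\
# file: var/www/ood/apps/sys/bc_matlab
# owner: root
# group: root
user::rwx
user:alice:r-x
group::r-x
group:matlab_users:r-x
mask::r-x
other::---
"""
OPEN = RESTRICTED.replace("other::---", "other::r-x")  # "other" can still read

def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): perms})."""
    owner = group = None
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # drop a trailing "#effective:..." comment if present
            tag, qual, perms = line.split("#")[0].strip().split(":")
            acl[(tag, qual)] = perms
    return owner, group, acl

def can_read(text, user, groups):
    """POSIX ACL check order: owner, named user, groups, other."""
    owner, owning_group, acl = parse_getfacl(text)
    mask = acl.get(("mask", ""), "rwx")
    def rx(perms, masked):
        # named-user and group entries are limited by the mask entry
        eff = {p for p, m in zip(perms, mask) if p != "-" and (m != "-" or not masked)}
        return {"r", "x"} <= eff

    if user == owner:
        return rx(acl[("user", "")], False)
    if ("user", user) in acl:
        return rx(acl[("user", user)], True)
    matched = [p for (t, q), p in acl.items()
               if t == "group" and (q or owning_group) in groups]
    if matched:  # a matching group entry that denies does not fall through
        return any(rx(p, True) for p in matched)
    return rx(acl[("other", "")], False)
```

Feed it the real output of `getfacl` on the app directory together with the group list from `id username` to confirm that only the intended accounts pass.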