Changes for several issues related to SFTP and LDAP (#1252)

- Adds info the docs about recent changes to LDAP and SFTP authentication - Adds new config/envvar parameter - Adds new sftp option for server - Adds new example for forcing ldap or sa auth to SFTP - Adds new example for using certificate authority for auth to SFTP Closes #1240 Closes #1229 Closes #1226 Closes #1208
2025-07-30 07:03:26 +03:00 · 2024-07-15 14:30:19 -04:00
parent 7ffa8b61b2
commit 529e67dc7e
8 changed files with 199 additions and 2 deletions
--- a/source/reference/minio-mc-admin/mc-admin-group.rst
+++ b/source/reference/minio-mc-admin/mc-admin-group.rst
@ -224,6 +224,8 @@ Syntax
      already exist. Use :mc-cmd:`mc admin group ls` to review the existing
      groups on a deployment.

+      A group name cannot contain the characters ``=`` (equal sign) or ``,`` (comma).
+
   .. mc-cmd:: MEMBERS

      The name of the user to add to the group.
--- a/source/reference/minio-mc/mc-idp-ldap-accesskey-create.rst
+++ b/source/reference/minio-mc/mc-idp-ldap-accesskey-create.rst
@ -77,6 +77,7 @@ Parameters
   :optional:

   An access key to use for the account.
+   The access key cannot contain the characters ``=`` (equal sign) or ``,`` (comma).

   Requires :mc-cmd:`~mc idp ldap accesskey create --secret-key`

--- a/source/reference/minio-server/minio-server.rst
+++ b/source/reference/minio-server/minio-server.rst
@ -192,6 +192,11 @@ The command accepts the following arguments:
        - Path to the user's private key file.
        - Absolute path or relative path from current location to the key file to use.
 
+      * - ``trusted-user-ca-key``
+        - Specifies a file containing public key of a certificate authority that is trusted to sign user certificates for authentication.
+          The file must contain a `user principals list <https://man.openbsd.org/ssh-keygen#CERTIFICATES>`__, and the list must include the user(s) that can authenticate with the key. 
+        - Absolute path or relative path from current location to the user's trusted certificate authority public key file.
+
      * - ``pub-key-algos``
        - Comma-separated list of the public key algorithms to support.
        - 
@ -253,6 +258,9 @@ The command accepts the following arguments:
             hmac-sha1
             hmac-sha1-96

+      * - ``disable-password-auth``
+        - Disable password authentication.
+        - ``true``

   For example:

--- a/source/reference/minio-server/settings/iam/ldap.rst
+++ b/source/reference/minio-server/settings/iam/ldap.rst
@ -198,6 +198,28 @@ User DN Search Filter
   :start-after: start-minio-ad-ldap-user-dn-search-filter
   :end-before: end-minio-ad-ldap-user-dn-search-filter
         
+User DN Attributes
+~~~~~~~~~~~~~~~~~~
+
+*Optional*
+
+.. tab-set::
+
+   .. tab-item:: Environment Variable
+      :sync: envvar
+
+      .. envvar:: MINIO_IDENTITY_LDAP_USER_DN_ATTRIBUTES
+
+   .. tab-item:: Configuration Setting
+      :sync: config
+
+      .. mc-conf:: identity_ldap user_dn_attributes
+         :delimiter: " "
+
+.. include:: /includes/common-minio-external-auth.rst
+   :start-after: start-minio-ad-ldap-user-dn-attributes
+   :end-before: end-minio-ad-ldap-user-dn-attributes
+
 Enabled
 ~~~~~~~