mirror of https://github.com/minio/docs.git synced 2025-07-28 19:42:10 +03:00

Updated LDAP docs (#939)

Update the AD/LDAP configuration instructions, including adding details
about configuring with Console.

Includes reformatting some existing content.

Questions:
- What, exactly, is the status of the `mc admin config identity_ldap`
settings? Deprecated? There, but not recommended for new configurations?
- Are the "all settings" examples correct and appropriate? I'm not clear
if `mc idp ldap` supports the same settings with the same names as
`identity_ldap`.

Staged:

http://192.241.195.202:9000/staging/DOCS-919/linux/html/operations/external-iam/configure-ad-ldap-external-identity-management.html

Fixes https://github.com/minio/docs/issues/919

---------

Co-authored-by: Ravind Kumar <ravind@min.io>
Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
Andrea Longo
2023-08-10 09:44:12 -06:00
committed by GitHub
parent a5729b78e5
commit 8f598693f0
6 changed files with 148 additions and 106 deletions


@ -145,6 +145,8 @@ Configuring an external IDP enables Single-Sign On workflows, where applications
Use the the screens in this section to view, add, or edit OIDC configurations for the deployment.
MinIO supports any number of active OIDC configurations.
.. _minio-console-admin-identity-ldap:
LDAP
~~~~
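
Review bot: the context line directly above the new `.. _minio-console-admin-identity-ldap:` label still reads "Use the the screens in this section" (doubled "the"); since this section is being touched, fix it in the same commit. The hunk header shows two added lines, so also confirm that one of them is a blank line between the label and the `LDAP` title, which reStructuredText needs for the label to attach to the section cleanly.
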
@ -154,4 +156,5 @@ Configuring an external IDentity Provider (IDP) enables Single-Sign On (SSO) wor
Use the the screens in this section to view, add, or edit an LDAP configuration for the deployment.
MinIO only supports one active LDAP configuration.
MinIO queries the active Active Directory / LDAP server to verify the credentials specified by the application and optionally return a list of groups in which the user has membership.
MinIO queries the Active Directory / LDAP server to verify the client-specified credentials.
MinIO also performs a group lookup on the AD/LDAP server if configured to do so.
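
Review bot: the new closing sentence, "MinIO also performs a group lookup on the AD/LDAP server if configured to do so", does not say which settings enable the lookup; name or link the group search settings so readers know that group-based policy assignment depends on them. The unchanged first line of this hunk also carries the doubled "the" ("Use the the screens") and can be fixed in the same pass.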


@ -55,9 +55,10 @@ full login flow.
AD/LDAP users can alternatively create :ref:`access keys <minio-idp-service-account>` associated to their AD/LDAP user Distinguished Name.
Access Keys are long-lived credentials which inherit their privileges from the parent user.
The parent user can further restrict those privileges while creating the access keys.
Use either of the following methods to create a new access keys:
Use either of the following methods to create a new access key:
- Log into the :ref:`MinIO Console <minio-console>` using the AD/LDAP-managed user credentials. From the :guilabel:`Identity` section of the left navigation, select :guilabel:`Access Keys` followed by the :guilabel:`Create access keys +` button.
- Log into the :ref:`MinIO Console <minio-console>` using the AD/LDAP-managed user credentials.
In the :guilabel:`User` section, select :guilabel:`Access Keys` followed by :guilabel:`Create access keys +`.
- Use the :mc:`mc admin user svcacct add` command to create the access keys. Specify the user Distinguished Name as the username to which to associate the access keys.
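
Review bot: the singular fix stops at the lead-in ("create a new access key"); the `mc admin user svcacct add` bullet still says "create the access keys" and "associate the access keys", and it stays on one long line while the Console bullet was reflowed to one sentence per line. Bring the second bullet in line with both changes, and check that the continuation line starting "In the :guilabel:`User` section" is indented under its bullet so it renders as part of that list item.
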
@ -102,4 +103,4 @@ Consider the following policy assignments:
- MinIO would assign any authenticating user with membership in the
``cn=engineering,cn=groups,dc=example,dc=com`` AD/LDAP group the
:userpolicy:`diagnostics` policy, granting access to diagnostic administrative
operations.
operations.
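
Review bot: the two `operations.` lines at the end of this hunk are textually identical, so the change is whitespace or an end-of-file newline only; confirm that it is intended rather than editor noise, or drop it from the commit.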