b79934f11d
Corrects docs to state that when expanding a site replication peer set, you must list all existing peers. Closes #1340 Adds information that when adding Distinguished Names as search parameters, multiple DNs must be separated with a semi-colon. Closes #1341
16 KiB
Specify the unique public identifier MinIO uses when authenticating
user credentials against the OIDC (OpenID Connect) compatible provider.
Specify the client secret MinIO uses when authenticating user
credentials against the OIDC (OpenID Connect) compatible provider. This field
may be optional depending on the provider.
RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of mc admin config get.
Specify a comma-separated list of policy names <minio-policy> to use for the
request's RoleArn for all authentication requests for the
provider. The specified policy or policies must already exist on the
MinIO Server.
To use this OIDC configuration, you must specify the corresponding
RoleArn <minio-assumerolewithwebidentity-query-parameters>
in the STS request body.
Specify the URL for the JSON Web Key Set (JWKS) for MinIO to use when
verifying any JSON Web Tokens (JWT) issued by the OIDC (OpenID Connect)
compatible provider.
Specify the URL for the OIDC (OpenID Connect) compatible provider discovery
document.
The OIDC (OpenID Connect) Discovery URL typically
resembles the following:
https://openid-provider.example.net/.well-known/openid-configuration
Specify the name of the JWT
Claim MinIO uses to identify the policies <minio-policy> to attach to the
authenticated user.
The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server.
Defaults to policy.
Specify the user-facing name the MinIO Console displays on the login screen.
Specify the JWT Claim namespace prefix to apply to the specified claim name.
Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.
Important
This parameter was removed in RELEASE.2023-02-27T18-10-45Z. Use the MINIO_BROWSER_REDIRECT_URL
environment variable <minio-server-environment-variables>
instead.
The MinIO Console defaults to using the hostname of the node making
the authentication request. For MinIO deployments behind a load balancer
or reverse proxy, specify this field to ensure the OIDC provider returns
the authentication response to the correct MinIO Console URL. Include
the Console hostname, port, and /oauth_callback:
http://minio.example.net:consoleport/oauth_callbackEnsure you start the MinIO Server with the ~minio server --console-address option to set a
static Console listen port. The default behavior with that option
omitted is to select a random port number at startup.
The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.
The MinIO Console defaults to using the hostname of the node making the authentication request as part of the redirect URI provided to the OIDC provider. For MinIO deployments behind a load balancer using a round-robin protocol, this may result in the load balancer returning the response to a different MinIO Node than the originating client.
Specify this option as on to direct the MinIO Console to
use the Host header of the originating request to construct
the redirect URI passed to the OIDC provider. Defaults to
off.
Allow MinIO to fetch claims from the UserInfo Endpoint for the authenticated user.
Valid values are on or off.
Specify the OIDC Vendor to enable specific supported behaviors for that vendor.
Supports the following value:
keycloak
Specify the Keycloak Realm to use as part of Keycloak Admin API
Operations, such as main.
Specify the Keycloak Admin API URL. MinIO can use this URL if
configured to periodically validate authenticated Keycloak users as
active/existing. For example,
https://keycloak-endpoint:port/admin/.
Specify a comment to associate with the OIDC (OpenID Connect)
compatible provider configuration.
Specify the hostname for the Active Directory / LDAP server. For example:
ldapserver.com:636~mc idp ldap add srv_record_name automatically
identifies the port
If your AD/LDAP server uses DNS SRV Records <mc idp ldap add srv_record_name>,
do not append the port number to your ~mc idp ldap add server_addr value. SRV requests
automatically include port numbers when returning the list of available
servers.
Specify the Distinguished Name (DN) for an AD/LDAP account MinIO uses
when querying the AD/LDAP server. Enables Lookup-Bind
<minio-external-identity-management-ad-ldap-lookup-bind>
authentication to the AD/LDAP server.
The DN account should be a read-only access keys with sufficient privileges to support querying performing user and group lookups.
Specify the password for the Lookup-Bind
<minio-external-identity-management-ad-ldap-lookup-bind>
user account.
RELEASE.2023-06-23T20-26-00Z
MinIO redacts this value when returned as part of mc admin config get.
RELEASE.2024-06-06T09-36-42Z
Comma-separated list of user DN attributes.
Some valid values include, uid,cn,mail,sshPublicKey.
To enable public authentication for LDAP users, pass
sshPublicKey as a DN attribute. The user can then use the
passed SSH Public Key to log in to SFTP servers.
mc idp ldap update ALIAS user_dn_attributes=sshPublicKeySpecify the base Distinguished Name (DN) MinIO uses when querying for user credentials matching those provided by an authenticating client.
Separate multiple DNs with a semicolon (;).
For example:
cn=miniousers,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=ioSupports Lookup-Bind <minio-external-identity-management-ad-ldap-lookup-bind>
mode.
Specify the AD/LDAP search filter MinIO uses when querying for user credentials matching those provided by an authenticating client.
Use the %s substitution character to insert the
client-specified username into the search string. For example:
(userPrincipalName=%s)Specify an AD/LDAP search filter for performing group lookups for the authenticated user
Use the %s substitution character to insert the
client-specified username into the search string. Use the
%d substitution character to insert the Distinguished Name
of the client-specified username into the search string.
For example:
(&(objectclass=groupOfNames)(memberUid=%s))Specify a semicolon-separated (;) list of group search
base Distinguished
Names MinIO uses when performing group lookups.
For example:
cn=miniogroups,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=ioSpecify on to trust the AD/LDAP server TLS certificates
without verification. This option may be required if the AD/LDAP server
TLS certificates are signed by an untrusted Certificate Authority (e.g.
self-signed).
Defaults to off
Specify on to allow unsecured (non-TLS encrypted)
connections to the AD/LDAP server.
MinIO sends AD/LDAP user credentials in plain text to the AD/LDAP server, such that enabling TLS is required to prevent reading credentials over the wire. Using this option presents a security risk where any user with access to network traffic can observe the unencrypted plaintext credentials.
Defaults to off.
Specify on to enable StartTLS connections
to an AD/LDAP server.
Defaults to off
For more about StartTLS, refer to section 4.14 of the LDAP RFC 4511
specification.
Specify the appropriate value to enable MinIO to select an AD/LDAP server using a DNS SRV record request.
When enabled, MinIO selects an AD/LDAP server by:
- Constructing the target SRV record name following standard naming conventions.
- Requesting a list of available AD/LDAP servers.
- Choosing an appropriate target based on priority and weight.
The configuration examples below presume the AD/LDAP server address
is set to example.com and the SRV record protocol is
_tcp.
For SRV record names beginning with _ldap, specify
ldap. The constructed DNS SRV record name resembles the
following:
_ldap._tcp.example.comFor SRV record names with beginning with _ldaps, specify
ldaps. The constructed DNS SRV record name resembles the
following:
_ldaps._tcp.example.comIf your DNS SRV record name uses alternate service or protocol names,
specify on and provide the full record name as your LDAP
server address. Example:
_ldapserver._specialtcp.example.com
For more about DNS SRV records, see DNS SRV Records for LDAP.
Server address for DNS SRV record configurations
The specified server name must not include a port number. This is different from a standard AD/LDAP configuration, where the port number is required.
See ~identity_ldap.server_addr or MINIO_IDENTITY_LDAP_SERVER_ADDR for more about
configuring an AD/LDAP server address.
Specify a comment to associate to the AD/LDAP configuration.
Log in to the MinIO Console as either the
root <minio-users-root>user or a MinIO user with theconsoleAdminpolicy.In the
Identitysection, selectLDAPand thenEdit Configurationto configure an Active Directory or LDAP server. The minimum required settings are:- Server Address
- Lookup Bind DN
- Lookup Bind Password
- User DN Search Base
- User DN Search Filter
Not all configuration options are available in the MinIO Console. For additional settings, use
mc idp ldaporenvironment variables <minio-server-envvar-external-identity-management-ad-ldap>.
The webhook endpoint for the external identity management service
(https://authservice.example.net:8080/auth).
An authentication token to present to the configured webhook endpoint.
Specify a supported HTTP Authentication
scheme as a string value, such as "Bearer TOKEN". MinIO
sends the token using the HTTP Authorization
header.
Specify a comma-separated list of MinIO policies <minio-policy>
to assign to authenticated users.
Specify a unique ID MinIO uses to generate an ARN for this identity manager.
If omitted, MinIO automatically generates the ID and prints the full ARN to the server log.
Specify a comment to associate to the identity configuration.
The webhook endpoint for the external access management service
(https://authzservice.example.net:8080/authz).
An authentication token to present to the configured webhook endpoint.
Specify a supported HTTP Authentication
scheme as a string value, such as "Bearer TOKEN". MinIO
sends the token using the HTTP Authorization
header.
Enable experimental HTTP2 support for connecting to the configure webhook service.
Defaults to off
Specify a comment to associate to the external access management configuration.