mirror of https://github.com/minio/docs.git synced 2025-11-06 03:49:02 +03:00
docs/source/includes/baremetal/steps-configure-ad-ldap-external-identity-management.rst
Ravind Kumar 571f188a4e Attempting to reduce docs to single platform (#1258)

We are going to make the following changes to the Object Store docs as
part of a larger QC/Content pass:

### Left Navigation

We want to modify the left navigation flow to be a natural progression
from a basic setup to more advanced.

For example:

- Core Concepts
  - Deployment Architecture
  - Availability and Resiliency
  - Erasure Coding and Object Healing
  - Object Scanner
  - Site Replication and Failover
  - Thresholds and Limits
- Installation
  - Deployment Checklist
  - Deploy MinIO on Kubernetes
  - Deploy MinIO on Red Hat Linux
  - Deploy MinIO on Ubuntu Linux
  - Deploy MinIO for Development (MacOS, Windows, Container)
- Security and Encryption (Conceptual Overview)
  - Network Encryption (TLS) (Conceptual overview)
    - Enable Network Encryption using Single Domain
    - Enable Network Encryption using Multiple Domains
    - Enable Network Encryption using certmanager (Kubernetes only)
  - Data Encryption (SSE) (Conceptual overview)
    - Enable SSE using AIStor Key Management Server
    - Enable SSE using KES (Summary page + linkouts)
  - External Identity Management (Conceptual Overview)
    - Enable External Identity management using OpenID
    - Enable External Identity management using AD/LDAP
- Backup and Recovery
  - Create a Multi-Site Replication Configuration
  - Recovery after Hardware Failure
    - Recover after drive failure
    - Recover after node failure
    - Recover after site failure
- Monitoring and Alerts
  - Metrics and Alerting (v3 reference)
    - Monitoring and Alerting using Prometheus
    - Monitoring and Alerting using InfluxDB
    - Monitoring and Alerting using Grafana
    - Metrics V2 Reference
  - Publish Server and Audit Logs to External Services
  - MinIO Healthcheck API

The Administration, Developer, and Reference sections will remain as-is
for now.

http://192.241.195.202:9000/staging/singleplat/mindocs/index.html

# Goals

Maintaining multiple platforms is getting to be too much, and based on
analytics the actual number of users taking advantage of it is minimal.

Furthermore, the majority of traffic is to installation pages.

Therefore we're going to try to collapse back into a single MinIO Object
Storage product, and use simple navigation and on-page selectors to
handle Baremetal vs Kubernetes.

This may also help to eventually stage us to migrate to Hugo + Markdown

---------

Co-authored-by: Daryl White <53910321+djwfyi@users.noreply.github.com>
Co-authored-by: Rushan <rushenn@minio.io>
Co-authored-by: rushenn <rushenn123@gmail.com>
2025-07-30 12:33:02 -04:00


  1. Set the Active Directory / LDAP Configuration Settings

    Configure the AD/LDAP provider using one of the following:

    • MinIO Client
    • Environment variables

    All methods require starting/restarting the MinIO deployment to apply changes.

    The following tabs provide a quick reference for the available configuration methods:

    MinIO Client

    MinIO supports specifying the AD/LDAP provider settings using mc idp ldap commands.

    For distributed deployments, the mc idp ldap command applies the configuration to all nodes in the deployment.

    The following example code sets all configuration settings related to configuring an AD/LDAP provider for external identity management.

    The minimum required settings are:

    • server_addr
    • lookup_bind_dn
    • lookup_bind_password
    • user_dn_search_base_dn
    • user_dn_search_filter

    mc idp ldap add ALIAS                                                  \
      server_addr="ldaps.example.net:636"                                  \
      lookup_bind_dn="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net"        \
      lookup_bind_password="xxxxxxxx"                                      \
      user_dn_search_base_dn="DC=example,DC=net"                           \
      user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))"  \
      group_search_filter="(&(objectClass=group)(member=%d))"              \
      group_search_base_dn="ou=MinIO Users,dc=example,dc=net"              \
      tls_skip_verify="off"                                                \
      server_insecure="off"                                                \
      server_starttls="off"                                                \
      srv_record_name=""                                                   \
      comment="Test LDAP server"

    Each setting must be written as key=value with no space around the equals sign, or the shell passes it as two separate arguments. The example leaves tls_skip_verify and server_insecure off, which is the setting to keep for an LDAPS server: turning either on exposes the lookup bind password and every user's login password to any host on the network path.

    For Kubernetes deployments, ensure the ALIAS corresponds to the externally accessible hostname for the MinIO Tenant.

    For more complete documentation on these settings, see mc idp ldap.

    mc idp ldap recommended

    mc idp ldap offers additional features and improved validation over mc admin config set runtime configuration settings. mc idp ldap supports the same settings as mc admin config and the identity_ldap configuration key.

    The identity_ldap configuration key remains available for existing scripts and tools.

    Environment Variables

    MinIO supports specifying the AD/LDAP provider settings using environment variables.

    The minio server process applies the specified settings on its next startup. For distributed deployments, specify these settings across all nodes in the deployment using the same values. Any differences in server configurations between nodes will result in startup or configuration failures.

    The following example code sets all environment variables related to configuring an AD/LDAP provider for external identity management. The minimum required variables are:

    • MINIO_IDENTITY_LDAP_SERVER_ADDR
    • MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
    • MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
    • MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
    • MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER

    export MINIO_IDENTITY_LDAP_SERVER_ADDR="ldaps.example.net:636"
    export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net"
    export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="dc=example,dc=net"
    export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(&(objectCategory=user)(sAMAccountName=%s))"
    export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="xxxxxxxxx"
    export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectClass=group)(member=%d))"
    export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="ou=MinIO Users,dc=example,dc=net"
    export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="off"
    export MINIO_IDENTITY_LDAP_SERVER_INSECURE="off"
    export MINIO_IDENTITY_LDAP_SERVER_STARTTLS="off"
    export MINIO_IDENTITY_LDAP_SRV_RECORD_NAME=""
    export MINIO_IDENTITY_LDAP_COMMENT="LDAP test server"

    For complete documentation on these variables, see minio-server-envvar-external-identity-management-ad-ldap.
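    The settings above are the same whether you pass them to mc idp ldap or export them as variables, and the two values that matter most for security (tls_skip_verify and server_insecure) are easy to flip to "on" while debugging and forget. The following is an added example for this page, not code from the MinIO docs or the minio project: a small Python linter that checks one node's MINIO_IDENTITY_LDAP_* variables for the settings that weaken transport security or detach the user search from the login name, and compares the variables across nodes, since a distributed deployment fails to start when they differ. The HARDENED and WEAK dictionaries are constructed for the example and reuse the page's placeholder values; the "on"/"off" spelling it recognises is the one the page uses.

```python
"""Lint MinIO AD/LDAP settings before the restart that applies them.

Added example for this page; not code from the MinIO docs or the minio
project. HARDENED and WEAK below are constructed sample configurations.
"""
import re

REQUIRED = (
    "MINIO_IDENTITY_LDAP_SERVER_ADDR",
    "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN",
    "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD",
    "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN",
    "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER",
)


def _on(env, key):
    # Only the on/off spelling used on the page is recognised here.
    return env.get(key, "off").strip().lower() == "on"


def lint_ldap_config(env):
    """Return findings for one node's settings; an empty list means nothing weak was found."""
    findings = []
    for key in REQUIRED:
        if not env.get(key):
            findings.append(f"missing required setting {key}")

    addr = env.get("MINIO_IDENTITY_LDAP_SERVER_ADDR", "")
    match = re.fullmatch(r"([A-Za-z0-9.\-]+):(\d{1,5})", addr)
    if addr and not match:
        findings.append(f"server_addr {addr!r} must be host:port with no scheme")
    port = int(match.group(2)) if match else None

    if _on(env, "MINIO_IDENTITY_LDAP_SERVER_INSECURE"):
        # Plaintext LDAP: the lookup bind password and every password
        # submitted at login cross the network in cleartext.
        findings.append("server_insecure=on sends bind and user passwords in cleartext")
    if _on(env, "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY"):
        # TLS without certificate verification is defeated by any on-path
        # host that presents its own certificate.
        findings.append("tls_skip_verify=on disables server certificate verification")
    if _on(env, "MINIO_IDENTITY_LDAP_SERVER_STARTTLS") and port == 636:
        # 636 is implicit TLS (ldaps); StartTLS upgrades a plaintext session, normally on 389.
        findings.append("server_starttls=on on port 636 mixes StartTLS with the implicit-TLS port")

    user_filter = env.get("MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER", "")
    if user_filter and "%s" not in user_filter:
        # MinIO substitutes the login name for %s; without it the search is
        # not tied to the user who is authenticating.
        findings.append("user_dn_search_filter lacks %s and is not bound to the login username")
    group_filter = env.get("MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER", "")
    if group_filter and "%d" not in group_filter:
        # %d is replaced with the authenticated user's DN.
        findings.append("group_search_filter lacks %d and is not bound to the user's DN")
    return findings


def check_nodes_consistent(node_envs):
    """Return setting names whose values differ between nodes (must be empty for a distributed deployment)."""
    keys = set()
    for env in node_envs:
        keys.update(k for k in env if k.startswith("MINIO_IDENTITY_LDAP_"))
    first = node_envs[0]
    return sorted(k for k in keys if any(e.get(k) != first.get(k) for e in node_envs[1:]))


# Constructed sample: the page's settings with its placeholder values.
HARDENED = {
    "MINIO_IDENTITY_LDAP_SERVER_ADDR": "ldaps.example.net:636",
    "MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN": "CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net",
    "MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD": "xxxxxxxx",
    "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN": "DC=example,DC=net",
    "MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER": "(&(objectCategory=user)(sAMAccountName=%s))",
    "MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER": "(&(objectClass=group)(member=%d))",
    "MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN": "ou=MinIO Users,dc=example,dc=net",
    "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY": "off",
    "MINIO_IDENTITY_LDAP_SERVER_INSECURE": "off",
    "MINIO_IDENTITY_LDAP_SERVER_STARTTLS": "off",
}
# Constructed sample: the same deployment after a "temporary" debugging change.
WEAK = dict(
    HARDENED,
    MINIO_IDENTITY_LDAP_SERVER_ADDR="ldap.example.net:389",
    MINIO_IDENTITY_LDAP_SERVER_INSECURE="on",
    MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="on",
    MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(objectCategory=user)",
)

if __name__ == "__main__":
    for name, env in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, lint_ldap_config(env) or "ok")
    print("differs between nodes:", check_nodes_consistent([HARDENED, WEAK]))
```

    Run it against the environment of every node (for example by dumping `env | grep MINIO_IDENTITY_LDAP_` from each host into a dict) before issuing the restart in the next step; a non-empty result from check_nodes_consistent is exactly the mismatch that makes a distributed restart fail.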

  2. Restart the MinIO Deployment

    You must restart the MinIO deployment to apply the configuration changes.

    If you configured AD/LDAP from the MinIO Console, no additional action is required. The MinIO Console automatically restarts the deployment after saving the new AD/LDAP configuration.

    For MinIO Client and environment variable configuration, use the mc admin service restart command to restart the deployment:

    mc admin service restart ALIAS

    Replace ALIAS with the alias of the deployment to restart.

  3. Use the MinIO Console to Log In with AD/LDAP Credentials

    The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.

    You can access the Console by opening the root URL for the MinIO cluster. For example, https://minio.example.net:9000.

    Once logged in, you can perform any action for which the authenticated user is authorized.

    You can also create access keys for supporting applications which must perform operations on MinIO. Access keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account.

  4. Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials

    MinIO requires clients to authenticate using the AWS Signature Version 4 protocol, with support for the deprecated Signature Version 2 protocol. Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as PUT, GET, and DELETE operations.

    Applications can generate temporary access credentials as needed using the AssumeRoleWithLDAPIdentity Security Token Service (STS) API endpoint and AD/LDAP user credentials. MinIO provides an example Go application, ldap.go (https://github.com/minio/minio/blob/master/docs/sts/ldap.go), that manages this workflow.

    POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
    &LDAPUsername=USERNAME
    &LDAPPassword=PASSWORD
    &Version=2011-06-15
    &Policy={}

    • Replace the LDAPUsername with the username of the AD/LDAP user.

    • Replace the LDAPPassword with the password of the AD/LDAP user.

    • Replace the Policy with an inline URL-encoded JSON policy that further restricts the permissions associated to the temporary credentials.

      Omit to use the policy whose name matches the Distinguished Name (DN) of the AD/LDAP user.

    Because the request carries the user's AD/LDAP password, send it only over TLS to the MinIO endpoint.

    The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications use the access key and secret key to sign requests to MinIO and must also send the session token with every such request (the X-Amz-Security-Token header, or the session token field of the SDK in use); a request signed with a temporary access key but without its session token fails authentication.

    See the AssumeRoleWithLDAPIdentity reference documentation for details.
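    The exchange in this step, as an added Python example that is not code from the MinIO docs or the minio project (the project's own sample is the Go program ldap.go named above): it builds the form-encoded POST body with the URL-encoded inline policy, refuses to send the AD/LDAP password over anything but https, parses the XML response into the four values MinIO returns, distinguishes an STS ErrorResponse (a failed LDAP bind) from a credentials document, and returns the header that must accompany every later S3 request. The endpoint URL, the DurationSeconds value (the endpoint's optional credential lifetime, not shown on the page) and the two XML documents are constructed for the example.

```python
"""Get temporary S3 credentials from MinIO's AssumeRoleWithLDAPIdentity endpoint.

Added example for this page, not code from the MinIO docs or the minio
project. The endpoint and the XML documents below are constructed samples.
"""
import json
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urlencode, urlsplit
from urllib.request import Request, urlopen

STS_VERSION = "2011-06-15"


def build_assume_role_request(endpoint, username, password, policy=None, duration_seconds=3600):
    """Return (url, body, headers) for the STS call; refuse anything but https."""
    scheme = urlsplit(endpoint).scheme
    if scheme != "https":
        # The AD/LDAP password is in the POST body; plaintext HTTP would expose it.
        raise ValueError(f"refusing to send LDAP credentials over {scheme}://")
    params = {
        "Action": "AssumeRoleWithLDAPIdentity",
        "Version": STS_VERSION,
        "LDAPUsername": username,
        "LDAPPassword": password,
        "DurationSeconds": str(duration_seconds),
    }
    if policy is not None:
        # An inline policy can only narrow what the DN-mapped policy already grants.
        params["Policy"] = json.dumps(policy, separators=(",", ":"))
    body = urlencode(params).encode()  # percent-encodes the JSON policy
    return endpoint, body, {"Content-Type": "application/x-www-form-urlencoded"}


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix


def parse_assume_role_response(xml_bytes):
    """Extract the four credential fields; raise on an ErrorResponse or a missing field."""
    root = ET.fromstring(xml_bytes)
    if _local(root.tag) == "ErrorResponse":
        fields = {_local(el.tag): (el.text or "") for el in root.iter()}
        raise ValueError(f"STS error {fields.get('Code', '?')}: {fields.get('Message', '')}")
    wanted = {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}
    creds = {_local(el.tag): (el.text or "").strip()
             for el in root.iter() if _local(el.tag) in wanted}
    missing = wanted - set(creds)
    if missing:
        raise ValueError(f"STS response missing {sorted(missing)}")
    return creds


def session_token_header(creds):
    """Header every later S3 request must carry alongside its SigV4 signature."""
    return {"X-Amz-Security-Token": creds["SessionToken"]}


def assume_role(endpoint, username, password, policy=None):
    """Perform the exchange against a live MinIO server (network call)."""
    url, body, headers = build_assume_role_request(endpoint, username, password, policy)
    try:
        with urlopen(Request(url, data=body, headers=headers, method="POST")) as resp:
            return parse_assume_role_response(resp.read())
    except HTTPError as err:
        # A failed bind comes back as a non-2xx status with an ErrorResponse body.
        return parse_assume_role_response(err.read())


# Constructed sample of a successful response.
SAMPLE_RESPONSE = b"""<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithLDAPIdentityResult><Credentials>
    <AccessKeyId>EXAMPLEACCESSKEY</AccessKeyId>
    <SecretAccessKey>EXAMPLESECRETKEY</SecretAccessKey>
    <SessionToken>EXAMPLE.SESSION.TOKEN</SessionToken>
    <Expiration>2025-07-30T17:33:02Z</Expiration>
  </Credentials></AssumeRoleWithLDAPIdentityResult>
</AssumeRoleWithLDAPIdentityResponse>"""

# Constructed sample of a rejected login.
SAMPLE_ERROR = b"""<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error><Code>AccessDenied</Code><Message>LDAP authentication failed</Message></Error>
</ErrorResponse>"""

if __name__ == "__main__":
    _, body, _ = build_assume_role_request(
        "https://minio.example.net:9000", "alice", "s3cret",
        policy={"Version": "2012-10-17", "Statement": []})
    print(body.decode())
    creds = parse_assume_role_response(SAMPLE_RESPONSE)
    print(creds["AccessKeyId"], creds["Expiration"], session_token_header(creds))
```

    Signing the follow-up S3 requests is left to an SDK (both minio-py and boto3 accept a session token next to the access and secret keys); the point the example makes is that the token is part of the credential set, and that a plaintext endpoint or an ErrorResponse should stop the client rather than be ignored.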