Specify the unique public identifier MinIO uses when authenticating user credentials against the OIDC (OpenID Connect) compatible provider.

Specify the client secret MinIO uses when authenticating user credentials against the OIDC (OpenID Connect) compatible provider. This field may be optional depending on the provider.

Specify the URL for the JSON Web Key Set (JWKS) for MinIO to use when verifying any JSON Web Tokens (JWT) issued by the OIDC (OpenID Connect) compatible provider.

Specify the URL for the OIDC (OpenID Connect) compatible provider discovery document. The OIDC Discovery URL typically resembles the following:

https://openid-provider.example.net/.well-known/openid-configuration

Specify the name of the JWT Claim MinIO uses to identify the policies to attach to the authenticated user. The claim can contain one or more comma-separated policy names to attach to the user. The claim must contain at least one policy for the user to have any permissions on the MinIO server. Defaults to policy.

Specify the JWT Claim namespace prefix to apply to the specified claim name.

Specify a comma-separated list of scopes. Defaults to those scopes advertised in the discovery document.

Specify the redirect URI the MinIO Console uses when authenticating against the configured provider. Include the console port and /oauth_callback as part of the URL:

http://minio.example.net:consoleport/oauth_callback

MinIO defaults to using the hostname of the node making the authentication request. MinIO deployments behind a load balancer or reverse proxy may need to specify this field to ensure the OIDC provider returns the authentication response to the correct URL. The specified URI must match one of the approved redirect / callback URIs on the provider. See the OpenID Authentication Request for more information.

Note: The embedded MinIO Console by default uses a random port number selected at server startup. Start the MinIO server process with the minio server --console-address option to specify a static port number.

Specify a comment to associate with the OIDC (OpenID Connect) compatible provider configuration.
Specify the hostname for the Active Directory / LDAP server. For example:

https://ldapserver.com:636

Specify the duration for which the credentials are valid as <int><unit>. Valid time units are as follows:

s - seconds
m - minutes
h - hours
d - days

The default is 1h, or 1 hour.
Specify the Distinguished Name (DN) for an AD/LDAP account MinIO uses when querying the AD/LDAP server. Enables Lookup-Bind authentication to the AD/LDAP server. The DN account should be a read-only service account with sufficient privileges to perform user and group lookups.

Specify the password for the Lookup-Bind user account.

Specify the base Distinguished Name (DN) MinIO uses when querying for user credentials matching those provided by an authenticating client. For example:

cn=miniousers,dc=myldapserver,dc=net

Supports Lookup-Bind mode.
Specify the AD/LDAP search filter MinIO uses when querying for user credentials matching those provided by an authenticating client. Use the %s substitution character to insert the client-specified username into the search string. For example:

(userPrincipalName=%s)

Specify a comma-separated list of Distinguished Name templates used for querying the AD/LDAP server. MinIO attempts to log in to the AD/LDAP server by applying the user credentials specified by the authenticating client to each DN template. Use the %s substitution character to insert the client-specified username into the search string. For example:

uid=%s,cn=miniousers,dc=myldapserver,dc=net,userPrincipalName=%s,cn=miniousers,dc=myldapserver,dc=net

MinIO uses the first DN template that results in a successful login to perform a group lookup for that user.

Specify an AD/LDAP search filter for performing group lookups for the authenticated user. Use the %s substitution character to insert the client-specified username into the search string. Use the %d substitution character to insert the Distinguished Name of the client-specified username into the search string. For example:

(&(objectclass=groupOfNames)(memberUid=%s))

Specify a comma-separated list of group search base Distinguished Names MinIO uses when performing group lookups. For example:

cn=miniogroups,dc=myldapserver,dc=net
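To see how the %s and %d substitutions compose across the user filter, DN templates and group filter described above, here is an added example (not MinIO's code). It escapes the inserted values per RFC 4515 (filter values) and RFC 4514 (DN values) so that LDAP metacharacters in a client-supplied username cannot change the shape of the query; that escaping is an assumption about sound practice, not a description of MinIO's implementation.

```python
# Added example, not MinIO's code: expand the %s / %d placeholders used by the
# AD/LDAP search-filter and DN-template settings, escaping substituted values.
from typing import Optional

# RFC 4515: these characters inside a filter assertion value must be \XX-encoded.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# RFC 4514: these characters inside a DN attribute value must be backslash-escaped.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # '#' is special only at the start of a value; a space only at either end.
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template: str, username: str, user_dn: Optional[str] = None) -> str:
    """Fill %s (username) and, for group lookups, %d (the user's DN).
    Both land inside a filter assertion value, so both get filter escaping."""
    result = template.replace("%s", escape_filter_value(username))
    if user_dn is not None:
        result = result.replace("%d", escape_filter_value(user_dn))
    return result


def expand_dn_template(template: str, username: str) -> str:
    """Fill %s in one DN template taken from the comma-separated template list."""
    return template.replace("%s", escape_dn_value(username))


if __name__ == "__main__":
    # Constructed sample values mirroring the examples in the settings above.
    print(expand_filter("(userPrincipalName=%s)", "alice"))
    dn = expand_dn_template("uid=%s,cn=miniousers,dc=myldapserver,dc=net", "alice")
    print(dn)
    print(expand_filter("(&(objectclass=groupOfNames)(member=%d))", "alice", dn))
```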
Specify on to trust the AD/LDAP server TLS certificates without verification. This option may be required if the AD/LDAP server TLS certificates are signed by an untrusted Certificate Authority (e.g. self-signed). Defaults to off.

Specify on to allow unsecured (non-TLS encrypted) connections to the AD/LDAP server. MinIO sends AD/LDAP user credentials to the AD/LDAP server in plaintext, so TLS is required to prevent the credentials from being read over the wire. Enabling this option presents a security risk: any user with access to the network traffic can observe the unencrypted plaintext credentials. Defaults to off.

Specify on to enable StartTLS connections to the AD/LDAP server. Defaults to off.

Specify a comment to associate with the AD/LDAP configuration.