Configure MinIO for Authentication using Active Directory / LDAP

Overview

MinIO supports configuring a single Active Directory / LDAP Connect for external management of user identities.

The procedure on this page provides instructions for:

Kubernetes

For MinIO Tenants deployed using the MinIO Kubernetes Operator, this procedure covers:

Configuring a MinIO Tenant to use an external AD/LDAP provider
Accessing the Tenant Console using AD/LDAP Credentials.
Using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) API to generate temporary credentials for use by applications.

Baremetal

For MinIO deployments on baremetal infrastructure, this procedure covers:

Configuring a MinIO cluster for an external AD/LDAP provider.
Accessing the MinIO Console using AD/LDAP credentials.
Using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) API to generate temporary credentials for use by applications.

This procedure is generic for AD/LDAP services. See the documentation for the AD/LDAP provider of your choice for specific instructions or procedures on configuration of user identities.

Prerequisites

Active Directory / LDAP Compatible IDentity Provider

This procedure assumes an existing Active Directory or LDAP service. Instructions on configuring AD/LDAP are out of scope for this procedure.

MinIO requires a read-only access keys with which it binds to perform authenticated user and group queries. Ensure each AD/LDAP user and group intended for use with MinIO has a corresponding policy on the MinIO deployment. An AD/LDAP user with no assigned policy and with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster.

Configure MinIO with Active Directory or LDAP External Identity Management

Kubernetes

Access the Operator Console

Temporarily forward traffic between the local host machine and the MinIO Operator Console and retrieve the JWT token for your Operator deployment. For instructions, see Configure access to the Operator Console service.

Open your browser to the temporary URL and enter the JWT Token into the login page. You should see the Tenants page:

To deploy a new MinIO Tenant with AD/LDAP external identity management, select the + Create Tenant button.

To configure an existing MinIO Tenant with AD/LDAP external identity management select that Tenant from the displayed list. The following steps reference the necessary sections and configuration settings for existing Tenants.

Complete the Identity Provider Section

To enable external identity management with an Active Directory / LDAP provider, select the Identity Provider section. You can then change the radio button to Active Directory to display the configuration settings.

MinIO Operator Console - Create a Tenant - External Identity Provider Section - Active Directory / LDAP

An asterisk * marks required fields. The following table provides general guidance for those fields:

Field	Description
LDAP Server Address	The hostname of the Active Directory or LDAP server.
Lookup Bind DN	The Distinguished Name MinIO uses to authenticate and query the AD/LDAP server. See Querying the Active Directory / LDAP Service for more information.
List of user DNs (Distinguished Names) to be Tenant Administrators	Specify a user DNs which MinIO assigns a policy with administrative permissions for the Tenant. You can specify multiple DNs by selecting the plus icon. You can delete a DN by selecting the trash can icon for that DN.

Field

Description

LDAP Server Address

The hostname of the Active Directory or LDAP server.

Lookup Bind DN

The Distinguished Name MinIO uses to authenticate and query the AD/LDAP server.

See Querying the Active Directory / LDAP Service for more information.

List of user DNs (Distinguished Names) to be Tenant Administrators

Specify a user DNs which MinIO assigns a policy with administrative permissions for the Tenant. You can specify multiple DNs by selecting the plus icon. You can delete a DN by selecting the trash can icon for that DN.

Once you complete the section, you can finish any other required sections of Tenant Deployment.

Assign Policies to AD/LDAP Users

MinIO by default assigns no policies to AD/LDAP users or groups. You must explicitly assign MinIO policies to a given user or group Distinguished Name (DN) to grant that user or group access to the MinIO deployment.

The following example assumes an existing alias configured for the MinIO Tenant.

Use the mc idp ldap policy attach command to assign a user or group DN to an existing MinIO Policy:
```
mc idp ldap policy attach minio-tenant POLICY --user='uid=primary,cn=applications,dc=domain,dc=com'
mc idp ldap policy attach minio-tenant POLICY --group='cn=applications,ou=groups,dc=domain,dc=com'
```
Replace POLICY with the name of the MinIO policy to assign to the user or group DN.

See Access Control for AD/LDAP-Managed Identities for more information on access control with AD/LDAP users and groups.
Use the MinIO Tenant Console to Log In with AD/LDAP Credential

The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.

See Deploy MinIO Tenant: Connect to the Tenant for additonal information about accessing the Tenant Console.

If the AD/LDAP configuration succeeded, the Console displays a button to login with AD/LDAP credentials.

Enter the user’s AD/LDAP credentials and log in to access the Console.

Once logged in, you can perform any action for which the authenticated user is authorized.

You can also create access keys for supporting applications which must perform operations on MinIO. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the access keys.
Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials

Applications can use an AD/LDAP user credential to generate temporary S3-compatible credentials as-needed using the AssumeRoleWithLDAPIdentity Security Token Service (STS) API endpoint. MinIO provides an example Go application ldap.go with an example of managing this workflow.
```
POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
&LDAPUsername=USERNAME
&LDAPPassword=PASSWORD
&Version=2011-06-15
&Policy={}
```
- Replace minio.example.net with the hostname or URL for the MinIO Tenant service.
- Replace the LDAPUsername with the username of the AD/LDAP user.
- Replace the LDAPPassword with the password of the AD/LDAP user.
- Replace the Policy with an inline URL-encoded JSON policy that further restricts the permissions associated to the temporary credentials.
  
  Omit to use the policy whose name matches the Distinguished Name (DN) of the AD/LDAP user.
The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use the access key and secret key to access and perform operations on MinIO.

See the AssumeRoleWithLDAPIdentity for reference documentation.

Baremetal

Set the Active Directory / LDAP Configuration Settings

Configure the AD/LDAP provider using one of the following:
- MinIO Client
- Environment variables
- MinIO Console
All methods require starting/restarting the MinIO deployment to apply changes.

The following tabs provide a quick reference for the available configuration methods:
MinIO Client
MinIO supports specifying the AD/LDAP provider settings using mc idp ldap commands.

For distributed deployments, the mc idp ldap command applies the configuration to all nodes in the deployment.

The following example code sets all configuration settings related to configuring an AD/LDAP provider for external identity management. The minimum required settings are:

server_addr

lookup_bind_dn

lookup_bind_password

user_dn_search_base_dn

user_dn_search_filter
mc idp ldap add ALIAS \ server_addr="ldaps.example.net:636" \ lookup_bind_dn="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net" \ lookup_bind_password="xxxxxxxx" \ user_dn_search_base_dn="DC=example,DC=net" \ user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))" \ group_search_filter= "(&(objectClass=group)(member=%d))" \ group_search_base_dn="ou=MinIO Users,dc=example,dc=net" \ enabled="true" \ tls_skip_verify="off" \ server_insecure=off \ server_starttls="off" \ srv_record_name="" \ comment="Test LDAP server"
For more complete documentation on these settings, see mc idp ldap.

mc idp ldap recommended

mc idp ldap offers additional features and improved validation over mc admin config set runtime configuration settings. mc idp ldap supports the same settings as mc admin config and the identity_ldap configuration key.

The identity_ldap configuration key remains available for existing scripts and tools.
Environment Variables
MinIO supports specifying the AD/LDAP provider settings using environment variables. The minio server process applies the specified settings on its next startup. For distributed deployments, specify these settings across all nodes in the deployment using the same values. Any differences in server configurations between nodes will result in startup or configuration failures.

The following example code sets all environment variables related to configuring an AD/LDAP provider for external identity management. The minimum required variable are:
export MINIO_IDENTITY_LDAP_SERVER_ADDR="ldaps.example.net:636" export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net" export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="dc=example,dc=net" export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(&(objectCategory=user)(sAMAccountName=%s))" export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="xxxxxxxxx" export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectClass=group)(member=%d))" export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="ou=MinIO Users,dc=example,dc=net" export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="off" export MINIO_IDENTITY_LDAP_SERVER_INSECURE="off" export MINIO_IDENTITY_LDAP_SERVER_STARTTLS="off" export MINIO_IDENTITY_LDAP_SRV_RECORD_NAME="" export MINIO_IDENTITY_LDAP_COMMENT="LDAP test server"
For complete documentation on these variables, see Active Directory / LDAP Settings
MinIO Console
MinIO supports specifying the AD/LDAP provider settings using the MinIO Console. For distributed deployments, configuring AD/LDAP from the Console applies the configuration to all nodes in the deployment.
1. Log in to the MinIO Console as either the root user or a MinIO user with the consoleAdmin policy.
2. In the Identity section, select LDAP and then Edit Configuration to configure an Active Directory or LDAP server. The minimum required settings are:
  - Server Address
  - Lookup Bind DN
  - Lookup Bind Password
  - User DN Search Base
  - User DN Search Filter
  Not all configuration options are available in the MinIO Console. For additional settings, use mc idp ldap or environment variables.
Restart the MinIO Deployment

You must restart the MinIO deployment to apply the configuration changes.

If you configured AD/LDAP from the MinIO Console, no additional action is required. The MinIO Console automatically restarts the deployment after saving the new AD/LDAP configuration.

For MinIO Client and environment variable configuration, use the mc admin service restart command to restart the deployment:
```
mc admin service restart ALIAS
```
Replace ALIAS with the alias of the deployment to restart.
Use the MinIO Console to Log In with AD/LDAP Credentials

The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.

You can access the Console by opening the root URL for the MinIO cluster. For example, https://minio.example.net:9000.

Once logged in, you can perform any action for which the authenticated user is authorized.

You can also create access keys for supporting applications which must perform operations on MinIO. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account.
Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials

MinIO requires clients to authenticate using AWS Signature Version 4 protocol with support for the deprecated Signature Version 2 protocol. Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as PUT, GET, and DELETE operations.

Applications can generate temporary access credentials as-needed using the AssumeRoleWithLDAPIdentity Security Token Service (STS) API endpoint and AD/LDAP user credentials. MinIO provides an example Go application ldap.go that manages this workflow.
```
POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
&LDAPUsername=USERNAME
&LDAPPassword=PASSWORD
&Version=2011-06-15
&Policy={}
```
- Replace the LDAPUsername with the username of the AD/LDAP user.
- Replace the LDAPPassword with the password of the AD/LDAP user.
- Replace the Policy with an inline URL-encoded JSON policy that further restricts the permissions associated to the temporary credentials.
  
  Omit to use the policy whose name matches the Distinguished Name (DN) of the AD/LDAP user.
The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use the access key and secret key to access and perform operations on MinIO.

See the AssumeRoleWithLDAPIdentity for reference documentation.

Disable a Configured Active Directory / LDAP Connection

New in version RELEASE.2023-03-20T20-16-18Z.

You can enable and disable the configured AD/LDAP connection as needed.

Use mc idp ldap disable to deactivate a configured connection. Use mc idp ldap enable to activate a previously configured connection.

You may also enable or disable AD/LDAP from the MinIO Console.

Documentation