Active Directory/LDAP Access Management

If you integrate AIStor with Active Directory (AD/LDAP) as your identity provider, you can also manage access with AD/LDAP. AIStor can map a user’s Distinguished Name or group Distinguished Names (DNs) to existing policies.

See Active Directory/LDAP Identity Management for configuring the integration. This page explains how to create AIStor access policies that match the AD/LDAP DNs.

AIStor supports configuring a single Active Directory or LDAP (AD/LDAP) service for external management of user identities. Enabling AD/LDAP external identity management disables the AIStor internal IDP.

For identities managed by the external AD/LDAP provider, AIStor uses the user’s Distinguished Name and attempts to map it against an existing policy.

If the AD/LDAP configuration includes the necessary settings to query the user’s AD/LDAP group membership, AIStor also uses those group Distinguished Names and attempts to map each against an existing policy.

By default, AIStor denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. Users managed by an AD/LDAP provider must specify the necessary policies as part of the user profile data. If no policies match either the user DN or group DNs, AIStor blocks all access to actions and resources on the deployment.

The specific AD/LDAP queries AIStor issues to authenticate the user and retrieve its group membership are configured as part of deploying the cluster with Active Directory / LDAP identity management. This page covers creation of AIStor policies to match the possible returned Distinguished Names.

Authentication and Authorization Flow

The login flow for an application using Active Directory / LDAP credentials is as follows:

  1. Specify the AD/LDAP credentials to the AIStor Security Token Service (STS) AssumeRoleWithLDAPIdentity API endpoint.

  2. AIStor verifies the provided credentials against the AD/LDAP server.

  3. AIStor checks for any policy whose name matches the user Distinguished Name (DN) and assigns that policy to the authenticated user.

    If configured to perform group queries, AIStor also queries for a list of AD/LDAP groups in which the user has membership. AIStor checks for any policy whose name matches a returned group DN and assigns that policy to the authenticated user.

  4. AIStor returns temporary credentials in the STS API response in the form of an access key, secret key, and session token. The credentials have permissions matching those policies whose name matches either the authenticated user DN or a group DN.

AIStor provides an example Go application ldap.go that handles the full login flow.
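As an added example (not the ldap.go application mentioned above and not AIStor code), the following Go program performs steps 1 through 4 of the flow using only the standard library. The form parameters (Action, Version, LDAPUsername, LDAPPassword, DurationSeconds) and the element names of the XML response follow the MinIO STS AssumeRoleWithLDAPIdentity API; the endpoint URL, user DN and password in main are placeholders to replace with your own deployment's values.

```go
package main

// Added example, not the page's ldap.go: run the AssumeRoleWithLDAPIdentity
// exchange against an AIStor STS endpoint with the standard library only.

import (
	"context"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Credentials holds the temporary credentials returned in step 4 of the flow.
type Credentials struct {
	AccessKeyID     string    `xml:"AccessKeyId"`
	SecretAccessKey string    `xml:"SecretAccessKey"`
	SessionToken    string    `xml:"SessionToken"`
	Expiration      time.Time `xml:"Expiration"`
}

// stsResponse mirrors the XML document returned for a successful call.
type stsResponse struct {
	XMLName xml.Name `xml:"AssumeRoleWithLDAPIdentityResponse"`
	Result  struct {
		Credentials Credentials `xml:"Credentials"`
	} `xml:"AssumeRoleWithLDAPIdentityResult"`
}

// BuildSTSForm builds the form body for step 1: the AD/LDAP credentials are
// handed to STS, which verifies them against the directory (step 2).
func BuildSTSForm(ldapUser, ldapPassword string, duration time.Duration) url.Values {
	v := url.Values{}
	v.Set("Action", "AssumeRoleWithLDAPIdentity")
	v.Set("Version", "2011-06-15")
	v.Set("LDAPUsername", ldapUser)
	v.Set("LDAPPassword", ldapPassword)
	v.Set("DurationSeconds", strconv.Itoa(int(duration.Seconds())))
	return v
}

// ParseSTSCredentials extracts the credential set from the STS XML response
// and rejects a document that is missing any of the three secrets.
func ParseSTSCredentials(body []byte) (Credentials, error) {
	var resp stsResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return Credentials{}, err
	}
	c := resp.Result.Credentials
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return Credentials{}, errors.New("sts: response did not contain a full credential set")
	}
	return c, nil
}

// AssumeRoleWithLDAPIdentity POSTs the form to endpoint and returns the
// temporary credentials. A failed bind, or a DN with no attached policy,
// comes back as a non-200 status whose body is the server's error document.
func AssumeRoleWithLDAPIdentity(ctx context.Context, endpoint, ldapUser, ldapPassword string, duration time.Duration) (Credentials, error) {
	form := BuildSTSForm(ldapUser, ldapPassword, duration)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return Credentials{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return Credentials{}, err
	}
	if resp.StatusCode != http.StatusOK {
		return Credentials{}, fmt.Errorf("sts: HTTP %d: %s", resp.StatusCode, body)
	}
	return ParseSTSCredentials(body)
}

func main() {
	// Placeholder endpoint, DN and password: point these at your deployment.
	creds, err := AssumeRoleWithLDAPIdentity(context.Background(),
		"https://minio.example.net:9000", "cn=dax,cn=users,dc=example,dc=com", "password", time.Hour)
	if err != nil {
		fmt.Println("login failed:", err)
		return
	}
	fmt.Println("temporary access key:", creds.AccessKeyID, "expires", creds.Expiration)
}
```

The credentials are only as broad as the policies attached to the user DN or its group DNs, so a user with no matching policy gets an error here rather than a usable key, which is the deny-by-default behaviour described above.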

AD/LDAP users can alternatively create long-lived access keys associated with their AD/LDAP user Distinguished Name, with inherited permissions. The parent user can further restrict those privileges while creating the access keys. Use either of the following methods to create a new access key:

  • Log into the AIStor Console using the AD/LDAP-managed user credentials. In the User section, select Access Keys followed by Create access keys +.

  • Use the mc admin user accesskey command to manage the access keys. Specify the user Distinguished Name as the username to which to associate the access keys.

Mapping policies to user DN

The following commands use mc idp ldap policy attach to associate an existing AIStor policy with an AD/LDAP User DN.

mc idp ldap policy attach myminio consoleAdmin \
--user='cn=sisko,cn=users,dc=example,dc=com'

mc idp ldap policy attach myminio readwrite,diagnostics \
--user='cn=dax,cn=users,dc=example,dc=com'

  • AIStor would assign an authenticated user with DN matching cn=sisko,cn=users,dc=example,dc=com the consoleAdmin policy, granting complete access to the AIStor server.

  • AIStor would assign an authenticated user with DN matching cn=dax,cn=users,dc=example,dc=com both the readwrite and diagnostics policies, granting general read/write access to the Object Store and access to diagnostic administrative operations.

  • AIStor would assign no policies to an authenticated user with DN matching cn=quark,cn=users,dc=example,dc=com and deny all access to API operations.

Mapping policies to group DN

The following commands run mc idp ldap policy attach to associate an existing AIStor policy with an AD/LDAP Group DN.

mc idp ldap policy attach myminio consoleAdmin \
--group='cn=ops,cn=groups,dc=example,dc=com'

mc idp ldap policy attach myminio diagnostics \
--group='cn=engineering,cn=groups,dc=example,dc=com'

  • AIStor would assign any authenticating user with membership in the cn=ops,cn=groups,dc=example,dc=com AD/LDAP group the consoleAdmin policy, granting complete access to the AIStor server.

  • AIStor would assign any authenticating user with membership in the cn=engineering,cn=groups,dc=example,dc=com AD/LDAP group the diagnostics policy, granting access to diagnostic administrative operations.

Multiple DN policy mappings

Starting in AIStor RELEASE.2025-06-20T23-57-47Z, DNs are normalized to be lower case only when loaded. In the case of multiple DNs that normalize to the same value, automatic policies from DNs might not work as expected. You should check to make sure the appropriate policies are applied to your LDAP users. You might see a warning if DN precedence is not clear. To resolve the warning, run mc idp ldap policy attach to specify the desired policy.
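As an added example (not AIStor code), the following Go program models the user-DN and group-DN mappings from the two sections above together with the normalization note here: it lowercases DNs before matching, unions the policies attached to the user DN and to each group DN, returns an empty set (deny everything) when nothing matches, and reports mappings that collapse to the same normalized DN so an operator can re-attach the intended policy. The mapping data is constructed from the DNs used on this page.

```go
package main

// Added example, not AIStor code: deny-by-default policy resolution over
// DN -> policy attachments, with lowercase normalization and a collision check.

import (
	"fmt"
	"sort"
	"strings"
)

// PolicyMapping holds DN -> policy attachments, as created with
// `mc idp ldap policy attach`. Keys are kept exactly as they were attached.
type PolicyMapping struct {
	Users  map[string][]string
	Groups map[string][]string
}

// NormalizeDN lowercases a DN and trims whitespace around each RDN so that
// "CN=Dax,CN=Users,DC=example,DC=com" and "cn=dax,cn=users,dc=example,dc=com"
// compare equal.
func NormalizeDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.TrimSpace(strings.ToLower(p))
	}
	return strings.Join(parts, ",")
}

// AmbiguousDNs groups raw DNs in m that normalize to the same value. Each
// group is a case where precedence is unclear and the policy should be
// re-attached explicitly.
func AmbiguousDNs(m map[string][]string) [][]string {
	byNorm := map[string][]string{}
	for raw := range m {
		n := NormalizeDN(raw)
		byNorm[n] = append(byNorm[n], raw)
	}
	var out [][]string
	for _, raws := range byNorm {
		if len(raws) > 1 {
			sort.Strings(raws)
			out = append(out, raws)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i][0] < out[j][0] })
	return out
}

// ResolvePolicies returns the sorted union of policies attached to the user's
// DN and to any of its group DNs. An empty result means every request is denied.
func ResolvePolicies(m PolicyMapping, userDN string, groupDNs []string) []string {
	seen := map[string]bool{}
	add := func(table map[string][]string, dn string) {
		want := NormalizeDN(dn)
		for raw, pols := range table {
			if NormalizeDN(raw) == want {
				for _, p := range pols {
					seen[p] = true
				}
			}
		}
	}
	add(m.Users, userDN)
	for _, g := range groupDNs {
		add(m.Groups, g)
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed mapping using the DNs from this page.
	m := PolicyMapping{
		Users: map[string][]string{
			"cn=sisko,cn=users,dc=example,dc=com": {"consoleAdmin"},
			"cn=dax,cn=users,dc=example,dc=com":   {"readwrite", "diagnostics"},
		},
		Groups: map[string][]string{
			"cn=ops,cn=groups,dc=example,dc=com":         {"consoleAdmin"},
			"cn=engineering,cn=groups,dc=example,dc=com": {"diagnostics"},
		},
	}
	fmt.Println(ResolvePolicies(m, "CN=Dax,CN=Users,DC=example,DC=com", nil))
	fmt.Println(ResolvePolicies(m, "cn=quark,cn=users,dc=example,dc=com", nil)) // empty: denied
	fmt.Println(ResolvePolicies(m, "cn=quark,cn=users,dc=example,dc=com",
		[]string{"cn=engineering,cn=groups,dc=example,dc=com"}))
	fmt.Println(AmbiguousDNs(m.Users))
}
```

Running AmbiguousDNs over the exported attachments of a deployment is a quick way to confirm that no two mappings differ only in case before relying on the automatic policies.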

All rights reserved 2024-Present, MinIO, Inc.