Active Directory/LDAP Identity Management

AIStor supports configuring a single Active Directory or LDAP (AD/LDAP) service for external management of user identities. Enabling AD/LDAP integration for identity management disables the internal identity provider.

Steps to integrate your AD/LDAP service:

Configure your AIStor cluster for AD/LDAP integration.
Access the AIStor console with AD/LDAP credentials.
Generate temporary credentials for application access with the AssumeRoleWithLDAPIdentity Security Token Service (STS) API

See the documentation for your AD/LDAP provider for detailed information about configuring user identities.

Prerequisites

Access to AISor Cluster

These instructions use mc to perform actions on your AIStor cluster. Install mc on a machine with network access to the cluster. Make sure to configure an alias for your cluster.
AD/LDAP identity provider access

AIStor must have bidirectional network connectivity to the target AD/LDAP service.

AIStor requires a read-only access key with which it binds to perform authenticated user and group queries. Ensure each AD/LDAP user and group has a corresponding policy on the AIStor deployment. An AD/LDAP user with no assigned policy and with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster.

Configure AD/LDAP for AIStor

Create the AD/LDAP configuration
AIStor client
The mc idp ldap command controls AD/LDAP configurations for an AIStor deployment.

The following example sets all configurations for an AD/LDAP provider. The minimum required settings are:
- server_addr
- lookup_bind_dn
- lookup_bind_password
- user_dn_search_base_dn
- user_dn_search_filter
```
mc idp ldap add ALIAS                                                   \
server_addr="ldaps.example.net:636"                                  \
lookup_bind_dn="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net"        \
lookup_bind_password="xxxxxxxx"                                      \
user_dn_search_base_dn="DC=example,DC=net"                           \
user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))"  \
group_search_filter= "(&(objectClass=group)(member=%d))"             \
group_search_base_dn="ou=MinIO Users,dc=example,dc=net"              \
tls_skip_verify="off"                                                \
server_insecure=off                                                  \
server_starttls="off"                                                \
srv_record_name=""                                                   \
comment="Test LDAP server"
```
For more complete documentation on these settings, see mc idp ldap.

mc idp ldap offers additional features and improved validation over mc admin config set runtime configuration settings. mc idp ldap supports the same settings asmc admin config and the identity_ldap configuration key.

The identity_ldap configuration key remains available for existing scripts and tools.
Environment Variables
You can specify environment variables. The server process applies the specified settings on the next startup.

For distributed deployments, you must specify the same values for all settings across all nodes. Any differences between node configurations results in startup or configuration failures.

The following example code sets all environment variables for an AD/LDAP provider. The minimum required variables are:
- MINIO_IDENTITY_LDAP_SERVER_ADDR
- MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
- MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
- MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
- MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER
```
export MINIO_IDENTITY_LDAP_SERVER_ADDR="ldaps.example.net:636"
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net"
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="dc=example,dc=net"
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(&(objectCategory=user)(sAMAccountName=%s))"
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="xxxxxxxxx"
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectClass=group)(member=%d))"
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="ou=MinIO Users,dc=example,dc=net"
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="off"
export MINIO_IDENTITY_LDAP_SERVER_INSECURE="off"
export MINIO_IDENTITY_LDAP_SERVER_STARTTLS="off"
export MINIO_IDENTITY_LDAP_SRV_RECORD_NAME=""
export MINIO_IDENTITY_LDAP_COMMENT="LDAP test server"
```
See also the complete Active Directory/LDAP Settings.
AIStor Console
You can work with the AIStor Console.

For distributed deployments, configuring AD/LDAP in the console applies the configuration to all nodes in the deployment.
1. Log in to the console as either the root user or a user with the consoleAdmin policy.
2. Go to Identity > LDAP > Edit Configuration.
  
  The minimum required settings are:
  - Server Address
  - Lookup Bind DN
  - Lookup Bind Password
  - User DN Search Base
  - User DN Search Filter
  Not all configuration options are available in the console. For additional settings, use mc idp ldap or environment variables.
When configuring AD/LDAP group lookups, configure specific filters that return the minimum number of relevant groups for the purpose of supporting authentication.

Filters that return large group assignments increase the size of associated calls and resources. Functions sensitive to large request or response bodies may exhibit unexpected behaviors as a result.
Restart the deployment

You must restart the deployment to apply the configuration changes.

If you configured AD/LDAP from the console, no additional action is required. The console automatically restarts the deployment after you save the new configuration.

For the client or environment variable configuration, run mc admin service restart to restart the deployment:
```
mc admin service restart ALIAS
```
Replace ALIAS with the alias of the deployment to restart.
Log in to the console with AD/LDAP credentials

The AIStor Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the AssumeRoleWithLDAPIdentity Security Token Service (STS) endpoint, and logging the user in.

Go to the root URL for the deployment, for example https://minio.example.net:9000.

After you log in, you can perform any action for which your account is authorized.
Generate STS credentials for application authentication

Clients must authenticate using AWS Signature Version 4 protocol with support for the deprecated Signature Version 2 protocol. Clients must present a valid access key and secret key to access any S3 or AIStor administrative API, such as PUT, GET, and DELETE operations.

You can create access keys to support applications that must perform operations on AIStor. Access keys are long-lived credentials that inherit their permissions from the parent user.

Alternatively, applications can generate temporary access credentials as needed with the AssumeRoleWithLDAPIdentity Security Token Service (STS) API endpoint and AD/LDAP user credentials. See the example Go application ldap.go for this workflow.
```
POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
&LDAPUsername=USERNAME
&LDAPPassword=PASSWORD
&Version=2011-06-15
&Policy={}
```
- Replace LDAPUsername with the username of the AD/LDAP user.
- Replace LDAPPassword with the password of the AD/LDAP user.
- Replace Policy with an inline URL-encoded JSON policy that further restricts the permissions associated to the temporary credentials.
  
  Omit to use the policy whose name matches the Distinguished Name (DN) of the AD/LDAP user.
The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use this access key and secret key to access and perform operations on MinIO.

See AssumeRoleWithLDAPIdentity for reference documentation.

Disable AD/LDAP integration

You can enable or disable the configured AD/LDAP connection as needed.

Run mc idp ldap disable to deactivate a configured connection. Run mc idp ldap enable to activate a previously configured connection.

You can also enable or disable AD/LDAP from the console.