Active Directory/LDAP Identity Management

AIStor supports configuring one or more Active Directory or LDAP (AD/LDAP) services for external management of user identities. You can configure multiple LDAP providers to support different groups of users or organizational units within your environment.

Steps to integrate your AD/LDAP service:

• Configure your AIStor cluster for AD/LDAP integration.

• Access the AIStor console with AD/LDAP credentials.

• Generate temporary credentials for application access with the AssumeRoleWithLDAPIdentity Security Token Service (STS) API

See the documentation for your AD/LDAP provider for detailed information about configuring user identities.

• Access to AIStor Cluster

  These instructions use mc to perform actions on your AIStor cluster. Install mc on a machine with network access to the cluster. Make sure to configure an alias for your cluster.

• AD/LDAP identity provider access

  AIStor must have bidirectional network connectivity to the target AD/LDAP service.

  AIStor requires a read-only access key with which it binds to perform authenticated user and group queries. Ensure each AD/LDAP user and group has a corresponding policy on the AIStor deployment. An AD/LDAP user with no assigned policy and with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster.

1. Create the AD/LDAP configuration

   AIStor Client

   The mc idp ldap command controls AD/LDAP configurations for an AIStor deployment.

   The following example sets all configurations for an AD/LDAP provider. The minimum required settings are:

   • server_addr

   • lookup_bind_dn

   • lookup_bind_password

   • user_dn_search_base_dn

   • user_dn_search_filter

   mc idp ldap add ALIAS                                                \
   server_addr="ldaps.example.net:636"                                  \
   lookup_bind_dn="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net"        \
   lookup_bind_password="xxxxxxxx"                                      \
   user_dn_search_base_dn="DC=example,DC=net"                           \
   user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))"  \
   group_search_filter= "(&(objectClass=group)(member=%d))"             \
   group_search_base_dn="ou=MinIO Users,dc=example,dc=net"              \
   tls_skip_verify="off"                                                \
   server_insecure=off                                                  \
   server_starttls="off"                                                \
   srv_record_name=""                                                   \
   comment="Test LDAP server"
   

   To add a named LDAP configuration, specify the configuration name after the alias:

   mc idp ldap add ALIAS PARTNERS                                       \
   server_addr="ldaps.partners.example.net:636"                         \
   lookup_bind_dn="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=partners,DC=net"       \
   lookup_bind_password="xxxxxxxx"                                      \
   user_dn_search_base_dn="DC=partners,DC=net"                          \
   user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))"  \
   comment="Partner organization LDAP"
   

   For more complete documentation on these settings, see mc idp ldap.

   mc idp ldap offers additional features and improved validation over mc admin config set runtime configuration settings. mc idp ldap supports the same settings asmc admin config and the identity_ldap configuration key.

   The identity_ldap configuration key remains available for existing scripts and tools.

   Environment Variables

   You can specify environment variables. The server process applies the specified settings on the next startup.

   For distributed deployments, you must specify the same values for all settings across all nodes. Any differences between node configurations results in startup or configuration failures.

   The following example code sets all environment variables for an AD/LDAP provider. The minimum required variables are:

   • MINIO_IDENTITY_LDAP_SERVER_ADDR

   • MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN

   • MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD

   • MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN

   • MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER

   export MINIO_IDENTITY_LDAP_SERVER_ADDR="ldaps.example.net:636"
   export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net"
   export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="dc=example,dc=net"
   export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(&(objectCategory=user)(sAMAccountName=%s))"
   export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="xxxxxxxxx"
   export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectClass=group)(member=%d))"
   export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="ou=MinIO Users,dc=example,dc=net"
   export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="off"
   export MINIO_IDENTITY_LDAP_SERVER_INSECURE="off"
   export MINIO_IDENTITY_LDAP_SERVER_STARTTLS="off"
   export MINIO_IDENTITY_LDAP_SRV_RECORD_NAME=""
   export MINIO_IDENTITY_LDAP_COMMENT="LDAP test server"
   

   To configure additional named LDAP providers, append the configuration name to each environment variable. The name is case-sensitive and must be consistent across all variables. By convention, use uppercase (for example, _CORP):

   # Partners LDAP configuration (name: "partners")
   export MINIO_IDENTITY_LDAP_SERVER_ADDR_PARTNERS="ldaps.partners.example.net:636"
   export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN_PARTNERS="CN=xxxxx,OU=xxxxx,DC=partners,DC=net"
   export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN_PARTNERS="dc=partners,dc=net"
   export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER_PARTNERS="(&(objectCategory=user)(sAMAccountName=%s))"
   export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD_PARTNERS="xxxxxxxxx"
   export MINIO_IDENTITY_LDAP_COMMENT_PARTNERS="Partner organization LDAP"
   

   See also the complete Active Directory/LDAP Settings.

   Kubernetes

   For Kubernetes deployments using the AIStor Operator, configure LDAP settings using environment variables in the ObjectStore custom resource.

   			<div class="mb-3 text-base font-bold">Enhanced in Operator RELEASE.2025-10-16T16-46-38Z</div>
   		
   		<div
   			class="&_li]:marker:text-current [&_a]:underline [&_a]:decoration-1 [&_a]:underline-offset-4 hover:[&_a]:text-current [&_code]:bg-white dark:[&_code]:bg-slate-800 [&_pre]:mb-0 [&_pre_code]:bg-transparent!"
   		>
   			Support for securely referencing values from Kubernetes Secrets using <code>valueFrom.secretKeyRef</code> requires Operator version <code>RELEASE.2025-10-16T16-46-38Z</code> or later.
   		</div>
   	</div>
   </div>
   

   For security, store sensitive values like the LDAP bind password in a Kubernetes Secret and reference it using valueFrom.secretKeyRef. This keeps credentials separate from the ObjectStore specification.

   For complete configuration examples and best practices, see Environment Variable Configuration.

   AIStor Console

   You can work with the AIStor Console.

   For distributed deployments, configuring AD/LDAP in the console applies the configuration to all nodes in the deployment.

   1. Log in to the console as either the root user or a user with the consoleAdmin policy.

   2. Go to Identity > LDAP > Edit Configuration.

      The minimum required settings are:

      • Server Address

      • Lookup Bind DN

      • Lookup Bind Password

      • User DN Search Base

      • User DN Search Filter

      Not all configuration options are available in the console. For additional settings, use mc idp ldap or environment variables.

   When configuring AD/LDAP group lookups, configure specific filters that return the minimum number of relevant groups for the purpose of supporting authentication.

   Filters that return large group assignments increase the size of associated calls and resources. Functions sensitive to large request or response bodies may exhibit unexpected behaviors as a result.

2. Restart the deployment

   You must restart the deployment to apply the configuration changes.

   If you configured AD/LDAP from the console, no additional action is required. The console automatically restarts the deployment after you save the new configuration.

   For the client or environment variable configuration, run mc admin service restart to restart the deployment:

   mc admin service restart ALIAS
   

   Replace ALIAS with the alias of the deployment to restart.

3. Log in to the console with AD/LDAP credentials

   The AIStor Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the AssumeRoleWithLDAPIdentity Security Token Service (STS) endpoint, and logging the user in.

   Go to the root URL for the deployment, for example https://minio.example.net:9000.

   After you log in, you can perform any action for which your account is authorized.

4. Generate STS credentials for application authentication

   Clients must authenticate using AWS Signature Version 4 protocol with support for the deprecated Signature Version 2 protocol. Clients must present a valid access key and secret key to access any S3 or AIStor administrative API, such as PUT, GET, and DELETE operations.

   You can create access keys to support applications that must perform operations on AIStor. Access keys are long-lived credentials that inherit their permissions from the parent user.

   Alternatively, applications can generate temporary access credentials as needed with the AssumeRoleWithLDAPIdentity Security Token Service (STS) API endpoint and AD/LDAP user credentials. See the example Go application ldap.go for this workflow.

   POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
   &LDAPUsername=USERNAME
   &LDAPPassword=PASSWORD
   &Version=2011-06-15
   &Policy={}
   &ConfigName=CONFIGNAME
   

   • Replace LDAPUsername with the username of the AD/LDAP user.

   • Replace LDAPPassword with the password of the AD/LDAP user.

   • Replace Policy with an inline URL-encoded JSON policy that further restricts the permissions associated to the temporary credentials.

     Omit to use the policy whose name matches the Distinguished Name (DN) of the AD/LDAP user.

   • Replace ConfigName with the name of the LDAP configuration to authenticate against.

     Omit to use the default LDAP configuration (_).

   The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use this access key and secret key to access and perform operations on MinIO.

   See AssumeRoleWithLDAPIdentity for reference documentation.

You can enable or disable the configured AD/LDAP connection as needed.

Run mc idp ldap disable to deactivate a configured connection. Run mc idp ldap enable to activate a previously configured connection.

For deployments with multiple LDAP configurations, specify the configuration name:

mc idp ldap disable ALIAS NAME
mc idp ldap enable ALIAS NAME

Replace NAME with the desired configuration to modify. If you do not specify a configuration NAME, then the command applies to the default configuration (internally named _).

If you disable the default configuration, then AIStor does not use a default LDAP configuration. Any other existing named configurations continue to function.

You can also enable or disable AD/LDAP from the console.