LDAP Settings

This page documents settings for enabling external identity management using an Active Directory or LDAP service. See Configure AIStor for Authentication using Active Directory / LDAP for a tutorial on using these settings.

AIStor recommends using the mc idp ldap commands for LDAP management operations. These commands offer better validation and additional features, while providing the same settings as the identity_ldap configuration key.

The identity_ldap configuration key remains available for existing scripts and other tools.

You can establish or modify settings by defining:

  • an environment variable on the host system prior to starting or restarting the AIStor Server. Refer to your operating system’s documentation for how to define an environment variable.
  • a configuration setting using mc admin config set.

If you define both an environment variable and the corresponding configuration setting, AIStor uses the environment variable value.

Some settings have only an environment variable or a configuration setting, but not both.

Each configuration setting controls fundamental AIStor behavior and functionality. Test configuration changes in a lower environment, such as DEV or QA, before applying to production.

Examples
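The following is an added example, not taken from the AIStor documentation, showing one Lookup-Bind configuration expressed both as environment variables set before the server starts and as the equivalent mc idp ldap add call, together with a check that every required setting is present. The alias, hostnames, DNs and the secret path are placeholders; the MINIO_IDENTITY_LDAP_* variable names and the key=value names are assumed to match the identity_ldap settings described on this page and should be checked against your release.

```shell
# Added example (not AIStor's own code). Placeholder values throughout.

# Required settings
LDAP_SERVER_ADDR="ldapserver.com:636"
LDAP_LOOKUP_BIND_DN="cn=minio-lookup,ou=service,dc=myldapserver,dc=net"
LDAP_USER_BASE_DN="cn=miniousers,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=io"
LDAP_USER_FILTER="(userPrincipalName=%s)"
# Optional settings: group lookup keyed on the user's DN (%d), not the username
LDAP_GROUP_BASE_DN="cn=miniogroups,dc=myldapserver,dc=net"
LDAP_GROUP_FILTER="(&(objectclass=groupOfNames)(member=%d))"

# Environment-variable form: export before starting or restarting the server.
# If both the variable and the configuration key are set, the variable wins.
# $1 is the Lookup Bind Password, handed in from a secret store, never hard-coded.
ldap_export_env() {
  export MINIO_IDENTITY_LDAP_SERVER_ADDR="$LDAP_SERVER_ADDR"
  export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="$LDAP_LOOKUP_BIND_DN"
  export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="$1"
  export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="$LDAP_USER_BASE_DN"
  export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="$LDAP_USER_FILTER"
  export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="$LDAP_GROUP_BASE_DN"
  export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="$LDAP_GROUP_FILTER"
  # Keep the transport secure: LDAPS on :636 with certificate verification on.
  export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=off
  export MINIO_IDENTITY_LDAP_SERVER_INSECURE=off
  export MINIO_IDENTITY_LDAP_SERVER_STARTTLS=off
}

# Verify every required setting is non-empty before (re)starting the server.
# Returns 0 when complete; otherwise prints the missing names and returns 1.
ldap_env_check() {
  missing=""
  for name in MINIO_IDENTITY_LDAP_SERVER_ADDR MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN \
              MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD \
              MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN \
              MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  [ -z "$missing" ] && return 0
  printf 'missing required LDAP settings:%s\n' "$missing"
  return 1
}

# Same configuration through mc (the recommended route). $1 is the mc alias.
# The password is taken from the environment so it never lands in shell history.
ldap_mc_add() {
  mc idp ldap add "$1" \
    server_addr="$LDAP_SERVER_ADDR" \
    lookup_bind_dn="$LDAP_LOOKUP_BIND_DN" \
    lookup_bind_password="$MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD" \
    user_dn_search_base_dn="$LDAP_USER_BASE_DN" \
    user_dn_search_filter="$LDAP_USER_FILTER" \
    group_search_base_dn="$LDAP_GROUP_BASE_DN" \
    group_search_filter="$LDAP_GROUP_FILTER" \
    tls_skip_verify=off server_insecure=off server_starttls=off
}

# Usage (placeholder secret path and alias):
#   ldap_export_env "$(cat /run/secrets/ldap-lookup)" && ldap_env_check && ldap_mc_add myminio
```

Run the check in the same shell that starts the server, since the variables must be in the server process's environment; the mc form applies the same values to an already running deployment through the identity_ldap configuration.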

Settings

Server Address

Required

Specify the hostname and port of the Active Directory / LDAP server. For example:

ldapserver.com:636

If your AD/LDAP server publishes DNS SRV records, you can use the SRV Record Name setting to discover the host and port to connect to. When using that setting, omit the port number from the server address.

Lookup Bind DN

Required

Specify the Distinguished Name (DN) of the AD/LDAP account AIStor binds as when querying the AD/LDAP server. This enables Lookup-Bind authentication to the AD/LDAP server.

Use a dedicated read-only service account whose privileges are limited to the user and group lookups described on this page.

Lookup Bind Password

Required

Specify the password for the Lookup-Bind user account.

AIStor redacts this value when returned as part of mc admin config get.

User DN Search Base DN

Required

Specify the base Distinguished Name (DN) AIStor uses when searching for the user entry that matches the username provided by an authenticating client.

Separate multiple DNs with a semicolon (;).

For example:

cn=miniousers,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=io

Supports Lookup-Bind mode.

User DN Search Filter

Required

Specify the AD/LDAP search filter AIStor uses when searching for the user entry that matches the username provided by an authenticating client.

Use the %s substitution character to insert the client-specified username into the search string. For example:

(userPrincipalName=%s)

User DN Attributes

Optional

Comma-separated list of attributes to retrieve from the user's directory entry.

Valid values include uid, cn, mail, and sshPublicKey.

To enable public key authentication for LDAP users, include sshPublicKey in the list. The user can then log in to the AIStor SFTP server with the private key matching the sshPublicKey stored in their directory entry.

mc idp ldap update ALIAS user_dn_attributes=sshPublicKey

Enabled

Optional

Set to false to disable the AD/LDAP configuration.

If false, applications cannot generate STS credentials or otherwise authenticate to AIStor using the configured provider.

Defaults to true or “enabled”.

Group Search Filter

Optional

Specify an AD/LDAP search filter for performing group lookups for the authenticated user.

Use the %s substitution character to insert the client-specified username into the search string. Use the %d substitution character to insert the Distinguished Name of the client-specified username into the search string.

For example:

(&(objectclass=groupOfNames)(memberUid=%s))

When configuring AD/LDAP group lookups, write filters that return only the groups needed for authorization decisions, not every group the user belongs to.

Filters that return large group memberships inflate the size of the resulting requests and responses. Functions that are sensitive to large request or response bodies may exhibit unexpected behavior as a result.
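The following is an added example, not AIStor's own code, showing what a correctly built search looks like for the User DN Search Filter and the Group Search Filter above: the %s and %d placeholders are substituted with values escaped per RFC 4515 (so a client-supplied username such as "*)(objectClass=*" cannot change the structure of the filter), and a semicolon-separated base DN list fans out into one search per base. Whether the server performs this escaping internally is not stated on this page; the example shows the query shape a practitioner should expect and can compare against directory server logs. The usernames and DNs are constructed.

```shell
# Added example (not AIStor's own code).

# Escape the characters RFC 4515 reserves inside an assertion value:
# backslash, asterisk and both parentheses (NUL cannot occur in a shell string).
# Backslash is handled first so the escapes it introduces are not re-escaped.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every occurrence of placeholder $2 (%s or %d) in template $1 with the
# escaped form of $3. Parameter expansion is used for the substitution so that
# characters special to sed in the value never reach a replacement expression.
ldap_filter_render() {
  template=$1; placeholder=$2; value=$(ldap_filter_escape "$3"); out=""
  while :; do
    case $template in
      *"$placeholder"*)
        out="$out${template%%"$placeholder"*}$value"
        template=${template#*"$placeholder"}
        ;;
      *) break ;;
    esac
  done
  printf '%s\n' "$out$template"
}

# One search per base DN: prints "base<TAB>filter" for each entry of a
# semicolon-separated base DN list ($1), user filter template ($2), username ($3).
ldap_user_searches() {
  bases=$1; filter_template=$2; username=$3
  filter=$(ldap_filter_render "$filter_template" '%s' "$username")
  printf '%s\n' "$bases" | tr ';' '\n' | while IFS= read -r base; do
    if [ -n "$base" ]; then printf '%s\t%s\n' "$base" "$filter"; fi
  done
}

# Group lookup for a resolved user DN: the filter keys on %d, the user's DN.
ldap_group_search() {
  ldap_filter_render "$1" '%d' "$2"
}

# Constructed sample values (not from any real directory):
#   ldap_filter_render '(userPrincipalName=%s)' '%s' 'alice@min.io'
#     -> (userPrincipalName=alice@min.io)
#   ldap_filter_render '(userPrincipalName=%s)' '%s' '*)(objectClass=*'
#     -> (userPrincipalName=\2a\29\28objectClass=\2a)
#   ldap_group_search '(&(objectclass=groupOfNames)(member=%d))' 'uid=alice,ou=swengg,dc=min,dc=io'
#     -> (&(objectclass=groupOfNames)(member=uid=alice,ou=swengg,dc=min,dc=io))
```

The second sample is the case worth checking in your own deployment: without escaping, the hostile username would turn a single-user lookup into a filter matching every entry under the base DN.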

Group Search Base DN

Optional

Specify a semicolon-separated (;) list of group search base Distinguished Names AIStor uses when performing group lookups.

For example:

cn=miniogroups,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=io

TLS Skip Verify

Optional

Specify on to trust the AD/LDAP server's TLS certificate without verification. This option may be required if the server's certificate is signed by a Certificate Authority the AIStor host does not trust (for example, a self-signed certificate).

Skipping verification means AIStor cannot distinguish the real directory from any host on the network path that presents a certificate, and the Lookup Bind Password and user passwords are sent to whichever endpoint answers. Prefer adding the signing CA to the AIStor Server's trusted CA store and leaving this setting off.

Defaults to off.

Server Insecure

Optional

Specify on to allow unencrypted (non-TLS) connections to the AD/LDAP server.

AD/LDAP simple binds send the Lookup Bind Password and each authenticating user's password to the directory as plaintext, so TLS (LDAPS or StartTLS) is what prevents them from being read off the wire. With this option on, anyone who can capture traffic between AIStor and the directory can read those credentials.

Defaults to off.

Server Start TLS

Optional

Specify on to enable StartTLS connections to an AD/LDAP server. StartTLS upgrades a plaintext LDAP connection (typically on port 389) to TLS after the connection is established, in contrast to LDAPS, which uses TLS from the first byte (typically on port 636). The TLS Skip Verify setting and the certificate trust requirements apply to StartTLS connections as well.

Defaults to off.

For more about StartTLS, refer to section 4.14 of the LDAP RFC 4511 specification.

SRV Record Name

Optional

Specify the appropriate value to enable AIStor to select an AD/LDAP server using a DNS SRV record request.

When enabled, AIStor selects an AD/LDAP server by:

  • Constructing the target SRV record name following standard naming conventions.
  • Requesting a list of available AD/LDAP servers.
  • Choosing an appropriate target based on priority and weight.

The configuration examples below presume the AD/LDAP server address is set to example.com and the SRV record protocol is _tcp.

For SRV record names beginning with _ldap, specify ldap. The constructed DNS SRV record name resembles the following:

_ldap._tcp.example.com

For SRV record names beginning with _ldaps, specify ldaps. The constructed DNS SRV record name resembles the following:

_ldaps._tcp.example.com

If your DNS SRV record name uses alternate service or protocol names, specify on and provide the full record name as your LDAP server address. Example: _ldapserver._specialtcp.example.com

For more about DNS SRV records, see DNS SRV Records for LDAP.
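The following is an added example, not AIStor's own code, that carries the three steps above through in working shell: it builds the SRV record name from the SRV Record Name setting and the server address (rejecting an address that still carries a port), and then chooses a target from a set of SRV answers by priority and weight. The answer lines are constructed, not the output of a real query, and the record-name logic for the on value assumes the address is already the full record name, as described above.

```shell
# Added example (not AIStor's own code).

# Print the DNS name to query for the given srv_record_name setting ($1) and
# server address ($2), or fail when the combination is unusable. With ldap or
# ldaps the address must be a bare domain (no port); with "on" the address is
# itself the full record name (for example _ldapserver._specialtcp.example.com).
ldap_srv_name() {
  setting=$1; addr=$2
  case $setting in
    ldap|ldaps)
      case $addr in
        *:*)
          printf 'server address must not carry a port when srv_record_name=%s\n' "$setting" >&2
          return 1 ;;
      esac
      printf '_%s._tcp.%s\n' "$setting" "$addr" ;;
    on) printf '%s\n' "$addr" ;;
    *)  printf 'unsupported srv_record_name value: %s\n' "$setting" >&2; return 1 ;;
  esac
}

# Choose a target from SRV answers on stdin, one "priority weight port target"
# per line, printing host:port. RFC 2782 orders by lowest priority first and,
# within equal priority, selects at random in proportion to weight; this
# deterministic version takes the heaviest entry of the lowest-priority group,
# which is the single most likely outcome. A lone answer whose target is "."
# means the service is decidedly not available, and an empty answer set is an
# error rather than a silent fallback.
ldap_srv_select() {
  sort -k1,1n -k2,2nr | awk '
    NR == 1 {
      if ($4 == ".") { exit 1 }
      sub(/\.$/, "", $4)          # strip the trailing root dot from the target
      print $4 ":" $3
      exit 0
    }
    END { if (NR == 0) exit 1 }'
}

# Constructed answer set for _ldaps._tcp.example.com (not real DNS data):
SRV_ANSWERS_EXAMPLE='20 100 636 backup.example.com.
10 40 636 ldap2.example.com.
10 60 636 ldap1.example.com.'

# Resolve the example end to end: name to query, then the selected target.
ldap_srv_example() {
  name=$(ldap_srv_name ldaps example.com) || return 1
  target=$(printf '%s\n' "$SRV_ANSWERS_EXAMPLE" | ldap_srv_select) || return 1
  printf '%s -> %s\n' "$name" "$target"
}
```

Feed the answer section of a real lookup (for example the records returned by dig for the constructed name) into ldap_srv_select to see which host the priority and weight rules favour; if a lower-priority host is consistently chosen in production, the higher-priority records are failing, not misweighted.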

Comment

Optional

Specify a comment to associate to the AD/LDAP configuration.

All rights reserved 2024-Present, MinIO, Inc.