mc idp ldap update
The mc idp ldap update command modifies an existing set of configurations for an AD/LDAP provider.
Syntax
Parameters
ALIAS
Required
The alias of the AIStor deployment on which to modify an AD/LDAP integration.
For example:
mc idp ldap update myminio \
lookup_bind_dn=cn=admin,dc=min,dc=io
server_addr
Required
Specify the hostname for the Active Directory / LDAP server. For example:
ldapserver.com:636
This parameter corresponds with the MINIO_IDENTITY_LDAP_SERVER_ADDR
environment variable.
lookup_bind_dn
Required
Specify the Distinguished Name (DN) for an AD/LDAP account AIStor uses when querying the AD/LDAP server. Enables Lookup-Bind authentication to the AD/LDAP server.
The DN account should have read-only access with sufficient privileges to perform user and group lookups.
This parameter corresponds with the MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
environment variable.
lookup_bind_password
Required
Specify the password for the Lookup-Bind user account.
AIStor redacts this value when returned as part of mc admin config get.
This parameter corresponds with the MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
environment variable.
user_dn_attributes
Optional
Comma-separated list of user DN attributes.
Some valid values include uid, cn, mail, and sshPublicKey.
To enable public key authentication for LDAP users, pass sshPublicKey as a DN attribute.
The user can then use the passed SSH public key to log in to SFTP servers.
mc idp ldap update ALIAS user_dn_attributes=sshPublicKey
user_dn_search_base_dn
Required
Specify the base Distinguished Name (DN) AIStor uses when querying for user credentials matching those provided by an authenticating client.
Separate multiple DNs with a semicolon (;).
For example:
cn=miniousers,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=io
Supports Lookup-Bind mode.
This parameter corresponds with the MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
environment variable.
user_dn_search_filter
Required
Specify the AD/LDAP search filter AIStor uses when querying for user credentials matching those provided by an authenticating client.
Use the %s substitution character to insert the client-specified username into the search string.
For example:
(userPrincipalName=%s)
This parameter corresponds with the MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER
environment variable.
comment
Optional
Specify a comment to associate to the AD/LDAP configuration.
This parameter corresponds with the MINIO_IDENTITY_LDAP_COMMENT
environment variable.
enabled
Optional
Set to false to disable the AD/LDAP configuration.
If false, applications cannot generate STS credentials or otherwise authenticate to AIStor using the configured provider.
Defaults to true or “enabled”.
group_search_base_dn
Optional
Specify a semicolon-separated (;) list of group search base Distinguished Names AIStor uses when performing group lookups.
For example:
cn=miniogroups,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=io
This parameter corresponds with the MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN
environment variable.
group_search_filter
Optional
Specify an AD/LDAP search filter for performing group lookups for the authenticated user.
Use the %s substitution character to insert the client-specified username into the search string.
Use the %d substitution character to insert the Distinguished Name of the client-specified username into the search string.
For example:
(&(objectclass=groupOfNames)(memberUid=%s))
This parameter corresponds with the MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER
environment variable.
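The %s and %d substitutions in user_dn_search_filter and group_search_filter place a client-supplied username, or a DN read back from the directory, inside an LDAP search filter. The following Python is an added illustration of that substitution together with the RFC 4515 value escaping any filter renderer needs so that metacharacters in the username match only literally; it is not AIStor's or mc's code, and the function names render_ldap_filter and ldap_filter_escape, the sample username, and the DN uid=alice,ou=swengg,dc=min,dc=io are constructed for the example.

```python
import re
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can only ever match literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_ldap_filter(template: str, username: str, user_dn: Optional[str] = None) -> str:
    """Expand %s (client username) and %d (user DN) in a search filter template.

    Illustrative helper, not the AIStor implementation. A single regex pass is
    used so substituted text is never re-scanned for further placeholders.
    """

    def expand(match: "re.Match[str]") -> str:
        if match.group(0) == "%s":
            return ldap_filter_escape(username)
        if user_dn is None:
            raise ValueError("filter uses %d but no user DN was supplied")
        return ldap_filter_escape(user_dn)

    return re.sub(r"%[sd]", expand, template)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real directory.
    user_filter = "(userPrincipalName=%s)"
    group_filter = "(&(objectclass=groupOfNames)(member=%d))"
    print(render_ldap_filter(user_filter, "alice@min.io"))
    print(render_ldap_filter(group_filter, "alice", "uid=alice,ou=swengg,dc=min,dc=io"))
    # A username carrying filter metacharacters stays a literal string once escaped.
    print(render_ldap_filter("(uid=%s)", "alice*)(objectclass=*"))
```

The group filter on this page uses memberUid=%s; the %d form shown above is the variant for directories whose group entries store full member DNs, as in a groupOfNames member attribute.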
server_insecure
Optional
Specify on to allow unsecured (non-TLS encrypted) connections to the AD/LDAP server.
AIStor sends AD/LDAP user credentials to the AD/LDAP server in plaintext within the LDAP protocol, so TLS is required to prevent them from being read over the wire. Enabling this option presents a security risk: any party able to observe the network traffic can read the unencrypted credentials.
Defaults to off.
This parameter corresponds with the MINIO_IDENTITY_LDAP_SERVER_INSECURE
environment variable.
server_starttls
Optional
Specify on to enable StartTLS connections to an AD/LDAP server.
Defaults to off.
For more about StartTLS, refer to section 4.14 of the LDAP RFC 4511 specification.
This parameter corresponds with the MINIO_IDENTITY_LDAP_SERVER_STARTTLS
environment variable.
srv_record_name
Optional
Specify the appropriate value to enable AIStor to select an AD/LDAP server using a DNS SRV record request.
When enabled, AIStor selects an AD/LDAP server by:
- Constructing the target SRV record name following standard naming conventions.
- Requesting a list of available AD/LDAP servers.
- Choosing an appropriate target based on priority and weight.
The configuration examples below presume the AD/LDAP server address is set to example.com and the SRV record protocol is _tcp.
For SRV record names beginning with _ldap, specify ldap.
The constructed DNS SRV record name resembles the following:
_ldap._tcp.example.com
For SRV record names beginning with _ldaps, specify ldaps.
The constructed DNS SRV record name resembles the following:
_ldaps._tcp.example.com
If your DNS SRV record name uses alternate service or protocol names, specify on and provide the full record name as your LDAP server address.
Example: _ldapserver._specialtcp.example.com
For more about DNS SRV records, see DNS SRV Records for LDAP.
This parameter corresponds with the MINIO_IDENTITY_LDAP_SRV_RECORD_NAME
environment variable.
tls_skip_verify
Optional
Specify on to trust the AD/LDAP server TLS certificates without verification.
This option may be required if the AD/LDAP server TLS certificates are signed by an untrusted Certificate Authority (for example, self-signed).
Defaults to off.
This parameter corresponds with the MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY
environment variable.
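Several of the parameters above trade security for convenience (server_insecure, tls_skip_verify), and srv_record_name changes how the server address is interpreted. The following Python is an added pre-flight check for a set of KEY=VALUE arguments before they are handed to mc idp ldap update; it is not part of mc or AIStor. The function names parse_kv, srv_record_name, preflight and render_command, the severity labels, and the sample argument values are constructed for the example; dropping a port suffix from server_addr when building the SRV name is an assumption the page does not state.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Keys whose values are secrets; redacted when the command is rendered for a log or ticket.
SECRET_KEYS = {"lookup_bind_password"}

Finding = Tuple[str, str, str]  # (severity, key, message); severities are this example's own labels


def parse_kv(args: List[str]) -> Dict[str, str]:
    """Parse KEY=VALUE arguments as passed to `mc idp ldap update ALIAS KEY=VALUE ...`."""
    config: Dict[str, str] = {}
    for arg in args:
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"expected KEY=VALUE, got {arg!r}")
        config[key] = value
    return config


def srv_record_name(config: Dict[str, str]) -> Optional[str]:
    """Derive the DNS SRV record name for srv_record_name=ldap|ldaps|on, or None if unset.

    Assumption (not stated on the page): a :port suffix on server_addr is dropped,
    and server_addr is a hostname rather than an IPv6 literal.
    """
    mode = config.get("srv_record_name", "")
    addr = config.get("server_addr", "")
    if mode == "":
        return None
    if mode == "on":
        return addr  # the full record name is supplied as the server address
    if mode in ("ldap", "ldaps"):
        host = addr.split(":")[0]
        return f"_{mode}._tcp.{host}"
    raise ValueError(f"unsupported srv_record_name value {mode!r}")


def preflight(config: Dict[str, str]) -> List[Finding]:
    """Flag settings that weaken transport security or make a filter ineffective."""
    findings: List[Finding] = []
    if config.get("server_insecure", "off") == "on":
        findings.append(("high", "server_insecure",
                         "bind credentials travel in plaintext; use TLS (port 636) or server_starttls=on"))
    if config.get("tls_skip_verify", "off") == "on":
        findings.append(("high", "tls_skip_verify",
                         "server certificate is not verified; an on-path party could impersonate the directory"))
    user_filter = config.get("user_dn_search_filter")
    if user_filter is not None and "%s" not in user_filter:
        findings.append(("high", "user_dn_search_filter",
                         "filter has no %s, so it does not match on the client-supplied username"))
    group_filter = config.get("group_search_filter")
    if group_filter is not None and "%s" not in group_filter and "%d" not in group_filter:
        findings.append(("medium", "group_search_filter",
                         "filter has neither %s nor %d, so every user receives the same group lookup"))
    if config.get("enabled", "true") == "false":
        findings.append(("info", "enabled", "provider disabled; no STS credentials can be issued through it"))
    try:
        srv_record_name(config)
    except ValueError as exc:
        findings.append(("medium", "srv_record_name", str(exc)))
    return findings


def render_command(alias: str, config: Dict[str, str], redact: bool = True) -> str:
    """Render the mc command line, redacting secrets so it is safe to paste into a change record."""
    parts = ["mc", "idp", "ldap", "update", shlex.quote(alias)]
    for key, value in config.items():
        shown = "REDACTED" if redact and key in SECRET_KEYS else value
        parts.append(shlex.quote(f"{key}={shown}"))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample arguments, not from a real deployment.
    weak = parse_kv([
        "server_addr=ldapserver.com:389",
        "lookup_bind_dn=cn=admin,dc=min,dc=io",
        "lookup_bind_password=hunter2",
        "user_dn_search_base_dn=ou=swengg,dc=min,dc=io",
        "user_dn_search_filter=(uid=%s)",
        "server_insecure=on",
        "tls_skip_verify=on",
    ])
    for severity, key, message in preflight(weak):
        print(f"[{severity}] {key}: {message}")
    hardened = dict(weak, server_addr="ldapserver.com:636", server_insecure="off",
                    tls_skip_verify="off", srv_record_name="ldaps")
    print("findings on hardened config:", preflight(hardened))
    print(render_command("myminio", hardened))
    print("SRV lookup:", srv_record_name(hardened))
```

The weak sample trips both transport findings; the hardened copy of the same arguments, using port 636 and a verified certificate, produces none and resolves the directory through _ldaps._tcp.ldapserver.com.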
Global Flags
This command supports any of the global flags.
Behavior
S3 Compatibility
The mc command-line tool is built for compatibility with the AWS S3 API and is tested with AIStor and AWS S3 for expected functionality and behavior.
AIStor provides no guarantees for other S3-compatible services, as their S3 API implementation is unknown and therefore unsupported.
While mc commands may work as documented, any such usage is at your own risk.