Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage

Configure MinIO for Authentication using Active Directory / LDAP

Overview

MinIO supports configuring a single Active Directory / LDAP Connect for external management of user identities.

The procedure on this page provides instructions for:

For MinIO Tenants deployed using the MinIO Kubernetes Operator, this procedure covers:

  • Configuring a MinIO Tenant to use an external AD/LDAP provider

  • Accessing the Tenant Console using AD/LDAP Credentials.

  • Using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) API to generate temporary credentials for use by applications.

For MinIO deployments on baremetal infrastructure, this procedure covers:

  • Configuring a MinIO cluster for an external AD/LDAP provider.

  • Accessing the MinIO Console using AD/LDAP credentials.

  • Using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) API to generate temporary credentials for use by applications.

This procedure is generic for AD/LDAP services. See the documentation for the AD/LDAP provider of your choice for specific instructions or procedures on configuration of user identities.

Prerequisites

Access to MinIO Cluster

You must have access to the MinIO Operator Console web UI. You can either expose the MinIO Operator Console service using your preferred Kubernetes routing component, or use temporary port forwarding to expose the Console service port on your local machine.

This procedure uses mc for performing operations on the MinIO cluster. Install mc on a machine with network access to the cluster. See the mc Installation Quickstart for instructions on downloading and installing mc.

This procedure assumes a configured alias for the MinIO cluster.

Active Directory / LDAP Compatible IDentity Provider

This procedure assumes an existing Active Directory or LDAP service. Instructions on configuring AD/LDAP are out of scope for this procedure.

  • For AD/LDAP deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the AD/LDAP service.

  • For AD/LDAP deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.

The MinIO deployment must have bidirectional network connectivity to the target AD / LDAP service.

MinIO requires a read-only access keys with which it binds to perform authenticated user and group queries. Ensure each AD/LDAP user and group intended for use with MinIO has a corresponding policy on the MinIO deployment. An AD/LDAP user with no assigned policy and with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster.

Configure MinIO with Active Directory or LDAP External Identity Management

  1. Set the Active Directory / LDAP Configuration Settings

    Configure the AD/LDAP provider using one of the following:

    • MinIO Client

    • Environment variables

    All methods require starting/restarting the MinIO deployment to apply changes.

    The following tabs provide a quick reference for the available configuration methods:

    MinIO supports specifying the AD/LDAP provider settings using mc idp ldap commands.

    For distributed deployments, the mc idp ldap command applies the configuration to all nodes in the deployment.

    The following example code sets all configuration settings related to configuring an AD/LDAP provider for external identity management.

    The minimum required settings are:

    mc idp ldap add ALIAS                                                  \
  server_addr="ldaps.example.net:636"                                  \
  lookup_bind_dn="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net"        \
  lookup_bind_password="xxxxxxxx"                                      \
  user_dn_search_base_dn="DC=example,DC=net"                           \
  user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))"  \
  group_search_filter= "(&(objectClass=group)(member=%d))"             \
  group_search_base_dn="ou=MinIO Users,dc=example,dc=net"              \
  tls_skip_verify="off"                                                \
  server_insecure=off                                                  \
  server_starttls="off"                                                \
  srv_record_name=""                                                   \
  comment="Test LDAP server"

    For Kubernetes deployments, ensure the ALIAS corresponds to the externally accessible hostname for the MinIO Tenant.

    For more complete documentation on these settings, see mc idp ldap.

    mc idp ldap recommended

    mc idp ldap offers additional features and improved validation over mc admin config set runtime configuration settings. mc idp ldap supports the same settings as mc admin config and the identity_ldap configuration key.

    The identity_ldap configuration key remains available for existing scripts and tools.

    MinIO supports specifying the AD/LDAP provider settings using environment variables.

    The minio server process applies the specified settings on its next startup. For distributed deployments, specify these settings across all nodes in the deployment using the same values. Any differences in server configurations between nodes will result in startup or configuration failures.

    The following example code sets all environment variables related to configuring an AD/LDAP provider for external identity management. The minimum required variable are:

    export MINIO_IDENTITY_LDAP_SERVER_ADDR="ldaps.example.net:636"
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN="CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=example,DC=net"
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN="dc=example,dc=net"
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER="(&(objectCategory=user)(sAMAccountName=%s))"
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD="xxxxxxxxx"
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER="(&(objectClass=group)(member=%d))"
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN="ou=MinIO Users,dc=example,dc=net"
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY="off"
export MINIO_IDENTITY_LDAP_SERVER_INSECURE="off"
export MINIO_IDENTITY_LDAP_SERVER_STARTTLS="off"
export MINIO_IDENTITY_LDAP_SRV_RECORD_NAME=""
export MINIO_IDENTITY_LDAP_COMMENT="LDAP test server"

    For complete documentation on these variables, see Active Directory / LDAP Settings.

  2. Restart the MinIO Deployment

    You must restart the MinIO deployment to apply the configuration changes.

    If you configured AD/LDAP from the MinIO Console, no additional action is required. The MinIO Console automatically restarts the deployment after saving the new AD/LDAP configuration.

    For MinIO Client and environment variable configuration, use the mc admin service restart command to restart the deployment:

    mc admin service restart ALIAS

    Replace ALIAS with the alias of the deployment to restart.

  3. Use the MinIO Console to Log In with AD/LDAP Credentials

    The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.

    You can access the Console by opening the root URL for the MinIO cluster. For example, https://minio.example.net:9000.

    Once logged in, you can perform any action for which the authenticated user is authorized.

    You can also create access keys for supporting applications which must perform operations on MinIO. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account.

  4. Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials

    MinIO requires clients to authenticate using AWS Signature Version 4 protocol with support for the deprecated Signature Version 2 protocol. Specifically, clients must present a valid access key and secret key to access any S3 or MinIO administrative API, such as PUT, GET, and DELETE operations.

    Applications can generate temporary access credentials as-needed using the AssumeRoleWithLDAPIdentity Security Token Service (STS) API endpoint and AD/LDAP user credentials. MinIO provides an example Go application ldap.go that manages this workflow.

    POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
&LDAPUsername=USERNAME
&LDAPPassword=PASSWORD
&Version=2011-06-15
&Policy={}

    • Replace the LDAPUsername with the username of the AD/LDAP user.

    • Replace the LDAPPassword with the password of the AD/LDAP user.

    • Replace the Policy with an inline URL-encoded JSON policy that further restricts the permissions associated to the temporary credentials.

      Omit to use the policy whose name matches the Distinguished Name (DN) of the AD/LDAP user.

    The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use the access key and secret key to access and perform operations on MinIO.

    See the AssumeRoleWithLDAPIdentity for reference documentation.

Disable a Configured Active Directory / LDAP Connection

New in version RELEASE.2023-03-20T20-16-18Z.

You can enable and disable the configured AD/LDAP connection as needed.

Use mc idp ldap disable to deactivate a configured connection. Use mc idp ldap enable to activate a previously configured connection.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License