MinIO Server Documentation
Customer Login
Product
MinIO Enterprise Object Store
Overview Architecture
Features
MinIO for Public Cloud
AWS GCS Azure
MinIO for Private Cloud
OpenShift SUSE Rancher Tanzu
MinIO for Baremetal
Linux and Windows
Determine your raw and usable capacity Erasure Code Calculator MinIO's Recommended Hardware Configuration Reference Hardware
Solutions
AI Storage Object storage is powering the AI revolution. Learn how MinIO is leading the AI storage market through performance at scale. Modern Datalakes Modern, multi-engine datalakes depend on object stores that deliver performance at scale. Learn more about this core MinIO use case. Hybrid Cloud Effective multi-cloud storage strategies rely on utilizing architecture and tools that can function seamlessly across diverse environments. Equinix Repatriate your data onto the cloud you control with MinIO on Equinix to lower costs while maintaining public cloud adjacency. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. Snowflake Query and analyze multiple data sources, including streaming data, residing on MinIO with the Snowflake Data Cloud. No need to move the data, just query using SnowSQL. SQL Server Discover how to pair SQL Server 2022 with MinIO to run queries on your data on any cloud - without having to move it. HDFS Migration Modernize and simplify your big data storage infrastructure with high-performance, Kubernetes-native object storage from MinIO. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions. Veeam Learn how MinIO and Veeam have partnered to drive performance and scalability for a variety of backup use cases. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Integrations Browse our vast portfolio of integrations.
Community
GitHub Join our GitHub open source community: explore, experiment, ask questions, and contribute. Slack Channel The MinIO Community Slack provides an open forum for discussing topics related to MinIO. All support is provided on a best-effort basis.
Docs Blog Resources Training Partner Pricing Download

Documentation

MinIO Object Storage for Google Kubernetes Engine

Configure MinIO for Authentication using Active Directory / LDAP

Overview

MinIO supports configuring a single Active Directory / LDAP Connect for external management of user identities.

The procedure on this page provides instructions for:

  • Configuring a MinIO Tenant to use an external AD/LDAP provider

  • Accessing the Tenant Console using AD/LDAP Credentials.

  • Using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) API to generate temporary credentials for use by applications.

This procedure is generic for AD/LDAP services. See the documentation for the AD/LDAP provider of your choice for specific instructions or procedures on configuration of user identities.

Prerequisites

MinIO Kubernetes Operator and Plugin

Ensure your target Kubernetes cluster has a valid and working installation of the MinIO Kubernetes Operator. The host machine from which you perform the procedure should have a matching installation of the MinIO Kubernetes Plugin

This documentation assumes the latest stable Operator and Plugin version 5.0.14.

Active Directory / LDAP Compatible IDentity Provider

This procedure assumes an existing Active Directory or LDAP service. Instructions on configuring AD/LDAP are out of scope for this procedure.

  • For AD/LDAP deployments within the same Kubernetes cluster as the MinIO Tenant, you can use Kubernetes service names to allow the MinIO Tenant to establish connectivity to the AD/LDAP service.

  • For AD/LDAP deployments external to the Kubernetes cluster, you must ensure the cluster supports routing communications between Kubernetes services and pods and the external network. This may require configuration or deployment of additional Kubernetes network components and/or enabling access to the public internet.

MinIO requires a read-only access keys with which it binds to perform authenticated user and group queries. Ensure each AD/LDAP user and group intended for use with MinIO has a corresponding policy on the MinIO deployment. An AD/LDAP user with no assigned policy and with membership in groups with no assigned policy has no permission to access any action or resource on the MinIO cluster.

MinIO Tenant

This procedure assumes your Kubernetes cluster has sufficient resources to deploy a new MinIO Tenant.

You can also use this procedure as guidance for modifying an existing MinIO Tenant to enable AD/LDAP Identity Management.

Deploy MinIO Tenant with Active Directory / LDAP Identity Management

1) Access the Operator Console

Use the kubectl minio proxy command to temporarily forward traffic between the local host machine and the MinIO Operator Console:

kubectl minio proxy

The command returns output similar to the following:

Starting port forward of the Console UI.

To connect open a browser and go to http://localhost:9001

Current JWT to login: TOKEN

Open your browser to the specified URL and enter the JWT Token into the login page. You should see the Tenants page:

MinIO Operator Console

Click the + Create Tenant to start creating a MinIO Tenant.

If you are modifying an existing Tenant, select that Tenant from the list. The following steps reference the necessary sections and configuration settings for existing Tenants.

2) Complete the Identity Provider Section

To enable external identity management with an Active Directory / LDAP provider, select the Identity Provider section. You can then change the radio button to Active Directory to display the configuration settings.

MinIO Operator Console - Create a Tenant - External Identity Provider Section - Active Directory / LDAP

An asterisk * marks required fields. The following table provides general guidance for those fields:

Field

Description

LDAP Server Address

The hostname of the Active Directory or LDAP server.

Lookup Bind DN

The Distinguished Name MinIO uses to authenticate and query the AD/LDAP server.

See Querying the Active Directory / LDAP Service for more information.

List of user DNs (Distinguished Names) to be Tenant Administrators

Specify a user DNs which MinIO assigns a policy with administrative permissions for the Tenant. You can specify multiple DNs by selecting the plus icon. You can delete a DN by selecting the trash can icon for that DN.

Once you complete the section, you can finish any other required sections of Tenant Deployment.

3) Assign Policies to AD/LDAP Users

MinIO by default assigns no policies to AD/LDAP users or groups. You must explicitly assign MinIO policies to a given user or group Distinguished Name (DN) to grant that user or group access to the MinIO deployment.

The following example assumes an existing alias configured for the MinIO Tenant.

Use the mc idp ldap policy attach command to assign a user or group DN to an existing MinIO Policy:

mc idp ldap policy attach minio-tenant POLICY --user='uid=primary,cn=applications,dc=domain,dc=com'
mc idp ldap policy attach minio-tenant POLICY --group='cn=applications,ou=groups,dc=domain,dc=com'

Replace POLICY with the name of the MinIO policy to assign to the user or group DN.

See Access Control for AD/LDAP-Managed Identities for more information on access control with AD/LDAP users and groups.

4) Use the MinIO Tenant Console to Log In with AD/LDAP Credentials

The MinIO Console supports the full workflow of authenticating to the AD/LDAP provider, generating temporary credentials using the MinIO AssumeRoleWithLDAPIdentity Security Token Service (STS) endpoint, and logging the user into the MinIO deployment.

See the Deploy MinIO Tenant: Access the Tenant’s MinIO Console for instructions on accessing the Tenant Console.

If the AD/LDAP configuration succeeded, the Console displays a button to login with AD/LDAP credentials.

Enter the user’s AD/LDAP credentials and log in to access the Console.

Once logged in, you can perform any action for which the authenticated user is authorized.

You can also create access keys for supporting applications which must perform operations on MinIO. Access Keys are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the access keys.

5) Generate S3-Compatible Temporary Credentials using AD/LDAP Credentials

Applications can use an AD/LDAP user credential to generate temporary S3-compatible credentials as-needed using the AssumeRoleWithLDAPIdentity Security Token Service (STS) API endpoint. MinIO provides an example Go application ldap.go with an example of managing this workflow.

POST https://minio.example.net?Action=AssumeRoleWithLDAPIdentity
&LDAPUsername=USERNAME
&LDAPPassword=PASSWORD
&Version=2011-06-15
&Policy={}

  • Replace minio.example.net with the hostname or URL for the MinIO Tenant service.

  • Replace the LDAPUsername with the username of the AD/LDAP user.

  • Replace the LDAPPassword with the password of the AD/LDAP user.

  • Replace the Policy with an inline URL-encoded JSON policy that further restricts the permissions associated to the temporary credentials.

    Omit to use the policy whose name matches the Distinguished Name (DN) of the AD/LDAP user.

The API response consists of an XML document containing the access key, secret key, session token, and expiration date. Applications can use the access key and secret key to access and perform operations on MinIO.

See the AssumeRoleWithLDAPIdentity for reference documentation.

Disable a Configured Active Directory / LDAP Connection

New in version RELEASE.2023-03-20T20-16-18Z.

You can enable and disable the configured AD/LDAP connection as needed.

Use mc idp ldap disable to deactivate a configured connection. Use mc idp ldap enable to activate a previously configured connection.

You may also enable or disable AD/LDAP from the MinIO Console.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License