Erasure Code Calculator
Reference Hardware
Active Directory / LDAP Settings
This page documents settings for enabling external identity management using an Active Directory or LDAP service. See Configure MinIO for Authentication using Active Directory / LDAP for a tutorial on using these settings.
Important
New in version RELEASE.2023-05-26T23-31-54Z:
mc idp ldap commands are preferred over using configuration settings to configure MinIO to use Active Directory or LDAP for identity management.
MinIO recommends using the mc idp ldap commands for LDAP management operations.
These commands offer better validation and additional features, while providing the same settings as the identity_ldap configuration key.
See Configure MinIO for Authentication using Active Directory / LDAP for a tutorial on using mc idp ldap.
The identity_ldap configuration settings remains available for existing scripts and other tools.
You can establish or modify settings by defining:
an environment variable on the host system prior to starting or restarting the MinIO Server. Refer to your operating system’s documentation for how to define an environment variable.
a configuration setting using
mc admin config set.a configuration setting using the MinIO Console’s Administrator > Settings pages.
If you define both an environment variable and the similar configuration setting, MinIO uses the environment variable value.
Some settings have only an environment variable or a configuration setting, but not both.
Important
Each configuration setting controls fundamental MinIO behavior and functionality. MinIO strongly recommends testing configuration changes in a lower environment, such as DEV or QA, before applying to production.
Examples
MINIO_IDENTITY_LDAP_SERVER_ADDR="ldapserver.com:636"
Note
srv_record_name automatically identifies the port.
If your AD/LDAP server uses DNS SRV Records, do not append the port number to your server_addr value.
SRV requests automatically include port numbers when returning the list of available servers.
The following settings are required when defining LDAP using mc admin config set:
enabledserver_addrlookup_bind_dnlookup_bind_dn_passworduser_dn_search_base_dnuser_dn_search_filter
mc admin config set identity_ldap \
enabled="true" \
server_addr="ad-ldap.example.net/" \
lookup_bind_dn="cn=miniolookupuser,dc=example,dc=net" \
lookup_bind_dn_password="userpassword" \
user_dn_search_base_dn="dc=example,dc=net" \
user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))"
Settings
Server Address
Required
- MINIO_IDENTITY_LDAP_SERVER_ADDR
Specify the hostname for the Active Directory / LDAP server. For example:
ldapserver.com:636
srv_record_nameautomatically identifies the portIf your AD/LDAP server uses
DNS SRV Records, do not append the port number to yourserver_addrvalue. SRV requests automatically include port numbers when returning the list of available servers.
Specify the hostname for the Active Directory / LDAP server. For example:
ldapserver.com:636
srv_record_name automatically identifies the port
If your AD/LDAP server uses DNS SRV Records, do not append the port number to your server_addr value.
SRV requests automatically include port numbers when returning the list of available servers.
Lookup Bind DN
Required
Specify the Distinguished Name (DN) for an AD/LDAP account MinIO uses when querying the AD/LDAP server. Enables Lookup-Bind authentication to the AD/LDAP server.
The DN account should be a read-only access keys with sufficient privileges to support querying performing user and group lookups.
Lookup Bind Password
Required
Specify the password for the Lookup-Bind user account.
Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.
User DN Search Base DN
Required
Specify the base Distinguished Name (DN) MinIO uses when querying for user credentials matching those provided by an authenticating client. For example:
cn=miniousers,dc=myldapserver,dc=net
Supports Lookup-Bind mode.
User DN Search Filter
Required
Specify the AD/LDAP search filter MinIO uses when querying for user credentials matching those provided by an authenticating client.
Use the %s substitution character to insert the client-specified
username into the search string. For example:
(userPrincipalName=%s)
Enabled
Optional
This setting does not have an environment variable option. Use the configuration setting instead.
Set to false to disable the AD/LDAP configuration.
If false, applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider.
Defaults to true or “enabled”.
Group Search Filter
Optional
Specify an AD/LDAP search filter for performing group lookups for the authenticated user
Use the %s substitution character to insert the client-specified username
into the search string. Use the %d substitution character to insert the
Distinguished Name of the client-specified username into the search string.
For example:
(&(objectclass=groupOfNames)(memberUid=%s))
Group Search Base DN
Optional
Specify a comma-separated list of group search base Distinguished Names MinIO uses when performing group lookups.
For example:
cn=miniogroups,dc=myldapserver,dc=net"
TLS Skip Verify
Optional
Specify on to trust the AD/LDAP server TLS certificates without
verification. This option may be required if the AD/LDAP server TLS certificates
are signed by an untrusted Certificate Authority (e.g. self-signed).
Defaults to off
Server Insecure
Optional
Specify on to allow unsecured (non-TLS encrypted) connections to
the AD/LDAP server.
MinIO sends AD/LDAP user credentials in plain text to the AD/LDAP server, such that enabling TLS is required to prevent reading credentials over the wire. Using this option presents a security risk where any user with access to network traffic can observe the unencrypted plaintext credentials.
Defaults to off.
Server Start TLS
Optional
Specify on to enable StartTLS connections to an AD/LDAP server.
Defaults to off
For more about StartTLS, refer to section 4.14 of the LDAP RFC 4511 specification.
SRV Record Name
Optional
New in version RELEASE.2022-12-12T19-27-27Z.
Specify the appropriate value to enable MinIO to select an AD/LDAP server using a DNS SRV record request.
When enabled, MinIO selects an AD/LDAP server by:
Constructing the target SRV record name following standard naming conventions.
Requesting a list of available AD/LDAP servers.
Choosing an appropriate target based on priority and weight.
The configuration examples below presume the AD/LDAP server address is set to example.com and the SRV record protocol is _tcp.
For SRV record names beginning with _ldap, specify ldap.
The constructed DNS SRV record name resembles the following:
_ldap._tcp.example.com
For SRV record names with beginning with _ldaps, specify ldaps.
The constructed DNS SRV record name resembles the following:
_ldaps._tcp.example.com
If your DNS SRV record name uses alternate service or protocol names, specify on and provide the full record name as your LDAP server address.
Example: _ldapserver._specialtcp.example.com
For more about DNS SRV records, see DNS SRV Records for LDAP.
Server address for DNS SRV record configurations
The specified server name must not include a port number. This is different from a standard AD/LDAP configuration, where the port number is required.
See server_addr or MINIO_IDENTITY_LDAP_SERVER_ADDR for more about configuring an AD/LDAP server address.
Comment
Optional
Specify a comment to associate to the AD/LDAP configuration.
