Product
Overview
What is AIStor?
Features
Replication Replication Console Console Cache Cache Encryption Encryption Versioning Versioning Observability Observability Object Immutability Object Immutability Key Management Server Key Management Server S3 Compatibility S3 Compatibility Identity + Access Mgt Identity + Access Mgt Catalog Catalog Object Prompt Object Prompt Lifecycle Lifecycle Firewall Firewall AIHub AIHub
Tools
Erasure Code Calculator Erasure Code Calculator Determine your raw and usable capacity across a range of erasure coding settings. Reference Hardware Reference Hardware MinIO’s recommended Configuration and reference hardware for building large scale data infrastructure.
Solutions
AI Storage Learn how MinIO is leading the AI storage market from its exclusive features to performance at scale. HDFS Migration Modernize and simplify your big data storage infrastructure with cloud native storage with AIStor. Snowflake Learn how to leverage Snowflake external tables to query data without having to move it.
Integrations Integrations with MinIO Browse our expansive list of
integrations with links to the relevant
documentation.
Veeam Learn how MinIO and Veeam have partnered deliver superior RTO and RPO. Modern Datalakes Learn how modern, multi-engine data lakeshouses depend on MinIO's AIStor. Equinix Repatriate your data onto the cloud you control with MinIO and Equinix. SQL Server Learn how to leverage SQL Server 2022 with MinIO to run queries on your data without having to move it. Commvault Learn how Commvault and MinIO are partnered to deliver performance at scale for mission critical backup and restore workloads. Hybrid Cloud Learn how enterprises use MinIO to build AI data infrastructure that runs on any cloud - public, private or colo. Splunk Find out how MinIO is delivering performance at scale for Splunk SmartStores. VMware Discover how MinIO integrates with VMware across the portfolio from the Persistent Data platform to TKG and how we support their Kubernetes ambitions.
Open Source
Github Community Explore, experiment, ask questions and contribute. Docs Development guides. Slack Channel Open Forum for discussing topics related to MinIO.
Download MinIO Object Store Get MinIO's open source server, client, and SDK.
Resources
Resources Home Browse our library of white papers, solution briefs, benchmarks and videos. Blog Product updates, company news, and educational content. Training Learn the MinIO Way and Become a Data Infrastructure Expert.
Events Join us to take advantage to meet with MinIO partners, employees, and subject-matter experts.
Partner Pricing Login Download

Documentation

MinIO Object Storage for Linux

Active Directory / LDAP Settings

This page documents settings for enabling external identity management using an Active Directory or LDAP service. See Configure MinIO for Authentication using Active Directory / LDAP for a tutorial on using these settings.

Important

New in version RELEASE.2023-05-26T23-31-54Z:

mc idp ldap commands are preferred over using configuration settings to configure MinIO to use Active Directory or LDAP for identity management.

MinIO recommends using the mc idp ldap commands for LDAP management operations. These commands offer better validation and additional features, while providing the same settings as the identity_ldap configuration key. See Configure MinIO for Authentication using Active Directory / LDAP for a tutorial on using mc idp ldap.

The identity_ldap configuration settings remains available for existing scripts and other tools.

You can establish or modify settings by defining:

  • an environment variable on the host system prior to starting or restarting the MinIO Server. Refer to your operating system’s documentation for how to define an environment variable.

  • a configuration setting using mc admin config set.

  • a configuration setting using the MinIO Console’s Administrator > Settings pages.

If you define both an environment variable and the similar configuration setting, MinIO uses the environment variable value.

Some settings have only an environment variable or a configuration setting, but not both.

Important

Each configuration setting controls fundamental MinIO behavior and functionality. MinIO strongly recommends testing configuration changes in a lower environment, such as DEV or QA, before applying to production.

Examples

MINIO_IDENTITY_LDAP_SERVER_ADDR="ldapserver.com:636"

Note

srv_record_name automatically identifies the port.

If your AD/LDAP server uses DNS SRV Records, do not append the port number to your server_addr value. SRV requests automatically include port numbers when returning the list of available servers.

identity_ldap

The following settings are required when defining LDAP using mc admin config set:

  • enabled

  • server_addr

  • lookup_bind_dn

  • lookup_bind_dn_password

  • user_dn_search_base_dn

  • user_dn_search_filter

mc admin config set identity_ldap                        \
   enabled="true"                                        \
   server_addr="ad-ldap.example.net/"                    \
   lookup_bind_dn="cn=miniolookupuser,dc=example,dc=net" \
   lookup_bind_dn_password="userpassword"                \
   user_dn_search_base_dn="dc=example,dc=net"            \
   user_dn_search_filter="(&(objectCategory=user)(sAMAccountName=%s))"

Settings

Server Address

Required

MINIO_IDENTITY_LDAP_SERVER_ADDR

Specify the hostname for the Active Directory / LDAP server. For example:

ldapserver.com:636

srv_record_name automatically identifies the port

If your AD/LDAP server uses DNS SRV Records, do not append the port number to your server_addr value. SRV requests automatically include port numbers when returning the list of available servers.

identity_ldap server_addr

Specify the hostname for the Active Directory / LDAP server. For example:

ldapserver.com:636

srv_record_name automatically identifies the port

If your AD/LDAP server uses DNS SRV Records, do not append the port number to your server_addr value. SRV requests automatically include port numbers when returning the list of available servers.

Lookup Bind DN

Required

MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
identity_ldap lookup_bind_dn

Specify the Distinguished Name (DN) for an AD/LDAP account MinIO uses when querying the AD/LDAP server. Enables Lookup-Bind authentication to the AD/LDAP server.

The DN account should be a read-only access keys with sufficient privileges to support querying performing user and group lookups.

Lookup Bind Password

Required

MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
identity_ldap lookup_bind_password

Specify the password for the Lookup-Bind user account.

Changed in version RELEASE.2023-06-23T20-26-00Z: MinIO redacts this value when returned as part of mc admin config get.

User DN Search Base DN

Required

MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
identity_ldap user_dn_search_base_dn

Specify the base Distinguished Name (DN) MinIO uses when querying for user credentials matching those provided by an authenticating client.

Separate multiple DNs with a semicolon (;).

For example:

cn=miniousers,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=io

Supports Lookup-Bind mode.

User DN Search Filter

Required

MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER
identity_ldap user_dn_search_filter

Specify the AD/LDAP search filter MinIO uses when querying for user credentials matching those provided by an authenticating client.

Use the %s substitution character to insert the client-specified username into the search string. For example:

(userPrincipalName=%s)

User DN Attributes

Optional

MINIO_IDENTITY_LDAP_USER_DN_ATTRIBUTES
identity_ldap user_dn_attributes

New in version RELEASE.2024-06-06T09-36-42Z.

Comma-separated list of user DN attributes.

Some valid values include, uid,cn,mail,sshPublicKey.

To enable public authentication for LDAP users, pass sshPublicKey as a DN attribute. The user can then use the passed SSH Public Key to log in to SFTP servers.

mc idp ldap update ALIAS user_dn_attributes=sshPublicKey

Enabled

Optional

This setting does not have an environment variable option. Use the configuration setting instead.

identity_ldap enabled

Set to false to disable the AD/LDAP configuration.

If false, applications cannot generate STS credentials or otherwise authenticate to MinIO using the configured provider.

Defaults to true or “enabled”.

Group Search Filter

Optional

MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER
identity_ldap group_search_filter

Specify an AD/LDAP search filter for performing group lookups for the authenticated user

Use the %s substitution character to insert the client-specified username into the search string. Use the %d substitution character to insert the Distinguished Name of the client-specified username into the search string.

For example:

(&(objectclass=groupOfNames)(memberUid=%s))

Group Search Base DN

Optional

MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN
identity_ldap group_search_base_dn

Specify a semicolon-separated (;) list of group search base Distinguished Names MinIO uses when performing group lookups.

For example:

cn=miniogroups,dc=myldapserver,dc=net;ou=swengg,dc=min,dc=io

TLS Skip Verify

Optional

MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY
identity_ldap tls_skip_verify

Specify on to trust the AD/LDAP server TLS certificates without verification. This option may be required if the AD/LDAP server TLS certificates are signed by an untrusted Certificate Authority (e.g. self-signed).

Defaults to off

Server Insecure

Optional

MINIO_IDENTITY_LDAP_SERVER_INSECURE
identity_ldap server_insecure

Specify on to allow unsecured (non-TLS encrypted) connections to the AD/LDAP server.

MinIO sends AD/LDAP user credentials in plain text to the AD/LDAP server, such that enabling TLS is required to prevent reading credentials over the wire. Using this option presents a security risk where any user with access to network traffic can observe the unencrypted plaintext credentials.

Defaults to off.

Server Start TLS

Optional

MINIO_IDENTITY_LDAP_SERVER_STARTTLS
identity_ldap server_starttls

Specify on to enable StartTLS connections to an AD/LDAP server.

Defaults to off

For more about StartTLS, refer to section 4.14 of the LDAP RFC 4511 specification.

SRV Record Name

Optional

New in version RELEASE.2022-12-12T19-27-27Z.

MINIO_IDENTITY_LDAP_SRV_RECORD_NAME
identity_ldap srv_record_name

Specify the appropriate value to enable MinIO to select an AD/LDAP server using a DNS SRV record request.

When enabled, MinIO selects an AD/LDAP server by:

  • Constructing the target SRV record name following standard naming conventions.

  • Requesting a list of available AD/LDAP servers.

  • Choosing an appropriate target based on priority and weight.

The configuration examples below presume the AD/LDAP server address is set to example.com and the SRV record protocol is _tcp.

For SRV record names beginning with _ldap, specify ldap. The constructed DNS SRV record name resembles the following:

_ldap._tcp.example.com

For SRV record names with beginning with _ldaps, specify ldaps. The constructed DNS SRV record name resembles the following:

_ldaps._tcp.example.com

If your DNS SRV record name uses alternate service or protocol names, specify on and provide the full record name as your LDAP server address. Example: _ldapserver._specialtcp.example.com

For more about DNS SRV records, see DNS SRV Records for LDAP.

Server address for DNS SRV record configurations

The specified server name must not include a port number. This is different from a standard AD/LDAP configuration, where the port number is required.

See server_addr or MINIO_IDENTITY_LDAP_SERVER_ADDR for more about configuring an AD/LDAP server address.

Comment

Optional

MINIO_IDENTITY_LDAP_COMMENT
identity_ldap identity_ldap comment

Specify a comment to associate to the AD/LDAP configuration.

This work is licensed under a Creative Commons Attribution 4.0 International License. 2020-Present, MinIO, Inc. Creative Commons License