LDAP config - cniackz/public GitHub Wiki

Steps:

  1. Set the environment variables for LDAP
  2. Attach policy to LDAP user
  3. Login with LDAP user in Console

LDAP config

  • Credentials are in 1Password, look for it as LDAP in your personal Vault.

  • First clear MinIO folders:

clearMinIO

  • Then start MinIO

  • NOTE: Siempre que reconfigures, abre una nueva ventana o dale unset a todas las variables setiadas en el ambiente!

export MINIO_IDENTITY_LDAP_SERVER_ADDR=ldap.jumpcloud.com:636
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN='uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com'
  • Change <1password> for your real password.
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD=<1password>
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN='ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com'
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER='(uid=%s)'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD=minio123 minio server /Volumes/data{1...4} --address :9000 --console-address :9001
$ mc admin idp ldap info myminio <--- OLD Command!
$ mc idp ldap info myminio <---- New command!
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│        lookup_bind_dn: uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com  (environment)│
│  lookup_bind_password: <1password>  (environment).                                                       │
│           server_addr: ldap.jumpcloud.com:636  (environment)                                             │
│       tls_skip_verify: on  (environment)                                                                 │
│user_dn_search_base_dn: ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com  (environment)            │
│ user_dn_search_filter: (uid=%s)  (environment)                                                           │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────╯
$ mc idp ldap list myminio
╭─────────────────────────╮
│ On?    Name     RoleARN │
│ 🟢   (default)          │
╰─────────────────────────╯
Expecting a policy to be set for user `uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com` or one of their groups: `` - rejecting this request

$ mc admin policy list myminio
consoleAdmin
diagnostics
readonly
readwrite
writeonly
mc idp ldap policy attach myminio consoleAdmin --user='uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com'

$ mc idp ldap policy attach myminio consoleAdmin --user='uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com'
Attached Policies: [consoleAdmin]
To User: uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com

http://127.0.0.1:9001/login

Username: cniackz

Password: <1password>

k8s:

spec:
  env:
    - name: MINIO_IDENTITY_LDAP_SERVER_ADDR
      value: "ldap.jumpcloud.com:636"
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
      value: "uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com"
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
      value: <1password>
    - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
      value: "ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com"
    - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER
      value: "(uid=%s)"
    - name: MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY
      value: "on"
ldap.jumpcloud.com:636

uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com

<1password>

ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com

(uid=%s)

Or:

mc admin config set myminio/ identity_ldap \
   server_addr="ldap.jumpcloud.com:636" \
   lookup_bind_dn="uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com" \
   lookup_bind_password=<1password> \
   user_dn_search_base_dn="ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com" \
   user_dn_search_filter="(uid=%s)" \
   tls_skip_verify=on --insecure

Expected:

$ mc admin config set myminio/ identity_ldap \
>    server_addr="ldap.jumpcloud.com:636" \
>    lookup_bind_dn="uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com" \
>    lookup_bind_password=<1password> \
>    user_dn_search_base_dn="ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com" \
>    user_dn_search_filter="(uid=%s)" \
>    tls_skip_verify=on --insecure
Successfully applied new settings.
Please restart your server 'mc admin service restart myminio/'.

Then re-start:

$ mc admin service restart myminio/ --insecure
Restart command successfully sent to `myminio/`. Type Ctrl-C to quit or wait to follow the status of the restart process.
...
Restarted `myminio/` successfully in 1 seconds
Screenshot 2023-05-20 at 7 09 23 AM Screenshot 2023-05-20 at 7 09 37 AM

Screenshot 2023-06-01 at 9 52 45 AM

UI Configuration:

  • Server Address: ldap.jumpcloud.com:636

  • Lookup Bind DN: uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com

  • Lookup Bind Password: <1password>

  • User DN Search Base: ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com

  • User DN Search Filter: (uid=%s)

Additional Info:

  • To see the user and its policy:
$ mc admin user list myminio 
enabled    uid=cniackz,ou=Us...  consoleAdmin
  • To see env variables:
mc admin config export alias/

  • "AcceptSecurityContext error, data 52e" means: invalid credentials. This means your username or password is incorrect. If you are sure your password is correct, or fix and use the correct bind DN for the user.

  • For the LDAP Password use a secret:

kubectl create secret generic ldap-config --from-literal=lookup-bind-password='some-password' -n default
spec:
  env:
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ldap-config
          key: lookup-bind-password
⚠️ **GitHub.com Fallback** ⚠️