# LDAP config
- Set the environment variables for LDAP
- Attach policy to LDAP user
- Login with LDAP user in Console
- Credentials are in 1Password, look for it as LDAP in your personal Vault.
- First clear the MinIO folders:

```bash
clearMinIO
```

- Then start MinIO.
- NOTE: Whenever you reconfigure, open a new window or unset all the variables set in the environment!
- Export the LDAP variables. Replace `<1password>` with your real password.

```bash
export MINIO_IDENTITY_LDAP_SERVER_ADDR=ldap.jumpcloud.com:636
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN='uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com'
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD=<1password>
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN='ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com'
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER='(uid=%s)'
export MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on
```

- Then start the server:

```bash
MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD=minio123 minio server /Volumes/data{1...4} --address :9000 --console-address :9001
```
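Helper functions for the export-based setup above, added here as an example (not part of the original notes; the function names are my own). `ldap_env_clear` does the unset that the NOTE asks for before reconfiguring, `ldap_env_check` verifies every variable is set and that the `<1password>` placeholder was replaced, and warns when `MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY=on` because that disables certificate verification of the ldaps connection; `ldap_user_filter` shows the filter MinIO builds from `(uid=%s)` for a login name.

```shell
#!/bin/sh
# Added example: helpers around the MINIO_IDENTITY_LDAP_* variables used on this page.
# Function names are assumptions of this example, not MinIO commands.

LDAP_VARS="MINIO_IDENTITY_LDAP_SERVER_ADDR MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN \
MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN \
MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER"

# Unset every LDAP variable so a reconfiguration starts from a clean environment
# (the NOTE above: open a new window or unset everything before re-running).
ldap_env_clear() {
  for v in $LDAP_VARS MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY; do
    unset "$v"
  done
}

# Return 0 when every required variable is set and the bind password is not
# still the <1password> placeholder from the docs; report what is wrong on stderr.
ldap_env_check() {
  rc=0
  for v in $LDAP_VARS; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v" >&2
      rc=1
    fi
  done
  if [ "${MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD:-}" = "<1password>" ]; then
    echo "placeholder bind password still set, take the real one from 1Password" >&2
    rc=1
  fi
  # tls_skip_verify=on makes MinIO accept any certificate from the LDAP server;
  # fine on a laptop against JumpCloud for a test, not something to leave on.
  case "${MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY:-off}" in
    on) echo "warning: TLS certificate verification is disabled" >&2 ;;
  esac
  return $rc
}

# Print the search filter for a login name: MinIO substitutes the name for %s,
# so '(uid=%s)' with cniackz becomes (uid=cniackz). printf does the same substitution.
ldap_user_filter() {
  printf "${MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER}\n" "$1"
}
```

Run `ldap_env_check` after the exports and before starting the server; a nonzero return means the server would start with an incomplete or placeholder LDAP configuration.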
- Check the LDAP configuration the server picked up:

```bash
$ mc admin idp ldap info myminio   <--- OLD command!
$ mc idp ldap info myminio         <--- New command!
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│         lookup_bind_dn: uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com (environment) │
│   lookup_bind_password: <1password> (environment)                                                         │
│            server_addr: ldap.jumpcloud.com:636 (environment)                                              │
│        tls_skip_verify: on (environment)                                                                  │
│ user_dn_search_base_dn: ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com (environment)            │
│  user_dn_search_filter: (uid=%s) (environment)                                                            │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────╯
$ mc idp ldap list myminio
╭─────────────────────────╮
│ On?  Name       RoleARN │
│ 🟢   (default)          │
╰─────────────────────────╯
```
- Until a policy is attached to the LDAP user, MinIO rejects the login:

```
Expecting a policy to be set for user `uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com` or one of their groups: `` - rejecting this request
```
- List the available policies:

```bash
$ mc admin policy list myminio
consoleAdmin
diagnostics
readonly
readwrite
writeonly
```

- Attach a policy to the LDAP user:

```bash
$ mc idp ldap policy attach myminio consoleAdmin --user='uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com'
Attached Policies: [consoleAdmin]
To User: uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com
```

- Login with the LDAP user in Console:
  - Username: cniackz
  - Password: <1password>
- In Kubernetes, set the same variables under `spec.env`:

```yaml
spec:
  env:
    - name: MINIO_IDENTITY_LDAP_SERVER_ADDR
      value: "ldap.jumpcloud.com:636"
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
      value: "uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com"
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
      value: <1password>
    - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
      value: "ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com"
    - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER
      value: "(uid=%s)"
    - name: MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY
      value: "on"
```
Or set it with `mc admin config`:

```bash
mc admin config set myminio/ identity_ldap \
  server_addr="ldap.jumpcloud.com:636" \
  lookup_bind_dn="uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com" \
  lookup_bind_password=<1password> \
  user_dn_search_base_dn="ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com" \
  user_dn_search_filter="(uid=%s)" \
  tls_skip_verify=on --insecure
```

Expected:

```bash
$ mc admin config set myminio/ identity_ldap \
> server_addr="ldap.jumpcloud.com:636" \
> lookup_bind_dn="uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com" \
> lookup_bind_password=<1password> \
> user_dn_search_base_dn="ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com" \
> user_dn_search_filter="(uid=%s)" \
> tls_skip_verify=on --insecure
Successfully applied new settings.
Please restart your server 'mc admin service restart myminio/'.
```

Then restart:

```bash
$ mc admin service restart myminio/ --insecure
Restart command successfully sent to `myminio/`. Type Ctrl-C to quit or wait to follow the status of the restart process.
...
Restarted `myminio/` successfully in 1 seconds
```
- Values for the Console LDAP form:
  - Server Address: `ldap.jumpcloud.com:636`
  - Lookup Bind DN: `uid=cniackz,ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com`
  - Lookup Bind Password: `<1password>`
  - User DN Search Base: `ou=Users,o=64678734a355340072e048a0,dc=jumpcloud,dc=com`
  - User DN Search Filter: `(uid=%s)`
- To see the user and its policy:

```bash
$ mc admin user list myminio
enabled    uid=cniackz,ou=Us...    consoleAdmin
```

- To see the env variables:

```bash
mc admin config export alias/
```
- "AcceptSecurityContext error, data 52e" means invalid credentials: the username or password is incorrect. If you are sure the password is correct, check the bind DN and use the correct one for the user.
- For the LDAP password use a secret:

```bash
kubectl create secret generic ldap-config --from-literal=lookup-bind-password='some-password' -n default
```

```yaml
spec:
  env:
    - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
      valueFrom:
        secretKeyRef:
          name: ldap-config
          key: lookup-bind-password
```