MinIO supports using an Active Directory or LDAP (AD/LDAP) service for external management of user identities. Configuring an external IDentity Provider (IDP) enables Single-Sign On (SSO) workflows, where applications authenticate against the external IDP before accessing MinIO.
MinIO by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. Users managed by an AD/LDAP provider must specify the necessary policies as part of the user profile data. See Access Control for AD/LDAP Managed Identities for more information.
See Configure MinIO for Authentication using Active Directory / LDAP for instructions on enabling external identity management using an AD/LDAP service.
MinIO Supports At Most One Configured IDentity Provider
Configuring an external IDP disables the MinIO internal IDP and prevents the configuration of any other external IDP.
MinIO queries the configured Active Directory / LDAP server to verify the credentials specified by the application and optionally return a list of groups in which the user has membership. MinIO supports two modes for performing these queries:
Lookup-Bind Mode - Use a special read-only account for querying the LDAP server.
Username-Bind Mode - Use the credentials specified by the application to login to the LDAP server.
MinIO recommends using Lookup-Bind mode as the preferred method for verifying AD/LDAP credentials. Username-Bind mode is a legacy method retained for backwards compatibility only.
In Lookup-Bind mode, MinIO uses a read-only AD/LDAP account with the minimum privileges required to authenticate to the AD/LDAP server and perform user and group lookups.
The following tabs provide a reference of the environment variables and configuration settings required for enabling Lookup-Bind mode.
Lookup-Bind is incompatible and mutually exclusive with Username-Bind Mode.
In Username-Bind mode, MinIO uses the AD/LDAP credentials provided by the client attempting authentication to log in to the AD/LDAP server and perform user and group lookups.
Username-Bind mode is preserved for compatibility only. MinIO recommends using Lookup-Bind Mode wherever possible.
The following tabs provide a reference of the environment variables and configuration settings required for enabling Username-Bind mode.
Username-bind is incompatible and mutually exclusive with Lookup-Bind Mode.
MinIO uses Policy Based Access Control (PBAC) to define the actions and resources to which an authenticated user has access. MinIO supports creating and managing policies which an externally managed user can claim.
For identities managed by the external Active Directory / LDAP server, MinIO attempts to match existing policies to the authenticated user’s Distinguished Name (DN).
MinIO also supports querying for the user’s AD/LDAP group membership. MinIO attempts to match existing policies to the DN for each of the user’s groups. See Group Lookup for more information.
For example, consider the following user and group DNs:
MinIO attaches the policies with names matching the full DN for the user and group to the authenticated user.
The authenticated user's complete set of permissions consists of its explicitly assigned and inherited policies. If neither the user DN nor any of the group DNs match a policy on the MinIO deployment, MinIO denies authorization for any and all operations issued by that user.
MinIO provides built-in policies for basic access control. You can create new policies using the mc admin policy command.
You can create new groups using the mc admin group command and assign policies to that group using mc admin policy set.
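The DN-to-policy matching described above, as an added example that is not part of the MinIO documentation: a small POSIX shell script that models how a user's effective policy set is resolved from the user DN plus the group DNs returned by group lookup, and prints the mc admin policy set commands that would create those assignments. Every DN, the alias myminio and the assignment table are constructed placeholders, and matching is modelled as exact string equality on the DN (an assumption of this example, not a statement about MinIO's internal comparison).

```shell
#!/bin/sh
# Added example, not part of the MinIO documentation: models how MinIO resolves
# an AD/LDAP user's effective policies by matching policy assignments against the
# user DN and the group DNs returned by group lookup, and prints the mc commands
# that create those assignments. Every DN, the alias "myminio" and the assignment
# table below are constructed placeholders; matching is modelled here as exact
# string equality on the DN (an assumption of this example).

# Constructed: the authenticated user's DN and the group DNs found by group lookup.
USER_DN='uid=alice,ou=users,dc=example,dc=com'
GROUP_DNS='cn=storage-admins,ou=groups,dc=example,dc=com
cn=auditors,ou=groups,dc=example,dc=com'

# Constructed policy assignments, one "policy|dn" per line, as created by
# `mc admin policy set ALIAS POLICY user=DN` or `group=DN`.
POLICY_TABLE='consoleAdmin|cn=storage-admins,ou=groups,dc=example,dc=com
readonly|cn=auditors,ou=groups,dc=example,dc=com
readwrite|uid=bob,ou=users,dc=example,dc=com'

# Print the mc commands that would create POLICY_TABLE (dry run, no MinIO needed).
print_policy_assignments() {
  printf '%s\n' "$POLICY_TABLE" | while IFS='|' read -r policy dn; do
    case "$dn" in
      uid=*) printf "mc admin policy set myminio %s user='%s'\n" "$policy" "$dn" ;;
      *)     printf "mc admin policy set myminio %s group='%s'\n" "$policy" "$dn" ;;
    esac
  done
}

# Effective policy set = every policy whose assigned DN equals the user DN or one
# of the group DNs. Prints the matching policy names one per line; prints DENY
# and returns 1 when nothing matches, mirroring MinIO's deny-by-default rule.
resolve_policies() {
  user_dn=$1
  group_dns=$2
  matched=$(printf '%s\n%s\n' "$user_dn" "$group_dns" | while read -r dn; do
    [ -n "$dn" ] || continue
    printf '%s\n' "$POLICY_TABLE" | while IFS='|' read -r policy assigned; do
      if [ "$assigned" = "$dn" ]; then printf '%s\n' "$policy"; fi
    done
  done | sort -u)
  if [ -z "$matched" ]; then
    echo DENY
    return 1
  fi
  printf '%s\n' "$matched"
}

print_policy_assignments
resolve_policies "$USER_DN" "$GROUP_DNS"
```

Running the script prints the three dry-run mc commands and then consoleAdmin and readonly for alice: her own DN matches nothing, so everything she can do comes from her two groups. A user whose DN and groups match no assignment gets DENY, which is the case to watch for when a directory group is renamed or a DN changes without the policy assignment being updated.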
MinIO supports querying the Active Directory / LDAP server for a list of groups in which the authenticated user has membership. MinIO attempts to match existing policies to each group DN and assigns each matching policy to the authenticated user.
The following tabs provide a reference of the environment variables and configuration settings required for enabling group lookups:
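As an added example covering both the Lookup-Bind section above and this group-lookup section (it is not part of the MinIO documentation): a Lookup-Bind configuration with group lookup enabled, expressed as MINIO_IDENTITY_LDAP_* environment variables, followed by a pre-flight check of the settings. The variable names are as the author of this example understands them and should be confirmed against the reference tabs for your MinIO release; the hostname, DNs, the legacy Username-Bind variable name used in the check, and the password value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the MinIO documentation: a Lookup-Bind configuration
# with group lookup enabled, expressed as the MINIO_IDENTITY_LDAP_* environment
# variables as the author of this example understands them; confirm each name
# against the reference tabs for your MinIO release. The hostname, DNs and the
# password value are constructed placeholders.

# AD/LDAP server; the defaults expect TLS, so no *_SERVER_INSECURE or
# *_TLS_SKIP_VERIFY overrides are set here.
export MINIO_IDENTITY_LDAP_SERVER_ADDR='ldap.example.com:636'

# Lookup-Bind: a dedicated read-only service account that can only search the
# directory. Its credentials are the only directory credentials MinIO holds.
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN='cn=minio-svc,ou=service-accounts,dc=example,dc=com'
export MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD='REPLACE_WITH_SECRET'   # placeholder

# User lookup: %s is replaced with the login name supplied by the client.
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN='ou=users,dc=example,dc=com'
export MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER='(&(objectClass=inetOrgPerson)(uid=%s))'

# Group lookup: %d is replaced with the authenticated user's full DN, so only
# groups that list that user as a member are returned and can match policies.
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN='ou=groups,dc=example,dc=com'
export MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER='(&(objectClass=groupOfNames)(member=%d))'

# Pre-flight check before starting the server: every Lookup-Bind variable set,
# no legacy Username-Bind variable (assumed name: MINIO_IDENTITY_LDAP_USERNAME_FORMAT)
# set alongside it, the user filter carrying its %s placeholder, and the bind
# password no longer the placeholder. Returns 0 when all checks pass.
check_lookup_bind_config() {
  for v in MINIO_IDENTITY_LDAP_SERVER_ADDR \
           MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN \
           MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD \
           MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN \
           MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing $v" >&2; return 1; }
  done
  if [ -n "${MINIO_IDENTITY_LDAP_USERNAME_FORMAT:-}" ]; then
    echo "Username-Bind setting present; the two modes are mutually exclusive" >&2
    return 1
  fi
  case "$MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER" in
    *%s*) ;;
    *) echo "user search filter lacks the %s login placeholder" >&2; return 1 ;;
  esac
  if [ "$MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD" = 'REPLACE_WITH_SECRET' ]; then
    echo "bind password is still the placeholder" >&2
    return 1
  fi
  return 0
}

check_lookup_bind_config || echo "fix the settings above before starting minio" >&2
```

Source the file into the environment of the minio server process once the placeholder password has been replaced; the check fails as long as it is still present, so a copy of this file cannot be deployed by accident with the placeholder in place. Keeping the group filter anchored on the user's DN (%d) rather than a bare objectClass match is what limits group lookup to the groups the user actually belongs to, which in turn bounds the group policies that can attach to the session.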