
Active Directory / LDAP External Identity Management

Overview

MinIO supports using an Active Directory or LDAP (AD/LDAP) service for external management of user identities. Configuring an external IDentity Provider (IDP) enables Single-Sign On (SSO) workflows, where applications authenticate against the external IDP before accessing MinIO.

MinIO by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. Users managed by an AD/LDAP provider must specify the necessary policies as part of the user profile data. See Access Control for AD/LDAP Managed Identities for more information.

See Configure MinIO for Authentication using Active Directory / LDAP for instructions on enabling external identity management using an AD/LDAP service.

MinIO Supports At Most One Configured IDentity Provider

Configuring an external IDP disables the MinIO internal IDP and prevents the configuration of any other external IDP.

The external IDP must have at least one configured user identity with the required policy claims. If no such user exists, the MinIO server is effectively inaccessible outside of using the root user.

Authentication and Authorization Flow

The login flow for an application using Active Directory / LDAP credentials is as follows:

  1. Specify the AD/LDAP credentials to the MinIO Security Token Service (STS) AssumeRoleWithLDAPIdentity API endpoint.

  2. MinIO verifies the provided credentials against the AD/LDAP server.

  3. MinIO checks for any policy whose name matches the user Distinguished Name (DN) and assigns that policy to the authenticated user.

    If configured to perform group queries, MinIO also queries for a list of AD/LDAP groups in which the user has membership. MinIO checks for any policy whose name matches a returned group DN and assigns that policy to the authenticated user.

  4. MinIO returns temporary credentials in the STS API response in the form of an access key, secret key, and session token. The credentials have permissions matching those policies whose name matches either the authenticated user DN or a group DN.

MinIO provides an example Go application ldap.go that handles the full login flow.
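The two ends of the STS exchange described above (step 1, sending the AD/LDAP credentials, and step 4, reading the temporary credentials back), as an added Go example using only the standard library; it is not the ldap.go application MinIO ships. The endpoint URL, the user name and the response values are constructed placeholders.

```go
package main

import (
	"encoding/xml"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// STSCredentials are the temporary credentials MinIO returns in step 4 of the login flow.
type STSCredentials struct {
	AccessKeyID     string `xml:"AccessKeyId"`
	SecretAccessKey string `xml:"SecretAccessKey"`
	SessionToken    string `xml:"SessionToken"`
}

// NewLDAPSTSRequest builds the POST that hands the AD/LDAP credentials to the MinIO STS
// endpoint (step 1). The password travels in the body, so only use an HTTPS endpoint.
func NewLDAPSTSRequest(stsEndpoint, ldapUser, ldapPassword string) (*http.Request, error) {
	form := url.Values{}
	form.Set("Action", "AssumeRoleWithLDAPIdentity")
	form.Set("Version", "2011-06-15")
	form.Set("LDAPUsername", ldapUser)
	form.Set("LDAPPassword", ldapPassword)
	req, err := http.NewRequest(http.MethodPost, stsEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// ParseLDAPSTSResponse reads the STS XML envelope and returns the credentials (step 4),
// rejecting a response in which any of the three credential parts is missing.
func ParseLDAPSTSResponse(body []byte) (STSCredentials, error) {
	var resp struct {
		Result struct {
			Credentials STSCredentials `xml:"Credentials"`
		} `xml:"AssumeRoleWithLDAPIdentityResult"`
	}
	if err := xml.Unmarshal(body, &resp); err != nil {
		return STSCredentials{}, err
	}
	c := resp.Result.Credentials
	if c.AccessKeyID == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return STSCredentials{}, errors.New("incomplete credentials in STS response")
	}
	return c, nil
}

// SampleSTSResponse is a constructed response body, not captured from a real server.
const SampleSTSResponse = `<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><AssumeRoleWithLDAPIdentityResult><Credentials>
<AccessKeyId>EXAMPLEKEY</AccessKeyId><SecretAccessKey>EXAMPLESECRET</SecretAccessKey><SessionToken>EXAMPLETOKEN</SessionToken></Credentials></AssumeRoleWithLDAPIdentityResult></AssumeRoleWithLDAPIdentityResponse>`
```

The access key, secret key and session token returned by ParseLDAPSTSResponse are then used together as the S3 credentials for the application, exactly as step 4 describes.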

As an alternative to implementing this application flow, application owners can log into the MinIO Console using their external user credentials and create service accounts for their applications. Service accounts are long-lived credentials which inherit their privileges from the parent user. The parent user can further restrict those privileges while creating the service account.

Querying the Active Directory / LDAP Service

MinIO queries the configured Active Directory / LDAP server to verify the credentials specified by the application and optionally return a list of groups in which the user has membership. MinIO supports two modes for performing these queries:

  • Lookup-Bind Mode - Use a dedicated read-only account for querying the LDAP server.

  • Username-Bind Mode - Use the credentials specified by the application to log in to the LDAP server.

MinIO recommends using Lookup-Bind mode as the preferred method for verifying AD/LDAP credentials. Username-Bind mode is a legacy method retained for backwards compatibility only.

Lookup-Bind Mode

In Lookup-Bind mode, MinIO uses a read-only AD/LDAP account with the minimum privileges required to authenticate to the AD/LDAP server and perform user and group lookups.

The following tabs provide a reference for the environment variables and configuration settings required for enabling Lookup-Bind mode.

See the identity_ldap reference documentation for more information on these settings. The Configure MinIO for Authentication using OpenID tutorial includes complete instructions on setting these variables.

Lookup-Bind is incompatible and mutually exclusive with Username-Bind Mode.

Username-Bind Mode

In Username-Bind mode, MinIO uses the AD/LDAP credentials provided by the client attempting authentication to log in to the AD/LDAP server and perform user and group lookups.

Username-Bind mode is preserved for compatibility only. MinIO recommends using Lookup-Bind Mode wherever possible.

The following tabs provide a reference for the environment variables and configuration settings required for enabling Username-Bind mode.

See the Active Directory / LDAP Identity Management reference documentation for more information on this variable.

See the identity_ldap reference documentation for more information on this setting.

Username-bind is incompatible and mutually exclusive with Lookup-Bind Mode.

Access Control for Externally Managed Identities

MinIO uses Policy Based Access Control (PBAC) to define the actions and resources to which an authenticated user has access. MinIO supports creating and managing policies which an externally managed user can claim.

For identities managed by the external Active Directory / LDAP server, MinIO attempts to match existing policies to the authenticated user’s Distinguished Name (DN).

MinIO also supports querying for the user’s AD/LDAP group membership. MinIO attempts to match existing policies to the DN for each of the user’s groups. See Group Lookup for more information.

For example, consider the following user and group DNs:

cn=applicationUser,cn=users,dc=example,dc=com
cn=applicationGroup,cn=groups,dc=example,dc=com

MinIO attaches the policies with names matching the full DN for the user and group to the authenticated user.

The authenticated user's complete set of permissions consists of its explicitly assigned and inherited policies. If neither the user DN nor any group DN matches a policy on the MinIO deployment, MinIO denies authorization for any and all operations issued by that user.

MinIO provides built-in policies for basic access control. You can create new policies using the mc admin policy command. You can create new groups using the mc admin group command and assign policies to that group using mc admin policy set.

Group Lookup

MinIO supports querying the Active Directory / LDAP server for a list of groups in which the authenticated user has membership. MinIO attempts to match existing policies to each group DN and assigns each matching policy to the authenticated user.

The following tabs provide a reference for the environment variables and configuration settings required for enabling group lookups:

See the Active Directory / LDAP Identity Management reference documentation for more information on these variables. The Configure MinIO for Authentication using OpenID tutorial includes complete instructions on setting these values.

See the identity_ldap reference documentation for more information on these settings. The Configure MinIO for Authentication using OpenID tutorial includes complete instructions on setting these variables.