Integrating S3 Gateway with LDAP/AD
Describes how to configure LDAP/AD for S3 gateway 2.1.0 and later.
NOTICE: The S3 gateway is included in the EEP 6.0.0 - EEP 8.0.0 repositories.
The S3 gateway integration uses MinIO LDAP STS to generate temporary credentials for working with an S3 endpoint through a client that supports a sessionToken. For complete details, see AssumeRoleWithLDAPIdentity.
NOTE: LDAP/AD integration with S3 gateway 2.1.0 and later does not work with Hadoop and Spark, because the HPE Ezmeral Data Fabric implementation of Hadoop and Spark does not support sessionToken.
Configuring the LDAP/AD Integration for S3 gateway
The following LDAP/AD configuration is based on an example test environment. Two of its values, "tlsSkipVerify": "on" and "serverInsecure": "on", are test-environment settings: they skip TLS certificate verification and allow an unencrypted connection to the LDAP server.
"ldap": {
    "serverAddr": "localhost:389",
    "usernameFormat": "cn=%s,dc=mapr,dc=local",
    "userDNSearchBaseDN": "",
    "userDNSearchFilter": "(cn=%s)",
    "groupSearchFilter": "(&(objectclass=group)(member=%s))",
    "groupSearchBaseDn": "dc=mapr,dc=local",
    "lookUpBindDN": "",
    "lookUpBindPassword": "",
    "stsExpiry": "60h",
    "tlsSkipVerify": "on",
    "serverStartTls": "",
    "serverInsecure": "on"
}
Once you have configured LDAP/AD, apply the policy to users/groups, as shown:
mc admin policy set myminio readwrite user="cn=admin,dc=mapr,dc=local"
CLI Example
Make a POST request to get credentials. In the request, replace each special symbol in the password with %HEX_VALUE, the percent-encoded hexadecimal value of that ASCII character. For example, the password abc@123 translates to abc%40123.
The following example shows the POST request using the converted password:
curl -X POST "http://127.0.0.1:9000?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=admin&LDAPPassword=abc%40123&Version=2011-06-15" | xmllint --format -
The request returns a response similar to the following example:
<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithLDAPIdentityResult>
    <Credentials>
      <AccessKeyId>N71HK1WE34R2D7F9FDVP</AccessKeyId>
      <SecretAccessKey>NmrkNOXA696CrblWU+eUn0NBwUv+4oUs2u8noJAA</SecretAccessKey>
      <UID/>
      <GID/>
      <Expiration>2021-04-02T23:24:59Z</Expiration>
      <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJONzFISzFXRTM0UjJEN0Y5RkRWUCIsImV4cCI6MTYxNzQwNTg5OSwibGRhcFVzZXIiOiJjbj1hZG1pbixkYz1tYXByLGRjPWxvY2FsIn0.KY0i3DyOM-IKXi_BHADxZksC8x2PDqjDNBQVIfG-uxBKiJdHrRCnwXUy0GSGX4Q_XXvhAO4aKj5IIauDc_UceQ</SessionToken>
    </Credentials>
  </AssumeRoleWithLDAPIdentityResult>
  <ResponseMetadata>
    <RequestId>167169A551AF88C8</RequestId>
  </ResponseMetadata>
</AssumeRoleWithLDAPIdentityResponse>
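The following added Python example (not part of this documentation or of the S3 gateway) automates the CLI steps above: it percent-encodes the LDAP password into the AssumeRoleWithLDAPIdentity URL, parses the credentials out of the STS response, checks the Expiration before the credentials are used, and decodes the SessionToken's JWT payload (without verifying its signature, which only the gateway can do) to show which LDAP DN and expiry the token carries. The endpoint, user name and password are the page's sample values; the response is the sample response embedded as constructed input so the code runs offline.

```python
import base64
import json
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ENDPOINT = "http://127.0.0.1:9000"  # sample endpoint from the page
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# Constructed input: the sample STS response shown above, minus the empty UID/GID elements.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithLDAPIdentityResult><Credentials>
    <AccessKeyId>N71HK1WE34R2D7F9FDVP</AccessKeyId>
    <SecretAccessKey>NmrkNOXA696CrblWU+eUn0NBwUv+4oUs2u8noJAA</SecretAccessKey>
    <Expiration>2021-04-02T23:24:59Z</Expiration>
    <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJONzFISzFXRTM0UjJEN0Y5RkRWUCIsImV4cCI6MTYxNzQwNTg5OSwibGRhcFVzZXIiOiJjbj1hZG1pbixkYz1tYXByLGRjPWxvY2FsIn0.KY0i3DyOM-IKXi_BHADxZksC8x2PDqjDNBQVIfG-uxBKiJdHrRCnwXUy0GSGX4Q_XXvhAO4aKj5IIauDc_UceQ</SessionToken>
  </Credentials></AssumeRoleWithLDAPIdentityResult>
</AssumeRoleWithLDAPIdentityResponse>"""


def sts_request_url(endpoint, username, password):
    """Build the POST URL; quote() percent-encodes every reserved character
    in the password, so abc@123 becomes abc%40123 as the page describes."""
    params = {"Action": "AssumeRoleWithLDAPIdentity", "LDAPUsername": username,
              "LDAPPassword": password, "Version": "2011-06-15"}
    return endpoint + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def parse_sts_response(xml_text):
    """Extract the temporary credentials; fail loudly if any field is absent."""
    root = ET.fromstring(xml_text)
    creds = root.find(f"./{STS_NS}AssumeRoleWithLDAPIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    out = {}
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        el = creds.find(STS_NS + field)
        if el is None or not el.text:
            raise ValueError(f"STS response is missing {field}")
        out[field] = el.text
    return out


def expiration_epoch(creds):
    """Expiration (UTC, e.g. 2021-04-02T23:24:59Z) as Unix seconds."""
    exp = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return int(exp.replace(tzinfo=timezone.utc).timestamp())


def credentials_usable(creds, now_epoch):
    """True only while the temporary credentials have not yet expired."""
    return now_epoch < expiration_epoch(creds)


def session_token_claims(token):
    """Decode the JWT payload (second dot-separated segment) to inspect its claims.
    No signature check is done here; trusting the token is the gateway's job."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))
```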