Integrating S3 Gateway with LDAP/AD

Describes how to configure LDAP/AD for S3 gateway 2.1.0 and later.

NOTICE The S3 gateway is included in EEP 6.0.0 - EEP 8.0.0 repositories.
The S3 gateway integration uses the MinIO LDAP STS API (AssumeRoleWithLDAPIdentity) to issue temporary credentials: an access key, a secret key, and a session token that an S3 client must send along with every request it signs with those keys. For complete details, see AssumeRoleWithLDAPIdentity.
NOTE LDAP/AD integration with S3 gateway 2.1.0 and later does not work with Hadoop and Spark because the HPE Ezmeral Data Fabric implementation of Hadoop and Spark does not support sessionToken.

Configuring the LDAP/AD Integration for S3 gateway

The following LDAP/AD configuration is based on an example test environment. Note that "serverInsecure": "on" makes the gateway bind to the LDAP server over plaintext LDAP (port 389), so the user passwords that STS forwards to the directory cross the network unencrypted, and "tlsSkipVerify": "on" disables certificate verification when TLS is used. Both settings are acceptable only for a test setup; outside of one, point serverAddr at an LDAPS or StartTLS endpoint and leave both settings off:
"ldap": {
    "serverAddr": "localhost:389",
    "usernameFormat": "cn=%s,dc=mapr,dc=local",
    "userDNSearchBaseDN": "",
    "userDNSearchFilter": "(cn=%s)",
    "groupSearchFilter": "(&(objectclass=group)(member=%s))",
    "groupSearchBaseDn": "dc=mapr,dc=local",
    "lookUpBindDN": "",
    "lookUpBindPassword": "",
    "stsExpiry": "60h",
    "tlsSkipVerify": "on",
    "serverStartTls": "",
    "serverInsecure": "on"
}
Once you have configured LDAP/AD, attach a policy to the LDAP user or group DN, as shown. The temporary credentials that STS issues carry the policies attached to the authenticated user's DN (and to the groups the groupSearchFilter resolves for it); an LDAP user with no policy attached can authenticate but cannot access any bucket:
mc admin policy set myminio readwrite user="cn=admin,dc=mapr,dc=local"

CLI Example

Make a POST request to obtain credentials. Because the password is passed as a query-string parameter, percent-encode every character that is not allowed in a URL query string, using the %HEX form of its ASCII value. For example, @ is 0x40, so the password abc@123 is sent as abc%40123. A password placed in a URL is recorded in shell history and in any proxy or access logs along the path, and the http:// endpoint in this example sends it in clear text; use an https:// endpoint outside of test environments.

The following example shows the POST request using the converted password:
curl -X POST "http://127.0.0.1:9000?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=admin&LDAPPassword=abc%40123&Version=2011-06-15" | xmllint --format -
The request returns a response similar to the following example response:
<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithLDAPIdentityResult>
    <Credentials>
      <AccessKeyId>N71HK1WE34R2D7F9FDVP</AccessKeyId>
      <SecretAccessKey>NmrkNOXA696CrblWU+eUn0NBwUv+4oUs2u8noJAA</SecretAccessKey>
      <UID/>
      <GID/>
      <Expiration>2021-04-02T23:24:59Z</Expiration>
      <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJONzFISzFXRTM0UjJEN0Y5RkRWUCIsImV4cCI6MTYxNzQwNTg5OSwibGRhcFVzZXIiOiJjbj1hZG1pbixkYz1tYXByLGRjPWxvY2FsIn0.KY0i3DyOM-IKXi_BHADxZksC8x2PDqjDNBQVIfG-uxBKiJdHrRCnwXUy0GSGX4Q_XXvhAO4aKj5IIauDc_UceQ</SessionToken>
    </Credentials>
  </AssumeRoleWithLDAPIdentityResult>
  <ResponseMetadata>
    <RequestId>167169A551AF88C8</RequestId>
  </ResponseMetadata>
</AssumeRoleWithLDAPIdentityResponse>
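The following Python helpers are an added example, not code from the S3 gateway, MinIO, or this page. They show the client side of the flow above end to end: percent-encoding the password for the request in the same query-string form as the curl example, parsing the credentials out of the XML response, decoding the claims inside the session token (which is a compact JWT) without verifying it, checking the expiry, and passing all three values, session token included, to an S3 client. The embedded response is the example response from this page; the function names, the endpoint string, and the 60-second expiry margin are assumptions for the example.

```python
"""Client-side helpers for the S3 gateway AssumeRoleWithLDAPIdentity flow.

Added example; not part of the S3 gateway or MinIO. Function names are illustrative.
"""
import base64
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# The example response shown on this page, embedded so the parser runs offline.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithLDAPIdentityResult>
    <Credentials>
      <AccessKeyId>N71HK1WE34R2D7F9FDVP</AccessKeyId>
      <SecretAccessKey>NmrkNOXA696CrblWU+eUn0NBwUv+4oUs2u8noJAA</SecretAccessKey>
      <UID/>
      <GID/>
      <Expiration>2021-04-02T23:24:59Z</Expiration>
      <SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJONzFISzFXRTM0UjJEN0Y5RkRWUCIsImV4cCI6MTYxNzQwNTg5OSwibGRhcFVzZXIiOiJjbj1hZG1pbixkYz1tYXByLGRjPWxvY2FsIn0.KY0i3DyOM-IKXi_BHADxZksC8x2PDqjDNBQVIfG-uxBKiJdHrRCnwXUy0GSGX4Q_XXvhAO4aKj5IIauDc_UceQ</SessionToken>
    </Credentials>
  </AssumeRoleWithLDAPIdentityResult>
  <ResponseMetadata>
    <RequestId>167169A551AF88C8</RequestId>
  </ResponseMetadata>
</AssumeRoleWithLDAPIdentityResponse>
"""


def encode_password(password: str) -> str:
    """Percent-encode every character that is not URL-unreserved ('@' becomes '%40')."""
    return quote(password, safe="")


def sts_url(endpoint: str, username: str, password: str) -> str:
    """Build the request URL in the query-string form used by the curl example on this page."""
    return (
        f"{endpoint}?Action=AssumeRoleWithLDAPIdentity"
        f"&LDAPUsername={quote(username, safe='')}"
        f"&LDAPPassword={encode_password(password)}"
        "&Version=2011-06-15"
    )


def parse_sts_response(xml_text: str) -> dict:
    """Extract the temporary credentials from an AssumeRoleWithLDAPIdentity response."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    creds = root.find(f"{STS_NS}AssumeRoleWithLDAPIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("response contains no Credentials element")

    def field(name: str) -> str:
        return creds.findtext(f"{STS_NS}{name}") or ""

    # The gateway reports expiry as UTC in the form 2021-04-02T23:24:59Z.
    expiration = datetime.strptime(field("Expiration"), "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key": field("AccessKeyId"),
        "secret_key": field("SecretAccessKey"),
        "session_token": field("SessionToken"),
        "expiration": expiration.replace(tzinfo=timezone.utc),
    }


def decode_session_claims(session_token: str) -> dict:
    """Decode the JWT payload of the session token WITHOUT verifying its signature.

    This only lets a client inspect which LDAP user and expiry the gateway bound the
    token to; the claims are trustworthy only to the gateway, which holds the HMAC key.
    """
    parts = session_token.split(".")
    if len(parts) != 3:
        raise ValueError("session token is not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def credentials_valid(creds: dict, now=None, margin_seconds: int = 60) -> bool:
    """True if the credentials are still usable, refusing them shortly before expiry (assumed margin)."""
    now = now or datetime.now(timezone.utc)
    return now + timedelta(seconds=margin_seconds) < creds["expiration"]


def boto3_client_kwargs(creds: dict, endpoint: str) -> dict:
    """Keyword arguments for boto3.client("s3", **kwargs); the session token must be passed too."""
    return {
        "endpoint_url": endpoint,
        "aws_access_key_id": creds["access_key"],
        "aws_secret_access_key": creds["secret_key"],
        "aws_session_token": creds["session_token"],
    }


if __name__ == "__main__":
    print(sts_url("http://127.0.0.1:9000", "admin", "abc@123"))  # assumed test endpoint
    creds = parse_sts_response(SAMPLE_RESPONSE)
    print(decode_session_claims(creds["session_token"]))
    print("valid now:", credentials_valid(creds))
    print(boto3_client_kwargs(creds, "http://127.0.0.1:9000"))
```

Decoding the session token shows that the gateway binds the token to the LDAP DN it authenticated (ldapUser) and to the same expiry as the Expiration element, which is why a client that drops the session token and sends only the access and secret keys is rejected. The token is signed (HS512 in the header) with a key only the gateway knows, so a client can inspect but never validate it; treat the Expiration element as the authoritative refresh trigger.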