Integrating Object Store 2.1.0 with LDAP/AD

Describes how to configure LDAP/AD for Object Store 2.1.0, including how to configure an LDAP/AD test environment.

The Object Store integration uses MinIO LDAP STS to issue temporary credentials (an access key, a secret key, and a session token) that a client presents to the S3 endpoint. For complete details, see AssumeRoleWithLDAPIdentity.
Note: LDAP/AD integration with Object Store 2.1.0 does not work with Hadoop and Spark because the HPE Ezmeral Data Fabric implementation of Hadoop and Spark does not support sessionToken.

Creating an LDAP/AD Test Environment for Object Store 2.1.0

If you do not have an LDAP/AD environment, you can use a test environment based on the following docker-compose.yaml configuration. The configuration creates the user cn=admin,dc=mapr,dc=local with abc@123 as the password.

version: "3"
services:
  ldap-service:
    image: "osixia/openldap:1.3.0"
    ports:
      - "389:389"
    environment:
      LDAP_ORGANISATION: "MapR"
      LDAP_DOMAIN: "mapr.local"
      LDAP_ADMIN_PASSWORD: "abc@123"
      LDAP_BASE_DN: "dc=mapr,dc=local"
  ldap-ui:
    image: "osixia/phpldapadmin:0.9.0"
    ports:
      - "8443:443"
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "ldap-service"

Configuring the LDAP/AD Integration for Object Store 2.1.0

The following LDAP/AD configuration is an example based on the test environment in the previous section. Because that environment serves plain LDAP on port 389 without TLS, tlsSkipVerify and serverInsecure are both set to on; against a production directory, connect over TLS and leave these off.

"ldap": {
  "serverAddr": "localhost:389",
  "usernameFormat": "cn=%s,dc=mapr,dc=local",
  "userDNSearchBaseDN": "",
  "userDNSearchFilter": "(cn=%s)",
  "groupSearchFilter": "(&(objectclass=group)(member=%s))",
  "groupSearchBaseDn": "dc=mapr,dc=local",
  "lookUpBindDN": "",
  "lookUpBindPassword": "",
  "stsExpiry": "60h",
  "tlsSkipVerify": "on",
  "serverStartTls": "",
  "serverInsecure": "on"
}

Once LDAP/AD is configured, attach a policy to the LDAP users or groups that will request credentials. The following grants the readwrite policy to the test admin user:

mc admin policy set myminio readwrite user="cn=admin,dc=mapr,dc=local"

CLI Example

Make a POST request to get credentials. In the request, percent-encode any special characters in the password: replace each one with % followed by the two-digit hexadecimal value of its ASCII code. For example, the password abc@123 becomes abc%40123.

The following example shows the POST request using the encoded password:

curl -X POST "http://127.0.0.1:9000?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=admin&LDAPPassword=abc%40123&Version=2011-06-15" | xmllint --format -

The request returns a response similar to the following:

<?xml version="1.0" encoding="UTF-8"?>
<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithLDAPIdentityResult>
<Credentials>
<AccessKeyId>N71HK1WE34R2D7F9FDVP</AccessKeyId>
<SecretAccessKey>NmrkNOXA696CrblWU+eUn0NBwUv+4oUs2u8noJAA</SecretAccessKey>
<UID/>
<GID/>
<Expiration>2021-04-02T23:24:59Z</Expiration>
<SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJONzFISzFXRTM0UjJEN0Y5RkRWUCIsImV4cCI6MTYxNzQwNTg5OSwibGRhcFVzZXIiOiJjbj1hZG1pbixkYz1tYXByLGRjPWxvY2FsIn0.KY0i3DyOM-IKXi_BHADxZksC8x2PDqjDNBQVIfG-uxBKiJdHrRCnwXUy0GSGX4Q_XXvhAO4aKj5IIauDc_UceQ</SessionToken>
</Credentials>
</AssumeRoleWithLDAPIdentityResult>
<ResponseMetadata>
<RequestId>167169A551AF88C8</RequestId>
</ResponseMetadata>
</AssumeRoleWithLDAPIdentityResponse>
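The same exchange as a script, added here as an example that is not part of the original page: it builds the request query string with the percent-encoded password, parses the response above into the fields an S3 client needs (access key, secret key, session token, expiry), and decodes the session token's JWT claims to check which LDAP user it was issued to and when it expires. The response is the sample from the CLI example, embedded inline; no live endpoint is contacted.

```python
import base64
import json
import urllib.parse
import xml.etree.ElementTree as ET

# The response from the CLI example above, embedded here as sample input.
SAMPLE_RESPONSE = """<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithLDAPIdentityResult><Credentials>
<AccessKeyId>N71HK1WE34R2D7F9FDVP</AccessKeyId>
<SecretAccessKey>NmrkNOXA696CrblWU+eUn0NBwUv+4oUs2u8noJAA</SecretAccessKey>
<UID/><GID/><Expiration>2021-04-02T23:24:59Z</Expiration>
<SessionToken>eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJONzFISzFXRTM0UjJEN0Y5RkRWUCIsImV4cCI6MTYxNzQwNTg5OSwibGRhcFVzZXIiOiJjbj1hZG1pbixkYz1tYXByLGRjPWxvY2FsIn0.KY0i3DyOM-IKXi_BHADxZksC8x2PDqjDNBQVIfG-uxBKiJdHrRCnwXUy0GSGX4Q_XXvhAO4aKj5IIauDc_UceQ</SessionToken>
</Credentials></AssumeRoleWithLDAPIdentityResult>
<ResponseMetadata><RequestId>167169A551AF88C8</RequestId></ResponseMetadata>
</AssumeRoleWithLDAPIdentityResponse>"""

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

def build_sts_query(username, password):
    """Build the AssumeRoleWithLDAPIdentity query string. urlencode percent-encodes
    the password, so abc@123 becomes abc%40123 as the CLI example requires."""
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithLDAPIdentity",
        "LDAPUsername": username,
        "LDAPPassword": password,
        "Version": "2011-06-15",
    })

def parse_sts_response(xml_text):
    """Pull the temporary credentials out of the STS XML response; the
    SessionToken is what an S3 client must present alongside the key pair."""
    root = ET.fromstring(xml_text)
    creds = root.find(f"{STS_NS}AssumeRoleWithLDAPIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("response carries no Credentials element")
    fields = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    return {name: creds.findtext(f"{STS_NS}{name}") for name in fields}

def session_token_claims(token):
    """Decode the JWT payload of the session token without verifying its
    signature, to inspect which LDAP user it was issued to and its expiry."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))
```

The decoded exp claim (1617405899) is the same instant as the Expiration element, so a client can check token lifetime from either field.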