LDAP
Akeyless provides LDAP authentication capability using an existing LDAP server.
Eliminate the need to create and maintain users in the Akeyless Vault Platform, while the main advantage is gaining decoupling between the Akeyless Vault Platform and your existing systems.
To configure the Akeyless Vault Platform with your LDAP server, use the Akeyless GW for internal settings in front of your LDAP server within your organization network.
The Akeyless Gateway will validate the user login against your LDAP server and send a signed and encrypted token to Akeyless SaaS services.
To create an LDAP auth method in Akeyless, you must create an Auth method in the Akeyless console or via the CLI.
Once you created an authentication method of LDAP on the Akeyless console, associate this Auth method with the relevant Gateway, using your LDAP authentication Access ID.
To ensure safe communication between Akeyelss SaaS and your internal LDAP server, the Akeyless Gateway acts as an internal trusted server.
Avoid any sensitive information exposure from your LDAP server, this Authentication Methods requires a public key to be located on Akeyless SaaS, which belongs to a private key that will be used in the Akeyless Gateway configuration (Private Key File Content ).
Generate the public / Private key pair in PEM format
openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem
Info
Use the matching public key on Akeyless SaaS to validate the signed JWT token
Create LDAP Authentication Method from the CLI
Let's create a new LDAP authentication method using the Akeyless CLI. If you’d prefer, see how to do this from the Akeyless Console instead.
akeyless create-auth-method-ldap \
--public-key-file-path /path/to/rsa.public \
--name ldap_auth
Where:
- name: A unique name for the authentication method. The name can include the path to the virtual folder in which you want to create the new authentication method, using slash
/separators. If the folder does not exist, it will be created together with the authentication method. - public-key-file-path A path to a private key to validate requests from Akeyless GW.
Configure the Akeyless CLI to use LDAP as an authentication method :
akeyless configure --access-type ldap \
--ldap_proxy_url https://<akeyless.gw.url:default-port-8000> \
--profile ldap \
--access-id <ldap_auth_method_access_id>
CLI toml file output:
cat ~/.akeyless/profiles/ldap.toml >>
[ldap]
access_id = "<ldap_auth_method_access_id>"
access_type = "ldap"
ldap_proxy_url = "https://<akeyless.gw.url:default-port-8000>"
Create LDAP authentication method from the Akeyless Console
-
Log in to the Akeyless Console and go to Auth Methods > New > LDAP.
-
Define a Name for the authentication method, and specify the Location as a path to the virtual folder in which you want to create the new authentication method, using slash
/separators. If the folder does not exist, it will be created together with the authentication method.
- public-key-file-path A public key to validate requests from Akeyless GW.
- Expiration Date: Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.
- Select Save.
Setting LDAP authentication method on the Akeyless Gateway
The following configuration settings are relevant for Akeyless GW this can be done directly on Akeyless GW UI.
Configuration
| Name | Description | Example |
|---|---|---|
| Access ID (mandatory) | Access ID which belongs to LDAP auth method in Akeyless Vault | LDAP Access ID="p-xxxxxxxxx" |
| Private Key File Content (mandatory) | A private key, the Gateway will use this key to encrypt tokens for authentication against Akeyless Vault | Note: please use RSA key, with x509 PEM encoded format. |
| LDAP Server URL | The LDAP server to connect to (Mandatory) | ldap_url="ldap://:389" example for secure connection: ldap_url="ldaps://<your.server>:636 |
| CA Certificate File Content (optional) | CA certificate file path to use when verifying LDAP server certificate. | Note: please use with x509 PEM encoded format. |
| LDAP Bind DN (optional) | Distinguished name of object to bind when performing user and group search (Mandatory) | LDAP Bind DN="cn=admin,dc=your-server" |
| Password for LDAP Bind DN (optional) | Password to use withLDAP Bind DN when performing user search | LDAP Bind DN="GoodNewsEveryone". When absent, make sure your LDAP server can accept anonymous requests. |
| Base DN to Preform User Search (mandatory) | Base DN under which to perform user search | Base DN to Preform User Search= "ou=people,dc=planetexpress,dc=com" |
| LDAP User Attribute (optional) | LDAP attribute to follow on objects returned by user authentication | Default value CN |
| Base DN to Preform Group Search (optional) | Base DN under which to perform group membership search | Base DN to Preform Group Search="ou=people,dc=planetexpress,dc=com" |
| Go Template for Group Membership query (optional) | Go template used when constructing the group membership query. The template can access the following context variables UserDN, Username | Example: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) |
| LDAP Group Attribute (optional) | LDAP attribute to follow on objects returned by ldap_group_filter in order to enumerate user group membership | For groupfilter queries returning group objects, use: cn. For queries returning user objects, use: memberOf. The default is cn. ldap_group_attr="cn" |
What's next?
Make sure to associate your new Authentication Method with an Access Role to grant the relevant permissions within Akeyless
Updated 3 months ago