Akeyless provides LDAP authentication using an existing external LDAP server.
This eliminates the need to create and maintain users in Akeyless Vault, and its main advantage is that it decouples Akeyless Vault from your identity system.
Before we start, you should know the following two terms:
LDAP Authentication Method
The LDAP auth method defines LDAP-based authentication in Akeyless. It requires the public key that corresponds to the private key configured in the LDAP proxy (ldap_private_key_file_path).
Akeyless LDAP Proxy
The LDAP proxy runs in a centralized location in the organisation (as a Docker container). There you set up and configure the connection to your LDAP server, and maintain authentication to it only once. The other Akeyless tools, such as the CLI and the CURL Proxy, interact with the proxy to acquire access to Akeyless via the LDAP server.
Configuration
Name | Description | Example |
---|---|---|
ldap_url | The LDAP server to connect to (mandatory). | ldap_url="ldap://<your.server>:389"; for a TLS connection: ldap_url="ldaps://<your.server>:636" |
ldap_bind_dn | Distinguished name of the object to bind as when performing the user and group searches (mandatory). | ldap_bind_dn="cn=admin,dc=<domain>,dc=<tld>" |
ldap_bind_password | Password to use with ldap_bind_dn when performing the user search (optional). When absent, make sure your LDAP server accepts anonymous requests. | ldap_bind_password="GoodNewsEveryone" |
ldap_private_key_file_path | File path of a private key; the proxy uses this key to encrypt the tokens used for authentication against Akeyless Vault. | ldap_private_key_file_path="/var/akeyless/conf/ldap-proxy/rsa.private" |
ldap_access_id | Access ID of the LDAP auth method in Akeyless Vault (mandatory). | ldap_access_id="p-u50qzufrzsso" |
ldap_user_dn | Base DN under which to perform the user search (mandatory). | ldap_user_dn="ou=people,dc=planetexpress,dc=com" |
ldap_group_dn | Base DN under which to perform the group membership search (mandatory). | ldap_group_dn="ou=people,dc=planetexpress,dc=com" |
ldap_group_filter | Go template used to construct the group membership query (optional). The template can access the context variables UserDN and Username. | ldap_group_filter="(&(objectClass=Group))" |
ldap_group_attr | LDAP attribute to read on the objects returned by ldap_group_filter in order to enumerate the user's group membership (optional). For group filter queries that return group objects, use cn. | ldap_group_attr="cn" |
ldap_cart_file_path | Path of the CA certificate file used to verify the LDAP server certificate (optional). | ldap_cart_file_path="/var/akeyless/conf/ldap-proxy/ldap.crt" |
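To show how the ldap_group_filter template is meant to be used, here is an added example (not Akeyless code) that renders a group membership query with Go's text/template from the UserDN and Username context the table describes. The ldapEscape helper and the member-based filter are assumptions for illustration; the page does not document an escape function in the proxy, so the example shows why substituted DN values should be filter-escaped (RFC 4515) before the query is sent.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// filterContext mirrors the two variables the page says the template can access.
type filterContext struct {
	UserDN   string
	Username string
}

// Constructed template; ldapEscape is a hypothetical helper, not a documented proxy function.
const groupFilterTemplate = `(&(objectClass=Group)(member={{ldapEscape .UserDN}}))`

// ldapEscape applies RFC 4515 escaping so a substituted value cannot open or close filter components.
func ldapEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderGroupFilter renders a group-filter template with the user context.
func RenderGroupFilter(tmpl string, ctx filterContext) (string, error) {
	t, err := template.New("ldap_group_filter").Funcs(template.FuncMap{"ldapEscape": ldapEscape}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, ctx); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	filter, err := RenderGroupFilter(groupFilterTemplate, filterContext{UserDN: "uid=fry,ou=people,dc=planetexpress,dc=com", Username: "fry"})
	if err != nil { panic(err) }
	fmt.Println(filter) // the query the proxy would run under ldap_group_dn
}
```

The rendered filter is then searched under ldap_group_dn, and ldap_group_attr (cn) is read from each matching group object.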
Authentication
Akeyless CLI
Create the LDAP authentication method (run as an admin user)
akeyless create-auth-method-ldap --public-key-file-path /var/akeyless/conf/ldap-proxy/rsa.public -n ldap_auth
Create a role (run as an admin user)
akeyless create-role --name=ldap_role
Set the role rule (run as an admin user)
akeyless set-role-rule -r ldap_role -p "/*" -c read -c create
Associate the auth method with the role (run as an admin user)
akeyless assoc-role-am -r ldap_role -a ldap_auth --sub-claims groups=ship_crew,admin_staff
Configure
akeyless configure --access-type ldap --ldap_proxy_url http://api-proxy-ip-address:api-proxy-port --profile ldap --access-id <ldap_auth_method_access_id>
Resulting CLI profile file (cat ~/.akeyless/akeyless_profiles.toml):
[ldap]
access_id = "<ldap_auth_method_access_id>"
access_type = "ldap"
ldap_proxy_url = "http://api-proxy-ip-address:api-proxy-port"
Akeyless Curl Proxy
Create the LDAP authentication method
curl -d 'cmd=create-auth-method-ldap&public-key-file-path=/var/akeyless/conf/ldap-proxy/rsa.public&name=ldap_auth&token=xxxxxxxx' http://proxy-ip-address:8080
Configure
curl -d 'cmd=configure&access-type=ldap&ldap_proxy_url=http://proxy-ip-address:8080&token=xxxxxxxx' http://127.0.0.1:8080
Set the role rule
curl -d 'cmd=set-role-rule&role-name=ldap_role&path=/*&capability=read&capability=create&token=xxxxxxxx' http://proxy-ip-address:8080
UI
To create a new LDAP authentication method, go to the Auth Methods tab, click New and select LDAP.