Akeyless provides LDAP authentication using an existing external LDAP server.
This eliminates the need to create and maintain users in Akeyless Vault; the main advantage is decoupling Akeyless Vault from your own systems.

To configure Akeyless with your LDAP server, deploy the Akeyless Gateway (GW) inside your organization's network, in front of your LDAP server. The Akeyless Gateway validates the user login against your LDAP server and sends a signed and encrypted token to Akeyless SaaS.

LDAP Authentication Method

To create an LDAP auth method in Akeyless, first create the Auth Method in the Akeyless console. Once the LDAP authentication method exists in the console, associate it with the relevant Gateway using the LDAP Auth Access ID together with a matching public and private key pair.

The LDAP auth method provides a way to define LDAP authentication. It requires a public key whose matching private key is used in the Akeyless Gateway configuration (Private Key File Content).
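As an added example (not Akeyless code, and not taken from this page), the following Go program generates the RSA key pair this step needs, writes both halves in PEM, and checks that the public key really belongs to the private key before the public half is registered with the auth method and the private half is pasted into the Gateway's Private Key File Content. The file names rsa.private and rsa.public, the 2048-bit minimum and the PKCS#1 (private) / PKIX (public) PEM encodings are assumptions made here; the page only asks for an RSA key in x509 PEM-encoded format, so confirm the exact encoding Akeyless expects before relying on it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// Assumption: 2048 bits as a floor for the RSA key; the page only says "RSA key, x509 PEM encoded".
const minRSABits = 2048

// GenerateKeyPairPEM creates an RSA key pair and returns the private key as a
// PEM "RSA PRIVATE KEY" (PKCS#1) block and the public key as a PEM "PUBLIC KEY"
// (PKIX / SubjectPublicKeyInfo) block.
func GenerateKeyPairPEM(bits int) (privPEM, pubPEM []byte, err error) {
	if bits < minRSABits {
		return nil, nil, fmt.Errorf("refusing to generate a %d-bit key; minimum is %d", bits, minRSABits)
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	privPEM = pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	})
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return privPEM, pubPEM, nil
}

// KeyPairMatches parses both PEM blocks and reports whether the public key is
// the one derived from the private key, so a mismatched upload is caught
// before the Gateway and SaaS disagree about which key signs the token.
func KeyPairMatches(privPEM, pubPEM []byte) (bool, error) {
	pb, _ := pem.Decode(privPEM)
	if pb == nil || pb.Type != "RSA PRIVATE KEY" {
		return false, errors.New("private key: expected a PEM RSA PRIVATE KEY block")
	}
	priv, err := x509.ParsePKCS1PrivateKey(pb.Bytes)
	if err != nil {
		return false, fmt.Errorf("private key: %w", err)
	}
	if priv.N.BitLen() < minRSABits {
		return false, fmt.Errorf("private key is only %d bits", priv.N.BitLen())
	}
	ub, _ := pem.Decode(pubPEM)
	if ub == nil || ub.Type != "PUBLIC KEY" {
		return false, errors.New("public key: expected a PEM PUBLIC KEY block")
	}
	pubAny, err := x509.ParsePKIXPublicKey(ub.Bytes)
	if err != nil {
		return false, fmt.Errorf("public key: %w", err)
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("public key is not an RSA key")
	}
	return pub.Equal(&priv.PublicKey), nil
}

func main() {
	privPEM, pubPEM, err := GenerateKeyPairPEM(minRSABits)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Assumed file names; the page only shows /path/to/rsa.public on the CLI.
	// The private half is written owner-read-only since it never leaves the Gateway host.
	if err := os.WriteFile("rsa.private", privPEM, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := os.WriteFile("rsa.public", pubPEM, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ok, err := KeyPairMatches(privPEM, pubPEM)
	fmt.Printf("pair matches: %v, err: %v\n", ok, err)
}
```

The resulting rsa.public is what the --public-key-file-path flag below would point at; rsa.private is the content for the Gateway's Private Key File Content field.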

Authentication

Akeyless CLI

Create the LDAP authentication method:

Tip: Use the matching public key on Akeyless SaaS to validate the signed JWT token.

akeyless create-auth-method-ldap \
  --public-key-file-path /path/to/rsa.public \
  -n ldap_auth

Configure the Akeyless CLI to use LDAP as the authentication method:

akeyless configure --access-type ldap \
  --ldap_proxy_url https://<akeyless.gw.url:port> \
  --profile ldap  \
  --access-id <ldap_auth_method_access_id>

CLI toml file output:

cat ~/.akeyless/akeyless_profiles.toml

[ldap]
  access_id = "<ldap_auth_method_access_id>"
  access_type = "ldap"
  ldap_proxy_url = "https://<akeyless.gw.url:port>"

UI

To create new LDAP authentication credentials, go to the Auth Methods tab in the Akeyless console, click New, and select LDAP.

The following configuration settings are relevant for the Akeyless GW and can be set directly in the Akeyless GW UI.

Configuration

Name: Access ID (mandatory)
Description: Access ID that belongs to the LDAP auth method in Akeyless Vault
Example: LDAP Access ID="p-xxxxxxxxx"

Name: Private Key File Content (mandatory)
Description: The private key the Gateway uses to encrypt tokens for authentication against Akeyless Vault. Note: use an RSA key in x509 PEM-encoded format.

Name: LDAP Server URL (mandatory)
Description: The LDAP server to connect to
Example: ldap_url="ldap://:389"
Example for a secure connection: ldap_url="ldaps://<your.server>:636"

Name: CA Certificate File Content (optional)
Description: CA certificate file path to use when verifying the LDAP server certificate. Note: use x509 PEM-encoded format.

Name: LDAP Bind DN (optional)
Description: Distinguished name of the object to bind when performing user and group search (Mandatory)
Example: LDAP Bind DN="cn=admin,dc=your-server"

Name: Password for LDAP Bind DN (optional)
Description: Password to use with the LDAP Bind DN when performing user search. When absent, make sure your LDAP server can accept anonymous requests.
Example: Password for LDAP Bind DN="GoodNewsEveryone"

Name: Base DN to Perform User Search (mandatory)
Description: Base DN under which to perform user search
Example: Base DN to Perform User Search="ou=people,dc=planetexpress,dc=com"

Name: LDAP User Attribute (optional)
Description: LDAP attribute to follow on objects returned by user authentication. Default value: CN

Name: Base DN to Perform Group Search (optional)
Description: Base DN under which to perform group membership search
Example: Base DN to Perform Group Search="ou=people,dc=planetexpress,dc=com"

Name: Go Template for Group Membership query (optional)
Description: Go template used when constructing the group membership query. The template can access the following context variables: UserDN, Username
Example: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))

Name: LDAP Group Attribute (optional)
Description: LDAP attribute to follow on objects returned by ldap_group_filter in order to enumerate user group membership. For group filter queries returning group objects, use cn. For queries returning user objects, use memberOf. The default is cn.
Example: ldap_group_attr="cn"
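The group membership template above is a standard Go text/template with two context variables. As an added example (not Gateway code, and not from this page), the following Go program renders the page's own template for a constructed user and shows why the values substituted into it should be escaped per RFC 4515 before they reach the directory: a username containing filter metacharacters would otherwise change the shape of the query. The GroupQueryContext type, the EscapeFilterValue helper and the sample user under ou=people,dc=planetexpress,dc=com are assumptions made here; the page does not describe how the Gateway itself escapes template values.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// GroupQueryContext carries the two variables the page says the template can
// access: UserDN and Username. (Type name is an assumption made here.)
type GroupQueryContext struct {
	UserDN   string
	Username string
}

// EscapeFilterValue applies RFC 4515 escaping to a value placed inside an LDAP
// search filter, so the characters ( ) * \ and NUL in a username or DN cannot
// alter the filter's structure. Added here as defensive practice; the page does
// not state how the Gateway escapes values.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '(', ')', '*', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderGroupFilter executes a template of the kind shown on the page with
// escaped context values. A template that references anything other than
// .UserDN or .Username fails at execution time rather than rendering an empty
// or partial filter.
func RenderGroupFilter(tmpl string, ctx GroupQueryContext) (string, error) {
	t, err := template.New("groupfilter").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	safe := GroupQueryContext{
		UserDN:   EscapeFilterValue(ctx.UserDN),
		Username: EscapeFilterValue(ctx.Username),
	}
	var out bytes.Buffer
	if err := t.Execute(&out, safe); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return out.String(), nil
}

// PageTemplate is the template exactly as given in the configuration table.
const PageTemplate = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"

func main() {
	// Constructed sample user under the page's example Base DN.
	ctx := GroupQueryContext{UserDN: "cn=fry,ou=people,dc=planetexpress,dc=com", Username: "fry"}
	f, err := RenderGroupFilter(PageTemplate, ctx)
	fmt.Println(f, err)

	// A username carrying filter metacharacters is neutralised by the escaping.
	f, err = RenderGroupFilter(PageTemplate, GroupQueryContext{UserDN: ctx.UserDN, Username: "fry)(objectClass=*"})
	fmt.Println(f, err)

	// A template that references an unknown variable is rejected outright.
	_, err = RenderGroupFilter("({{.Foo}})", ctx)
	fmt.Println("unknown variable:", err)
}
```

For the sample user the rendered filter is (|(memberUid=fry)(member=cn=fry,ou=people,dc=planetexpress,dc=com)(uniqueMember=cn=fry,ou=people,dc=planetexpress,dc=com)); which attribute of the returned entries is then read is governed by the LDAP Group Attribute setting (cn when the filter returns group objects, memberOf when it returns user objects).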
