
Akeyless provides LDAP authentication using an existing external LDAP server.
This eliminates the need to create and maintain users in Akeyless Vault, while the main advantage is the decoupling of Akeyless Vault from your system.

To configure Akeyless with your LDAP server, you can either use the Akeyless GW (internal settings) in front of your LDAP server within your organization's network, or use the Akeyless LDAP Proxy service.

The following configuration settings apply to both options; on the Akeyless GW they can be set directly in the Akeyless GW UI.

Before we start, you should know the following two terms:

LDAP Authentication Method
The LDAP auth method defines LDAP authentication in Akeyless. It requires a public key, the one that belongs to the private key used in the LDAP proxy configuration (ldap_private_key_file_path).

Akeyless LDAP Proxy
The LDAP proxy runs in a centralized location in the organization (in a Docker container). There you set up and configure the connection to your LDAP server, and maintain authentication to it only once. The other Akeyless tools, such as the CLI and the CURL Proxy, interact with the proxy to acquire access to Akeyless via the LDAP server.






ldap_url (mandatory)

The LDAP server to connect to.

Example for a secure connection: ldap_url="ldaps://<your.server>:636"


ldap_bind_dn (mandatory)

Distinguished name of the object to bind as when performing the user and group searches.


ldap_bind_password (optional)

Password to use with ldap_bind_dn when performing the user search.

Example: ldap_bind_password="GoodNewsEveryone". When absent, make sure your LDAP server accepts anonymous requests.


ldap_private_key_file_path

File path to a private key. The proxy uses this key to encrypt tokens for authentication against Akeyless Vault.

Note: use an RSA key in x509 PEM encoded format.

ldap_access_id (mandatory)

Access ID that belongs to the LDAP auth method in Akeyless Vault.


ldap_user_dn (mandatory)

Base DN under which to perform user search


ldap_group_dn (mandatory)

Base DN under which to perform group membership search


ldap_group_filter (optional)

Go template used when constructing the group membership query. The template can access the following context variables: [UserDN, Username]


ldap_group_attr (optional)

LDAP attribute to follow on the objects returned by ldap_group_filter in order to enumerate the user's group membership.

For group filter queries returning group objects, use cn.
For queries returning user objects, use memberOf. The default is cn.
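To make the ldap_group_filter template and the cn/memberOf distinction concrete, here is an added example (not Akeyless code): it renders a group-membership query from the two context variables the page lists, escaping them per RFC 4515 so a DN or username cannot alter the filter's structure (a hardening step added here, not something the page states the proxy does), and then enumerates group names from constructed search results following either attribute.

```go
package main

import (
	"strings"
	"text/template"
)

// escapeFilterValue applies RFC 4515 escaping to a value placed inside an LDAP
// search filter, so a DN or username cannot alter the filter's structure.
func escapeFilterValue(s string) string {
	return strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`).Replace(s)
}

// RenderGroupFilter renders an ldap_group_filter-style Go template. UserDN and
// Username, the two context variables the page lists, are escaped first.
func RenderGroupFilter(tmpl, userDN, username string) (string, error) {
	t, err := template.New("ldap_group_filter").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, map[string]string{
		"UserDN":   escapeFilterValue(userDN),
		"Username": escapeFilterValue(username),
	})
	return sb.String(), err
}

// GroupNames enumerates group names from search results (constructed attribute maps)
// as ldap_group_attr describes: "cn" when the filter returned group objects, "memberOf"
// when it returned user objects (each value is a group DN such as "cn=ship_crew,ou=groups,dc=example,dc=com").
func GroupNames(entries []map[string][]string, groupAttr string) []string {
	var names []string
	for _, attrs := range entries {
		for _, v := range attrs[groupAttr] {
			if strings.EqualFold(groupAttr, "memberOf") {
				// Keep only the leading cn RDN (simple split; escaped commas are not handled).
				first := strings.SplitN(v, ",", 2)[0]
				if !strings.HasPrefix(strings.ToLower(first), "cn=") {
					continue
				}
				v = first[3:]
			}
			if v != "" {
				names = append(names, v)
			}
		}
	}
	return names
}
```

The group names and DN components used here (fry, ship_crew, admin_staff, dc=example,dc=com) are constructed sample values.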

ldap_cart_file_path (optional)

CA certificate file path to use when verifying the LDAP server certificate. Example:

Note: use x509 PEM encoded format.


Akeyless CLI

Create the LDAP authentication method (run as an admin user):
akeyless create-auth-method-ldap --public-key-file-path /var/akeyless/conf/ldap-proxy/rsa.public -n ldap_auth

Create the role (run as an admin user):
akeyless create-role --name=ldap_role

Set the role rule (run as an admin user):
akeyless set-role-rule -r ldap_role -p "/*" -c read -c create

Associate the auth method with the role (run as an admin user):
akeyless assoc-role-am -r ldap_role -a ldap_auth --sub-claims groups=ship_crew,admin_staff

Configure a CLI profile that authenticates through the LDAP proxy:
akeyless configure --access-type ldap --ldap_proxy_url http://api-proxy-ip-address:api-proxy-port --profile ldap --access-id <ldap_auth_method_access_id>

The resulting CLI profile in the toml file:

cat ~/.akeyless/akeyless_profiles.toml

access_id = "<ldap_auth_method_access_id>"
access_type = "ldap"
ldap_proxy_url = "http://api-proxy-ip-address:api-proxy-port"

Akeyless Curl Proxy

Create the LDAP authentication method:
curl -d 'cmd=create-auth-method-ldap&public-key-file-path=/var/akeyless/conf/ldap-proxy/rsa.public&name=ldap_auth&token=xxxxxxxx' http://proxy-ip-address:8080

Configure LDAP access through the proxy:
curl -d 'cmd=configure&access-type=ldap&ldap_proxy_url=http://proxy-ip-address:8080&token=xxxxxxxx' http://proxy-ip-address:8080

Set the role rule:
curl -d 'cmd=set-role-rule&role-name=ldap_role&path="/*"&capability=read&capability=create&token=xxxxxxxx' http://proxy-ip-address:8080


To create new LDAP authentication credentials in the UI, go to the Auth Methods tab, click New and select LDAP.
