Akeyless Vault

The Akeyless Dev Hub

If you're looking for help with the only zero-trust, SaaS, unified platform for secrets management - you've come to the right place.

This is our documentation and updates center.

Documentation

LDAP

Suggest Edits

Akeyless provides LDAP authentication capability using an existing external LDAP server.
This will eliminate the need to create and maintain users in Akeyless Vault, while the main advantage is gaining decoupling between Akeyless Vault and your system.

Before we start, you should know the following two terms:

LDAP Authentication Method
The ldap auth method provides a way to define ldap authentication. It requires a public key, which belongs to the private key used in the LDAP proxy configuration (ldap_private_key_file_path)

Akeyless LDAP Proxy
The LDAP proxy runs in a centralized location in the organisation (in a docker container), there you can setup and configure your LDAP server, and maintain authentication to it only once. The other Akelyless tools such as the CLI and CURL Proxy will interact with it, to acquire access to Akeyless via the LDAP server.

Configuration

Name

Description

Example

ldap_url

The LDAP server to connect to (Mandatory)

ldap_url="ldap://:389"

example for secure connection: ldap_url="ldaps://<your.server>:636

ldap_bind_dn

Distinguished name of object to bind when performing user and group search (Mandatory)

ldap_bind_dn="cn=admin,dc=,dc="

ldap_bind_password (optional)

Password to use with ldap_bind_dn when performing user search

ldap_bind_password="GoodNewsEveryone". When absent, make sure your LDAP server can accept anonymous requests.

ldap_private_key_file_path
(mandatory)

A file path to a private key, the proxy will use this key to encrypt tokens for authentication against Akeyless Vault

ldap_private_key_file_path="/var/akeyless/conf/ldap-proxy/rsa.private"
Note: please use RSA key, with x509 PEM encoded format.

ldap_access_id (mandatory)

Access ID which belongs to LDAP auth method in Akeyless Vault

ldap_access_id="p-u50qzufrzsso"

ldap_user_dn (mandatory)

Base DN under which to perform user search

ldap_user_dn="ou=people,dc=planetexpress,dc=com"

ldap_group_dn (mandatory)

Base DN under which to perform group membership search

ldap_group_dn="ou=people,dc=planetexpress,dc=com"

ldap_group_filter (optional)

Go template used when constructing the group membership query. The template can access the following context variables: [UserDN, Username]

ldap_group_filter="(&(objectClass=Group))"

ldap_group_attr (optional)

LDAP attribute to follow on objects returned by ldap_group_filter in order to enumerate user group membership

For groupfilter queries returning group objects, use: cn.
For queries returning user objects, use: memberOf. The default is cn.
ldap_group_attr="cn"

ldap_cart_file_path (optional)

CA certificate file path to use when verifying LDAP server certificate. Example:

ldap_cart_file_path="/var/akeyless/conf/ldap-proxy/ldap.crt"
Note: please use with x509 PEM encoded format.

Authentication

Akeyless CLI

Create Ldap authentication method (use with admin user)
create-auth-method-ldap --public-key-file-path /var/akeyless/conf/ldap-proxy/rsa.public -n ldap_auth

Create role (use with admin user)
akeyless create-role --name=ldap_role

Set role (use with admin user)
akeyless set-role-rule -r ldap_role -p “/*” -c read -c create

Set association between auth method and role (use with admin user)
akeyless assoc-role-am -r ldap_role -a ldap_auth --sub-claims groups=ship_crew,admin_staff

Configure
akeyless configure --access-type ldap --ldap_proxy_url http://api-proxy-ip-address:api-proxy-port --profile ldap --access-id <ldap_auth_method_access_id>

CLI toml file output:

cat ~/.akeyless/akeyless_profiles.toml >>

[ldap]
access_id = "<ldap_auth_method_access_id>"
access_type = "ldap"
ldap_proxy_url = "http://api-proxy-ip-address:api-proxy-port"

Akeyless Curl Proxy

Create Ldap authentication method
curl -d 'cmd=create-auth-method-ldap&public-key-file-path=/var/akeyless/conf/ldap-proxy/rsa.public&name=ldap_auth&token=xxxxxxxx' http://proxy-ip-address:8080

Configure
curl -d 'cmd=configure&access-type=ldap&ldap_proxy_url=http://proxy-ip-address:8080&token=xxxxxxxx' http://127.0.0.1:8080

Set role
curl -d 'cmd=set-role-rule&role-name=ldap_role&path="/*"
&capability=read&capability=create&token=xxxxxxxx' http://proxy-ip-address:8080

UI

In order to create a new LDAP authentication credentials, go to Auth Methods tab, click on new and select LDAP.

Updated 6 months ago

LDAP

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.