Akeyless provides LDAP authentication capability using an existing LDAP server.

This eliminates the need to create and maintain users in the Akeyless Vault Platform; the main advantage is the decoupling it provides between the Akeyless Vault Platform and your existing systems.

To connect the Akeyless Vault Platform to your LDAP server, deploy the Akeyless Gateway (GW) in front of your LDAP server, inside your organization's network, and configure the LDAP settings on the Gateway.

The Akeyless Gateway will validate the user login against your LDAP server and send a signed and encrypted token to Akeyless SaaS services.

An LDAP auth method is created either in the Akeyless Console or via the CLI.

Once you have created the LDAP authentication method, associate it with the relevant Gateway using the Access ID of that LDAP authentication method.

To ensure safe communication between Akeyless SaaS and your internal LDAP server, the Akeyless Gateway acts as an internal trusted server.

To avoid exposing any sensitive information from your LDAP server, this authentication method requires a public key to be stored on Akeyless SaaS; the matching private key is used in the Akeyless Gateway configuration (Private Key File Content).

Generate the public/private key pair in PEM format:

openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem

Info: Use the matching public key on Akeyless SaaS to validate the signed JWT token.
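The key split described above, as an added illustration (not Akeyless code, and not Akeyless's actual token format, which this page does not describe): the Gateway signs a minimal RS256 JWT with its private key, and the SaaS side accepts it only with the matching public key. The key pairs here are generated in-code as throwaways; in a deployment the private key is the rsa_private.pem from the openssl step and the public key is the registered rsa_public.pem.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// GatewaySign plays the Gateway role: a minimal RS256 JWT signed with the Gateway's private key.
func GatewaySign(priv *rsa.PrivateKey, claimsJSON string) (string, error) {
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString([]byte(claimsJSON))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// SaaSVerify plays the SaaS role: it holds only the registered public key and accepts a token only if the signature came from the matching private key.
func SaaSVerify(pub *rsa.PublicKey, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo: a throwaway Gateway key pair signs a token; the matching public key accepts it, an unrelated key pair's public key rejects it.
func Demo() (matching, mismatched bool) {
	gwKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	tok, err := GatewaySign(gwKey, `{"sub":"alice","iss":"akeyless-gw"}`)
	if err != nil {
		panic(err)
	}
	return SaaSVerify(&gwKey.PublicKey, tok), SaaSVerify(&otherKey.PublicKey, tok)
}
```

A token whose claims are altered after signing, or one signed by any other key, fails SaaSVerify; registering the wrong public key on the auth method has the same effect.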

Create an LDAP Authentication Method from the CLI

Let's create a new LDAP authentication method using the Akeyless CLI. If you prefer, see how to do this from the Akeyless Console in the section below.

akeyless create-auth-method-ldap \
  --public-key-file-path /path/to/rsa.public \
  --name ldap_auth

Where:

  • name: A unique name for the authentication method. The name can include the path to the virtual folder in which you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method.
  • public-key-file-path: The path to the public key file used to validate requests from the Akeyless GW.

Authenticate from the Akeyless CLI using LDAP as the authentication method:

akeyless auth --access-type ldap \
  --ldap_proxy_url https://<akeyless.gw.url:default-port-8000> \
  --profile ldap  \
  --access-id <ldap_auth_method_access_id>

Note: LDAP with Akeyless CLI

LDAP Auth does not support CLI profiles because of the nature of profile credentials; to work with LDAP from the Akeyless CLI, simply use the auth endpoint as shown above.

Create LDAP authentication method from the Akeyless Console

  1. Log in to the Akeyless Console and go to Users & Auth Methods > New > LDAP.

  2. Define a Name for the authentication method, and specify the Location as a path to the virtual folder in which you want to create the new authentication method, using slash / separators. If the folder does not exist, it will be created together with the authentication method. Then fill in the remaining fields:

     • Public key: the public key used to validate requests from the Akeyless GW (the same key the CLI takes as public-key-file-path).
     • Expiration Date: Select the access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.

  3. Select Save.

Setting the LDAP authentication method on the Akeyless Gateway

The following configuration settings apply to the Akeyless GW and can be set directly in the Akeyless GW UI.

Configuration

Each setting is listed as Name: Description. Example.

  • Access ID (mandatory): The Access ID that belongs to the LDAP auth method in Akeyless Vault. Example: LDAP Access ID="p-xxxxxxxxx"
  • Private Key File Content (mandatory): The private key the Gateway uses to sign and encrypt tokens for authentication against Akeyless Vault. Note: use an RSA key in x509 PEM encoded format.
  • LDAP Server URL (mandatory): The LDAP server to connect to. Example: ldap_url="ldap://<your.server>:389". Example for a secure connection: ldap_url="ldaps://<your.server>:636"
  • CA Certificate File Content (optional): The CA certificate to use when verifying the LDAP server certificate. Note: use x509 PEM encoded format.
  • LDAP Bind DN (optional; required unless your LDAP server accepts anonymous requests): Distinguished name of the object to bind as when performing the user and group searches. Example: LDAP Bind DN="cn=admin,dc=your-server"
  • Password for LDAP Bind DN (optional): Password to use with the LDAP Bind DN when performing the user search. Example: Password for LDAP Bind DN="GoodNewsEveryone". When absent, make sure your LDAP server accepts anonymous requests.
  • Base DN to Perform User Search (mandatory): Base DN under which to perform the user search. Example: Base DN to Perform User Search="ou=people,dc=planetexpress,dc=com"
  • LDAP User Attribute (optional): LDAP attribute to follow on objects returned by user authentication. Default value: CN
  • Base DN to Perform Group Search (optional): Base DN under which to perform the group membership search. Example: Base DN to Perform Group Search="ou=people,dc=planetexpress,dc=com"
  • Go Template for Group Membership Query (optional): Go template used when constructing the group membership query. The template can access the context variables UserDN and Username. Example: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))
  • LDAP Group Attribute (optional): LDAP attribute to follow on objects returned by ldap_group_filter in order to enumerate the user's group membership. For group-filter queries returning group objects, use cn; for queries returning user objects, use memberOf. The default is cn. Example: ldap_group_attr="cn"
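To see what the group membership template above produces, here is an added example (not Gateway code) that renders the table's template with Go's text/template, which the page's "Go template" wording suggests but does not confirm. Escaping the substituted UserDN and Username per RFC 4515 is a check added here as a practitioner would want it; the page does not state whether the Gateway escapes these values itself.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// GroupQueryCtx carries the two context variables the template can use.
type GroupQueryCtx struct {
	UserDN   string
	Username string
}

// escapeFilter applies RFC 4515 escaping so a value substituted into an LDAP
// search filter is matched literally and cannot alter the filter structure.
func escapeFilter(s string) string {
	r := strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`)
	return r.Replace(s)
}

// RenderGroupQuery executes a group membership template with the user
// context, escaping both values before substitution.
func RenderGroupQuery(tmpl string, ctx GroupQueryCtx) (string, error) {
	t, err := template.New("groupfilter").Parse(tmpl)
	if err != nil {
		return "", err
	}
	safe := GroupQueryCtx{UserDN: escapeFilter(ctx.UserDN), Username: escapeFilter(ctx.Username)}
	var buf bytes.Buffer
	if err := t.Execute(&buf, safe); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// DefaultGroupQuery is the example template from the configuration table.
const DefaultGroupQuery = `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`

func main() {
	// Constructed sample user under the planetexpress base DN used in the table.
	q, err := RenderGroupQuery(DefaultGroupQuery, GroupQueryCtx{
		UserDN:   "cn=fry,ou=people,dc=planetexpress,dc=com",
		Username: "fry",
	})
	fmt.Println(q, err)
}
```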

What's next?

Make sure to associate your new Authentication Method with an Access Role to grant the relevant permissions within Akeyless.