Akeyless provides LDAP authentication using an existing external LDAP server.
This eliminates the need to create and maintain users in Akeyless Vault, and the main advantage is that Akeyless Vault is decoupled from your user directory.
To configure Akeyless with your LDAP server, you can either use the Akeyless GW (deployed in front of your LDAP server, inside your organization's network, and configured through the Akeyless GW UI) or the Akeyless LDAP Proxy service.
The configuration settings below apply to both options; on the Akeyless GW they are entered directly in the GW UI.
Before we start, you should know the following two terms:
LDAP Authentication Method
The LDAP auth method defines LDAP authentication in Akeyless. It requires the public key that matches the private key configured in the LDAP proxy (ldap_private_key_file_path).
Akeyless LDAP Proxy
The LDAP proxy runs in a centralized location in the organization (as a Docker container). There you set up and configure the connection to your LDAP server, and maintain authentication to it in one place. The other Akeyless tools, such as the CLI and the CURL Proxy, interact with the proxy to obtain access to Akeyless via the LDAP server.
LDAP proxy configuration settings:
ldap_url: The LDAP server to connect to (mandatory). Example for a secure connection: ldap_url="ldaps://<your.server>:636"
ldap_bind_dn: Distinguished name of the object to bind as when performing user and group searches (mandatory).
ldap_bind_password: Password to use with ldap_bind_dn when performing the user search. Example: ldap_bind_password="GoodNewsEveryone". When absent, make sure your LDAP server accepts anonymous requests.
ldap_private_key_file_path: File path of a private key; the proxy uses this key to encrypt tokens for authentication against Akeyless Vault.
Access ID of the LDAP auth method in Akeyless Vault.
Base DN under which to perform the user search.
Base DN under which to perform the group membership search.
ldap_group_filter: Go template used when constructing the group membership query. The template can access the following context variables: [UserDN, Username]
LDAP attribute to follow on objects returned by ldap_group_filter in order to enumerate the user's group membership. For group filter queries returning group objects, use: cn.
CA certificate file path to use when verifying the LDAP server certificate. Example:
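The ldap_group_filter template above is rendered by the proxy with UserDN and Username filled in. The following is an added Go example, not Akeyless code, showing how such a Go template is rendered and why the substituted values must be escaped per RFC 4515 before the search reaches the directory; the template text and directory names are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Context variables the page says an ldap_group_filter template can access.
type groupFilterContext struct {
	UserDN   string
	Username string
}

// escapeFilterValue escapes an LDAP filter assertion value per RFC 4515.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderGroupFilter renders a group-membership filter template with the
// escaped UserDN and Username substituted, as a proxy must before searching.
func RenderGroupFilter(tmpl, userDN, username string) (string, error) {
	t, err := template.New("ldap_group_filter").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, groupFilterContext{
		UserDN:   escapeFilterValue(userDN),
		Username: escapeFilterValue(username),
	})
	return out.String(), err
}

func main() {
	// Constructed sample template and directory names, not from Akeyless docs.
	tmpl := "(&(objectClass=group)(|(member={{.UserDN}})(memberUid={{.Username}})))"
	f, _ := RenderGroupFilter(tmpl, "cn=fry,ou=people,dc=planetexpress,dc=com", "*)(cn=*")
	fmt.Println(f) // metacharacters in the username are rendered as literal text
}
```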
Create LDAP authentication method (use with admin user)
akeyless create-auth-method-ldap --public-key-file-path /var/akeyless/conf/ldap-proxy/rsa.public -n ldap_auth
Create role (use with admin user)
akeyless create-role --name=ldap_role
Set role rule (use with admin user)
akeyless set-role-rule -r ldap_role -p "/*" -c read -c create
Set association between auth method and role (use with admin user)
akeyless assoc-role-am -r ldap_role -a ldap_auth --sub-claims groups=ship_crew,admin_staff
akeyless configure --access-type ldap --ldap_proxy_url http://api-proxy-ip-address:api-proxy-port --profile ldap --access-id <ldap_auth_method_access_id>
CLI toml file output:
cat ~/.akeyless/akeyless_profiles.toml
access_id = "<ldap_auth_method_access_id>"
access_type = "ldap"
ldap_proxy_url = "http://api-proxy-ip-address:api-proxy-port"
Akeyless Curl Proxy
Create LDAP authentication method
curl -d 'cmd=create-auth-method-ldap&public-key-file-path=/var/akeyless/conf/ldap-proxy/rsa.public&name=ldap_auth&token=xxxxxxxx' http://proxy-ip-address:8080
curl -d 'cmd=set-role-rule&role-name=ldap_role&path="/*"
To create a new LDAP authentication method from the UI, go to the Auth Methods tab, click New and select LDAP.