Akeyless provides LDAP authentication using an existing external LDAP server.
This removes the need to create and maintain users in Akeyless Vault; the main advantage is that Akeyless Vault stays decoupled from your own identity system.
To configure Akeyless with your LDAP server, deploy the Akeyless Gateway (GW) inside your organization's network, in front of your LDAP server. The Akeyless Gateway validates the user login against your LDAP server and sends a signed and encrypted token to Akeyless SaaS.
LDAP Authentication Method
To create an LDAP auth method in Akeyless, first create the auth method in the Akeyless console. Once the LDAP auth method exists, associate it with the relevant Gateway using the LDAP auth method's Access ID together with a matching public and private key pair.
The LDAP auth method defines LDAP authentication for Akeyless. It requires a public key whose matching private key is used in the Akeyless Gateway configuration (Private Key File Content).
Create the LDAP authentication method:
The matching public key is used on Akeyless SaaS to validate the signed JWT token.
akeyless create-auth-method-ldap \
    --public-key-file-path /path/to/rsa.public \
    -n ldap_auth
Configure the Akeyless CLI to use LDAP as the authentication method:
akeyless configure --access-type ldap \
    --ldap_proxy_url https://<akeyless.gw.url:port> \
    --profile ldap \
    --access-id <ldap_auth_method_access_id>
CLI toml file output:
cat ~/.akeyless/akeyless_profiles.toml
[ldap]
access_id = "<ldap_auth_method_access_id>"
access_type = "ldap"
ldap_proxy_url = "https://<akeyless.gw.url:port>"
To create new LDAP authentication credentials in the Akeyless console, go to the Auth Methods tab, click New and select LDAP.
The following configuration settings apply to the Akeyless GW and can be set directly in the Akeyless GW UI.
Access ID (mandatory)
The Access ID of the LDAP auth method in Akeyless Vault.
LDAP Access ID="p-xxxxxxxxx"
Private Key File Content
The private key the Gateway uses to encrypt the tokens it sends for authentication against Akeyless Vault.
Note: use an RSA key in x509 PEM encoded format.
LDAP Server URL
The LDAP server to connect to (Mandatory).
Example for a secure connection: ldap_url="ldaps://<your.server>:636"
CA Certificate File Content (optional)
CA certificate used to verify the LDAP server certificate.
Note: use x509 PEM encoded format.
LDAP Bind DN
Distinguished name of the object to bind as when performing user and group searches (Mandatory).
LDAP Bind DN="cn=admin,dc=your-server"
Password for LDAP Bind DN (optional)
Password to use with the LDAP Bind DN when performing the user search.
Password for LDAP Bind DN="GoodNewsEveryone". When absent, make sure your LDAP server accepts anonymous requests.
Base DN to Perform User Search (mandatory)
Base DN under which to perform the user search.
Base DN to Perform User Search="ou=people,dc=planetexpress,dc=com"
LDAP User Attribute
LDAP attribute to follow on objects returned by user authentication.
Default value: CN
Base DN to Perform Group Search (optional)
Base DN under which to perform the group membership search.
Base DN to Perform Group Search="ou=people,dc=planetexpress,dc=com"
Go Template for Group Membership query
Go template used when constructing the group membership query.
LDAP Group Attribute (optional)
LDAP attribute to follow on objects returned by ldap_group_filter in order to enumerate the user's group membership.
For group filter queries that return group objects, use: cn.