LDAP
Akeyless provides LDAP authentication capability using an existing external LDAP server.
This will eliminate the need to create and maintain users in Akeyless Vault, while the main advantage is gaining decoupling between Akeyless Vault and your system.
In order to configure Akeyless product with your LDAP server, you can use Akeyless GW for internal settings in front of your LDAP server within your organization network. The Akeyless Gateway will validate the user login against your LDAP server, and will send a signed and encrypted token to Akeyless SaaS.
LDAP Authentication Method
To create LDAP auth method in Akeyless, first you will need to create an Auth method in Akeyless console. Once you created an authentication method of LDAP on Akeyless console, associate this Auth method, with the relevant Gateway, using your LDAP Auth Access ID with a matching public and private key pair.
The LDAP auth method provides a way to define LDAP authentication. It requires a public key, which belongs to a private key that will be used in the Akeyless Gateway configuration (Private Key File Content ).
Authentication
Akeyless CLI
Create LDAP authentication method :
Tip
Use the matching public key on Akeyless SaaS to validate the signed JWT token
akeyless create-auth-method-ldap \
--public-key-file-path /path/to/rsa.public \
-n ldap_auth
Configure the Akeyless CLI to use LDAP as authentication method :
akeyless configure --access-type ldap \
--ldap_proxy_url https://<akeyless.gw.url:port> \
--profile ldap \
--access-id <ldap_auth_method_access_id>
CLI toml file output:
cat ~/.akeyless/akeyless_profiles.toml >>
[ldap]
access_id = "<ldap_auth_method_access_id>"
access_type = "ldap"
ldap_proxy_url = "https://<akeyless.gw.url:port>"
UI
In order to create a new LDAP authentication credentials, on Akeyless console go to Auth Methods tab, click on new and select LDAP.
The following configuration settings, are relevant for Akeyless GW this can be done directly on Akeyless GW UI.
Configuration
Name | Description | Example |
|---|---|---|
Access ID (mandatory) | Access ID which belongs to LDAP auth method in Akeyless Vault | LDAP Access ID="p-xxxxxxxxx" |
Private Key File Content | A private key, the Gateway will use this key to encrypt tokens for authentication against Akeyless Vault | Note: please use RSA key, with x509 PEM encoded format. |
LDAP Server URL | The LDAP server to connect to (Mandatory) | ldap_url="ldap://:389" example for secure connection: ldap_url="ldaps://<your.server>:636 |
CA Certificate File Content (optional) | CA certificate file path to use when verifying LDAP server certificate. | Note: please use with x509 PEM encoded format. |
LDAP Bind DN | Distinguished name of object to bind when performing user and group search (Mandatory) | LDAP Bind DN="cn=admin,dc=your-server" |
Password for LDAP Bind DN (optional) | Password to use withLDAP Bind DN when performing user search | LDAP Bind DN="GoodNewsEveryone". When absent, make sure your LDAP server can accept anonymous requests. |
Base DN to Preform User Search (mandatory) | Base DN under which to perform user search | Base DN to Preform User Search= "ou=people,dc=planetexpress,dc=com" |
LDAP User Attribute | LDAP attribute to follow on objects returned by user authentication | Default value CN |
Base DN to Preform Group Search (optional) | Base DN under which to perform group membership search | Base DN to Preform Group Search="ou=people,dc=planetexpress,dc=com" |
Go Template for Group Membership query | Go template used when constructing the group membership query. | Example: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) |
LDAP Group Attribute (optional) | LDAP attribute to follow on objects returned by ldap_group_filter in order to enumerate user group membership | For groupfilter queries returning group objects, use: cn. |
Updated 3 months ago