LDAP Dynamic Secret
You can define a dynamic LDAP secret to dynamically generate LDAP access credentials. When a client requests the dynamic secret value, the Akeyless Gateway connects to your LDAP server and generates a temporary set of restricted access credentials.
Prerequisites
-
An Akeyless Gatewaywith network access to the LDAP server.
-
LDAP server with a privileged LDAP User.
Create a Dynamic LDAP Secret from the CLI
Note
We recommend using dynamic secrets with Targets. While it saves time for multiple secret-level configurations by not requiring you to provide an inline connection string each time, it is also important for security streamlining. Using a target allows you to rotate credentials without breaking the credential chain for the objects connected to the server used, using inline will force you to go and change the credentials in each individual item instead of just the target.
To create a dynamic LDAP secret from the CLI using an existing LDAP Target, run the following command:
akeyless dynamic-secret create ldap \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--user-dn <User Base DN> \
--password-length 16
Or using an inline connection string:
akeyless dynamic-secret create akeyless dynamic-secret get-valueldap \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--ldap-url <LDAP server URL> \
--bind-dn <LDAP Bind DN> \
--bind-dn-password <Password>\
--ldap-ca-cert <LDAP base-64 encoded CA Certificate> \
--user-dn <User Base DN>
Where:
-
name
: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash/
separators. If the folder does not exist, it will be created together with the dynamic secret. -
target-name
: A name of the target that enables connection to the LDAP server. The name can include the path to the virtual folder where this target resides. -
gateway-url
: Akeyless Gateway Configuration Manager URL (port8000
). -
user-dn
: User Base DN. -
password-length
: Optional The temporary user password length.
Inline connection string
If you don't have LDAP Target yet, you can use the command with your LDAP target server connection string:
-
ldap-url
: The LDAP server URL. -
bind-dn
: The LDAP Bind DN. -
bind-dn-password
: The password for LDAP Bind DN. -
ldap-ca-cert
: The LDAP base-64 encoded CA Certificate.
You can find the complete list of parameters for this command in the CLI Reference - Dynamic Secrets section.
Fetch a Dynamic LDAP Secret value from the CLI
To fetch a dynamic LDAP secret value from the CLI, run the following command:
akeyless dynamic-secret get-value --name <Path to your dynamic secret>
Create a Dynamic LDAP Secret in the Akeyless Console
Note
To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.
To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.
-
Log in to the Akeyless Console, and go to Items > New > Dynamic Secret.
-
Select the LDAP secret type and click Next.
-
Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash
/
separators. If the folder does not exist, it will be created together with the dynamic secret. -
Define the remaining parameters as follows:
-
Target mode: In this section, you can either select an existing LDAP Target or specify details of the target LDAP server explicitly.
-
Use the Choose an existing target drop-down list to select the existing LDAP Target.
-
Check the Explicitly specify target properties to provide details of the target LDAP Server in the next step.
-
-
User Base DN: Specify user base DN settings.
-
LDAP User Attribute: Specify the default value CN.
-
Externally Provided Username: Select this checkbox to add an existing user based on the user identity which issues the secret value. It is relevant only when authenticating using an external IDP. By default, use the claim
ext_username
configured on your IDP with the value of the relevant user. -
User TTL: Provide a time-to-live value for a dynamic secret (i.e., a token). When TTL expires, the token becomes obsolete.
-
Temporary Password Length Set the length of the temporary password.
-
Time Unit: Select the time unit (seconds, minutes, hours) for the TTL value.
-
Gateway: Select the Gateway through which the dynamic secret will create users.
-
Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge
-
If you selected the Explicitly specify target properties, click Next.
-
Provide details of the target LDAP server connection:
-
LDAP Server URL: Specify the LDAP Server URL.
-
CA Certificate File Content: Provide the base64-encoded CA Certificate to enable the secure connection.
-
LDAP Bind DN: Provide Bind DN for authentication of a privileged user.
-
Password for LDAP Bind DN: Provide the password of the privileged user for authentication.
- Click Finish.
Fetch a Dynamic LDAP Secret value from the Akeyless Console
-
Log in to the Akeyless Console, and go to Items.
-
Browse to the folder where you created a dynamic secret.
-
Select the secret and click Get Dynamic Secret button.
Username Length Policy
To control the temporary username policy, you can add to your Gateway deployment the following environment variable:
LDAP_USERNAME_LEN
Updated about 2 months ago