Setting Up LDAP for Authorization
Learn how to set up LDAP for authorization with File Storage.
- Ensure that you have the LDAP infrastructure required and gathered the required information. See Prerequisites for more information.
- Add the required IAM policies.
- Upload the LDAP password to OCI Vault in plain-text format. For more information, see Overview of Vault.
- Create two outbound connectors to contact the LDAP server.Note
Using LDAP for authorization requires at least one outbound connector. A second outbound connector can be used as a backup or for failover. See Secondary Group Lookup and Caching for details on how File Storage responds when it can't reach an LDAP server. - Add LDAP communication details to a mount target.
- Create or update a file system that uses the LDAP-enabled mount target.
- Enable LDAP on the file system export.
- Set any optional NFS export options.
- Mount the file system.
Configuring LDAP for a Mount Target
Add LDAP information to a mount target for use in authorization.
When you update an existing mount target to use LDAP, it can take some time for the updates to be fully reflected throughout File Storage.
- Open the navigation menu and select Storage. Under File Storage, select Mount Targets.
- In the List scope section, under Compartment, select a compartment.
- Find the mount target you're interested in, click the Actions menu (
), and then click View details. - Click the NFS tab to view or edit the existing NFS settings for the mount target.
- Next to LDAP, click Manage.
-
In the Manage LDAP window, provide the following details:
- Schema type: The schema type of the LDAP account.
The only allowed value is RFC2307.
- Cache refresh interval in seconds: How often the mount target should contact the LDAP server for updates.
- Cache lifetime in seconds: How long cached entries may be used.
- Negative cache lifetime in seconds: How long to cache if ID mapping information is missing.
- Search base for users: All LDAP searches are recursive starting at this user.
- Search base for groups: All LDAP searches are recursive starting at this group.
- Outbound Connector 1: The first connector to use to communicate with the LDAP server.
- Outbound Connector 2: The second connector to use to communicate with the LDAP server.
- Enable LDAP: Enable this option to require the mount target to use an LDAP server for secondary group lookup. The file system's export must also have Use LDAP for group list enabled.
- Schema type: The schema type of the LDAP account.
- Click Save.
Use the
oci fs mount-target createcommand with the--idmap-typeand--ldap-idmapoptions to create a mount target and provide LDAP details.oci fs mount-target create --availability-domain <availability_domain> --compartment-id <compartment_id> --subnet-id <subnet_id> --idmap-type LDAP --ldap-idmap <file://ldap.json>Use the
oci fs mount-target updatecommand with the--idmap-typeand--ldap-idmapoptions to update an existing mount target with LDAP details.oci fs mount-target update --mount-target-id <mount_target_id> --idmap-type LDAP --ldap-idmap <file://ldap.json>An example
ldap.jsonfile follows:{ "cacheLifetimeSeconds": 300, "cacheRefreshIntervalSeconds": 300, "groupSearchBase": "cn=accounts,dc=example,dc=com", "negativeCacheLifetimeSeconds": 300, "outboundConnector1Id": "ocid1.outboundconnector.oc1.exampleuniqueID", "outboundConnector2Id": "ocid1.outboundconnector.oc1.exampleuniqueID", "userSearchBase": "cn=accounts,dc=example,dc=com", "schemaType": "RFC2307" }For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
Use CreateMountTarget or UpdateMountTarget with the
idMapTypeandldapIdmapoptions to create or update a mount target with LDAP details.For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.