Setting Up LDAP for Authorization

Learn how to set up LDAP for authorization with File Storage.

  1. Ensure that you have the required LDAP infrastructure and have gathered the required information. See Prerequisites for more information.
  2. Add the required IAM policies.
  3. Store the password that File Storage uses to bind to the LDAP server as a secret in OCI Vault, in plain-text format. For more information, see Overview of Vault.
  4. Create the outbound connectors (one required, a second optional) that File Storage uses to contact the LDAP server.
    Note

    Using LDAP for authorization requires at least one outbound connector. A second outbound connector can be used as a backup or for failover. See Secondary Group Lookup and Caching for details on how File Storage responds when it can't reach an LDAP server.
  5. Add LDAP communication details to a mount target.
  6. Create or update a file system that uses the LDAP-enabled mount target.
  7. Enable LDAP on the file system export.
  8. Set any optional NFS export options.
  9. Mount the file system.

Configuring LDAP for a Mount Target

Add LDAP information to a mount target for use in authorization.

Note

When you update an existing mount target to use LDAP, it can take some time for the updates to be fully reflected throughout File Storage.
    1. Open the navigation menu and click Storage. Under File Storage, click Mount Targets.
    2. In the List scope section, under Compartment, select a compartment.
    3. Find the mount target you're interested in, click the Actions menu (Actions Menu), and then click View details.
    4. Click the NFS tab to view or edit the existing NFS settings for the mount target.
    5. Next to LDAP, click Manage.
    6. In the Manage LDAP window, provide the following details:

      • Schema type: The schema that the LDAP directory uses for user and group entries.

        The only allowed value is RFC2307.

      • Cache refresh interval in seconds: How often the mount target contacts the LDAP server to refresh cached entries.
      • Cache lifetime in seconds: How long a cached entry may continue to be used before it expires.
      • Negative cache lifetime in seconds: How long the mount target caches the absence of a mapping when the LDAP server returns no ID mapping for a user or group, so that repeated lookups for unknown IDs don't each contact the server.
      • Search base for users: The DN of the subtree under which user entries are searched. All LDAP searches are recursive (subtree scope) starting at this DN.
      • Search base for groups: The DN of the subtree under which group entries are searched. All LDAP searches are recursive (subtree scope) starting at this DN.
      • Outbound Connector 1: The first connector to use to communicate with the LDAP server.
      • Outbound Connector 2: The second (optional) connector to use to communicate with the LDAP server, used as a backup or for failover.
      • Enable LDAP: Enable this option to require the mount target to use an LDAP server for secondary group lookup. The file system's export must also have Use LDAP for group list enabled; LDAP is not used for the export until both are set.
    7. Click Save.
  • Use the oci fs mount-target create command with the --idmap-type and --ldap-idmap options to create a mount target and provide LDAP details. The --ldap-idmap value is a JSON object, which you can pass from a file with the file:// prefix.

    oci fs mount-target create --availability-domain <availability_domain> --compartment-id <compartment_id> --subnet-id <subnet_id> --idmap-type LDAP --ldap-idmap file://ldap.json

    Use the oci fs mount-target update command with the same --idmap-type and --ldap-idmap options to update an existing mount target with LDAP details.

    oci fs mount-target update --mount-target-id <mount_target_id> --idmap-type LDAP --ldap-idmap file://ldap.json

    An example ldap.json file follows. The two outbound connector OCIDs are placeholders; in practice they refer to two different connectors, and outboundConnector2Id can be omitted if you have only one.

    {
      "cacheLifetimeSeconds": 300,
      "cacheRefreshIntervalSeconds": 300,
      "groupSearchBase": "cn=accounts,dc=example,dc=com",
      "negativeCacheLifetimeSeconds": 300,
      "outboundConnector1Id": "ocid1.outboundconnector.oc1.exampleuniqueID",
      "outboundConnector2Id": "ocid1.outboundconnector.oc1.exampleuniqueID",
      "userSearchBase": "cn=accounts,dc=example,dc=com",
      "schemaType": "RFC2307"
    }

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Use the CreateMountTarget or UpdateMountTarget API operation with the idMapType and ldapIdmap attributes to create or update a mount target with LDAP details.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
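The following is an added example, not code from this page or from OCI File Storage, that models what the Manage LDAP settings above mean in practice: an RFC2307 secondary group lookup (uidNumber to uid, then the posixGroup entries that list that uid in memberUid, plus the account's primary gidNumber), recursive from the user and group search bases, in front of a cache governed by the refresh interval, cache lifetime and negative cache lifetime. The directory entries, the in-memory LdapServer stand-in and the exact cache policy (serve a positive entry without a round trip while it is younger than the refresh interval, serve a stale positive entry while the server is unreachable until the lifetime expires, then fail closed with an empty group list) are assumptions made for the illustration; File Storage's real behaviour during an outage is described under Secondary Group Lookup and Caching.

```python
"""Added example: RFC2307 secondary group lookup with the three cache timers.
Directory data, server stand-in and cache policy are constructed assumptions,
not OCI File Storage's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed RFC2307 entries (posixAccount / posixGroup) keyed by DN.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "uidNumber": ["1001"], "gidNumber": ["1001"]},
    "cn=dev,cn=groups,cn=accounts,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["dev"],
        "gidNumber": ["2001"], "memberUid": ["alice", "bob"]},
    "cn=ops,cn=groups,cn=accounts,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["ops"],
        "gidNumber": ["2002"], "memberUid": ["bob"]},
}


def subtree(base: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Recursive (subtree-scope) search: every entry at or below the base DN."""
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn == base or dn.endswith("," + base)]


class LdapServer:
    """Stand-in for the LDAP server reached through an outbound connector."""

    def __init__(self) -> None:
        self.queries = 0        # round trips actually made, for observation
        self.reachable = True   # flip to False to simulate an outage

    def group_list(self, uid_number: int, user_base: str,
                   group_base: str) -> Optional[List[int]]:
        """RFC2307 lookup: uidNumber -> uid, then every posixGroup whose
        memberUid lists that uid, plus the primary gidNumber. None = no mapping."""
        if not self.reachable:
            raise ConnectionError("LDAP server unreachable")
        self.queries += 1
        user = next((e for _, e in subtree(user_base)
                     if "posixAccount" in e["objectClass"]
                     and e["uidNumber"] == [str(uid_number)]), None)
        if user is None:
            return None
        gids = {int(user["gidNumber"][0])}
        for _, e in subtree(group_base):
            if "posixGroup" in e["objectClass"] and user["uid"][0] in e["memberUid"]:
                gids.add(int(e["gidNumber"][0]))
        return sorted(gids)


@dataclass
class CachedEntry:
    gids: Optional[List[int]]   # None records a negative (missing-mapping) result
    fetched_at: float


class GroupCache:
    """Cache timers named as in the Manage LDAP window (seconds)."""

    def __init__(self, server: LdapServer, user_base: str, group_base: str,
                 refresh_interval: float = 300, lifetime: float = 300,
                 negative_lifetime: float = 300) -> None:
        self.server, self.user_base, self.group_base = server, user_base, group_base
        self.refresh_interval, self.lifetime = refresh_interval, lifetime
        self.negative_lifetime = negative_lifetime
        self.entries: Dict[int, CachedEntry] = {}

    def lookup(self, uid_number: int, now: float) -> Optional[List[int]]:
        """Return the group list for uid_number at time `now` (injected clock)."""
        entry = self.entries.get(uid_number)
        if entry is not None:
            age = now - entry.fetched_at
            if entry.gids is None and age < self.negative_lifetime:
                return None             # negative cache hit: no LDAP round trip
            if entry.gids is not None and age < self.refresh_interval:
                return entry.gids       # fresh positive entry: no LDAP round trip
        try:
            gids = self.server.group_list(uid_number, self.user_base, self.group_base)
        except ConnectionError:
            # Assumed policy: a positive entry past its refresh interval may still
            # be served while the server is down, until its lifetime expires;
            # after that the lookup fails closed with no supplementary groups.
            if entry is not None and entry.gids is not None \
                    and now - entry.fetched_at < self.lifetime:
                return entry.gids
            return []
        self.entries[uid_number] = CachedEntry(gids, now)
        return gids


if __name__ == "__main__":
    srv = LdapServer()
    base = "cn=accounts,dc=example,dc=com"
    cache = GroupCache(srv, base, base, refresh_interval=300, lifetime=600,
                       negative_lifetime=120)
    print(cache.lookup(1001, now=0), srv.queries)     # [1001, 2001] 1
    print(cache.lookup(1001, now=100), srv.queries)   # served from cache, still 1
    srv.reachable = False
    print(cache.lookup(1001, now=700))                # stale entry within lifetime
    print(cache.lookup(1001, now=1000))               # lifetime expired: []
```

Driving the clock by hand shows the trade-off behind the three values: a short refresh interval makes group changes in LDAP visible sooner at the cost of more round trips, a long cache lifetime keeps existing users working through a connector or server outage, and the negative cache lifetime bounds how long a newly created account keeps being treated as unknown.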