Managing Outbound Connectors
File Storage uses outbound connectors to communicate with an external server, such as an LDAP server.
An outbound connector contains all the information needed to connect, authenticate, and gain authorization to perform the account's required functions. Currently, outbound connectors are only used for communicating with LDAP servers. You specify configuration options for the connector when you add LDAP authentication to a mount target.
When connecting to an LDAP server, a mount target uses the first outbound connector specified in its configuration. If the mount target fails to log in to the LDAP server using the first outbound connector, it uses the second outbound connector.
Multiple mount targets can use the same outbound connector. You can associate an outbound connector with a mount target only when they exist in the same availability domain. You can have up to 32 outbound connectors per availability domain.
See the following topics for detailed instructions related to outbound connector management:
Required IAM policy
To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.
For administrators: The policy in Let users create, manage, and delete file systems allows users to manage outbound connectors.
These policies must be created before you can configure mount targets to use LDAP for authorization.
Policy to Enable Mount Target Configuration
Grant the user or group that configures LDAP on a mount target permissions with a policy like the following:
allow <user|group> to read secret-family in compartment <Compartment_ID> where any { target.secret.id = <LDAP_Password_Secret_ID> }
This allows the user to issue File Storage commands that will read the Vault secrets and display parts of the secret for validation during configuration.
Policy to Allow a Mount Target to Retrieve Secrets
The File Storage service requires the ability to read the secrets. File Storage uses resource principals to grant a specific set of mount targets access to the Vault secret. This is a two-step process: first, the mount targets that need access are put into a dynamic group, and then the dynamic group is granted access to read the secrets.
- Create a dynamic group for the mount targets with a matching rule such as the following:
ALL { resource.type='mounttarget', resource.compartment.id = '<mount_target_compartment_id>' }
Note
If you have more than one rule in a dynamic group, ensure that you use the Match any rules defined below option.
- Create an IAM policy that gives the dynamic group of mount targets read access to Vault secrets:
allow dynamic-group <dynamic_group_name> to read secret-family in compartment <secret_compartment_name>
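The following is an added example, not part of this documentation or the OCI SDK: a small evaluator for dynamic-group matching rules that shows why the Match any rules defined below option matters when mount targets in two compartments each get their own ALL { ... } rule. The compartment OCIDs and the sample mount target are constructed placeholders.

```python
import re

# Constructed sample: a mount target as the dynamic-group evaluator sees it.
# The compartment OCID is a placeholder, not a real identifier.
MOUNT_TARGET = {
    "resource.type": "mounttarget",
    "resource.compartment.id": "ocid1.compartment.oc1..example-a",
}

RULE_RE = re.compile(r"^\s*(ALL|ANY)\s*\{(.*)\}\s*$", re.IGNORECASE)
COND_RE = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")


def parse_rule(rule):
    """Parse one rule such as
    ALL { resource.type='mounttarget', resource.compartment.id = '<id>' }
    into (operator, {attribute: expected value})."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    op, body = m.group(1).upper(), m.group(2)
    conds = dict(COND_RE.findall(body))
    if not conds:
        raise ValueError(f"rule has no conditions: {rule!r}")
    return op, conds


def rule_matches(rule, resource):
    """ALL requires every condition inside the braces; ANY requires one."""
    op, conds = parse_rule(rule)
    results = [resource.get(attr) == val for attr, val in conds.items()]
    return all(results) if op == "ALL" else any(results)


def is_member(rules, resource, match_mode="any"):
    """Dynamic-group membership. match_mode mirrors the Console choice:
    'any' = Match any rules defined below, 'all' = Match all rules defined below."""
    hits = [rule_matches(r, resource) for r in rules]
    return any(hits) if match_mode == "any" else all(hits)


# One rule per compartment, as when mount targets live in two compartments.
RULES = [
    "ALL { resource.type='mounttarget', resource.compartment.id = 'ocid1.compartment.oc1..example-a' }",
    "ALL { resource.type='mounttarget', resource.compartment.id = 'ocid1.compartment.oc1..example-b' }",
]

if __name__ == "__main__":
    print("match any:", is_member(RULES, MOUNT_TARGET, "any"))  # True
    print("match all:", is_member(RULES, MOUNT_TARGET, "all"))  # False: no target is in both compartments
```

With Match all rules selected, a mount target would have to satisfy both compartment rules at once, so the group stays empty and the secret-family policy grants nothing.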
If you're new to policies, see Getting Started with Policies and Common Policies.
Details About An Outbound Connector
The details page provides the following information about an outbound connector:
- OCID
- Every Oracle Cloud Infrastructure resource has an Oracle-assigned unique ID called an Oracle Cloud Identifier (OCID). You need an outbound connector's OCID to use the Command Line Interface (CLI) or the API. You also need the OCID when contacting support. See Resource Identifiers.
- CREATED
- The date and time that the outbound connector was created.
- COMPARTMENT
- When you create an outbound connector, you specify the compartment that it resides in. A compartment is a collection of related resources (such as cloud networks, compute instances, or file systems) that are only accessible to those groups that have been given permission by an administrator in your organization. You need your outbound connector's compartment to use the Command Line Interface (CLI) or the API. For more information, see Managing Compartments.
- AVAILABILITY DOMAIN
- When you create an outbound connector, you specify the availability domain that it resides in. An availability domain is one or more data centers within a region. You need an outbound connector's availability domain to use the Command Line Interface (CLI) or the API. For more information, see Regions and Availability Domains.
- CONNECTOR TYPE
- The type of outbound connector. The only supported type is LDAPBIND.
- SERVER DNS NAME
- The fully qualified domain name of the instance where the LDAP service is running.
- PORT
- The LDAPS port of the LDAP service.
- BIND DISTINGUISHED NAME
- The LDAP Distinguished Name used to log in to the LDAP server.
- SECRET OCID
- The OCID of the secret in Vault that contains the password associated with the Bind Distinguished Name.
- SECRET VERSION
- The version number of the LDAP password secret.