Managing Outbound Connectors

File Storage uses outbound connectors to communicate with an external server, such as an LDAP server.

An outbound connector contains all the information needed to connect, authenticate, and gain authorization to perform the account's required functions. Currently, outbound connectors are only used for communicating with LDAP servers. You specify configuration options for the connector when you add LDAP authentication to a mount target.

When connecting to an LDAP server, a mount target uses the first outbound connector specified in its configuration. If the mount target fails to log in to the LDAP server using the first outbound connector, it uses the second outbound connector.

Multiple mount targets can use the same outbound connector. You can associate an outbound connector with a mount target only when they exist in the same availability domain. You can have up to 32 outbound connectors per availability domain.

Required IAM policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don’t have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

For administrators: The policy in "Let users create, manage, and delete file systems" allows users to manage outbound connectors.

Because outbound connectors also require access to secrets in order to connect to an external server, such as an LDAP server, additional IAM policies for both the user configuring the mount target and the mount target itself are required.

These policies must be created before you can configure mount targets to use LDAP for authorization.

Policy to Enable Mount Target Configuration

Grant the user or group configuring LDAP on a mount target permissions using a policy like the following:

    allow <user|group> to read secret-family in compartment <Compartment_ID> where any { = <LDAP_Password_Secret_ID> }

This allows the user to issue File Storage commands that will read the Vault secrets and display parts of the secret for validation during configuration.

Policy to Allow a Mount Target to Retrieve Secrets

The File Storage service requires the ability to read the secrets. File Storage uses resource principals to grant a specific set of mount targets access to the Vault secret. This is a two-step process: first, the mount targets that need access must be put into a dynamic group; then, the dynamic group is granted access to read the secrets.

  1. Create a dynamic group for the mount targets with a matching rule such as the following:

    ALL { resource.type='mounttarget', = '<mount_target_compartment_id>' }

    If you have more than one rule in a dynamic group, ensure that you use the Match any rules defined below option.
  2. Create an IAM policy that gives the dynamic group of mount targets read access to Vault secrets:

     allow dynamic-group <dynamic_group_name> to read secret-family in compartment <secret_compartment_name>

If you're new to policies, see Getting Started with Policies and Common Policies.
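The dynamic-group statement in step 2 has no `where` clause, so it makes every secret in that compartment readable by the mount targets. The following is an added example, not Oracle's code, that audits policy statements for grants on secrets that are broader than a single-secret read. The regex covers only a subset of the policy grammar, the sample names are constructed, and the `target.secret.` condition prefix is assumed from the OCI Vault policy reference because the variable name is missing from the statement shown on this page.

```python
import re

# Grammar subset: allow <group|dynamic-group> <name> to <verb> <resource>
# in <tenancy|compartment name> [where <condition>]
STATEMENT = re.compile(
    r"^\s*allow\s+(?P<kind>dynamic-group|group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
SECRET_RESOURCES = {"secret-family", "all-resources"}


def audit(statement):
    """Return least-privilege findings for one policy statement."""
    m = STATEMENT.match(statement)
    if m is None:
        return ["unparsed"]
    if m["resource"].lower() not in SECRET_RESOURCES:
        return []  # statement does not touch Vault secrets
    findings = []
    if VERB_RANK[m["verb"].lower()] > VERB_RANK["read"]:
        findings.append("verb-broader-than-read")
    if m["scope"].lower() == "tenancy":
        findings.append("tenancy-wide")
    if not m["cond"]:
        findings.append("no-where-clause")  # every secret in scope is readable
    elif "target.secret." not in m["cond"].lower():
        findings.append("condition-not-on-secret")  # assumed variable prefix
    return findings


# Constructed sample statements. The first is the statement from step 2 as written.
SAMPLE = [
    "allow dynamic-group <dynamic_group_name> to read secret-family "
    "in compartment <secret_compartment_name>",
    # Same grant narrowed to one secret (placeholder OCID, assumed variable name).
    "allow dynamic-group fss-mount-targets to read secret-family "
    "in compartment ldap-secrets where target.secret.id = '<LDAP_Password_Secret_ID>'",
    "allow dynamic-group fss-mount-targets to manage secret-family in tenancy",
    "allow group storage-admins to manage file-family in compartment storage",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(audit(s) or ["ok"], "<-", s)
```

A `no-where-clause` finding is a prompt to review what else is stored in that compartment, for example by keeping the LDAP bind password in a compartment that holds no other secrets.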

Details About An Outbound Connector

The details page provides the following information about an outbound connector:

Every Oracle Cloud Infrastructure resource has an Oracle-assigned unique ID called an Oracle Cloud Identifier (OCID). You need an outbound connector's OCID to use the Command Line Interface (CLI) or the API. You also need the OCID when contacting support. See Resource Identifiers.
The date and time that the outbound connector was created.
When you create an outbound connector, you specify the compartment that it resides in. A compartment is a collection of related resources (such as cloud networks, compute instances, or file systems) that are only accessible to those groups that have been given permission by an administrator in your organization. You need your outbound connector's compartment to use the Command Line Interface (CLI) or the API. For more information, see Managing Compartments.
When you create an outbound connector, you specify the availability domain that it resides in. An availability domain is one or more data centers within a region. You need an outbound connector's availability domain to use the Command Line Interface (CLI) or the API. For more information, see Regions and Availability Domains.
The type of outbound connector. The only supported type is LDAPBIND.
The fully qualified domain name of the instance where the LDAP service is running.
The LDAPS port of the LDAP service.
The LDAP Distinguished Name used to log in to the LDAP server.
The OCID of the secret in Vault which contains the password associated with the Bind Distinguished Name.
The version number of the LDAP password secret.