[ceph-users] Object gateway and LDAP Auth
Josh
2017-08-31 19:33:39 UTC
Hello!

I've setup LDAP authentication on an object gateway and am attempting to
create a bucket via s3 using python's boto3. It works fine using the access
and secret key for a radosgw user, but access is denied using a token
generated via radosgw-token with the LDAP user's credentials. The user does
exist in the directory (I'm using Active Directory), and I am able to query
for that user using the creds specified in rgw_ldap_binddn and
rgw_ldap_secret.

I've bumped the rgw logging to 20 and can see the request come in, but it
ultimately gets denied:
2017-08-30 15:44:55.754721 7f4878ff9700 2 req 1:0.000076:s3:PUT /foobar:create_bucket:authorizing
2017-08-30 15:44:55.754738 7f4878ff9700 10 v4 signature format = ****
2017-08-30 15:44:55.754746 7f4878ff9700 10 v4 credential format = ****/20170830/us-east-1/s3/aws4_request
2017-08-30 15:44:55.754750 7f4878ff9700 10 access key id = ****
2017-08-30 15:44:55.754755 7f4878ff9700 10 credential scope = 20170830/us-east-1/s3/aws4_request
2017-08-30 15:44:55.754769 7f4878ff9700 20 get_system_obj_state: rctx=0x7f4878ff2060 obj=default.rgw.users.keys:**** state=0x7f48f40131a8 s->prefetch_data=0
2017-08-30 15:44:55.754778 7f4878ff9700 10 cache get: name=default.rgw.users.keys+**** : miss
2017-08-30 15:44:55.755312 7f4878ff9700 10 cache put: name=default.rgw.users.keys+**** info.flags=0
2017-08-30 15:44:55.755321 7f4878ff9700 10 adding default.rgw.users.keys+**** to cache LRU end
2017-08-30 15:44:55.755328 7f4878ff9700 10 error reading user info, uid=**** can't authenticate
2017-08-30 15:44:55.755330 7f4878ff9700 10 failed to authorize request
2017-08-30 15:44:55.755331 7f4878ff9700 20 handler->ERRORHANDLER: err_no=-2028 new_err_no=-2028
2017-08-30 15:44:55.755393 7f4878ff9700 2 req 1:0.000747:s3:PUT /foobar:create_bucket:op status=0
2017-08-30 15:44:55.755398 7f4878ff9700 2 req 1:0.000752:s3:PUT /foobar:create_bucket:http status=403
2017-08-30 15:44:55.755402 7f4878ff9700 1 ====== req done req=0x7f4878ff3710 op status=0 http_status=403 ======
2017-08-30 15:44:55.755409 7f4878ff9700 20 process_request() returned -2028

I am also running a tcpdump on the machine while I see these log messages,
but strangely I see no traffic destined for my configured LDAP server.
Here's some info on my setup. It seems like I'm missing something very
obvious; any help would be appreciated!

# rpm -q ceph-radosgw
ceph-radosgw-10.2.9-0.el7.x86_64

# grep rgw /etc/ceph/ceph.conf
[client.rgw.hostname]
rgw_frontends = civetweb port=8081s ssl_certificate=/path/to/private/key.pem
debug rgw = 20
rgw_s3_auth_use_ldap = true
rgw_ldap_secret = "/path/to/creds/file"
rgw_ldap_uri = "ldaps://hostname.domain.com:636"
rgw_ldap_binddn = "CN=valid_user,OU=Accounts,DC=domain,DC=com"
rgw_ldap_searchdn = "ou=Accounts,dc=domain,dc=com"
rgw_ldap_dnattr = "uid"
rgw_ldap_searchfilter = "objectclass=user"


Thanks,
Josh
Josh Haft
2017-09-05 15:26:05 UTC
Thanks for your suggestions, Matt. ldapsearch functionality from the rados
gw machines works fine using the same parameters specified in ceph.conf
(uri, binddn, searchdn, ldap_secret). As expected I see network traffic
to/from the ldap host when performing a search as well.

The only configuration I have in /etc/openldap/ldap.conf is 'TLSREQCERT
demand' and TLS_CACERTDIR pointing at the location of my certdb... is there
something else required here for ceph-rgw or does it look elsewhere?

Josh
Hi Josh,
I'm not certain, but you might try disabling the searchfilter to start
with. If you're not seeing traffic, I would focus on verifying ldap
search connectivity using the same credentials, using the openldap
client, to rule out something low level.
Matt
--
Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103
http://www.redhat.com/en/technologies/storage
tel. 734-821-5101
fax. 734-769-8938
cel. 734-216-5309
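Matt's suggested check (bind and search with exactly the parameters radosgw is configured with, via the OpenLDAP client) as a small POSIX shell script. This is an added example, not code from the thread or from Ceph; it assumes ldapsearch is installed and that rgw_ldap_secret points at a file holding the bind password, and the way it combines rgw_ldap_dnattr and rgw_ldap_searchfilter into one filter is an assumption about rgw's behaviour.

```shell
# Added example (not from the thread or Ceph): rerun radosgw's LDAP bind and
# user search with the OpenLDAP client, using rgw_ldap_* values from ceph.conf.
CEPH_CONF="${CEPH_CONF:-/etc/ceph/ceph.conf}"

# rgw_conf KEY [FILE]: value of KEY (first match), surrounding quotes stripped.
rgw_conf() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "${2:-$CEPH_CONF}" \
        | head -n 1 | sed -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# ldap_user_filter USER DNATTR [SEARCHFILTER]: (DNATTR=USER), AND-ed with the
# search filter when set (that rgw combines them this way is an assumption).
ldap_user_filter() {
    user=$1; dnattr=$2; extra=$3
    if [ -z "$extra" ]; then
        printf '(%s=%s)\n' "$dnattr" "$user"
        return
    fi
    case $extra in
        \(*) ;;                       # already parenthesised
        *) extra="($extra)" ;;
    esac
    printf '(&(%s=%s)%s)\n' "$dnattr" "$user" "$extra"
}

# rgw_ldap_check USER [FILE]: bind as rgw_ldap_binddn with the secret file (-y)
# and look USER up under searchdn. Exit 0 with one entry = directory side is fine.
rgw_ldap_check() {
    user=$1; f=${2:-$CEPH_CONF}
    filter=$(ldap_user_filter "$user" "$(rgw_conf rgw_ldap_dnattr "$f")" \
                              "$(rgw_conf rgw_ldap_searchfilter "$f")")
    ldapsearch -LLL -H "$(rgw_conf rgw_ldap_uri "$f")" \
        -D "$(rgw_conf rgw_ldap_binddn "$f")" -y "$(rgw_conf rgw_ldap_secret "$f")" \
        -b "$(rgw_conf rgw_ldap_searchdn "$f")" "$filter" dn
}

# sample_conf_file: constructed fragment with the thread's settings, for trying
# the helpers offline. Prints the temp file path.
sample_conf_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
rgw_ldap_uri = "ldaps://hostname.domain.com:636"
rgw_ldap_binddn = "CN=valid_user,OU=Accounts,DC=domain,DC=com"
rgw_ldap_searchdn = "ou=Accounts,dc=domain,dc=com"
rgw_ldap_dnattr = "uid"
rgw_ldap_searchfilter = "objectclass=user"
EOF
    echo "$f"
}
```

Run `rgw_ldap_check <ldap-username>` on the gateway host while tcpdump is watching port 636; if this succeeds and returns one entry, the bind DN, secret file, search base and filter are all usable and the remaining difference lies in how rgw itself handles the request.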