Object gateway and LDAP Auth

Hello!

I've set up LDAP authentication on an object gateway and am attempting to create a bucket via S3 using Python's boto3. It works fine using the access and secret key for a radosgw user, but access is denied using a token generated via radosgw-token with the LDAP user's credentials. The user does exist in the directory (I'm using Active Directory), and I am able to query for that user using the creds specified in rgw_ldap_binddn and rgw_ldap_secret.

I've bumped the rgw logging to 20 and can see the request come in, but it ultimately gets denied:
2017-08-30 15:44:55.754721 7f4878ff9700  2 req 1:0.000076:s3:PUT /foobar:create_bucket:authorizing
2017-08-30 15:44:55.754738 7f4878ff9700 10 v4 signature format = ****
2017-08-30 15:44:55.754746 7f4878ff9700 10 v4 credential format = ****/20170830/us-east-1/s3/aws4_request
2017-08-30 15:44:55.754750 7f4878ff9700 10 access key id = ****
2017-08-30 15:44:55.754755 7f4878ff9700 10 credential scope = 20170830/us-east-1/s3/aws4_request
2017-08-30 15:44:55.754769 7f4878ff9700 20 get_system_obj_state: rctx=0x7f4878ff2060 obj=default.rgw.users.keys:**** state=0x7f48f40131a8 s->prefetch_data=0
2017-08-30 15:44:55.754778 7f4878ff9700 10 cache get: name=default.rgw.users.keys+**** : miss
2017-08-30 15:44:55.755312 7f4878ff9700 10 cache put: name=default.rgw.users.keys+**** info.flags=0
2017-08-30 15:44:55.755321 7f4878ff9700 10 adding default.rgw.users.keys+**** to cache LRU end
2017-08-30 15:44:55.755328 7f4878ff9700 10 error reading user info, uid=**** can't authenticate
2017-08-30 15:44:55.755330 7f4878ff9700 10 failed to authorize request
2017-08-30 15:44:55.755331 7f4878ff9700 20 handler->ERRORHANDLER: err_no=-2028 new_err_no=-2028
2017-08-30 15:44:55.755393 7f4878ff9700  2 req 1:0.000747:s3:PUT /foobar:create_bucket:op status=0
2017-08-30 15:44:55.755398 7f4878ff9700  2 req 1:0.000752:s3:PUT /foobar:create_bucket:http status=403
2017-08-30 15:44:55.755402 7f4878ff9700  1 ====== req done req=0x7f4878ff3710 op status=0 http_status=403 ======
2017-08-30 15:44:55.755409 7f4878ff9700 20 process_request() returned -2028

I am also running a tcpdump on the machine while I see these log messages, but strangely I see no traffic destined for my configured LDAP server. Here's some info on my setup. It seems like I'm missing something very obvious; any help would be appreciated!

# rpm -q ceph-radosgw
ceph-radosgw-10.2.9-0.el7.x86_64

# grep rgw /etc/ceph/ceph.conf
[client.rgw.hostname]
rgw_frontends = civetweb port=8081s ssl_certificate=/path/to/private/key.pem
debug rgw = 20
rgw_s3_auth_use_ldap = true
rgw_ldap_secret = "/path/to/creds/file"
rgw_ldap_uri = "ldaps://hostname.domain.com:636"
rgw_ldap_binddn = "CN=valid_user,OU=Accounts,DC=domain,DC=com"
rgw_ldap_searchdn = "ou=Accounts,dc=domain,dc=com"
rgw_ldap_dnattr = "uid"
rgw_ldap_searchfilter = "objectclass=user"


Thanks,
Josh
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
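Added example, not part of the post above and not Ceph project code: the token radosgw-token emits for LDAP is base64 of a small JSON object ({"RGW_TOKEN": {"version": 1, "type": "ldap", "id": ..., "key": ...}}), and rgw receives that whole base64 string as the S3 access key id. The log above shows rgw looking the access key up in its own key index (default.rgw.users.keys) and failing with "error reading user info", and the tcpdump shows no LDAP traffic, so the first thing to verify offline is that the key being sent really decodes as an LDAP token and that its id is the value the directory holds in the attribute named by rgw_ldap_dnattr ("uid" in the config above). The helper below builds and checks such a token on a constructed sample user ("jdoe", not a real account), and shows how the token is handed to boto3. The secret key string, the signature_version knob and the function names are assumptions for illustration: boto3 requires a secret to be set, and whether AWS v2 ("s3") signing behaves differently from the v4 path seen in the log is something to test, not something the post establishes.

```python
import base64
import binascii
import json

# Layout written by `radosgw-token --encode --ttype=ldap` (Ceph's documented
# token format): base64 of a one-key JSON object.  rgw sees the whole base64
# string as the S3 access key id.
TOKEN_VERSION = 1


def encode_ldap_token(ldap_user, ldap_password):
    """Build a token the same way radosgw-token does (constructed locally,
    without calling the tool), so it can be compared with a real one."""
    payload = {"RGW_TOKEN": {"version": TOKEN_VERSION, "type": "ldap",
                             "id": ldap_user, "key": ldap_password}}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def decode_ldap_token(token):
    """Return the inner RGW_TOKEN object, or raise ValueError if the string
    is not a base64-encoded JSON token at all (e.g. an ordinary access key)."""
    try:
        raw = base64.b64decode(token, validate=True)
        payload = json.loads(raw.decode())
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError("not a base64-encoded JSON RGW token: %s" % exc)
    if not isinstance(payload, dict) or "RGW_TOKEN" not in payload:
        raise ValueError("decoded JSON has no RGW_TOKEN object")
    return payload["RGW_TOKEN"]


def check_token(token, expected_id, attr_name="uid"):
    """Return a list of findings; an empty list means the token is well formed
    for LDAP auth.  expected_id is the value the directory holds in the
    attribute named by rgw_ldap_dnattr (attr_name is only used in messages)."""
    try:
        tok = decode_ldap_token(token)
    except ValueError as exc:
        # Exactly the situation where rgw falls back to its own key index.
        return ["access key is not an RGW token (%s); rgw will look it up in "
                "its own key index instead of contacting LDAP" % exc]
    findings = []
    if tok.get("version") != TOKEN_VERSION:
        findings.append("unexpected token version %r" % tok.get("version"))
    if tok.get("type") != "ldap":
        findings.append("token type is %r, not 'ldap'" % tok.get("type"))
    if not tok.get("key"):
        findings.append("token carries an empty LDAP password")
    if tok.get("id") != expected_id:
        findings.append("token id %r does not match the %s value %r expected "
                        "in the directory" % (tok.get("id"), attr_name,
                                              expected_id))
    return findings


def make_s3_client(endpoint_url, token, signature_version="s3", verify=True):
    """boto3 client that presents the token as the access key id.

    Assumptions (not established by the post): boto3 insists on a secret key,
    so a placeholder is supplied; signature_version="s3" selects AWS v2
    signing as an alternative to the v4 path visible in the rgw log."""
    import boto3  # imported here so the checks above run without boto3
    from botocore.config import Config
    return boto3.client("s3", endpoint_url=endpoint_url,
                        aws_access_key_id=token,
                        aws_secret_access_key="placeholder-secret",
                        config=Config(signature_version=signature_version),
                        verify=verify)


if __name__ == "__main__":
    # Constructed sample user and password, not the poster's credentials.
    sample = encode_ldap_token("jdoe", "example-password")
    print("token:", sample)
    print("findings for correct uid:", check_token(sample, "jdoe"))
    print("findings for a plain access key:",
          check_token("PLAINACCESSKEY0000", "jdoe"))
```

To use it against a real gateway, paste the string radosgw-token printed into check_token together with the uid value the AD object carries; a non-empty list explains why rgw would never open an LDAP connection for that request.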
