Re: Object gateway and LDAP Auth

Finally got back around to working on this and wanted to provide a solution in case anyone else runs into the same problem.

I was able to reproduce the problem using s3cmd, and noticed different calls utilized different signature versions. Doing a GET operation on '/' seemed to use v2 while a 'make bucket' command attempted to use v4. Since the former succeeded and the latter failed, I called s3cmd with '--signature-v2' and now all operations work. I'm still not able to use boto3, but it's no longer an LDAP issue.

Josh
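To make the signature-version difference that the s3cmd experiment above exposed concrete, here is an added example (not code from the thread, from Ceph, or from boto3): it classifies an Authorization header as AWS v2 or v4 (the `v4 credential format` line in the rgw log is the v4 `Credential=` field being parsed), implements the v2 string-to-sign, HMAC-SHA1 signer and a constant-time server-side verifier so you can see what a v2-signed request actually carries, and shows how to pin a boto3 client to v2 signing (botocore calls it `s3`, the equivalent of s3cmd's `--signature-v2`). All keys, the endpoint and the sample PUT request are constructed placeholders.

```python
"""Signature-version helpers for an S3 client talking to radosgw.

Added example, not code from the thread or from Ceph/boto3. Keys, dates,
endpoint and the sample request below are constructed placeholders.
"""
import base64
import hashlib
import hmac


def classify_signature_version(auth_header):
    """Return 'v2', 'v4' or None for the value of an Authorization header.

    v2 looks like 'AWS <access_key>:<base64 signature>'
    v4 looks like 'AWS4-HMAC-SHA256 Credential=<key>/<date>/<region>/s3/aws4_request, ...'
    """
    if auth_header is None:
        return None
    if auth_header.startswith("AWS4-HMAC-SHA256 "):
        return "v4"
    if auth_header.startswith("AWS ") and ":" in auth_header[4:]:
        return "v2"
    return None


def v2_string_to_sign(method, canonical_resource, date,
                      content_md5="", content_type="", amz_headers=None):
    """Build the AWS v2 StringToSign for an S3 request.

    amz_headers: dict of x-amz-* headers (names lower-cased), emitted as
    'name:value' lines in sorted order between the Date and the resource.
    """
    lines = [method, content_md5, content_type, date]
    for name in sorted(amz_headers or {}):
        lines.append("%s:%s" % (name.lower(), amz_headers[name].strip()))
    lines.append(canonical_resource)
    return "\n".join(lines)


def sign_v2(secret_key, string_to_sign):
    """HMAC-SHA1 over the StringToSign, base64-encoded, as v2 specifies."""
    mac = hmac.new(secret_key.encode("utf-8"),
                   string_to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def v2_authorization_header(access_key, secret_key, string_to_sign):
    """Client side: the header value a v2-signing client sends."""
    return "AWS %s:%s" % (access_key, sign_v2(secret_key, string_to_sign))


def verify_v2(auth_header, secret_for_access_key, string_to_sign):
    """Server side: look up the secret for the presented access key,
    recompute the signature and compare in constant time.

    secret_for_access_key: callable access_key -> secret, or None if the
    key is unknown. Returns the access key on success, None otherwise.
    """
    if classify_signature_version(auth_header) != "v2":
        return None
    access_key, _, presented = auth_header[4:].partition(":")
    secret = secret_for_access_key(access_key)
    if secret is None:
        return None
    expected = sign_v2(secret, string_to_sign)
    return access_key if hmac.compare_digest(expected, presented) else None


def make_rgw_s3_client(endpoint_url, access_key, secret_key, signature_version="s3"):
    """boto3 client pinned to one signature version.

    Assumes boto3/botocore are installed (imported here so the rest of the
    module runs without them). botocore's name for v2 signing is 's3', for
    v4 it is 's3v4'. Path-style addressing suits a radosgw endpoint.
    """
    import boto3
    from botocore.config import Config

    cfg = Config(signature_version=signature_version,
                 s3={"addressing_style": "path"})
    return boto3.client("s3", endpoint_url=endpoint_url,
                        aws_access_key_id=access_key,
                        aws_secret_access_key=secret_key, config=cfg)


# Constructed sample: a PUT /foobar (create bucket) like the one in the rgw log.
SAMPLE_ACCESS_KEY = "EXAMPLEACCESSKEY"
SAMPLE_SECRET_KEY = "exampleSecretKeyNotReal"
SAMPLE_DATE = "Wed, 30 Aug 2017 19:44:55 +0000"
SAMPLE_STRING_TO_SIGN = v2_string_to_sign("PUT", "/foobar", SAMPLE_DATE)

if __name__ == "__main__":
    hdr = v2_authorization_header(SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, SAMPLE_STRING_TO_SIGN)
    lookup = lambda k: SAMPLE_SECRET_KEY if k == SAMPLE_ACCESS_KEY else None
    print(hdr, classify_signature_version(hdr))
    print("verified as:", verify_v2(hdr, lookup, SAMPLE_STRING_TO_SIGN))
```

If a client still fails after pinning `signature_version="s3"`, capture the request and run `classify_signature_version` on its Authorization header first; a header beginning with `AWS4-HMAC-SHA256` means the version pin did not take effect for that call, which is the same symptom the s3cmd run above showed for the make-bucket operation.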



On Tue, Sep 5, 2017 at 10:26 AM, Josh Haft <paccrap@xxxxxxxxx> wrote:
Thanks for your suggestions, Matt. ldapsearch functionality from the rados gw machines works fine using the same parameters specified in ceph.conf (uri, binddn, searchdn, ldap_secret). As expected I see network traffic to/from the ldap host when performing a search as well.

The only configuration I have in /etc/openldap/ldap.conf is 'TLSREQCERT demand' and TLS_CACERTDIR pointing at the location of my certdb... is there something else required here for ceph-rgw or does it look elsewhere?

Josh




On Fri, Sep 1, 2017 at 11:15 PM, Matt Benjamin <mbenjami@xxxxxxxxxx> wrote:
Hi Josh,

I'm not certain, but you might try disabling the searchfilter to start
with.  If you're not seeing traffic, I would focus on verifying ldap
search connectivity using the same credentials, using the openldap
client, to rule out something low level.

Matt


On Thu, Aug 31, 2017 at 3:33 PM, Josh <paccrap@xxxxxxxxx> wrote:
> Hello!
>
> I've set up LDAP authentication on an object gateway and am attempting to
> create a bucket via s3 using python's boto3. It works fine using the access
> and secret key for a radosgw user, but access is denied using a token
> generated via radosgw-token with the LDAP user's credentials. The user does
> exist in the directory (I'm using Active Directory), and I am able to query
> for that user using the creds specified in rgw_ldap_binddn and
> rgw_ldap_secret.
>
> I've bumped the rgw logging to 20 and can see the request come in, but it
> ultimately gets denied:
> 2017-08-30 15:44:55.754721 7f4878ff9700  2 req 1:0.000076:s3:PUT
> /foobar:create_bucket:authorizing
> 2017-08-30 15:44:55.754738 7f4878ff9700 10 v4 signature format = ****
> 2017-08-30 15:44:55.754746 7f4878ff9700 10 v4 credential format =
> ****/20170830/us-east-1/s3/aws4_request
> 2017-08-30 15:44:55.754750 7f4878ff9700 10 access key id = ****
> 2017-08-30 15:44:55.754755 7f4878ff9700 10 credential scope =
> 20170830/us-east-1/s3/aws4_request
> 2017-08-30 15:44:55.754769 7f4878ff9700 20 get_system_obj_state:
> rctx=0x7f4878ff2060 obj=default.rgw.users.keys:**** state=0x7f48f40131a8
> s->prefetch_data=0
> 2017-08-30 15:44:55.754778 7f4878ff9700 10 cache get:
> name=default.rgw.users.keys+**** : miss
> 2017-08-30 15:44:55.755312 7f4878ff9700 10 cache put:
> name=default.rgw.users.keys+**** info.flags=0
> 2017-08-30 15:44:55.755321 7f4878ff9700 10 adding
> default.rgw.users.keys+**** to cache LRU end
> 2017-08-30 15:44:55.755328 7f4878ff9700 10 error reading user info, uid=****
> can't authenticate
> 2017-08-30 15:44:55.755330 7f4878ff9700 10 failed to authorize request
> 2017-08-30 15:44:55.755331 7f4878ff9700 20 handler->ERRORHANDLER:
> err_no=-2028 new_err_no=-2028
> 2017-08-30 15:44:55.755393 7f4878ff9700  2 req 1:0.000747:s3:PUT
> /foobar:create_bucket:op status=0
> 2017-08-30 15:44:55.755398 7f4878ff9700  2 req 1:0.000752:s3:PUT
> /foobar:create_bucket:http status=403
> 2017-08-30 15:44:55.755402 7f4878ff9700  1 ====== req done
> req=0x7f4878ff3710 op status=0 http_status=403 ======
> 2017-08-30 15:44:55.755409 7f4878ff9700 20 process_request() returned -2028
>
> I am also running a tcpdump on the machine while I see these log messages,
> but strangely I see no traffic destined for my configured LDAP server.
> Here's some info on my setup. It seems like I'm missing something very
> obvious; any help would be appreciated!
>
> # rpm -q ceph-radosgw
> ceph-radosgw-10.2.9-0.el7.x86_64
>
> # grep rgw /etc/ceph/ceph.conf
> [client.rgw.hostname]
> rgw_frontends = civetweb port=8081s ssl_certificate=/path/to/private/key.pem
> debug rgw = 20
> rgw_s3_auth_use_ldap = true
> rgw_ldap_secret = "/path/to/creds/file"
> rgw_ldap_uri = "ldaps://hostname.domain.com:636"
> rgw_ldap_binddn = "CN=valid_user,OU=Accounts,DC=domain,DC=com"
> rgw_ldap_searchdn = "ou=Accounts,dc=domain,dc=com"
> rgw_ldap_dnattr = "uid"
> rgw_ldap_searchfilter = "objectclass=user"
>
>
> Thanks,
> Josh
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>



--

Matt Benjamin
Red Hat, Inc.
315 West Huron Street, Suite 140A
Ann Arbor, Michigan 48103

http://www.redhat.com/en/technologies/storage

tel.  734-821-5101
fax.  734-769-8938
cel.  734-216-5309

