Radosgw ldap user authentication issues

I have been following these instructions, except for doing this LDAP 
token.
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/2/html-single/ceph_object_gateway_with_ldapad_guide/

With ldapsearch I am able to query the ldap server and list the 
userPassword. 

I guess I can use a simpleSecurityObject that has a uid and 
userPassword?


But with this in global in ceph.conf.

rgw_ldap_uri = ldap://ldap1.local
rgw_ldap_binddn = cn=rgw,xxxx
rgw_ldap_secret = /etc/ceph/ldapsecret
rgw_ldap_searchdn = ou=storageaccounts,xxxxx
rgw_ldap_dnattr = uid
#rgw_search_filter =
rgw_s3_auth_use_ldap = true


Ldap log seems to show a good connection on rgw startup:


Mar 17 22:33:06 slapd[30880]: connection_get(61): got connid=18622
Mar 17 22:33:06 slapd[30880]: connection_read(61): checking for input on 
id=18622
Mar 17 22:33:06 slapd[30880]: ber_get_next on fd 61 failed errno=0 
(Success)
Mar 17 22:33:06 slapd[30880]: connection_close: conn=18622 sd=61
Mar 17 22:33:10 slapd[30880]: slap_listener_activate(7):
Mar 17 22:33:10 slapd[30880]: >>> slap_listener(ldap:///)
Mar 17 22:33:10 slapd[30880]: connection_get(61): got connid=18634
Mar 17 22:33:10 slapd[30880]: connection_read(61): checking for input on 
id=18634
Mar 17 22:33:10 slapd[30880]: op tag 0x60, time 1521322390
Mar 17 22:33:10 slapd[30880]: conn=18634 op=0 do_bind
Mar 17 22:33:10 slapd[30880]: >>> dnPrettyNormal: <cn=rgw,xxxxx>
Mar 17 22:33:10 slapd[30880]: <<< dnPrettyNormal: <cn=rgw,xxxxx>, 
<cn=rgw,xxxxx>
Mar 17 22:33:10 slapd[30880]: do_bind: version=3 dn="cn=rgw,xxxxx" 
method=128
Mar 17 22:33:10 slapd[30880]: bdb_dn2entry("cn=rgw,xxxxx")
Mar 17 22:33:10 slapd[30880]: >>> dnNormalize: <cn=rgw,xxxxxl>
Mar 17 22:33:10 slapd[30880]: <<< dnNormalize: <cn=rgw,xxxxx>
Mar 17 22:33:10 slapd[30880]: do_bind: v3 bind: "cn=rgw,xxxxx" to 
cn=rgw,xxxxx"
Mar 17 22:33:10 slapd[30880]: send_ldap_result: conn=18634 op=0 p=3
Mar 17 22:33:10 slapd[30880]: send_ldap_response: msgid=1 tag=97 err=0
Mar 17 22:33:33 slapd[30880]: connection_get(53): got connid=11815
Mar 17 22:33:33 slapd[30880]: connection_read(53): checking for input on 
id=11815
Mar 17 22:33:33 slapd[30880]: ber_get_next on fd 53 failed errno=0 
(Success)
Mar 17 22:33:33 slapd[30880]: connection_close: conn=11815 sd=53

When I try to authenticate with an ldap user, I get an error:

s3cmd -c .s3cfg ls
ERROR: S3 error: 403 (AccessDenied)


This is shown in the radosgw log, but nothing is logged on the LDAP 
server; it looks like no search is being done there.

x-amz-date:Sat, 17 Mar 2018 21:37:42 +0000
/
2018-03-17 22:37:42.727962 7fdf2ec09700 20 get_system_obj_state: 
rctx=0x7fdf2ec01720 obj=default.rgw.meta:users.keys:1admin 
state=0x55a917103100 s->prefetch_data=0
2018-03-17 22:37:42.727966 7fdf2ec09700 10 cache get: 
name=default.rgw.meta+users.keys+1admin : type miss (requested=0x6, 
cached=0x0)
2018-03-17 22:37:42.728609 7fdf2ec09700 10 cache put: 
name=default.rgw.meta+users.keys+1admin info.flags=0x0
2018-03-17 22:37:42.728614 7fdf2ec09700 10 moving 
default.rgw.meta+users.keys+1admin to cache LRU end
2018-03-17 22:37:42.728622 7fdf2ec09700  5 error reading user info, 
uid=1admin can't authenticate
2018-03-17 22:37:42.728624 7fdf2ec09700 20 rgw::auth::s3::LocalEngine 
denied with reason=-2028
2018-03-17 22:37:42.728625 7fdf2ec09700 20 
rgw::auth::s3::AWSAuthStrategy denied with reason=-13
2018-03-17 22:37:42.728626 7fdf2ec09700  5 Failed the auth strategy, 
reason=-13
2018-03-17 22:37:42.728635 7fdf2ec09700 10 failed to authorize request
2018-03-17 22:37:42.728638 7fdf2ec09700 20 handler->ERRORHANDLER: 
err_no=-13 new_err_no=-13
2018-03-17 22:37:42.728649 7fdf2ec09700 30 
AccountingFilter::send_status: e=0, sent=24, total=0
2018-03-17 22:37:42.728658 7fdf2ec09700 30 
AccountingFilter::send_header: e=0, sent=0, total=0
2018-03-17 22:37:42.728687 7fdf2ec09700 30 
AccountingFilter::send_content_length: e=0, sent=21, total=0
2018-03-17 22:37:42.728693 7fdf2ec09700 30 
AccountingFilter::send_header: e=0, sent=0, total=0
2018-03-17 22:37:42.728698 7fdf2ec09700 30 
AccountingFilter::send_header: e=0, sent=0, total=0
2018-03-17 22:37:42.728738 7fdf2ec09700 30 
AccountingFilter::complete_header: e=0, sent=161, total=0
2018-03-17 22:37:42.728745 7fdf2ec09700 30 
AccountingFilter::set_account: e=1
2018-03-17 22:37:42.728753 7fdf2ec09700 30 AccountingFilter::send_body: 
e=1, sent=189, total=0
2018-03-17 22:37:42.728761 7fdf2ec09700 30 
AccountingFilter::complete_request: e=1, sent=0, total=189
2018-03-17 22:37:42.728775 7fdf2ec09700  2 req 1:0.002311:s3:GET 
/:list_buckets:op status=0
2018-03-17 22:37:42.728779 7fdf2ec09700  2 req 1:0.002322:s3:GET 
/:list_buckets:http status=403
2018-03-17 22:37:42.728783 7fdf2ec09700  1 ====== req done 
req=0x7fdf2ec03190 op status=0 http_status=403 ======
2018-03-17 22:37:42.728795 7fdf2ec09700 20 process_request() returned 
-13
2018-03-17 22:37:42.728832 7fdf2ec09700  1 civetweb: 0x55a916c28000: 
192.168.10.2 - - [17/Mar/2018:22:37:42 +0100] "GET / HTTP/1.1" 1 0 - -


 
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
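
Added example (not part of the original post, and not Ceph code): a small triage script for radosgw debug output like the excerpt above. It rejoins the mail-wrapped lines, then reports per worker thread which rgw::auth engines were logged, which of them denied the request, and the final HTTP status. The sample lines are taken from the post; that an LDAP engine would log under a name containing "LDAP" is an assumption.

```python
import re

# Constructed sample: radosgw debug lines copied from the post, keeping the
# hard line wraps that the mail client inserted.
SAMPLE = """\
2018-03-17 22:37:42.728622 7fdf2ec09700  5 error reading user info,
uid=1admin can't authenticate
2018-03-17 22:37:42.728624 7fdf2ec09700 20 rgw::auth::s3::LocalEngine
denied with reason=-2028
2018-03-17 22:37:42.728625 7fdf2ec09700 20
rgw::auth::s3::AWSAuthStrategy denied with reason=-13
2018-03-17 22:37:42.728779 7fdf2ec09700  2 req 1:0.002322:s3:GET
/:list_buckets:http status=403
"""

STAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ ([0-9a-f]+)\s+(\d+)\s*(.*)$")
ENGINE = re.compile(r"rgw::auth::[\w:]+")
DENIED = re.compile(r"(rgw::auth::[\w:]+) denied with reason=(-?\d+)")
STATUS = re.compile(r"http status=(\d+)")

def unwrap(text):
    """Rejoin wrapped continuation lines onto their timestamped record."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line.rstrip())
        if m:
            records.append([m.group(1), m.group(3)])
        elif records and line.strip():
            records[-1][1] = (records[-1][1] + " " + line.strip()).strip()
    return records

def triage(text):
    """Per worker thread: engines logged, denials, final HTTP status."""
    out = {}
    for thread, msg in unwrap(text):
        req = out.setdefault(thread, {"engines": [], "denied": [], "http_status": None})
        req["engines"] += [e for e in ENGINE.findall(msg) if e not in req["engines"]]
        req["denied"] += [(e, int(r)) for e, r in DENIED.findall(msg)]
        status = STATUS.search(msg)
        if status:
            req["http_status"] = int(status.group(1))
    for req in out.values():
        # Assumption: an LDAP engine, if consulted, logs a name containing "LDAP".
        req["ldap_engine_seen"] = any("ldap" in e.lower() for e in req["engines"])
    return out

if __name__ == "__main__":
    for thread, req in triage(SAMPLE).items():
        print(thread, req)
```
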


