Re: [ceph-users] Object gateway and LDAP Auth
Finally got back around to working on this and wanted to provide a solution in case anyone else runs into the same problem. I was able to reproduce the problem using s3cmd, and noticed different calls utilized different signature versions. Doing a GET operation on '/' seemed to use v2 while a 'make bucket' command attempted to use v4. Since the former succeeded and the latter failed, I called s3cmd with '--signature-v2' and now all operations work. I'm still not able to use boto3, but it's no longer an LDAP issue.

Josh

On Tue, Sep 5, 2017 at 10:26 AM, Josh Haft wrote:
Re: [ceph-users] Object gateway and LDAP Auth
Thanks for your suggestions, Matt. ldapsearch functionality from the rados gw machines works fine using the same parameters specified in ceph.conf (uri, binddn, searchdn, ldap_secret). As expected I see network traffic to/from the ldap host when performing a search as well.

The only configuration I have in /etc/openldap/ldap.conf is 'TLSREQCERT demand' and TLS_CACERTDIR pointing at the location of my certdb... is there something else required here for ceph-rgw or does it look elsewhere?

Josh

On Fri, Sep 1, 2017 at 11:15 PM, Matt Benjamin wrote:
> Hi Josh,
>
> I'm not certain, but you might try disabling the searchfilter to start
> with. If you're not seeing traffic, I would focus on verifying ldap
> search connectivity using the same credentials, using the openldap
> client, to rule out something low level.
>
> Matt
>
> On Thu, Aug 31, 2017 at 3:33 PM, Josh wrote:
>
> --
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel. 734-821-5101
> fax. 734-769-8938
> cel. 734-216-5309
[ceph-users] Object gateway and LDAP Auth
Hello!

I've setup LDAP authentication on an object gateway and am attempting to create a bucket via s3 using python's boto3. It works fine using the access and secret key for a radosgw user, but access is denied using a token generated via radosgw-token with the LDAP user's credentials. The user does exist in the directory (I'm using Active Directory), and I am able to query for that user using the creds specified in rgw_ldap_binddn and rgw_ldap_secret.

I've bumped the rgw logging to 20 and can see the request come in, but it ultimately gets denied:

2017-08-30 15:44:55.754721 7f4878ff9700 2 req 1:0.76:s3:PUT /foobar:create_bucket:authorizing
2017-08-30 15:44:55.754738 7f4878ff9700 10 v4 signature format =
2017-08-30 15:44:55.754746 7f4878ff9700 10 v4 credential format = /20170830/us-east-1/s3/aws4_request
2017-08-30 15:44:55.754750 7f4878ff9700 10 access key id =
2017-08-30 15:44:55.754755 7f4878ff9700 10 credential scope = 20170830/us-east-1/s3/aws4_request
2017-08-30 15:44:55.754769 7f4878ff9700 20 get_system_obj_state: rctx=0x7f4878ff2060 obj=default.rgw.users.keys: state=0x7f48f40131a8 s->prefetch_data=0
2017-08-30 15:44:55.754778 7f4878ff9700 10 cache get: name=default.rgw.users.keys+ : miss
2017-08-30 15:44:55.755312 7f4878ff9700 10 cache put: name=default.rgw.users.keys+ info.flags=0
2017-08-30 15:44:55.755321 7f4878ff9700 10 adding default.rgw.users.keys+ to cache LRU end
2017-08-30 15:44:55.755328 7f4878ff9700 10 error reading user info, uid= can't authenticate
2017-08-30 15:44:55.755330 7f4878ff9700 10 failed to authorize request
2017-08-30 15:44:55.755331 7f4878ff9700 20 handler->ERRORHANDLER: err_no=-2028 new_err_no=-2028
2017-08-30 15:44:55.755393 7f4878ff9700 2 req 1:0.000747:s3:PUT /foobar:create_bucket:op status=0
2017-08-30 15:44:55.755398 7f4878ff9700 2 req 1:0.000752:s3:PUT /foobar:create_bucket:http status=403
2017-08-30 15:44:55.755402 7f4878ff9700 1 == req done req=0x7f4878ff3710 op status=0 http_status=403 ==
2017-08-30 15:44:55.755409 7f4878ff9700 20 process_request() returned -2028

I am also running a tcpdump on the machine while I see these log messages, but strangely I see no traffic destined for my configured LDAP server.

Here's some info on my setup. It seems like I'm missing something very obvious; any help would be appreciated!

# rpm -q ceph-radosgw
ceph-radosgw-10.2.9-0.el7.x86_64

# grep rgw /etc/ceph/ceph.conf
[client.rgw.hostname]
rgw_frontends = civetweb port=8081s ssl_certificate=/path/to/private/key.pem
debug rgw = 20
rgw_s3_auth_use_ldap = true
rgw_ldap_secret = "/path/to/creds/file"
rgw_ldap_uri = "ldaps://hostname.domain.com:636"
rgw_ldap_binddn = "CN=valid_user,OU=Accounts,DC=domain,DC=com"
rgw_ldap_searchdn = "ou=Accounts,dc=domain,dc=com"
rgw_ldap_dnattr = "uid"
rgw_ldap_searchfilter = "objectclass=user"

Thanks,
Josh

___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
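An added example, not from the thread: a small Python script that attributes the level-10 lines of an rgw 'debug rgw = 20' log (which carry no request id) to their request via the thread id, records whether a "v4 signature format" line was seen, and lists requests that were v4-signed and refused, which is the pattern the final reply traced to the client's signature version. The sample log is constructed from the lines quoted above plus a made-up v2-signed GET; treating the absence of the v4 marker as v2 is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample: req 1 mirrors the lines quoted in the original post (a
# v4-signed PUT denied with 403); req 2 is a made-up v2-signed GET that succeeds.
# rgw emits a "v4 signature format" line only for v4 requests, which is the marker
# used here; level-10 lines carry no req id, so the thread id links them to one.
SAMPLE_LOG = """\
2017-08-30 15:44:55.754721 7f4878ff9700 2 req 1:0.76:s3:PUT /foobar:create_bucket:authorizing
2017-08-30 15:44:55.754738 7f4878ff9700 10 v4 signature format =
2017-08-30 15:44:55.755328 7f4878ff9700 10 error reading user info, uid= can't authenticate
2017-08-30 15:44:55.755330 7f4878ff9700 10 failed to authorize request
2017-08-30 15:44:55.755398 7f4878ff9700 2 req 1:0.000752:s3:PUT /foobar:create_bucket:http status=403
2017-08-30 15:46:10.000100 7f4878ff9700 2 req 2:0.50:s3:GET /:list_buckets:authorizing
2017-08-30 15:46:10.000900 7f4878ff9700 2 req 2:0.000800:s3:GET /:list_buckets:http status=200
"""
LINE_RE = re.compile(r"^\S+ \S+ (\w+) +\d+ (.*)$")        # -> thread id, message
REQ_RE = re.compile(r"^req (\d+):[^:]+:s3:(\w+) (.*)$")    # -> req id, method, tail
STATUS_RE = re.compile(r":http status=(\d+)$")

def summarize(log_text):
    """Return an ordered {req_id: summary} map built from rgw debug log lines."""
    serving = {}           # thread id -> req id that thread is currently handling
    reqs = OrderedDict()
    for raw in log_text.splitlines():
        if not (m := LINE_RE.match(raw)):
            continue
        thread, msg = m.groups()
        if r := REQ_RE.match(msg):              # level-2 "req N:..." line
            req_id, method, tail = r.groups()
            op = tail.split(":")[1] if ":" in tail else ""
            e = reqs.setdefault(req_id, {"method": method, "op": op, "sig": "v2/other",
                                         "status": None, "auth_failed": False})
            serving[thread] = req_id
            if s := STATUS_RE.search(tail):
                e["status"] = int(s.group(1))
            continue
        e = reqs.get(serving.get(thread))       # level-10 detail line for that request
        if e is None:
            continue
        if msg.startswith("v4 signature format"):
            e["sig"] = "v4"
        elif msg.startswith("failed to authorize request"):
            e["auth_failed"] = True
    return reqs

def denied_v4(reqs):
    """Req ids that used a v4 signature and were refused: the pattern in the thread."""
    return [rid for rid, e in reqs.items() if e["sig"] == "v4" and e["auth_failed"]]
```

Run it over a real rgw log with `summarize(open(path).read())`; a mix of refused v4 requests and accepted v2 ones from the same client points at the signature version rather than at the LDAP bind.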