Re: [ceph-users] Object gateway and LDAP Auth

2017-11-13 Thread Josh Haft
Finally got back around to working on this and wanted to provide a solution
in case anyone else runs into the same problem.

I was able to reproduce the problem using s3cmd, and noticed different
calls utilized different signature versions. Doing a GET operation on '/'
seemed to use v2 while a 'make bucket' command attempted to use v4. Since
the former succeeded and the latter failed, I called s3cmd with
'--signature-v2' and now all operations work. I'm still not able to use
boto3, but it's no longer an LDAP issue.

Josh

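As an added example (not code from the thread or from Ceph), a small Python helper that tells a SigV2 Authorization header from a SigV4 one and splits the v4 Credential into the same "access key id" and "credential scope" fields the rgw debug-10 lines show, plus a decoder for the radosgw-token layout (assumed from Ceph's rgw_token.h: base64 of a JSON object keyed RGW_TOKEN; check it against your own radosgw-token output). The sample headers, user id and password are constructed; the decoder reports only whether a key is present, because the token carries the LDAP password in clear and is therefore password-equivalent on the wire.

```python
import base64
import binascii
import json
import re

# Constructed sample headers (not taken from the thread).  The v4 Credential
# field is what rgw splits into "access key id" and "credential scope" at
# debug level 10; in the v2 form the access key id precedes the colon.
SIGV2_HEADER = "AWS rgwtoken123:frJIUN8DYpKDtOLCwo//yllqDzg="
SIGV4_HEADER = ("AWS4-HMAC-SHA256 Credential=rgwtoken123/20170830/us-east-1/s3/"
                "aws4_request, SignedHeaders=host;x-amz-date, Signature=deadbeef")


def classify_s3_auth(header):
    """Report which S3 signature version an Authorization header uses and the
    access key id it carries, in the same terms as the rgw log."""
    if header.startswith("AWS4-HMAC-SHA256 "):
        m = re.search(r"Credential=([^,\s]+)", header)
        if not m:
            raise ValueError("v4 header without Credential")
        parts = m.group(1).split("/")
        if len(parts) != 5 or parts[-1] != "aws4_request":
            raise ValueError("bad v4 credential format: " + m.group(1))
        return {"version": "v4", "access_key": parts[0],
                "scope": "/".join(parts[1:])}
    if header.startswith("AWS "):
        access_key, _, _sig = header[4:].partition(":")
        return {"version": "v2", "access_key": access_key, "scope": None}
    raise ValueError("unrecognised Authorization header")


def make_ldap_token(user_id, password):
    """Build a token in the layout radosgw-token --encode --ttype=ldap emits
    (assumed from Ceph's rgw_token.h: base64 of a JSON RGW_TOKEN object)."""
    doc = {"RGW_TOKEN": {"version": 1, "type": "ldap",
                         "id": user_id, "key": password}}
    return base64.b64encode(json.dumps(doc).encode()).decode()


def describe_ldap_token(token):
    """Decode a token to check its type and user id; the key (the LDAP password
    in clear) is never returned, only whether it is present."""
    try:
        doc = json.loads(base64.b64decode(token, validate=True))
    except (ValueError, binascii.Error):
        return None  # not a token: an ordinary access key or garbage
    body = doc.get("RGW_TOKEN") if isinstance(doc, dict) else None
    if not isinstance(body, dict):
        return None
    return {"type": body.get("type"), "id": body.get("id"),
            "has_key": bool(body.get("key"))}
```

In the log quoted in the original post the request enters the v4 path and then fails while looking the access key up in default.rgw.users.keys; running classify_s3_auth over the header each client operation sends shows which calls take that path and which stay on v2.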

Re: [ceph-users] Object gateway and LDAP Auth

2017-09-05 Thread Josh Haft
Thanks for your suggestions, Matt. ldapsearch functionality from the rados
gw machines works fine using the same parameters specified in ceph.conf
(uri, binddn, searchdn, ldap_secret). As expected I see network traffic
to/from the ldap host when performing a search as well.

The only configuration I have in /etc/openldap/ldap.conf is 'TLSREQCERT
demand' and TLS_CACERTDIR pointing at the location of my certdb... is there
something else required here for ceph-rgw or does it look elsewhere?

Josh




On Fri, Sep 1, 2017 at 11:15 PM, Matt Benjamin  wrote:

> Hi Josh,
>
> I'm not certain, but you might try disabling the searchfilter to start
> with.  If you're not seeing traffic, I would focus on verifying ldap
> search connectivity using the same credentials, using the openldap
> client, to rule out something low level.
>
> Matt
>
>
>
>
>
> --
>
> Matt Benjamin
> Red Hat, Inc.
> 315 West Huron Street, Suite 140A
> Ann Arbor, Michigan 48103
>
> http://www.redhat.com/en/technologies/storage
>
> tel.  734-821-5101
> fax.  734-769-8938
> cel.  734-216-5309
>
___
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


[ceph-users] Object gateway and LDAP Auth

2017-08-31 Thread Josh
Hello!

I've set up LDAP authentication on an object gateway and am attempting to
create a bucket via S3 using Python's boto3. It works fine using the access
and secret key for a radosgw user, but access is denied using a token
generated via radosgw-token with the LDAP user's credentials. The user does
exist in the directory (I'm using Active Directory), and I am able to query
for that user using the creds specified in rgw_ldap_binddn and
rgw_ldap_secret.

I've bumped the rgw logging to 20 and can see the request come in, but it
ultimately gets denied:
2017-08-30 15:44:55.754721 7f4878ff9700  2 req 1:0.76:s3:PUT
/foobar:create_bucket:authorizing
2017-08-30 15:44:55.754738 7f4878ff9700 10 v4 signature format = 
2017-08-30 15:44:55.754746 7f4878ff9700 10 v4 credential format =
/20170830/us-east-1/s3/aws4_request
2017-08-30 15:44:55.754750 7f4878ff9700 10 access key id = 
2017-08-30 15:44:55.754755 7f4878ff9700 10 credential scope =
20170830/us-east-1/s3/aws4_request
2017-08-30 15:44:55.754769 7f4878ff9700 20 get_system_obj_state:
rctx=0x7f4878ff2060 obj=default.rgw.users.keys: state=0x7f48f40131a8
s->prefetch_data=0
2017-08-30 15:44:55.754778 7f4878ff9700 10 cache get:
name=default.rgw.users.keys+ : miss
2017-08-30 15:44:55.755312 7f4878ff9700 10 cache put:
name=default.rgw.users.keys+ info.flags=0
2017-08-30 15:44:55.755321 7f4878ff9700 10 adding
default.rgw.users.keys+ to cache LRU end
2017-08-30 15:44:55.755328 7f4878ff9700 10 error reading user info,
uid= can't authenticate
2017-08-30 15:44:55.755330 7f4878ff9700 10 failed to authorize request
2017-08-30 15:44:55.755331 7f4878ff9700 20 handler->ERRORHANDLER:
err_no=-2028 new_err_no=-2028
2017-08-30 15:44:55.755393 7f4878ff9700  2 req 1:0.000747:s3:PUT
/foobar:create_bucket:op status=0
2017-08-30 15:44:55.755398 7f4878ff9700  2 req 1:0.000752:s3:PUT
/foobar:create_bucket:http status=403
2017-08-30 15:44:55.755402 7f4878ff9700  1 == req done
req=0x7f4878ff3710 op status=0 http_status=403 ==
2017-08-30 15:44:55.755409 7f4878ff9700 20 process_request() returned -2028

I am also running a tcpdump on the machine while I see these log messages,
but strangely I see no traffic destined for my configured LDAP server.
Here's some info on my setup. It seems like I'm missing something very
obvious; any help would be appreciated!

# rpm -q ceph-radosgw
ceph-radosgw-10.2.9-0.el7.x86_64

# grep rgw /etc/ceph/ceph.conf
[client.rgw.hostname]
rgw_frontends = civetweb port=8081s ssl_certificate=/path/to/private/key.pem
debug rgw = 20
rgw_s3_auth_use_ldap = true
rgw_ldap_secret = "/path/to/creds/file"
rgw_ldap_uri = "ldaps://hostname.domain.com:636"
rgw_ldap_binddn = "CN=valid_user,OU=Accounts,DC=domain,DC=com"
rgw_ldap_searchdn = "ou=Accounts,dc=domain,dc=com"
rgw_ldap_dnattr = "uid"
rgw_ldap_searchfilter = "objectclass=user"


Thanks,
Josh