[ceph-users] radosgw + OpenLDAP = Failed the auth strategy, reason=-13

Mon, 19 Feb 2018 07:53:54 -0800 

Hi cephers.


I try rgw (Luminous 12.2.2) + OpenLDAP. My settings:

    "rgw_ldap_binddn": "cn=cisco,ou=people,dc=example,dc=local",
    "rgw_ldap_dnattr": "uid",
    "rgw_ldap_searchdn": "ou=s3_users,dc=example,dc=local",
    "rgw_ldap_searchfilter": "(objectClass=inetOrgPerson)",
    "rgw_ldap_secret": "/etc/ceph/ldap_secret",
    "rgw_ldap_uri": "ldap://ldap.example.local:389";,
    "rgw_s3_auth_use_ldap": "true",


Test with ldapsearch:
# ldapsearch -x -D "cn=cisco,ou=people,dc=example,dc=local" -H ldap://ldap.example.local:389 -b "ou=s3_users,dc=example,dc=local" -w secret "(&(objectClass=inetOrgPerson)(uid=prometheus))" 
# extended LDIF
#
# LDAPv3
# base <ou=s3_users,dc=example,dc=local> with scope subtree
# filter: (&(objectClass=inetOrgPerson)(uid=prometheus))
# requesting: ALL
#

# prometheus, s3_users, example.local
dn: cn=prometheus,ou=s3_users,dc=example,dc=local
sn: Prometheus
givenName: Exporter
uid: prometheus
loginShell: /usr/bin/bash
displayName: Prometheus Exporter
uidNumber: 1129
homeDirectory: /home/prometheus
telephoneNumber: 0
mail: r...@k0ste.ru
gidNumber: 1121
objectClass: inetOrgPerson
objectClass: posixAccount
cn: prometheus

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



I was make token as described in docs:



# export RGW_ACCESS_KEY_ID="prometheus"  # ldap uid/cn
# export RGW_SECRET_ACCESS_KEY="prometheus" # ldap passwd
# radosgw-token --encode --ttype=ldap
ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=




And try to auth with s3cmd:





access_key = prometheus
access_token = ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICA 
gICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=




# s3cmd la
WARNING: Could not refresh role
ERROR: S3 error: 403 (AccessDenied)
rgw was successfully binds to OpenLDAP server with this settings, but query is not actually made. Queries was rejected by libldap (?) with reason='-13'. rgw logs:
2018-02-19 22:20:43.870254 7f7b9e36c700  2 RGWDataChangesLog::ChangesRenewThread: start 
2018-02-19 22:20:45.562318 7f7b85134700 20 CONTENT_LENGTH=0
2018-02-19 22:20:45.562344 7f7b85134700 20 HTTP_ACCEPT_ENCODING=identity
2018-02-19 22:20:45.562346 7f7b85134700 20 HTTP_AUTHORIZATION=AWS prometheus:AnbSRUM96QJtSBI32EIco2Go0e4= 
2018-02-19 22:20:45.562348 7f7b85134700 20 HTTP_HOST=10.10.10.1:7480
2018-02-19 22:20:45.562349 7f7b85134700 20 HTTP_X_AMZ_DATE=Mon, 19 Feb 2018 15:20:45 +0000 2018-02-19 22:20:45.562351 7f7b85134700 20 HTTP_X_AMZ_SECURITY_TOKEN=ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo= 
2018-02-19 22:20:45.562356 7f7b85134700 20 REQUEST_METHOD=GET
2018-02-19 22:20:45.562357 7f7b85134700 20 REQUEST_URI=/
2018-02-19 22:20:45.562358 7f7b85134700 20 SCRIPT_URI=/
2018-02-19 22:20:45.562359 7f7b85134700 20 SERVER_PORT=7480
2018-02-19 22:20:45.562363 7f7b85134700  1 ====== starting new request req=0x7f7b8512e190 ===== 2018-02-19 22:20:45.562392 7f7b85134700  2 req 1:0.000029::GET /::initializing for trans_id = tx000000000000000000001-005a8aeb4d-83def65-default 2018-02-19 22:20:45.562404 7f7b85134700 10 rgw api priority: s3=1 s3website=-1 
2018-02-19 22:20:45.562406 7f7b85134700 10 host=10.10.10.1
2018-02-19 22:20:45.562423 7f7b85134700 20 subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0 2018-02-19 22:20:45.562433 7f7b85134700 20 final domain/bucket subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0 s->info.domain= s->info.request_uri=/ 
2018-02-19 22:20:45.562449 7f7b85134700 10 meta>> HTTP_X_AMZ_DATE
2018-02-19 22:20:45.562457 7f7b85134700 10 meta>> HTTP_X_AMZ_SECURITY_TOKEN 2018-02-19 22:20:45.562460 7f7b85134700 10 x>> x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000 2018-02-19 22:20:45.562463 7f7b85134700 10 x>> x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo= 2018-02-19 22:20:45.562496 7f7b85134700 20 get_handler handler=26RGWHandler_REST_Service_S3 2018-02-19 22:20:45.562510 7f7b85134700 10 handler=26RGWHandler_REST_Service_S3 2018-02-19 22:20:45.562513 7f7b85134700  2 req 1:0.000150:s3:GET /::getting op 0 
2018-02-19 22:20:45.562520 7f7b85134700 10 op=26RGWListBuckets_ObjStore_S3
2018-02-19 22:20:45.562539 7f7b85134700  2 req 1:0.000164:s3:GET /:list_buckets:verifying requester 2018-02-19 22:20:45.562548 7f7b85134700 20 rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy 2018-02-19 22:20:45.562550 7f7b85134700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine 2018-02-19 22:20:45.562556 7f7b85134700 20 rgw::auth::s3::S3AnonymousEngine denied with reason=-1 2018-02-19 22:20:45.562560 7f7b85134700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::AWSv2ExternalAuthStrategy 2018-02-19 22:20:45.562561 7f7b85134700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy: trying rgw::auth::s3::LDAPEngine 
2018-02-19 22:20:45.562601 7f7b85134700 10 get_canon_resource(): dest=/
2018-02-19 22:20:45.562610 7f7b85134700 10 string_to_sign:
GET



x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000
x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
/
2018-02-19 22:20:45.562745 7f7b85134700 20 rgw::auth::s3::LDAPEngine denied with reason=-13 2018-02-19 22:20:45.562764 7f7b85134700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy denied with reason=-13 2018-02-19 22:20:45.562766 7f7b85134700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine 
2018-02-19 22:20:45.562781 7f7b85134700 10 get_canon_resource(): dest=/
2018-02-19 22:20:45.562785 7f7b85134700 10 string_to_sign:
GET



x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000
x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
/
2018-02-19 22:20:45.562812 7f7b85134700 20 get_system_obj_state: rctx=0x7f7b8512c730 obj=default.rgw.meta:users.keys:prometheus state=0x564fcf4fc040 s->prefetch_data=0 2018-02-19 22:20:45.562820 7f7b85134700 10 cache get: name=default.rgw.meta+users.keys+prometheus : miss 2018-02-19 22:20:45.563938 7f7b85134700 10 cache put: name=default.rgw.meta+users.keys+prometheus info.flags=0x0 2018-02-19 22:20:45.563950 7f7b85134700 10 adding default.rgw.meta+users.keys+prometheus to cache LRU end 2018-02-19 22:20:45.563956 7f7b85134700  5 error reading user info, uid=prometheus can't authenticate 2018-02-19 22:20:45.563958 7f7b85134700 20 rgw::auth::s3::LocalEngine denied with reason=-2028 2018-02-19 22:20:45.563960 7f7b85134700 20 rgw::auth::s3::AWSAuthStrategy denied with reason=-13 2018-02-19 22:20:45.563961 7f7b85134700 20 rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy 2018-02-19 22:20:45.563963 7f7b85134700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine 2018-02-19 22:20:45.563965 7f7b85134700 20 rgw::auth::s3::S3AnonymousEngine denied with reason=-1 2018-02-19 22:20:45.563966 7f7b85134700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::AWSv2ExternalAuthStrategy 2018-02-19 22:20:45.563968 7f7b85134700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy: trying rgw::auth::s3::LDAPEngine 
2018-02-19 22:20:45.563982 7f7b85134700 10 get_canon_resource(): dest=/
2018-02-19 22:20:45.563986 7f7b85134700 10 string_to_sign:
GET



x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000
x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
/
2018-02-19 22:20:45.564018 7f7b85134700 20 rgw::auth::s3::LDAPEngine denied with reason=-13 2018-02-19 22:20:45.564024 7f7b85134700 20 rgw::auth::s3::AWSv2ExternalAuthStrategy denied with reason=-13 2018-02-19 22:20:45.564026 7f7b85134700 20 rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine 
2018-02-19 22:20:45.564037 7f7b85134700 10 get_canon_resource(): dest=/
2018-02-19 22:20:45.564040 7f7b85134700 10 string_to_sign:
GET



x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000
x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
/
2018-02-19 22:20:45.564045 7f7b85134700 20 get_system_obj_state: rctx=0x7f7b8512c730 obj=default.rgw.meta:users.keys:prometheus state=0x564fcf4fc040 s->prefetch_data=0 2018-02-19 22:20:45.564052 7f7b85134700 10 cache get: name=default.rgw.meta+users.keys+prometheus : type miss (requested=0x6, cached=0x0) 2018-02-19 22:20:45.564414 7f7b85134700 10 cache put: name=default.rgw.meta+users.keys+prometheus info.flags=0x0 2018-02-19 22:20:45.564421 7f7b85134700 10 moving default.rgw.meta+users.keys+prometheus to cache LRU end 2018-02-19 22:20:45.564429 7f7b85134700  5 error reading user info, uid=prometheus can't authenticate 2018-02-19 22:20:45.564431 7f7b85134700 20 rgw::auth::s3::LocalEngine denied with reason=-2028 2018-02-19 22:20:45.564432 7f7b85134700 20 rgw::auth::s3::AWSAuthStrategy denied with reason=-13 2018-02-19 22:20:45.564433 7f7b85134700  5 Failed the auth strategy, reason=-13 
2018-02-19 22:20:45.564436 7f7b85134700 10 failed to authorize request
2018-02-19 22:20:45.564441 7f7b85134700 20 handler->ERRORHANDLER: err_no=-13 new_err_no=-13 2018-02-19 22:20:45.564536 7f7b85134700  2 req 1:0.002173:s3:GET /:list_buckets:op status=0 2018-02-19 22:20:45.564545 7f7b85134700  2 req 1:0.002182:s3:GET /:list_buckets:http status=403 2018-02-19 22:20:45.564550 7f7b85134700  1 ====== req done req=0x7f7b8512e190 op status=0 http_status=403 ====== 
2018-02-19 22:20:45.564560 7f7b85134700 20 process_request() returned -13
2018-02-19 22:20:45.564595 7f7b85134700  1 civetweb: 0x564fce8fd000: 10.10.10.254 - - [19/Feb/2018:22:20:45 +0700] "GET / HTTP/1.1" 1 0 - -
I was looking to source code of libldap and found mapping '13':'LDAP_CONTROL_NOT_FOUND'. Not sure what this actually mean. May be my libldap is incompatible version... Write simple example code to check it: 




#include <stdio.h>
#include <stdlib.h>
#include <ldap.h>
#include <lber.h>

int main() {
  LDAP *ldap = ldap_init("ldap.example.local", LDAP_PORT);
  LDAPMessage *msg, *entry;
  BerElement *ber;

  char *version = LDAP_VERSION3;
  int e = 0;
  int result;
  char *k;
  char **v;

  if (ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION,
                      &version) != LDAP_OPT_SUCCESS) {
      ldap_perror(ldap, "Can't set LDAP option.");
      exit(1);
  }
  result = ldap_simple_bind_s(ldap, "cn=prometheus,ou=s3_users,dc=example,dc=local", 
                                      "prometheus");
  if (result != LDAP_SUCCESS) {
    fprintf(stderr, "Can't bind: %s.\n", ldap_err2string(result));
    exit(1);
  }

  result = ldap_search_s(ldap, "ou=s3_users,dc=example,dc=local",
                         LDAP_SCOPE_SUBTREE, "(uid=prometheus)", NULL, 0, &msg); 
  if (result != LDAP_SUCCESS) {
    fprintf(stderr, "Search failed: %s.\n", ldap_err2string(result));
    exit(1);
  }

  if (ldap_count_entries(ldap, msg) == 0) {
    printf("LDAP search did not return any data.\n");
    exit(1);
  } else {
    printf("LDAP search returned %d objects.\n\n",
ldap_count_entries(ldap, msg));
  }

  entry = ldap_first_entry(ldap, msg);
  for ( k = ldap_first_attribute(ldap, entry, &ber);
        k != NULL;
        k = ldap_next_attribute(ldap, entry, ber) ) {
          v = ldap_get_values(ldap, entry, k);
          printf("%s: %s\n", k, v[0]);
        }

  ldap_value_free(v);
  ldap_memfree(k);

  if (ber != NULL) {
    ber_free(ber, 0);
  }

  ldap_msgfree(msg);

  result = ldap_unbind(ldap);
  if (result != 0) {
    fprintf(stderr, "Failed unbind: %s.\n", ldap_err2string(result));
    exit(1);
   }

  return(0);
}



Compile it. And this works flawless:




LDAP search returned 1 objects.

sn: Prometheus
givenName: Exporter
uid: prometheus
userPassword: {MD5}5PAGOLihDmmU5nry+DLVHA==
loginShell: /usr/bin/bash
displayName: Prometheus Exporter
uidNumber: 1129
homeDirectory: /home/prometheus
telephoneNumber: 0
mail: r...@k0ste.ru
gidNumber: 1121
objectClass: inetOrgPerson
cn: prometheus
So, with this OpenLDAP server works dozens of applications from various suppliers: oVirt, Postfix, Dovecot, Atlassian, Cisco, etc... 

Suggestions?




k


_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com

Reply via email to