Chapter 2. Configure LDAP and Ceph Object Gateway

Retrieve the LDAP host’s fully qualified domain name (FQDN) using hostname on the command line. Then, ensure that the host FQDN is resolvable via DNS or in /etc/hosts and resolv.conf before installing.

Red Hat Directory Server should be installed on a Red Hat Enterprise Linux 7 server with a graphical user interface (GUI) in order to use the Java Swing GUI Directory and Administration consoles. However, Red Hat Directory Server can still be serviced exclusively from the command line. To install Red Hat Directory Server, see the _Installation Guide_ for Red Hat Directory Server 10.

On the LDAP host, make sure that the firewall allows access to the Directory Server’s secure (636) port, so that LDAP clients can access the Directory Server. Leave the default unsecure port (389) closed.

firewall-cmd --zone=public --add-port=636/tcp
firewall-cmd --zone=public --add-port=636/tcp --permanent

# firewall-cmd --zone=public --add-port=636/tcp
# firewall-cmd --zone=public --add-port=636/tcp --permanent

To ensure SELinux does not block requests, label the ports for SELinux. For details see the Changing Directory Server Port Numbers section in the Administration Guide for Red Hat Directory Server 10.

The Ceph Object Gateway uses a simple ID and password to authenticate with the LDAP server, so the connection requires an SSL certificate for LDAP. To configure Directory Server for LDAP, see the Configuring Secure Connections chapter in the Administration Guide for Red Hat Directory Server 10.

Once the LDAP is working, configure the Ceph Object Gateway servers to trust the Directory Server’s certificate.

Connect to the server using "ldapwhoami" as a non-root user. For example:

ldapwhoami -H ldaps://rh-directory-server.example.com -d 9

$ ldapwhoami -H ldaps://rh-directory-server.example.com -d 9

The -d 9 option will provide debugging information in case something went wrong with the SSL negotiation.

Before creating the gateway user, ensure that the Ceph Object Gateway doesn’t already have the user. For example:

radosgw-admin metadata list user

# radosgw-admin metadata list user

The user name should NOT be in this list of users.

Create an LDAP user for the Ceph Object Gateway, and make a note of the binddn. Since the Ceph object gateway uses the ceph user, consider using ceph as the username. The user needs to have permissions to search the directory.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

The Ceph Object Gateway will bind to this user as specified in the rgw_ldap_binddn.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

# ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

On each gateway node, create a file for the user’s secret. For example, the secret may get stored in a file entitled /etc/bindpass. For security, change the owner of this file to the ceph user and group to ensure it is not globally readable.

On the administrative node for the Ceph cluster, add the rgw_ldap_secret setting in the [global] section of the Ceph configuration file. For example:

[global]
...
rgw_ldap_secret = /etc/bindpass

[global]
...
rgw_ldap_secret = /etc/bindpass

Finally, copy the updated configuration file to each Ceph node.

scp /etc/ceph/ceph.conf <node>:/etc/ceph

# scp /etc/ceph/ceph.conf <node>:/etc/ceph

On the administrative node for the Ceph cluster, add the following settings in the [global] section of the Ceph configuration file. For example:

[global]
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_secret = "/etc/bindpass"
rgw_ldap_searchdn = "<seachdn>"
rgw_ldap_dnattr = "uid"
rgw_s3_auth_use_ldap = true

[global]
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_secret = "/etc/bindpass"
rgw_ldap_searchdn = "<seachdn>"
rgw_ldap_dnattr = "uid"
rgw_s3_auth_use_ldap = true

For the rgw_ldap_uri setting, substitute <fqdn> with the fully qualified domain name of the LDAP server. If there is more than one LDAP server, specify each domain.

For the rgw_ldap_binddn setting, substitute <binddn> with the bind domain. With a domain of example.com and a ceph user under users and accounts, it should look something like this:

rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"

rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"

For the rgw_ldap_searchdn setting, substitute <searchdn> with the search domain. With a domain of example.com and users under users and accounts, it should look something like this:

rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"

rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"

Copy the updated configuration file to each Ceph node.

scp /etc/ceph/ceph.conf <hostname>:/etc/ceph

scp /etc/ceph/ceph.conf <hostname>:/etc/ceph

Finally, restart the Ceph Object Gateway. It should be one of:

systemctl restart ceph-radosgw
systemctl restart ceph-radosgw@rgw.`hostname -s`

# systemctl restart ceph-radosgw
# systemctl restart ceph-radosgw@rgw.`hostname -s`

You can create a custom search filter to limit user access by using the rgw_ldap_searchfilter setting. Specify this setting under the [global] section of the Ceph configuration file (/etc/ceph/ceph.conf). There are two ways to use the rgw_ldap_searchfilter setting: