Ceph Object Gateway with LDAP/AD Guide

Retrieve the LDAP host’s fully qualified domain name (FQDN) using hostname on the command line. Then, ensure that the host FQDN is resolvable via DNS or in /etc/hosts and resolv.conf before installing.

Red Hat Directory Server should be installed on a RHEL 7 server with a graphical user interface (GUI) in order to use the Java Swing GUI Directory and Administration consoles. However, Red Hat Directory Server can still be serviced exclusively from the command line. To install Red Hat Directory Server, see the Installation Guide for Red Hat Directory Server 10.

On the LDAP host, make sure that the firewall allows access to the Directory Server’s secure (636) port, so that LDAP clients can access the Directory Server. Leave the default unsecure port (389) closed.

# firewall-cmd --zone=public --add-port=636/tcp
# firewall-cmd --zone=public --add-port=636/tcp --permanent

To ensure SELinux does not block requests, label the ports for SELinux. For details see the Changing Directory Server Port Numbers section in the Administration Guide for Red Hat Directory Server 10.

The Ceph Object Gateway uses a simple ID and password to authenticate with the LDAP server, so the connection requires an SSL certificate for LDAP. To configure Directory Server for LDAP, see the Configuring Secure Connections chapter in the Administration Guide for Red Hat Directory Server 10.

Once the LDAP is working, configure the Ceph Object Gateway servers to trust the Directory Server’s certificate.

Connect to the server using "ldapwhoami" as a non-root user. For example:

$ ldapwhoami -H ldaps://rh-directory-server.example.com -d 9

The -d 9 option will provide debugging information in case something went wrong with the SSL negotiation.

At this point you should be able to connect to the server using ldapwhoami as a non-root user. For example:

$ ldapwhoami -H ldaps://rh-directory-server.example.com -d 9

The -d 9 option will provide debugging information in case something went wrong with the SSL negotiation.

Before creating the gateway user, ensure that the Ceph Object Gateway doesn’t already have the user. For example:

# radosgw-admin metadata list user

The user name should NOT be in this list of users.

Create an LDAP user for the Ceph Object Gateway, and make a note of the binddn. Since the Ceph object gateway uses the ceph user, consider using ceph as the username. The user needs to have permissions to search the directory.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

The Ceph Object Gateway will bind to this user as specified in the rgw_ldap_binddn.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

# ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

On each gateway node, create a file for the user’s secret. For example, the secret may get stored in a file entitled /etc/bindpass. For security, change the owner of this file to the ceph user and group to ensure it is not globally readable.

On the administrative node for the Ceph cluster, add the rgw_ldap_secret setting in the [global] section of the Ceph configuration file. For example:

[global]
...
rgw_ldap_secret = /etc/bindpass

Finally, copy the updated configuration file to each Ceph node.

# scp /etc/ceph/ceph.conf <node>:/etc/ceph

On the administrative node for the Ceph cluster, add the following settings in the [global] section of the Ceph configuration file. For example:

[global]
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_secret = "/etc/bindpass"
rgw_ldap_searchdn = "<seachdn>"
rgw_ldap_dnattr = "uid"
rgw_s3_auth_use_ldap = true

For the rgw_ldap_uri setting, substitute <fqdn> with the fully qualified domain name of the LDAP server. If there is more than one LDAP server, specify each domain.

For the rgw_ldap_binddn setting, substitute <binddn> with the bind domain. With a domain of example.com and a ceph user under users and accounts, it should look something like this:

rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"

For the rgw_ldap_searchdn setting, substitute <searchdn> with the search domain. With a domain of example.com and users under users and accounts, it should look something like this:

rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"

Copy the updated configuration file to each Ceph node.

scp /etc/ceph/ceph.conf <hostname>:/etc/ceph

Finally, restart the Ceph Object Gateway. It should be one of:

# systemctl restart ceph-radosgw
# systemctl restart ceph-radosgw@rgw.`hostname -s`

You can create a custom search filter to limit user access by using the rgw_ldap_searchfilter setting. Specify this setting under the [global] section of the Ceph configuration file (/etc/ceph/ceph.conf). There are two ways to use the rgw_ldap_searchfilter setting:

Ceph Object Gateway LDAP authentication is compatible with any LDAP-compliant directory service that can be configured for simple bind, including Microsoft Active Directory. Using Active Directory is similar to using RH Directory server in that the Ceph object gateway binds as the user configured in the rgw_ldap_binddn setting, and using LDAPs to ensure security.

The process for configuring Active Directory is essentially identical with Configuring LDAP and Ceph Object Gateway, but may have some Windows-specific usage.

Active Directory LDAP servers are configured to use LDAPs by default. Windows Server 2012 and higher can use Active Directory Certificate Services. Instructions for generating and installing SSL certificates for use with Active Directory LDAP are available in the following MS TechNet article: LDAP over SSL (LDAPS) Certificate.

Before creating the gateway user, ensure that the Ceph Object Gateway doesn’t already have the user. For example:

# radosgw-admin metadata list user

The user name should NOT be in this list of users.

Create an LDAP user for the Ceph Object Gateway, and make a note of the binddn. Since the Ceph object gateway uses the ceph user, consider using ceph as the username. The user needs to have permissions to search the directory.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

The Ceph Object Gateway will bind to this user as specified in the rgw_ldap_binddn.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

# ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

On each gateway node, create a file for the user’s secret. For example, the secret may get stored in a file entitled /etc/bindpass. For security, change the owner of this file to the ceph user and group to ensure it is not globally readable.

On the administrative node for the Ceph cluster, add the rgw_ldap_secret setting in the [global] section of the Ceph configuration file. For example:

[global]
...
rgw_ldap_secret = /etc/bindpass

Finally, copy the updated configuration file to each Ceph node.

# scp /etc/ceph/ceph.conf <node>:/etc/ceph

On the administrative node for the Ceph cluster, add the following settings in the [global] section of the Ceph configuration file after the rgw_ldap_secret setting. For example:

[global]
rgw_ldap_secret = "/etc/bindpass"
...
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_searchdn = "<seachdn>"
rgw_ldap_dnattr = "cn"
rgw_s3_auth_use_ldap = true

For the rgw_ldap_uri setting, substitute <fqdn> with the fully qualified domain name of the LDAP server. If there is more than one LDAP server, specify each domain.

For the rgw_ldap_binddn setting, substitute <binddn> with the bind domain. With a domain of example.com and a ceph user under users and accounts, it should look something like this:

rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"

For the rgw_ldap_searchdn setting, substitute <searchdn> with the search domain. With a domain of example.com and users under users and accounts, it should look something like this:

rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"

Copy the updated configuration file to each Ceph node.

scp /etc/ceph/ceph.conf <hostname>:/etc/ceph

Finally, restart the Ceph Object Gateway. It should be one of:

# systemctl restart ceph-radosgw
# systemctl restart ceph-radosgw@rgw.`hostname -s`

In the administrative console on LDAP server, create at least one S3 user so that an S3 client can use the LDAP user credentials. Make a note of the user name and secret for use when passing the credentials to the S3 client.

When running Ceph Object Gateway with LDAP, the access token is all that is required. However, the access token is created from the access key and secret. Export the access key and secret key as an LDAP token.

Pick a Ceph Object Gateway client such as Python Boto. Configure it to use the RGW_ACCESS_KEY_ID environment variable. Alternatively, you may copy the base-64 encoded string and specify it as the access key. Then, run the Ceph client.