Ceph Object Gateway with LDAP/AD Guide

Red Hat Ceph Storage 2

Configuring Ceph Object Gateway to use LDAP and AD to authenticate object gateway users.

Red Hat Ceph Storage Documentation Team

Abstract

This document describes how to configure Directory Server or Active Directory and the Ceph Object Gateway to use LDAP to authenticate Ceph Object Gateway users.

Preface

Ceph v2.0 and beyond supports Light-weight Directory Access Protocol (LDAP) servers for authenticating Ceph Object Gateway users. Configuring a cluster for use with LDAP requires the following:

  1. A Ceph Object Gateway server and Ceph Storage cluster.
  2. An LDAP server.
  3. An SSL certificate for LDAPS.
  4. An LDAP user for authenticating the Ceph Object Gateway.
  5. At least one LDAP user for authenticating S3 clients.

Chapter 1. Configuring LDAP and Ceph Object Gateway

1.1. Installing Red Hat Directory Server

Retrieve the LDAP host’s fully qualified domain name (FQDN) using hostname on the command line. Then, ensure that the host FQDN is resolvable via DNS or in /etc/hosts and resolv.conf before installing.

Red Hat Directory Server should be installed on a RHEL 7 server with a graphical user interface (GUI) in order to use the Java Swing GUI Directory and Administration consoles. However,Red Hat Directory Server can still be serviced exclusively from the command line. To install Red Hat Directory Server, see the Red Hat Directory Server Quick Start for details.

1.2. Configuring the Directory Server Firewall

On the LDAP host, make sure that the firewall allows access to the Directory Server’s secure (636) port, so that LDAP clients can access the Directory Server. Leave the default unsecure port (389) closed.

# firewall-cmd --zone=public --add-port=636/tcp
# firewall-cmd --zone=public --add-port=636/tcp --permanent

1.3. Labeling Ports for SELinux

To ensure SELinux doesn’t block requests, label the ports for SELinux. See Labelling SSL Ports for details.

1.4. Configuring LDAPS

The Ceph Object Gateway uses a simple ID and password to authenticate with the LDAP server, so the connection requires an SSL certificate for LDAPS. To configure Directory Server for LDAPs, see Secure Connections for details.

Once the LDAPs is working, configure the Ceph Object Gateway server(s) to trust the Directory Server’s certificate.

For RHEL 7, perform the following steps:

  1. Extract/Download a PEM-formatted certificate for the Certificate Authority (CA) that signed the LDAP server’s SSL certificate.
  2. Confirm that /etc/openldap/ldap.conf does not have TLS_REQCERT set.
  3. Confirm that /etc/openldap/ldap.conf contains a TLS_CACERTDIR /etc/openldap/certs setting.
  4. Use the certutil command to add the AD CA to the store at /etc/openldap/certs. For example, if the CA was named "msad-frog-MSAD-FROG-CA", and the PEM-formatted CA file is ldap.pem, you would run the following:

    # certutil -d /etc/openldap/certs -A -t "TC,," -n "msad-frog-MSAD-FROG-CA" -i /path/to/ldap.pem
  5. Make the certs database world-readable.

    # chmod 644 /etc/openldap/certs/*

At this point you should be able to connect to the server using "ldapwhoami" as a non-root user. For example:

$ ldapwhoami -H ldaps://rh-directory-server.example.com -d 9

The -d 9 option will provide debugging information in case something went wrong with the SSL negotiation.

For Ubuntu Xenial, perform the following steps:

  1. Extract/Download a PEM-formatted certificate for the Certificate Authority (CA) that signed the LDAP server’s SSL certificate. This step is identical to RHEL 7 above.
  2. Confirm that /etc/ldap/ldap.conf does not have TLS_REQCERT set. This step is similar to RHEL 7, but note that the file path on Ubuntu is /etc/ldap/ldap.conf, not /etc/openldap.
  3. Place the PEM-formatted CA cert at /usr/local/share/ca-certificates/ldap-ca.crt and ensure that its permissions are 0644 (world-readable).
  4. Set TLS_CACERT /usr/local/share/ca-certificates/ldap-ca.crt in /etc/ldap/ldap.conf.

At this point you should be able to connect to the server using ldapwhoami as a non-root user. For example:

$ ldapwhoami -H ldaps://rh-directory-server.example.com -d 9

The -d 9 option will provide debugging information in case something went wrong with the SSL negotiation.

1.5. Checking if the Gateway User Exists

Before creating the gateway user, ensure that the Ceph Object Gateway doesn’t already have the user. For example:

# radosgw-admin metadata list user

The user name should NOT be in this list of users.

1.6. Adding a Gateway User

On your LDAP node, create a user for the gateway in the Directory Server console. Since the Ceph object gateway uses the ceph user, consider using ceph as the username. The user needs to have permissions to search the directory.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

# ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

On each gateway node, create a file for the user’s secret. For example, the secret may get stored in a file entitled /etc/bindpass. For security, change the owner of this file to the ceph user and group to ensure it is not globally readable.

On the administrative node for the Ceph cluster, add the rgw_ldap_secret setting in the [global] section of the Ceph configuration file. For example:

[global]
...
rgw_ldap_secret = /etc/bindpass

Finally, copy the updated configuration file to each Ceph node.

# scp /etc/ceph/ceph.conf <node>:/etc/ceph

1.7. Configuring the Gateway to use LDAP

On the administrative node for the Ceph cluster, add the following settings in the [global] section of the Ceph configuration file. For example:

[global]
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_secret = "/etc/bindpass"
rgw_ldap_searchdn = "<seachdn>"
rgw_ldap_dnattr = "uid"
rgw_s3_auth_use_ldap = true

For the rgw_ldap_uri setting, substitute <fqdn> with the fully qualified domain name of the LDAP server. If there is more than one LDAP server, specify each domain.

For the rgw_ldap_binddn setting, substitute <binddn> with the bind domain. With a domain of example.com and a ceph user under users and accounts, it should look something like this:

rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"

For the rgw_ldap_searchdn setting, substitute <searchdn> with the search domain. With a domain of example.com and users under users and accounts, it should look something like this:

rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"

Copy the updated configuration file to each Ceph node.

scp /etc/ceph/ceph.conf <hostname>:/etc/ceph

Finally, restart the Ceph Object Gateway. It should be one of:

# systemctl restart ceph-radosgw
# systemctl restart ceph-radosgw@rgw.`hostname -s`

1.8. Using a Custom Search Filter

You can create a custom search filter to limit user access by using the rgw_ldap_searchfilter setting. Specify this setting under the [global] section of the Ceph configuration file (/etc/ceph/ceph.conf). There are two ways to use the rgw_ldap_searchfilter setting:

  1. Specifying a Partial Filter

    Example

    "objectclass=inetorgperson"

    The Ceph Object Gateway will generate the search filter with the user name from the token and the value of rgw_ldap_dnattr. The constructed filter is then combined with the partial filter from the rgw_ldap_searchfilter value. For example, the user name and the settings generate the final search filter:

    Example

    "(&(uid=joe)(objectclass=inetorgperson))"

    User joe will only be granted access if he is found in the LDAP directory, he has an object class of inetorgperson, and he specifies a valid password.

  2. Specifying a Complete Filter

    A complete filter must contain a USERNAME token which will be substituted with the user name during the authentication attempt. The rgw_ldap_dnattr setting is not used in this case. For example, to limit valid users to a specific group, use the following filter:

    Example

    "(&(uid=@USERNAME@)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))"

Chapter 2. Configuring Active Directory and Ceph Object Gateway

2.1. Using Microsoft Active Directory

Ceph Object Gateway LDAP authentication is compatible with any LDAP-compliant directory service that can be configured for simple bind, including Microsoft Active Directory. Using Active Directory is similar to using RH Directory server in that the Ceph object gateway binds as the user configured in the rgw_ldap_binddn setting, and using LDAPs to ensure security.

The process for configuring Active Directory is essentially identical with Configuring LDAP and Ceph Object Gateway, but may have some Windows-specific usage.

2.2. Configuring Active Directory for LDAPS

Active Directory LDAP servers are configured to use LDAPs by default. Windows Server 2012 and higher can use Active Directory Certificate Services. Instructions for generating and installing SSL certificates for use with Active Directory LDAP are available in the following MS TechNet article: LDAP over SSL (LDAPS) Certificate.

Note

Ensure that port 636 is open on the Active Directory host.

2.3. Check if the Gateway User Exists

Before creating the gateway user, ensure that the Ceph Object Gateway doesn’t already have the user. For example:

# radosgw-admin metadata list user

The user name should NOT be in this list of users.

2.4. Adding a Gateway User

Create an Active Directory user for the Ceph Object Gateway, and make a note of the binddn. The Ceph Object Gateway will bind to this user as specified in the rgw_ldap_binddn.

Like Add a Gateway User, test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

# ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

On each gateway node, create a file for the user’s secret. For example, the secret may get stored in a file entitled /etc/bindpass. For security, change the owner of this file to the ceph user and group to ensure it is not globally readable.

On the administrative node for the Ceph cluster, add the rgw_ldap_secret setting in the [global] section of the Ceph configuration file. For example:

[global]
...
rgw_ldap_secret = /etc/bindpass

Finally, copy the updated configuration file to each Ceph node.

# scp /etc/ceph/ceph.conf <node>:/etc/ceph

2.5. Configuring the Gateway to use Active Directory

On the administrative node for the Ceph cluster, add the following settings in the [global] section of the Ceph configuration file after the rgw_ldap_secret setting. For example:

[global]
rgw_ldap_secret = "/etc/bindpass"
...
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_searchdn = "<seachdn>"
rgw_ldap_dnattr = "cn"
rgw_s3_auth_use_ldap = true

For the rgw_ldap_uri setting, substitute <fqdn> with the fully qualified domain name of the LDAP server. If there is more than one LDAP server, specify each domain.

For the rgw_ldap_binddn setting, substitute <binddn> with the bind domain. With a domain of example.com and a ceph user under users and accounts, it should look something like this:

rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"

For the rgw_ldap_searchdn setting, substitute <searchdn> with the search domain. With a domain of example.com and users under users and accounts, it should look something like this:

rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"

Copy the updated configuration file to each Ceph node.

scp /etc/ceph/ceph.conf <hostname>:/etc/ceph

Finally, restart the Ceph Object Gateway. It should be one of:

# systemctl restart ceph-radosgw
# systemctl restart ceph-radosgw@rgw.`hostname -s`

Chapter 3. Testing the Configuration

3.1. Adding an S3 User to LDAP Server

In the administrative console on LDAP server, create at least one S3 user so that an S3 client can use the LDAP user credentials. Make a note of the user name and secret for use when passing the credentials to the S3 client.

3.2. Export an LDAP Token

When running Ceph Object Gateway with LDAP, the access token is all that is required. However, the access token is created from the access key and secret. Export the access key and secret key as an LDAP token.

  1. Export the access key.

    # export RGW_ACCESS_KEY_ID="<username>"
  2. Export the secret.

    # export RGW_SECRET_ACCESS_KEY="<password>"
  3. Export the token. For LDAP, use ldap as the token type (ttype).

    # radosgw-token --encode --ttype=ldap

    For Active Directory, use ad as the token type.

    # radosgw-token --encode --ttype=ad

    The result is a base-64 encoded string, which is the access token. Provide this access token to S3 clients in lieu of the access key. The secret is no longer required.

  4. (Optional) For added convenience, export the base-64 encoded string to the RGW_ACCESS_KEY_ID environment variable if the S3 client uses the environment variable.

    # export RGW_ACCESS_KEY_ID="ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogImNlcGgiLAogICAgICAgICJrZXkiOiAiODAwI0dvcmlsbGEiCiAgICB9Cn0K"

3.3. Test the Configuration with an S3 Client

Pick a Ceph Object Gateway client such as Python Boto. Configure it to use the RGW_ACCESS_KEY_ID environment variable. Alternatively, you may copy the base-64 encoded string and specify it as the access key. Then, run the Ceph client.

Note

The secret is no longer required.

Legal Notice

Copyright © 2017 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.