Chapter 3. Configure AD and Ceph Object Gateway

Perform the following steps to configure an Active Directory server to authenticate Ceph Object Gateway users.

3.1. Using Microsoft Active Directory

Ceph Object Gateway LDAP authentication is compatible with any LDAP-compliant directory service that can be configured for simple bind, including Microsoft Active Directory. Using Active Directory is similar to using Red Hat Directory Server: the Ceph Object Gateway binds as the user configured in the rgw_ldap_binddn setting, and the connection uses LDAPS so that neither the bind password nor the passwords of authenticating users cross the network in clear text.

The process for configuring Active Directory is essentially identical to the one in Configuring LDAP and Ceph Object Gateway, but some steps are carried out with Windows tools and use Active Directory naming for users and containers.

3.2. Configuring Active Directory for LDAPS

Active Directory domain controllers listen for LDAPS on port 636 once a suitable server certificate is installed. Windows Server 2012 and higher can issue that certificate with Active Directory Certificate Services. Instructions for generating and installing SSL certificates for use with Active Directory LDAP are available in the following MS TechNet article: LDAP over SSL (LDAPS) Certificate. The gateway nodes must also trust the certificate authority that issued the domain controller's certificate; with the OpenLDAP client libraries on Red Hat Enterprise Linux this is the TLS_CACERT setting in /etc/openldap/ldap.conf. Do not work around a verification failure by setting TLS_REQCERT to never, because that removes the protection LDAPS is meant to provide.

Note

Ensure that port 636/TCP is open on the Active Directory host and reachable from every gateway node.

3.3. Check if the Gateway User Exists

Before creating the gateway user, ensure that the Ceph Object Gateway does not already have a local user with the name you intend to use. For example:

# radosgw-admin metadata list user

The user name should NOT be in this list of users.

3.4. Add a Gateway User

Create an LDAP user for the Ceph Object Gateway and make a note of its bind DN (binddn). Since the Ceph Object Gateway runs as the ceph user, consider using ceph as the user name. The user needs permission to search the directory and nothing more; do not grant it write access or group memberships it does not need.

The Ceph Object Gateway will bind as this user, as specified in the rgw_ldap_binddn setting.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user. In Active Directory the user is commonly created in the Users container, so adjust the DNs in the command to match where the user actually lives (for example cn=ceph,cn=Users,dc=example,dc=com).

# ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

On each gateway node, create a file containing the bind user's password. For example, the secret may be stored in a file named /etc/bindpass. The file holds the password in plain text, so change its owner and group to ceph and set its mode to 0600 so that no other account on the node can read it.

On the administrative node for the Ceph cluster, add the rgw_ldap_secret setting in the [global] section of the Ceph configuration file. For example:

[global]
...
rgw_ldap_secret = /etc/bindpass

Finally, copy the updated configuration file to each Ceph node.

# scp /etc/ceph/ceph.conf <node>:/etc/ceph
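As an added example (not from the Red Hat documentation or the Ceph project), the following POSIX shell functions carry out the secret-file step above: they write the bind password so that the file is mode 0600 from the moment it is created, verify that mode, and then bind to the directory the same way the gateway will, using the file's contents as the password. The path /etc/bindpass, the ceph account and the example.com DNs come from this page; the function names and the placeholder password are assumptions.

```sh
#!/bin/sh
# Added example: create and verify the rgw_ldap_secret file, then test the bind.

# install_bindpass PATH PASSWORD [OWNER]
# Writes PASSWORD to PATH with mode 0600; the file is never world-readable, even briefly.
install_bindpass() {
    path=$1; secret=$2; owner=${3:-ceph}
    # umask in a subshell: the file is born 0600 and the caller's umask is untouched.
    # printf '%s' writes no trailing newline: ldapsearch -y uses the file byte for byte,
    # so a newline would become part of the password.
    ( umask 077; printf '%s' "$secret" > "$path" ) || return 1
    chmod 0600 "$path"
    # hand the file to the gateway's account when it exists on this host
    if id "$owner" >/dev/null 2>&1; then
        chown "$owner:$owner" "$path"
    fi
}

# check_bindpass PATH -> 0 if the file exists and is readable only by its owner
check_bindpass() {
    path=$1
    [ -f "$path" ] || { echo "$path: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$path: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# test_bind BINDDN URI BASEDN [PATH]
# Simple bind over LDAPS as BINDDN with the file's contents as the password, followed by
# a base search: this is the same bind radosgw performs before looking up a user.
test_bind() {
    binddn=$1; uri=$2; basedn=$3; path=${4:-/etc/bindpass}
    check_bindpass "$path" || return 1
    ldapsearch -x -H "$uri" -D "$binddn" -y "$path" -b "$basedn" -s base '(objectClass=*)' dn
}

# Usage on a gateway node (the password is a placeholder):
#   install_bindpass /etc/bindpass 'S3cr3t-placeholder'
#   test_bind 'uid=ceph,ou=People,dc=example,dc=com' ldaps://example.com:636 'dc=example,dc=com'
```

If test_bind fails with a certificate error, fix the trust chain on the gateway node rather than disabling verification; if it fails with invalid credentials, the file's contents or the bind DN are wrong.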

3.5. Configuring the Gateway to use Active Directory

On the administrative node for the Ceph cluster, add the following settings in the [global] section of the Ceph configuration file after the rgw_ldap_secret setting. For example:

[global]
rgw_ldap_secret = "/etc/bindpass"
...
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_searchdn = "<searchdn>"
rgw_ldap_dnattr = "cn"
rgw_s3_auth_use_ldap = true

For the rgw_ldap_uri setting, substitute <fqdn> with the fully qualified domain name of the LDAP server; it must match a name in the server's certificate, or LDAPS verification fails. If there is more than one LDAP server, list each server's ldaps:// URI in the same setting, separated by spaces.

For the rgw_ldap_binddn setting, substitute <binddn> with the distinguished name (DN) of the gateway user created above. With a domain of example.com and a ceph user under users and accounts, it should look something like this:

rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"

For the rgw_ldap_searchdn setting, substitute <searchdn> with the base DN under which the gateway searches for the users it authenticates. With a domain of example.com and users under users and accounts, it should look something like this:

rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"

Copy the updated configuration file to each Ceph node.

# scp /etc/ceph/ceph.conf <hostname>:/etc/ceph

Finally, restart the Ceph Object Gateway on each gateway node. Depending on how the service is named on the host, use one of:

# systemctl restart ceph-radosgw
# systemctl restart ceph-radosgw@rgw.`hostname -s`
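The following is an added example, not part of the Red Hat documentation or the Ceph project, that checks the rgw_ldap_* settings of a ceph.conf before it is copied out and the gateways restarted: every URI must be ldaps://, the bind DN, search DN and DN attribute must be set, rgw_s3_auth_use_ldap must be true, and the secret file must exist on this node with mode 0600. It also prints the ldapsearch equivalent of the lookup the gateway performs for an S3 user (bind as rgw_ldap_binddn, then a subtree search under rgw_ldap_searchdn for rgw_ldap_dnattr equal to the user name), which is useful for reproducing a failed login by hand. The function names are assumptions, and the parser assumes keys are written with underscores, as on this page.

```sh
#!/bin/sh
# Added example: validate the rgw_ldap_* settings in a ceph.conf before restarting the gateway.

# conf_get SECTION KEY FILE -> the value of KEY inside [SECTION], quotes stripped.
# Assumes keys use underscores (rgw_ldap_uri), as in the examples on this page.
conf_get() {
    awk -v sec="$1" -v key="$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            gsub(/^"|"$/, ""); print; exit
        }' "$3"
}

# check_rgw_ldap_conf FILE -> 0 when every setting the gateway needs is present and safe
check_rgw_ldap_conf() {
    conf=$1; rc=0
    uri=$(conf_get global rgw_ldap_uri "$conf")
    secret=$(conf_get global rgw_ldap_secret "$conf")
    binddn=$(conf_get global rgw_ldap_binddn "$conf")
    searchdn=$(conf_get global rgw_ldap_searchdn "$conf")
    dnattr=$(conf_get global rgw_ldap_dnattr "$conf")
    use_ldap=$(conf_get global rgw_s3_auth_use_ldap "$conf")

    [ -n "$uri" ] || { echo "rgw_ldap_uri is not set" >&2; rc=1; }
    # rgw_ldap_uri may list several servers separated by spaces; each one must be LDAPS,
    # otherwise the bind password and every user's password cross the network in clear text
    for u in $uri; do
        case "$u" in
            ldaps://*) ;;
            *) echo "rgw_ldap_uri '$u' is not ldaps://" >&2; rc=1 ;;
        esac
    done
    [ -n "$binddn" ]   || { echo "rgw_ldap_binddn is not set" >&2; rc=1; }
    [ -n "$searchdn" ] || { echo "rgw_ldap_searchdn is not set" >&2; rc=1; }
    [ -n "$dnattr" ]   || { echo "rgw_ldap_dnattr is not set" >&2; rc=1; }
    [ "$use_ldap" = true ] || { echo "rgw_s3_auth_use_ldap is not true" >&2; rc=1; }
    # the secret file must exist on this node and be readable only by its owner
    if [ ! -f "$secret" ]; then
        echo "rgw_ldap_secret '$secret' does not exist on this node" >&2; rc=1
    else
        mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
        case "$mode" in 600|400) ;; *) echo "$secret is mode $mode, expected 600" >&2; rc=1 ;; esac
    fi
    return $rc
}

# user_lookup_cmd FILE USER -> the ldapsearch equivalent of the gateway's user lookup:
# bind as rgw_ldap_binddn with the secret file, then a subtree search under rgw_ldap_searchdn
# for (rgw_ldap_dnattr=USER). The DN it returns is the one the gateway then binds as with
# the user's own password.
user_lookup_cmd() {
    conf=$1; user=$2
    printf 'ldapsearch -x -H "%s" -D "%s" -y %s -b "%s" -s sub "(%s=%s)" dn\n' \
        "$(conf_get global rgw_ldap_uri "$conf")" \
        "$(conf_get global rgw_ldap_binddn "$conf")" \
        "$(conf_get global rgw_ldap_secret "$conf")" \
        "$(conf_get global rgw_ldap_searchdn "$conf")" \
        "$(conf_get global rgw_ldap_dnattr "$conf")" "$user"
}

# Usage on the administrative node, before copying the file out and restarting the gateways:
#   check_rgw_ldap_conf /etc/ceph/ceph.conf && user_lookup_cmd /etc/ceph/ceph.conf alice
```

Run the check on every gateway node as well, because the secret file is local to each node and a ceph.conf that passes on the administrative node still fails a gateway whose /etc/bindpass is missing or readable by other accounts.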