Chapter 3. Configure AD and Ceph Object Gateway
Perform the following steps to configure an Active Directory server to authenticate Ceph Object Gateway users.
3.1. Using Microsoft Active Directory
Ceph Object Gateway LDAP authentication is compatible with any LDAP-compliant directory service that can be configured for simple bind, including Microsoft Active Directory. Using Active Directory is similar to using Red Hat Directory Server in that the Ceph Object Gateway binds as the user configured in the rgw_ldap_binddn setting, and uses LDAPS to protect the bind credentials in transit.
The process for configuring Active Directory is essentially identical to Configuring LDAP and Ceph Object Gateway, but may involve some Windows-specific usage.
3.2. Configuring Active Directory for LDAPS
Active Directory LDAP servers are configured to use LDAPS by default. Windows Server 2012 and higher can use Active Directory Certificate Services. Instructions for generating and installing SSL certificates for use with Active Directory LDAP are available in the following MS TechNet article: LDAP over SSL (LDAPS) Certificate.
Ensure that port 636 is open on the Active Directory host.
3.3. Check if the Gateway User Exists
Before creating the gateway user, ensure that the Ceph Object Gateway doesn’t already have the user. For example:
# radosgw-admin metadata list user
The user name should NOT be in this list of users.
3.4. Add a Gateway User
Create an LDAP user for the Ceph Object Gateway, and make a note of the binddn. Since the Ceph Object Gateway uses the ceph user, consider using ceph as the username. The user needs to have permissions to search the directory.
The Ceph Object Gateway will bind as this user, as specified in the rgw_ldap_binddn setting.
Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user:
# ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'
On each gateway node, create a file for the user's secret. For example, the secret may be stored in a file named /etc/bindpass. For security, change the owner of this file to the ceph user and group, and ensure it is not globally readable.
On the administrative node for the Ceph cluster, add the rgw_ldap_secret setting in the [global] section of the Ceph configuration file. For example:
[global]
...
rgw_ldap_secret = /etc/bindpass
Finally, copy the updated configuration file to each Ceph node.
# scp /etc/ceph/ceph.conf <node>:/etc/ceph
3.5. Configuring the Gateway to use Active Directory
On the administrative node for the Ceph cluster, add the following settings in the [global] section of the Ceph configuration file after the rgw_ldap_secret setting. For example:
[global]
rgw_ldap_secret = "/etc/bindpass"
...
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_searchdn = "<searchdn>"
rgw_ldap_dnattr = "cn"
rgw_s3_auth_use_ldap = true
For the rgw_ldap_uri setting, substitute <fqdn> with the fully qualified domain name of the LDAP server. If there is more than one LDAP server, specify each domain.
For the rgw_ldap_binddn setting, substitute <binddn> with the bind DN (distinguished name). With a domain of example.com and a ceph user under users and accounts, it should look something like this:
rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"
For the rgw_ldap_searchdn setting, substitute <searchdn> with the search base DN. With a domain of example.com and users under users and accounts, it should look something like this:
rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"
Copy the updated configuration file to each Ceph node.
# scp /etc/ceph/ceph.conf <hostname>:/etc/ceph
Finally, restart the Ceph Object Gateway. It should be one of:
# systemctl restart ceph-radosgw
# systemctl restart ceph-radosgw@rgw.`hostname -s`
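Before copying ceph.conf to the nodes and restarting the gateway, it is worth checking that the settings from sections 3.4 and 3.5 were filled in correctly. The following script is an added example, not part of this documentation or of Ceph: it parses the [global] section of a ceph.conf, confirms that every rgw_ldap_* key is set, that no <placeholder> from the template was left behind, that each rgw_ldap_uri entry uses ldaps:// (port 636 or unspecified), that rgw_s3_auth_use_ldap is true, and that the rgw_ldap_secret file exists and is not readable by group or others. The conf_get and check_rgw_ldap_conf function names and the rgw_ldap_check.sh file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example pre-flight check for the rgw_ldap_* settings (sections 3.4 and 3.5).
# Not part of the Red Hat documentation or of Ceph; function and file names are
# assumptions made for this example.
# Usage: sh rgw_ldap_check.sh /etc/ceph/ceph.conf

# conf_get CONF KEY: print KEY's value from the [global] section, quotes removed.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                                # comment line
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)                                    # strip surrounding quotes
            print v; exit
        }' "$1"
}

# check_rgw_ldap_conf CONF: print each finding, return 0 only if every check passes.
check_rgw_ldap_conf() {
    conf=$1; rc=0

    # Every key the procedure requires must be present and must not be a template placeholder.
    for key in rgw_ldap_uri rgw_ldap_binddn rgw_ldap_searchdn \
               rgw_ldap_dnattr rgw_ldap_secret rgw_s3_auth_use_ldap; do
        val=$(conf_get "$conf" "$key")
        if [ -z "$val" ]; then
            echo "FAIL: $key is not set in [global]"; rc=1
        else
            case $val in
                *\<*\>*) echo "FAIL: $key still holds a template placeholder: $val"; rc=1 ;;
            esac
        fi
    done

    [ "$(conf_get "$conf" rgw_s3_auth_use_ldap)" = true ] ||
        { echo "FAIL: rgw_s3_auth_use_ldap must be true for LDAP authentication"; rc=1; }

    # The bind DN and search DN must at least contain an attribute=value pair.
    for dn_key in rgw_ldap_binddn rgw_ldap_searchdn; do
        dn=$(conf_get "$conf" "$dn_key")
        [ -z "$dn" ] && continue
        case $dn in
            *=*) ;;
            *)   echo "FAIL: $dn_key does not look like a DN: $dn"; rc=1 ;;
        esac
    done

    # rgw_ldap_uri may list several servers separated by whitespace; each must be LDAPS.
    for u in $(conf_get "$conf" rgw_ldap_uri); do
        case $u in
            ldaps://*:636|ldaps://*:636/*) ;;
            ldaps://*:*) echo "FAIL: $u: LDAPS is expected on port 636"; rc=1 ;;
            ldaps://*) ;;
            *) echo "FAIL: $u is not an ldaps:// URI; a simple bind over it would send the password in clear"; rc=1 ;;
        esac
    done

    # The secret file must exist, be non-empty, and be unreadable by group and others.
    secret=$(conf_get "$conf" rgw_ldap_secret)
    if [ -n "$secret" ]; then
        if [ ! -s "$secret" ]; then
            echo "FAIL: secret file $secret is missing or empty"; rc=1
        elif [ -n "$(find "$secret" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "FAIL: $secret is readable by group or others; chmod 600 and chown it to the ceph user"; rc=1
        fi
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    check_rgw_ldap_conf "$1"
    exit $?
fi
```

Run it on the administrative node against the edited ceph.conf; a non-zero exit means at least one FAIL line was printed. The check only covers the file contents and permissions, so the ldapsearch test from section 3.4 is still the way to confirm that the bind DN and secret are accepted by the directory.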