Chapter 2. Configure LDAP and Ceph Object Gateway

Perform the following steps to configure Red Hat Directory Server to authenticate Ceph Object Gateway users.

2.1. Install Red Hat Directory Server

Retrieve the LDAP host’s fully qualified domain name (FQDN) using hostname on the command line. Then, ensure that the host FQDN is resolvable via DNS or in /etc/hosts and resolv.conf before installing.

Red Hat Directory Server should be installed on a Red Hat Enterprise Linux 7 server with a graphical user interface (GUI) in order to use the Java Swing GUI Directory and Administration consoles. However, Red Hat Directory Server can still be serviced exclusively from the command line. To install Red Hat Directory Server, see the _Installation Guide_ for Red Hat Directory Server 10.

2.2. Configure the Directory Server Firewall

On the LDAP host, make sure that the firewall allows access to the Directory Server’s secure (636) port, so that LDAP clients can access the Directory Server. Leave the default unsecure port (389) closed.

# firewall-cmd --zone=public --add-port=636/tcp
# firewall-cmd --zone=public --add-port=636/tcp --permanent

2.3. Label Ports for SELinux

To ensure SELinux does not block requests, label the ports for SELinux. For details see the Changing Directory Server Port Numbers section in the Administration Guide for Red Hat Directory Server 10.

2.4. Configure LDAPS

The Ceph Object Gateway uses a simple ID and password to authenticate with the LDAP server, so the connection requires an SSL certificate for LDAP. To configure Directory Server for LDAP, see the Configuring Secure Connections chapter in the Administration Guide for Red Hat Directory Server 10.

Once the LDAP is working, configure the Ceph Object Gateway servers to trust the Directory Server’s certificate.

  1. Extract/Download a PEM-formatted certificate for the Certificate Authority (CA) that signed the LDAP server’s SSL certificate.
  2. Confirm that /etc/openldap/ldap.conf does not have TLS_REQCERT set.
  3. Confirm that /etc/openldap/ldap.conf contains a TLS_CACERTDIR /etc/openldap/certs setting.
  4. Use the certutil command to add the AD CA to the store at /etc/openldap/certs. For example, if the CA is "msad-frog-MSAD-FROG-CA", and the PEM-formatted CA file is ldap.pem, use the following command:

    # certutil -d /etc/openldap/certs -A -t "TC,," -n "msad-frog-MSAD-FROG-CA" -i /path/to/ldap.pem
  5. Update SELinux on all remote LDAP sites:

    # setsebool -P httpd_can_network_connect on
    Note

    This still has to be set even if SELinux is in permissive mode.

  6. Make the certs database world-readable.

    # chmod 644 /etc/openldap/certs/*

Connect to the server using "ldapwhoami" as a non-root user. For example:

$ ldapwhoami -H ldaps://rh-directory-server.example.com -d 9

The -d 9 option will provide debugging information in case something went wrong with the SSL negotiation.

2.5. Check if the Gateway User Exists

Before creating the gateway user, ensure that the Ceph Object Gateway doesn’t already have the user. For example:

# radosgw-admin metadata list user

The user name should NOT be in this list of users.

2.6. Add a Gateway User

Create an LDAP user for the Ceph Object Gateway, and make a note of the binddn. Since the Ceph object gateway uses the ceph user, consider using ceph as the username. The user needs to have permissions to search the directory.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

The Ceph Object Gateway will bind to this user as specified in the rgw_ldap_binddn.

Test to ensure that the user creation worked. Where ceph is the user ID under People and example.com is the domain, you can perform a search for the user.

# ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

On each gateway node, create a file for the user’s secret. For example, the secret may get stored in a file entitled /etc/bindpass. For security, change the owner of this file to the ceph user and group to ensure it is not globally readable.

On the administrative node for the Ceph cluster, add the rgw_ldap_secret setting in the [global] section of the Ceph configuration file. For example:

[global]
...
rgw_ldap_secret = /etc/bindpass

Finally, copy the updated configuration file to each Ceph node.

# scp /etc/ceph/ceph.conf <node>:/etc/ceph

2.7. Configure the Gateway to use LDAP

On the administrative node for the Ceph cluster, add the following settings in the [global] section of the Ceph configuration file. For example:

[global]
rgw_ldap_uri = ldaps://<fqdn>:636
rgw_ldap_binddn = "<binddn>"
rgw_ldap_secret = "/etc/bindpass"
rgw_ldap_searchdn = "<seachdn>"
rgw_ldap_dnattr = "uid"
rgw_s3_auth_use_ldap = true

For the rgw_ldap_uri setting, substitute <fqdn> with the fully qualified domain name of the LDAP server. If there is more than one LDAP server, specify each domain.

For the rgw_ldap_binddn setting, substitute <binddn> with the bind domain. With a domain of example.com and a ceph user under users and accounts, it should look something like this:

rgw_ldap_binddn = "uid=ceph,cn=users,cn=accounts,dc=example,dc=com"

For the rgw_ldap_searchdn setting, substitute <searchdn> with the search domain. With a domain of example.com and users under users and accounts, it should look something like this:

rgw_ldap_searchdn = "cn=users,cn=accounts,dc=example,dc=com"

Copy the updated configuration file to each Ceph node.

scp /etc/ceph/ceph.conf <hostname>:/etc/ceph

Finally, restart the Ceph Object Gateway. It should be one of:

# systemctl restart ceph-radosgw
# systemctl restart ceph-radosgw@rgw.`hostname -s`

2.8. Using a Custom Search Filter

You can create a custom search filter to limit user access by using the rgw_ldap_searchfilter setting. Specify this setting under the [global] section of the Ceph configuration file (/etc/ceph/ceph.conf). There are two ways to use the rgw_ldap_searchfilter setting:

  1. Specifying a Partial Filter

    Example

    "objectclass=inetorgperson"

    The Ceph Object Gateway will generate the search filter with the user name from the token and the value of rgw_ldap_dnattr. The constructed filter is then combined with the partial filter from the rgw_ldap_searchfilter value. For example, the user name and the settings generate the final search filter:

    Example

    "(&(uid=joe)(objectclass=inetorgperson))"

    User joe will only be granted access if he is found in the LDAP directory, he has an object class of inetorgperson, and he specifies a valid password.

  2. Specifying a Complete Filter

    A complete filter must contain a USERNAME token which will be substituted with the user name during the authentication attempt. The rgw_ldap_dnattr setting is not used in this case. For example, to limit valid users to a specific group, use the following filter:

    Example

    "(&(uid=@USERNAME@)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))"