Chapter 4. Test the Configuration
Once you have configured Ceph Object Gateway to use LDAP to authenticate users, test the configuration.
4.1. Add an S3 User to the LDAP Server
In the administrative console on the LDAP server, create at least one S3 user so that an S3 client can use the LDAP user credentials. Make a note of the user name and secret for use when passing the credentials to the S3 client.
4.2. Export an LDAP Token
When running Ceph Object Gateway with LDAP, the access token is all that is required. However, the access token is created from the access key and secret. Export the access key and secret key as an LDAP token.
Export the access key.
# export RGW_ACCESS_KEY_ID="<username>"
Export the secret.
# export RGW_SECRET_ACCESS_KEY="<password>"
Export the token. For LDAP, use ldap as the token type.
# radosgw-token --encode --ttype=ldap
For Active Directory, use ad as the token type.
# radosgw-token --encode --ttype=ad
The result is a base-64 encoded string, which is the access token. Provide this access token to S3 clients in lieu of the access key. The secret is no longer required.
(Optional) For added convenience, export the base-64 encoded string to the RGW_ACCESS_KEY_ID environment variable if the S3 client uses the environment variable.
# export RGW_ACCESS_KEY_ID="ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogImNlcGgiLAogICAgICAgICJrZXkiOiAiODAwI0dvcmlsbGEiCiAgICB9Cn0K"
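Because the token is only base-64 encoded JSON, anyone who obtains it can read the LDAP user name and password back out, so it needs the same handling as the password itself. The following Python is an added example, not part of the original documentation: it decodes the sample token from the export command above and produces a redacted form that is safe to log. The function names and the field check are assumptions based on what that sample decodes to.

```python
import base64
import binascii
import json

# Sample token copied from the export command in section 4.2 of this page.
PAGE_TOKEN = (
    "ewogICAgIlJHV19UT0tFTiI6IHsK"
    "ICAgICAgICAidmVyc2lvbiI6IDEsCiAg"
    "ICAgICAgInR5cGUiOiAibGRhcCIsCiAg"
    "ICAgICAgImlkIjogImNlcGgiLAog"
    "ICAgICAgICJrZXkiOiAiODAwI0dvcmlsbGEiCiAg"
    "ICB9Cn0K"
)
KNOWN_TYPES = {"ldap", "ad"}  # the two --ttype values shown on this page


def decode_rgw_token(token: str) -> dict:
    """Return the RGW_TOKEN fields (layout assumed from the page's sample)."""
    try:
        raw = base64.b64decode(token, validate=True)
        doc = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not a base-64 encoded JSON token: {exc}") from exc
    fields = doc.get("RGW_TOKEN") if isinstance(doc, dict) else None
    if not isinstance(fields, dict):
        raise ValueError("missing RGW_TOKEN object")
    missing = {"version", "type", "id", "key"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    if fields["type"] not in KNOWN_TYPES:
        raise ValueError(f"unexpected token type: {fields['type']!r}")
    return fields


def redact_for_log(token: str) -> str:
    """Describe a token for logs without exposing the password it carries."""
    f = decode_rgw_token(token)
    return f"rgw-token type={f['type']} id={f['id']} key=<{len(f['key'])} chars redacted>"


if __name__ == "__main__":
    fields = decode_rgw_token(PAGE_TOKEN)
    print("recovered from token:", fields["id"], fields["key"])
    print("safe log form:", redact_for_log(PAGE_TOKEN))
```

Keep the token out of shell history, world-readable configuration files and client debug logs, and send it only over TLS.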
4.3. Test the Configuration with an S3 Client
Pick a Ceph Object Gateway client such as Python Boto. Configure it to use the RGW_ACCESS_KEY_ID environment variable. Alternatively, you may copy the base-64 encoded string and specify it as the access key. Then, run the Ceph client.
The secret is no longer required.