Chapter 4. Test the Configuration

Once you have configured Ceph Object Gateway to use LDAP to authenticate users, test the configuration.

4.1. Add an S3 User to the LDAP Server

In the administrative console on LDAP server, create at least one S3 user so that an S3 client can use the LDAP user credentials. Make a note of the user name and secret for use when passing the credentials to the S3 client.

4.2. Export an LDAP Token

When running Ceph Object Gateway with LDAP, the access token is all that is required. However, the access token is created from the access key and secret. Export the access key and secret key as an LDAP token.

  1. Export the access key.

    # export RGW_ACCESS_KEY_ID="<username>"
  2. Export the secret.

    # export RGW_SECRET_ACCESS_KEY="<password>"
  3. Export the token. For LDAP, use ldap as the token type (ttype).

    # radosgw-token --encode --ttype=ldap

    For Active Directory, use ad as the token type.

    # radosgw-token --encode --ttype=ad

    The result is a base-64 encoded string, which is the access token. Provide this access token to S3 clients in lieu of the access key. The secret is no longer required.

  4. (Optional) For added convenience, export the base-64 encoded string to the RGW_ACCESS_KEY_ID environment variable if the S3 client uses the environment variable.

    # export RGW_ACCESS_KEY_ID="ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogImNlcGgiLAogICAgICAgICJrZXkiOiAiODAwI0dvcmlsbGEiCiAgICB9Cn0K"

4.3. Test the Configuration with an S3 Client

Pick a Ceph Object Gateway client such as Python Boto. Configure it to use the RGW_ACCESS_KEY_ID environment variable. Alternatively, you may copy the base-64 encoded string and specify it as the access key. Then, run the Ceph client.

Note

The secret is no longer required.