I think you're a bit confused. Then again, when it comes to LDAP, I'm
usually more than a bit confused myself.
Generally, there are 2 ways to authenticate to LDAP:
1. Connect via a binddn and do an LDAP lookup
2. Connect via a user search to test for found/not-found
Option 1 requires a "universal" binding, which should be either the
admin dn (not the best choice), an anonymous account that has lookup
rights or a special lookup dn which corresponds to an LDAP userid which
has appropriate retrieval rights.
Option 2 requires (I think!) a default anonymous user dn that has
appropriate retrieval rights. Option 2 is often the choice for generic
go/no-go login lookups.
To use Option 1, you need an appropriate dn to log into the LDAP server
itself, plus you have to supply the necessary lookup base path and the
userid to be searched for. You may have to define the lookup search
arguments and the attribute containing the userid to be searched for.
You've probably been to this page (perhaps even too many times!) but it
does define the necessary options, so here it is in case you missed it:
https://docs.ceph.com/en/reef/radosgw/ldap-auth/
Note that if you're searching for Windows user IDs in Active Directory,
the attribute you need to match on isn't "uid", although unfortunately I
cannot remember what it actually is. The "uid" attribute is the
standard for Unix/Linux LDAP user accounts, whereas Windows accounts use
a different schema specific to Windows.
On 6/10/25 10:46, Albert Shih wrote:
Hi,
I'm currently running ceph 18.2.7 and I'm trying to connect my RGW to my LDAP.
After many hours of battling with that I ended up turning on every debug flag I
could find.
It seems the RGW tries to bind anonymously to my LDAP server; here is the log on
my LDAP server (OpenLDAP):
Jun 10 16:32:02 ldaps2-m2 slapd[453]: conn=836633 op=1 SRCH base="dc=obspm,dc=fr" scope=2 deref=0 filter="(&(&(objectClass=inetOrgPerson)(memberOf=cn=s3storage,ou=groups,ou=services_centraux,dc=obspm,dc=fr))(uid=jas))"
Jun 10 16:32:02 ldaps2-m2 slapd[453]: conn=836633 op=1 SRCH attr=uid
Jun 10 16:32:02 ldaps2-m2 slapd[453]: ==> limits_get: conn=836633 op=1 self="[anonymous]" this="dc=obspm,dc=fr"
We don't want to allow the anonymous bind here.
I set
ceph config set client.rgw rgw_ldap_binddn
"cn=s3storage,ou=dsa,ou=services_centraux,dc=obspm,dc=fr"
ceph config set client.rgw rgw_ldap_secret "/etc/ceph/ldappw.txt"
ceph config set client.rgw rgw_ldap_searchdn "dc=obspm,dc=fr"
I checked the file /etc/ceph/ldappw.txt, gave it to root:root, then to ceph:ceph,
changed the rights to 600/644, but whatever I do it's still trying to bind
anonymously.
I can even find the string s3storage,ou=dsa inside the debug log of my LDAP
server. It's like rgw doesn't even try to bind with the binddn I gave it.
I tried to run a shell inside the podman container but was unable to find
where the rgw config is «instantiated» inside the container (to see what it
gets).
Any clue?
Regards
_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
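As an added example, not from the thread or from Ceph's own code: a POSIX shell script that replays the lookup RGW performs (Option 1 in the reply above) by hand, with the same binddn, secret file and search base the poster configured, so slapd's log shows whether the explicit bind or the search itself is the problem. It assumes OpenLDAP's ldapsearch, and it assumes that RGW wraps the configured search filter as (&<searchfilter>(<dnattr>=<userid>)), which is the shape visible in the quoted slapd log; the LDAP URI is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or from Ceph): replay RGW's LDAP lookup
# with the poster's values. Assumes OpenLDAP's ldapsearch and the filter shape
# (&<searchfilter>(<dnattr>=<userid>)) seen in the slapd log.

# Escape a user-supplied value before it goes into an LDAP filter (RFC 4515),
# so a userid containing filter metacharacters cannot alter the query.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the filter for one userid: searchfilter AND (dnattr=userid).
rgw_ldap_filter() {
    searchfilter=$1; dnattr=$2; userid=$3
    printf '(&%s(%s=%s))' "$searchfilter" "$dnattr" "$(ldap_filter_escape "$userid")"
}

# The secret file must be readable by whoever runs the lookup and non-empty;
# this is what the chown/chmod attempts in the thread were trying to verify.
secret_file_check() {
    [ -r "$1" ] && [ -s "$1" ]
}

# Same search with an explicit simple bind (-x -D binddn, password read from
# the file with -y). If slapd still logs self="[anonymous]" for this run, the
# bind is the problem; if it logs the binddn but returns no entry, look at the
# search base, the filter or the ACLs. Note: -y uses the file contents
# verbatim, so a trailing newline in the file becomes part of the password.
rgw_ldap_probe() {
    uri=$1; binddn=$2; secretfile=$3; searchdn=$4
    searchfilter=$5; dnattr=$6; userid=$7
    secret_file_check "$secretfile" || { echo "secret file unusable: $secretfile" >&2; return 2; }
    filter=$(rgw_ldap_filter "$searchfilter" "$dnattr" "$userid")
    ldapsearch -LLL -H "$uri" -x -D "$binddn" -y "$secretfile" \
        -b "$searchdn" -s sub "$filter" "$dnattr"
}

# Usage with the thread's values (URI is a placeholder, inner filter is
# reconstructed from the slapd log):
#   rgw_ldap_probe ldaps://LDAP-HOST \
#     'cn=s3storage,ou=dsa,ou=services_centraux,dc=obspm,dc=fr' \
#     /etc/ceph/ldappw.txt 'dc=obspm,dc=fr' \
#     '(&(objectClass=inetOrgPerson)(memberOf=cn=s3storage,ou=groups,ou=services_centraux,dc=obspm,dc=fr))' \
#     uid jas
if [ $# -ge 7 ]; then
    rgw_ldap_probe "$@"
fi
```

Run it as the same user RGW runs as, so the secret file check reflects the permissions RGW actually sees.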