On 10/06/2025 at 13:22:40-0400, Tim Holloway wrote
Hi,

> I think you're a bit confused. Then again, when it comes to LDAP, I'm
> usually more than a bit confused myself.
> 
> Generally, there are 2 ways to authenticate to LDAP:
> 
> 1. Connect via a binddn and do an LDAP lookup
> 
> 2. Connect via a user search to test for found/not-found

There is a third method:

  3. Connect «anonymously» and do the exact same thing as 1.

Historically the default configuration of openldap was the third, meaning
openldap accepted an anonymous binding before searching.

One big drawback of this method is that, as admin, you cannot know, between two
daemons running on the same server, which one goes bad (like 200 000
connections/s).

So we don't allow the anonymous binding now. 

The «correct» way to do it is to bind with some pseudo dumb account:

ceph config set client.rgw rgw_s3_auth_use_ldap true
ceph config set client.rgw rgw_ldap_uri "Your list of server"
ceph config set client.rgw rgw_ldap_binddn "cn=s3storage,ou=dsa,dc=obspm,dc=fr"
ceph config set client.rgw rgw_ldap_secret "/etc/ceph/ldappw.txt"
ceph config set client.rgw rgw_ldap_searchdn "dc=obspm,dc=fr"
ceph config set client.rgw rgw_ldap_dnattr "uid"
ceph config set client.rgw rgw_ldap_searchfilter "&(objectClass=inetOrgPerson)(memberOf=cn=s3storage,ou=groups,dc=obspm,dc=fr)"

The dn of the binddn is not in the regular branch (ou=people) and is not an
inetOrgPerson, so you are 99.99999% sure no software will use this dn as a
person.

All my Linux servers, applications, etc. are using this bind method, so I'm
pretty sure it's working.

> You've probably been to this page (perhaps even too many times!) but it does
> define the necessary options, so here it is in case you missed it:
> 
> https://docs.ceph.com/en/reef/radosgw/ldap-auth/

Yes I do. My point is that the rgw doesn't seem to follow the binddn I give it.
In the LDAP log rgw tries to do an anonymous bind, and that cannot work on our
openldap.

> Note that if you're searching for Windows user IDs in Active directory, the
> attribute you need to match on isn't "uid", although unfortunately I cannot
> remember what it actually is. The "uid" attribute is the standard for
> Unix/Linux LDAP user accounts, whereas Windows accounts use a different
> schema specific to Windows.

No, I'm full Linux.

Thanks for your help

Regards. 

> 
> On 6/10/25 10:46, Albert Shih wrote:
> > Hi,
> > 
> > I'm currently running ceph 18.2.7 and I'm trying to connect my RGW to my LDAP
> > 
> > After many hours of battling with that I ended up turning on every debug flag I
> > can find.
> > 
> > It seems the RGW tries to bind anonymously to my ldap server; here is the log on
> > my ldap server (openldap)
> > 
> >    Jun 10 16:32:02 ldaps2-m2 slapd[453]: conn=836633 op=1 SRCH base="dc=obspm,dc=fr" scope=2 deref=0 filter="(&(&(objectClass=inetOrgPerson)(memberOf=cn=s3storage,ou=groups,ou=services_centraux,dc=obspm,dc=fr))(uid=jas))"
> >    Jun 10 16:32:02 ldaps2-m2 slapd[453]: conn=836633 op=1 SRCH attr=uid
> >    Jun 10 16:32:02 ldaps2-m2 slapd[453]: ==> limits_get: conn=836633 op=1 self="[anonymous]" this="dc=obspm,dc=fr"
> > 
> > 
> > We don't want to allow the anonymous bind here.
> > 
> > I set
> > 
> >    ceph config set client.rgw rgw_ldap_binddn "cn=s3storage,ou=dsa,ou=services_centraux,dc=obspm,dc=fr"
> >    ceph config set client.rgw rgw_ldap_secret "/etc/ceph/ldappw.txt"
> >    ceph config set client.rgw rgw_ldap_searchdn "dc=obspm,dc=fr"
> > 
> > I checked the file /etc/ceph/ldappw.txt, gave it to root:root, to ceph:ceph,
> > changed the rights to 600/644, but whatever I do it's still trying to bind
> > anonymously.
> > 
> > I can even find the string s3storage,ou=dsa inside the debug log of my ldap
> > server. It's like rgw doesn't even try to bind with the binddn I give it.
> > 
> > I tried to run a shell inside the podman container but was unable to find
> > where the rgw config is «instantiated» inside the container (to see what it
> > gets).
> > 
> > Any clue?
> > 
> > Regards
> > 
> _______________________________________________
> ceph-users mailing list -- ceph-users@ceph.io
> To unsubscribe send an email to ceph-users-le...@ceph.io
-- 
Albert SHIH 🦫 🐸
Observatoire de Paris
France
Local time:
Tue. 10 June 2025 21:40:31 CEST
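The diagnosis in this thread rests on reading the slapd log: the `self="[anonymous]"` in `limits_get` is what shows that the RGW never bound with its configured binddn. The following is an added example, not part of the thread and not Ceph or OpenLDAP code, that parses slapd "stats" log lines, attributes each SRCH operation to the DN that successfully bound on that connection (or to `[anonymous]` when no BIND with `err=0` preceded it), cross-checks that against the `limits_get` line when present, and counts anonymous searches per client IP. That gives an admin exactly what the anonymous-bind model lacks: which client, and which bound identity, is behind a burst of searches. The sample log is constructed; the SRCH and limits_get lines mirror the ones quoted above, while the ACCEPT, BIND and RESULT line shapes, the connection ids and the client addresses are assumptions about slapd's stats output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of OpenLDAP (slapd) "stats" log lines (not a real capture).
# conn=836633 searches without ever binding, conn=836634 binds with the service
# DN first, conn=836635 tries to bind but fails (err=49) and searches anyway.
SAMPLE_LOG = """\
Jun 10 16:32:01 ldaps2-m2 slapd[453]: conn=836633 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:636)
Jun 10 16:32:02 ldaps2-m2 slapd[453]: conn=836633 op=1 SRCH base="dc=obspm,dc=fr" scope=2 deref=0 filter="(&(&(objectClass=inetOrgPerson)(memberOf=cn=s3storage,ou=groups,dc=obspm,dc=fr))(uid=jas))"
Jun 10 16:32:02 ldaps2-m2 slapd[453]: conn=836633 op=1 SRCH attr=uid
Jun 10 16:32:02 ldaps2-m2 slapd[453]: ==> limits_get: conn=836633 op=1 self="[anonymous]" this="dc=obspm,dc=fr"
Jun 10 16:32:02 ldaps2-m2 slapd[453]: conn=836633 op=1 SEARCH RESULT tag=101 err=8 nentries=0 text=
Jun 10 16:32:05 ldaps2-m2 slapd[453]: conn=836634 fd=15 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:636)
Jun 10 16:32:05 ldaps2-m2 slapd[453]: conn=836634 op=0 BIND dn="cn=s3storage,ou=dsa,dc=obspm,dc=fr" method=128
Jun 10 16:32:05 ldaps2-m2 slapd[453]: conn=836634 op=0 BIND dn="cn=s3storage,ou=dsa,dc=obspm,dc=fr" mech=SIMPLE ssf=0
Jun 10 16:32:05 ldaps2-m2 slapd[453]: conn=836634 op=0 RESULT tag=97 err=0 text=
Jun 10 16:32:05 ldaps2-m2 slapd[453]: conn=836634 op=1 SRCH base="dc=obspm,dc=fr" scope=2 deref=0 filter="(&(&(objectClass=inetOrgPerson)(memberOf=cn=s3storage,ou=groups,dc=obspm,dc=fr))(uid=jas))"
Jun 10 16:32:05 ldaps2-m2 slapd[453]: ==> limits_get: conn=836634 op=1 self="cn=s3storage,ou=dsa,dc=obspm,dc=fr" this="dc=obspm,dc=fr"
Jun 10 16:32:05 ldaps2-m2 slapd[453]: conn=836634 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 10 16:32:09 ldaps2-m2 slapd[453]: conn=836635 fd=16 ACCEPT from IP=198.51.100.7:40010 (IP=0.0.0.0:636)
Jun 10 16:32:09 ldaps2-m2 slapd[453]: conn=836635 op=0 BIND dn="cn=s3storage,ou=dsa,dc=obspm,dc=fr" method=128
Jun 10 16:32:09 ldaps2-m2 slapd[453]: conn=836635 op=0 RESULT tag=97 err=49 text=
Jun 10 16:32:09 ldaps2-m2 slapd[453]: conn=836635 op=1 SRCH base="dc=obspm,dc=fr" scope=2 deref=0 filter="(uid=jas)"
"""

ANON = "[anonymous]"

# Line shapes this parser understands (assumed slapd stats-loglevel formats).
RE_CONN_OP = re.compile(r'conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
RE_ACCEPT = re.compile(r'^fd=\d+ ACCEPT from IP=(?P<peer>\S+) ')
RE_BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=')
RE_BIND_RESULT = re.compile(r'^RESULT tag=97 err=(?P<err>\d+)')   # tag 97 = BindResponse
RE_SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>[^"]*)"')
RE_LIMITS = re.compile(r'limits_get: conn=(?P<conn>\d+) op=(?P<op>\d+) self="(?P<self>[^"]*)"')


@dataclass
class SearchEvent:
    conn: str
    op: str
    peer: str       # client IP from the ACCEPT line, "?" if the ACCEPT was not logged
    identity: str   # DN that successfully bound on this connection, or "[anonymous]"
    base: str
    filter: str


def parse_slapd_log(text: str) -> list:
    """Return one SearchEvent per SRCH operation, attributed to its bound identity."""
    peers = {}          # conn -> client IP
    pending_bind = {}   # (conn, op) -> DN offered in a BIND not yet answered
    bound = {}          # conn -> DN confirmed by a BIND RESULT with err=0
    events, by_key = [], {}
    for line in text.splitlines():
        m = RE_LIMITS.search(line)
        if m:
            # slapd's own view of who runs the op overrides our reconstruction
            ev = by_key.get((m["conn"], m["op"]))
            if ev is not None:
                ev.identity = m["self"]
            continue
        m = RE_CONN_OP.search(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if (a := RE_ACCEPT.match(rest)):
            peers[conn] = a["peer"].rsplit(":", 1)[0]      # drop the source port
        elif (b := RE_BIND.match(rest)):
            pending_bind[(conn, op)] = b["dn"]
        elif (r := RE_BIND_RESULT.match(rest)):
            dn = pending_bind.pop((conn, op), None)
            if dn is not None and r["err"] == "0":          # only a successful bind counts
                bound[conn] = dn or ANON                    # empty DN = anonymous bind
        elif (s := RE_SRCH.match(rest)):
            ev = SearchEvent(conn, op, peers.get(conn, "?"),
                             bound.get(conn, ANON), s["base"], s["filter"])
            events.append(ev)
            by_key[(conn, op)] = ev
    return events


def anonymous_searches_by_peer(events: list) -> Counter:
    """Count searches run without an authenticated bind, keyed by client IP."""
    return Counter(ev.peer for ev in events if ev.identity == ANON)


def searches_by_identity(events: list) -> Counter:
    """Count searches per bound DN (or [anonymous]); this is the per-daemon view
    that a dedicated binddn per service makes possible."""
    return Counter(ev.identity for ev in events)


if __name__ == "__main__":
    evs = parse_slapd_log(SAMPLE_LOG)
    for ev in evs:
        print(f"conn={ev.conn} op={ev.op} peer={ev.peer} as={ev.identity} filter={ev.filter}")
    print("anonymous searches per client:", dict(anonymous_searches_by_peer(evs)))
    print("searches per identity:", dict(searches_by_identity(evs)))
```

Run it against a real slapd log (loglevel `stats`) by replacing `SAMPLE_LOG` with the file contents; a client that shows up under `[anonymous]` is one whose binddn never took effect, which is the symptom described in the thread, while a failed BIND (non-zero `err`) is deliberately not treated as an identity because the server will process the following operations as anonymous.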