[ceph-users] radosgw + OpenLDAP = Failed the auth strategy, reason=-13

Konstantin Shalygin k0ste at k0ste.ru
Mon Feb 19 07:53:21 PST 2018


Hi cephers.


I'm trying rgw (Luminous 12.2.2) + OpenLDAP. My settings:

     "rgw_ldap_binddn": "cn=cisco,ou=people,dc=example,dc=local",
     "rgw_ldap_dnattr": "uid",
     "rgw_ldap_searchdn": "ou=s3_users,dc=example,dc=local",
     "rgw_ldap_searchfilter": "(objectClass=inetOrgPerson)",
     "rgw_ldap_secret": "/etc/ceph/ldap_secret",
     "rgw_ldap_uri": "ldap://ldap.example.local:389",
     "rgw_s3_auth_use_ldap": "true",


Test with ldapsearch:


# ldapsearch -x -D "cn=cisco,ou=people,dc=example,dc=local" \
    -H ldap://ldap.example.local:389 -b "ou=s3_users,dc=example,dc=local" \
    -w secret "(&(objectClass=inetOrgPerson)(uid=prometheus))"
# extended LDIF
#
# LDAPv3
# base <ou=s3_users,dc=example,dc=local> with scope subtree
# filter: (&(objectClass=inetOrgPerson)(uid=prometheus))
# requesting: ALL
#

# prometheus, s3_users, example.local
dn: cn=prometheus,ou=s3_users,dc=example,dc=local
sn: Prometheus
givenName: Exporter
uid: prometheus
loginShell: /usr/bin/bash
displayName: Prometheus Exporter
uidNumber: 1129
homeDirectory: /home/prometheus
telephoneNumber: 0
mail: root at k0ste.ru
gidNumber: 1121
objectClass: inetOrgPerson
objectClass: posixAccount
cn: prometheus

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



I made a token as described in the docs:


> # export RGW_ACCESS_KEY_ID="prometheus"  # ldap uid/cn
> # export RGW_SECRET_ACCESS_KEY="prometheus" # ldap passwd
> # radosgw-token --encode --ttype=ldap
> ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=



And try to auth with s3cmd:




> access_key = prometheus
> access_token = ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=


> # s3cmd la
> WARNING: Could not refresh role
> ERROR: S3 error: 403 (AccessDenied)



rgw successfully binds to the OpenLDAP server with these settings, but the 
query is not actually made. Queries are rejected by libldap (?) with 
reason='-13'. rgw logs:



>
> 2018-02-19 22:20:43.870254 7f7b9e36c700  2 
> RGWDataChangesLog::ChangesRenewThread: start
> 2018-02-19 22:20:45.562318 7f7b85134700 20 CONTENT_LENGTH=0
> 2018-02-19 22:20:45.562344 7f7b85134700 20 HTTP_ACCEPT_ENCODING=identity
> 2018-02-19 22:20:45.562346 7f7b85134700 20 HTTP_AUTHORIZATION=AWS 
> prometheus:AnbSRUM96QJtSBI32EIco2Go0e4=
> 2018-02-19 22:20:45.562348 7f7b85134700 20 HTTP_HOST=10.10.10.1:7480
> 2018-02-19 22:20:45.562349 7f7b85134700 20 HTTP_X_AMZ_DATE=Mon, 19 Feb 
> 2018 15:20:45 +0000
> 2018-02-19 22:20:45.562351 7f7b85134700 20 
> HTTP_X_AMZ_SECURITY_TOKEN=ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
> 2018-02-19 22:20:45.562356 7f7b85134700 20 REQUEST_METHOD=GET
> 2018-02-19 22:20:45.562357 7f7b85134700 20 REQUEST_URI=/
> 2018-02-19 22:20:45.562358 7f7b85134700 20 SCRIPT_URI=/
> 2018-02-19 22:20:45.562359 7f7b85134700 20 SERVER_PORT=7480
> 2018-02-19 22:20:45.562363 7f7b85134700  1 ====== starting new request 
> req=0x7f7b8512e190 =====
> 2018-02-19 22:20:45.562392 7f7b85134700  2 req 1:0.000029::GET 
> /::initializing for trans_id = 
> tx000000000000000000001-005a8aeb4d-83def65-default
> 2018-02-19 22:20:45.562404 7f7b85134700 10 rgw api priority: s3=1 
> s3website=-1
> 2018-02-19 22:20:45.562406 7f7b85134700 10 host=10.10.10.1
> 2018-02-19 22:20:45.562423 7f7b85134700 20 subdomain= domain= 
> in_hosted_domain=0 in_hosted_domain_s3website=0
> 2018-02-19 22:20:45.562433 7f7b85134700 20 final domain/bucket 
> subdomain= domain= in_hosted_domain=0 in_hosted_domain_s3website=0 
> s->info.domain= s->info.request_uri=/
> 2018-02-19 22:20:45.562449 7f7b85134700 10 meta>> HTTP_X_AMZ_DATE
> 2018-02-19 22:20:45.562457 7f7b85134700 10 meta>> 
> HTTP_X_AMZ_SECURITY_TOKEN
> 2018-02-19 22:20:45.562460 7f7b85134700 10 x>> x-amz-date:Mon, 19 Feb 
> 2018 15:20:45 +0000
> 2018-02-19 22:20:45.562463 7f7b85134700 10 x>> 
> x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
> 2018-02-19 22:20:45.562496 7f7b85134700 20 get_handler 
> handler=26RGWHandler_REST_Service_S3
> 2018-02-19 22:20:45.562510 7f7b85134700 10 
> handler=26RGWHandler_REST_Service_S3
> 2018-02-19 22:20:45.562513 7f7b85134700  2 req 1:0.000150:s3:GET 
> /::getting op 0
> 2018-02-19 22:20:45.562520 7f7b85134700 10 op=26RGWListBuckets_ObjStore_S3
> 2018-02-19 22:20:45.562539 7f7b85134700  2 req 1:0.000164:s3:GET 
> /:list_buckets:verifying requester
> 2018-02-19 22:20:45.562548 7f7b85134700 20 
> rgw::auth::StrategyRegistry::s3_main_strategy_t: trying 
> rgw::auth::s3::AWSAuthStrategy
> 2018-02-19 22:20:45.562550 7f7b85134700 20 
> rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine
> 2018-02-19 22:20:45.562556 7f7b85134700 20 
> rgw::auth::s3::S3AnonymousEngine denied with reason=-1
> 2018-02-19 22:20:45.562560 7f7b85134700 20 
> rgw::auth::s3::AWSAuthStrategy: trying 
> rgw::auth::s3::AWSv2ExternalAuthStrategy
> 2018-02-19 22:20:45.562561 7f7b85134700 20 
> rgw::auth::s3::AWSv2ExternalAuthStrategy: trying rgw::auth::s3::LDAPEngine
> 2018-02-19 22:20:45.562601 7f7b85134700 10 get_canon_resource(): dest=/
> 2018-02-19 22:20:45.562610 7f7b85134700 10 string_to_sign:
> GET
>
>
>
> x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000
> x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
> /
> 2018-02-19 22:20:45.562745 7f7b85134700 20 rgw::auth::s3::LDAPEngine 
> denied with reason=-13
> 2018-02-19 22:20:45.562764 7f7b85134700 20 
> rgw::auth::s3::AWSv2ExternalAuthStrategy denied with reason=-13
> 2018-02-19 22:20:45.562766 7f7b85134700 20 
> rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine
> 2018-02-19 22:20:45.562781 7f7b85134700 10 get_canon_resource(): dest=/
> 2018-02-19 22:20:45.562785 7f7b85134700 10 string_to_sign:
> GET
>
>
>
> x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000
> x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
> /
> 2018-02-19 22:20:45.562812 7f7b85134700 20 get_system_obj_state: 
> rctx=0x7f7b8512c730 obj=default.rgw.meta:users.keys:prometheus 
> state=0x564fcf4fc040 s->prefetch_data=0
> 2018-02-19 22:20:45.562820 7f7b85134700 10 cache get: 
> name=default.rgw.meta+users.keys+prometheus : miss
> 2018-02-19 22:20:45.563938 7f7b85134700 10 cache put: 
> name=default.rgw.meta+users.keys+prometheus info.flags=0x0
> 2018-02-19 22:20:45.563950 7f7b85134700 10 adding 
> default.rgw.meta+users.keys+prometheus to cache LRU end
> 2018-02-19 22:20:45.563956 7f7b85134700  5 error reading user info, 
> uid=prometheus can't authenticate
> 2018-02-19 22:20:45.563958 7f7b85134700 20 rgw::auth::s3::LocalEngine 
> denied with reason=-2028
> 2018-02-19 22:20:45.563960 7f7b85134700 20 
> rgw::auth::s3::AWSAuthStrategy denied with reason=-13
> 2018-02-19 22:20:45.563961 7f7b85134700 20 
> rgw::auth::StrategyRegistry::s3_main_strategy_t: trying 
> rgw::auth::s3::AWSAuthStrategy
> 2018-02-19 22:20:45.563963 7f7b85134700 20 
> rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::S3AnonymousEngine
> 2018-02-19 22:20:45.563965 7f7b85134700 20 
> rgw::auth::s3::S3AnonymousEngine denied with reason=-1
> 2018-02-19 22:20:45.563966 7f7b85134700 20 
> rgw::auth::s3::AWSAuthStrategy: trying 
> rgw::auth::s3::AWSv2ExternalAuthStrategy
> 2018-02-19 22:20:45.563968 7f7b85134700 20 
> rgw::auth::s3::AWSv2ExternalAuthStrategy: trying rgw::auth::s3::LDAPEngine
> 2018-02-19 22:20:45.563982 7f7b85134700 10 get_canon_resource(): dest=/
> 2018-02-19 22:20:45.563986 7f7b85134700 10 string_to_sign:
> GET
>
>
>
> x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000
> x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
> /
> 2018-02-19 22:20:45.564018 7f7b85134700 20 rgw::auth::s3::LDAPEngine 
> denied with reason=-13
> 2018-02-19 22:20:45.564024 7f7b85134700 20 
> rgw::auth::s3::AWSv2ExternalAuthStrategy denied with reason=-13
> 2018-02-19 22:20:45.564026 7f7b85134700 20 
> rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine
> 2018-02-19 22:20:45.564037 7f7b85134700 10 get_canon_resource(): dest=/
> 2018-02-19 22:20:45.564040 7f7b85134700 10 string_to_sign:
> GET
>
>
>
> x-amz-date:Mon, 19 Feb 2018 15:20:45 +0000
> x-amz-security-token:ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXkiOiAicHJvbWV0aGV1cyIKICAgIH0KfQo=
> /
> 2018-02-19 22:20:45.564045 7f7b85134700 20 get_system_obj_state: 
> rctx=0x7f7b8512c730 obj=default.rgw.meta:users.keys:prometheus 
> state=0x564fcf4fc040 s->prefetch_data=0
> 2018-02-19 22:20:45.564052 7f7b85134700 10 cache get: 
> name=default.rgw.meta+users.keys+prometheus : type miss 
> (requested=0x6, cached=0x0)
> 2018-02-19 22:20:45.564414 7f7b85134700 10 cache put: 
> name=default.rgw.meta+users.keys+prometheus info.flags=0x0
> 2018-02-19 22:20:45.564421 7f7b85134700 10 moving 
> default.rgw.meta+users.keys+prometheus to cache LRU end
> 2018-02-19 22:20:45.564429 7f7b85134700  5 error reading user info, 
> uid=prometheus can't authenticate
> 2018-02-19 22:20:45.564431 7f7b85134700 20 rgw::auth::s3::LocalEngine 
> denied with reason=-2028
> 2018-02-19 22:20:45.564432 7f7b85134700 20 
> rgw::auth::s3::AWSAuthStrategy denied with reason=-13
> 2018-02-19 22:20:45.564433 7f7b85134700  5 Failed the auth strategy, 
> reason=-13
> 2018-02-19 22:20:45.564436 7f7b85134700 10 failed to authorize request
> 2018-02-19 22:20:45.564441 7f7b85134700 20 handler->ERRORHANDLER: 
> err_no=-13 new_err_no=-13
> 2018-02-19 22:20:45.564536 7f7b85134700  2 req 1:0.002173:s3:GET 
> /:list_buckets:op status=0
> 2018-02-19 22:20:45.564545 7f7b85134700  2 req 1:0.002182:s3:GET 
> /:list_buckets:http status=403
> 2018-02-19 22:20:45.564550 7f7b85134700  1 ====== req done 
> req=0x7f7b8512e190 op status=0 http_status=403 ======
> 2018-02-19 22:20:45.564560 7f7b85134700 20 process_request() returned -13
> 2018-02-19 22:20:45.564595 7f7b85134700  1 civetweb: 0x564fce8fd000: 
> 10.10.10.254 - - [19/Feb/2018:22:20:45 +0700] "GET / HTTP/1.1" 1 0 - -



I was looking at the source code of libldap and found the mapping 
'13':'LDAP_CONTROL_NOT_FOUND'. Not sure what this actually means. Maybe 
my libldap is an incompatible version... I wrote a simple example to check it:



> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <ldap.h>
> #include <lber.h>
>
> int main(void) {
>   LDAP *ldap = NULL;
>   LDAPMessage *msg = NULL, *entry = NULL;
>   BerElement *ber = NULL;
>   struct berval cred;
>   int version = LDAP_VERSION3;   /* must be an int, not a char* */
>   int result;
>   char *k;
>   struct berval **v;
>
>   /* ldap_init() is deprecated in OpenLDAP; ldap_initialize() takes a URI */
>   result = ldap_initialize(&ldap, "ldap://ldap.example.local:389");
>   if (result != LDAP_SUCCESS) {
>     fprintf(stderr, "Can't init: %s.\n", ldap_err2string(result));
>     exit(1);
>   }
>
>   if (ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION,
>                       &version) != LDAP_OPT_SUCCESS) {
>     fprintf(stderr, "Can't set LDAP option.\n");
>     exit(1);
>   }
>
>   /* simple bind as the user DN with the user's password */
>   cred.bv_val = "prometheus";
>   cred.bv_len = strlen(cred.bv_val);
>   result = ldap_sasl_bind_s(ldap,
>                             "cn=prometheus,ou=s3_users,dc=example,dc=local",
>                             LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
>   if (result != LDAP_SUCCESS) {
>     fprintf(stderr, "Can't bind: %s.\n", ldap_err2string(result));
>     exit(1);
>   }
>
>   result = ldap_search_ext_s(ldap, "ou=s3_users,dc=example,dc=local",
>                              LDAP_SCOPE_SUBTREE, "(uid=prometheus)", NULL,
>                              0, NULL, NULL, NULL, 0, &msg);
>   if (result != LDAP_SUCCESS) {
>     fprintf(stderr, "Search failed: %s.\n", ldap_err2string(result));
>     exit(1);
>   }
>
>   if (ldap_count_entries(ldap, msg) == 0) {
>     printf("LDAP search did not return any data.\n");
>     exit(1);
>   }
>   printf("LDAP search returned %d objects.\n\n", ldap_count_entries(ldap, msg));
>
>   entry = ldap_first_entry(ldap, msg);
>   for (k = ldap_first_attribute(ldap, entry, &ber);
>        k != NULL;
>        k = ldap_next_attribute(ldap, entry, ber)) {
>     v = ldap_get_values_len(ldap, entry, k);
>     if (v != NULL) {
>       if (v[0] != NULL) {
>         printf("%s: %.*s\n", k, (int)v[0]->bv_len, v[0]->bv_val);
>       }
>       ldap_value_free_len(v);   /* free per attribute, not once after the loop */
>     }
>     ldap_memfree(k);
>   }
>
>   if (ber != NULL) {
>     ber_free(ber, 0);
>   }
>
>   ldap_msgfree(msg);
>
>   result = ldap_unbind_ext_s(ldap, NULL, NULL);
>   if (result != LDAP_SUCCESS) {
>     fprintf(stderr, "Failed unbind: %s.\n", ldap_err2string(result));
>     exit(1);
>   }
>
>   return 0;
> }


Compiled it. And this works flawlessly:



> LDAP search returned 1 objects.
>
> sn: Prometheus
> givenName: Exporter
> uid: prometheus
> userPassword: {MD5}5PAGOLihDmmU5nry+DLVHA==
> loginShell: /usr/bin/bash
> displayName: Prometheus Exporter
> uidNumber: 1129
> homeDirectory: /home/prometheus
> telephoneNumber: 0
> mail: root at k0ste.ru
> gidNumber: 1121
> objectClass: inetOrgPerson
> cn: prometheus



So, dozens of applications from various suppliers work with this OpenLDAP 
server: oVirt, Postfix, Dovecot, Atlassian, Cisco, etc...

Suggestions?




k
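Added example (not from the post or from Ceph): it decodes the radosgw-token blob quoted above to show the fields rgw expects, and builds the LDAP search filter rgw derives from rgw_ldap_dnattr and rgw_ldap_searchfilter (an AND of dnattr=id and the searchfilter, or @USERNAME@ substitution when present) so the lookup can be replayed with ldapsearch before debugging the second, per-user bind. The @USERNAME@ handling and the RFC 4515 escaping of the id are this example's own additions, assumed rather than taken from the post.

```python
import base64
import json

# Constructed copy of the poster's rgw_ldap_* settings (not read from ceph.conf).
RGW_LDAP_DNATTR = "uid"
RGW_LDAP_SEARCHFILTER = "(objectClass=inetOrgPerson)"

# The radosgw-token output quoted in the post. It is only base64, not
# encrypted: "key" is the user's LDAP password in clear, so treat the
# s3cmd config holding it like a credential file.
TOKEN = ("ewogICAgIlJHV19UT0tFTiI6IHsKICAgICAgICAidmVyc2lvbiI6IDEsCiAgICAgICAgInR5"
         "cGUiOiAibGRhcCIsCiAgICAgICAgImlkIjogInByb21ldGhldXMiLAogICAgICAgICJrZXki"
         "OiAicHJvbWV0aGV1cyIKICAgIH0KfQo=")


def decode_rgw_token(token: str) -> dict:
    """Decode a radosgw-token blob and check it is a version-1 ldap token."""
    body = json.loads(base64.b64decode(token, validate=True))
    inner = body["RGW_TOKEN"]
    if inner.get("version") != 1 or inner.get("type") != "ldap":
        raise ValueError("not a version-1 ldap token")
    if not inner.get("id") or not inner.get("key"):
        raise ValueError("token lacks id or key")
    return inner


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so an id cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def rgw_search_filter(uid: str, dnattr: str = RGW_LDAP_DNATTR,
                      searchfilter: str = RGW_LDAP_SEARCHFILTER) -> str:
    """Filter rgw searches under rgw_ldap_searchdn, bound as rgw_ldap_binddn."""
    uid = escape_filter_value(uid)
    if not searchfilter:
        return "(%s=%s)" % (dnattr, uid)
    if "@USERNAME@" in searchfilter:          # assumed: documented substitution form
        return searchfilter.replace("@USERNAME@", uid)
    return "(&(%s=%s)%s)" % (dnattr, uid, searchfilter)


if __name__ == "__main__":
    tok = decode_rgw_token(TOKEN)
    print("id=%s type=%s" % (tok["id"], tok["type"]))
    print("ldapsearch filter:", rgw_search_filter(tok["id"]))
```

If the search with this filter returns exactly one DN but rgw still logs reason=-13, the remaining step to check is the bind as that DN with the token's key.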
