From 7da45d65be36d36b880cc55c5036e96c24b53f00 Mon Sep 17 00:00:00 2001 From: Qiaowei Ren Date: Thu, 1 Mar 2018 14:38:11 +0800 Subject: remove ceph code This patch removes initial ceph code, due to license issue. Change-Id: I092d44f601cdf34aed92300fe13214925563081c Signed-off-by: Qiaowei Ren --- src/ceph/doc/radosgw/ldap-auth.rst | 138 ------------------------------------- 1 file changed, 138 deletions(-) delete mode 100644 src/ceph/doc/radosgw/ldap-auth.rst (limited to 'src/ceph/doc/radosgw/ldap-auth.rst') diff --git a/src/ceph/doc/radosgw/ldap-auth.rst b/src/ceph/doc/radosgw/ldap-auth.rst deleted file mode 100644 index c67da04..0000000 --- a/src/ceph/doc/radosgw/ldap-auth.rst +++ /dev/null @@ -1,138 +0,0 @@ -=================== -LDAP Authentication -=================== - -.. versionadded:: Jewel - -You can delegate the Ceph Object Gateway authentication to an LDAP server. - -How it works -============ - -The Ceph Object Gateway extracts the users LDAP credentials from a token. A -search filter is constructed with the user name. The Ceph Object Gateway uses -the configured service account to search the directory for a matching entry. If -an entry is found, the Ceph Object Gateway attempts to bind to the found -distinguished name with the password from the token. If the credentials are -valid, the bind will succeed, and the Ceph Object Gateway will grant access. - -You can limit the allowed users by setting the base for the search to a -specific organizational unit or by specifying a custom search filter, for -example requiring specific group membership, custom object classes, or -attributes. - -Requirements -============ - -- **LDAP or Active Directory:** A running LDAP instance accessible by the Ceph - Object Gateway -- **Service account:** LDAP credentials to be used by the Ceph Object Gateway - with search permissions -- **User account:** At least one user account in the LDAP directory -- **Do not overlap LDAP and local users:** You should not use the same user - names for local users and for users being authenticated by using LDAP. The - Ceph Object Gateway cannot distinguish them and it treats them as the same - user. - -Sanity checks -============= - -Use the ``ldapsearch`` utility to verify the service account or the LDAP connection: - -:: - - # ldapsearch -x -D "uid=ceph,ou=system,dc=example,dc=com" -W \ - -H ldaps://example.com -b "ou=users,dc=example,dc=com" 'uid=*' dn - -.. note:: Make sure to use the same LDAP parameters like in the Ceph configuration file to - eliminate possible problems. - -Configuring the Ceph Object Gateway to use LDAP authentication -============================================================== - -The following parameters in the Ceph configuration file are related to the LDAP -authentication: - -- ``rgw_ldap_uri``: Specifies the LDAP server to use. Make sure to use the - ``ldaps://:`` parameter to not transmit clear text credentials - over the wire. -- ``rgw_ldap_binddn``: The Distinguished Name (DN) of the service account used - by the Ceph Object Gateway -- ``rgw_ldap_secret``: The password for the service account -- ``rgw_ldap_searchdn``: Specifies the base in the directory information tree - for searching users. This might be your users organizational unit or some - more specific Organizational Unit (OU). -- ``rgw_ldap_dnattr``: The attribute being used in the constructed search - filter to match a username. Depending on your Directory Information Tree - (DIT) this would probably be ``uid`` or ``cn``. -- ``rgw_search_filter``: If not specified, the Ceph Object Gateway - automatically constructs the search filter with the ``rgw_ldap_dnattr`` - setting. Use this parameter to narrow the list of allowed users in very - flexible ways. Consult the *Using a custom search filter to limit user access - section* for details - -Using a custom search filter to limit user access -================================================= - -There are two ways to use the ``rgw_search_filter`` parameter: - -Specifying a partial filter to further limit the constructed search filter --------------------------------------------------------------------------- - -An example for a partial filter: - -:: - - "objectclass=inetorgperson" - -The Ceph Object Gateway will generate the search filter as usual with the -user name from the token and the value of ``rgw_ldap_dnattr``. The constructed -filter is then combined with the partial filter from the ``rgw_search_filter`` -attribute. Depending on the user name and the settings the final search filter -might become: - -:: - - "(&(uid=hari)(objectclass=inetorgperson))" - -So user ``hari`` will only be granted access if he is found in the LDAP -directory, has an object class of ``inetorgperson``, and did specify a valid -password. - -Specifying a complete filter ----------------------------- - -A complete filter must contain a ``USERNAME`` token which will be substituted -with the user name during the authentication attempt. The ``rgw_ldap_dnattr`` -parameter is not used anymore in this case. For example, to limit valid users -to a specific group, use the following filter: - -:: - - "(&(uid=USERNAME)(memberOf=cn=ceph-users,ou=groups,dc=mycompany,dc=com))" - -.. note:: Using the ``memberOf`` attribute in LDAP searches requires server side - support from you specific LDAP server implementation. - -Generating an access token for LDAP authentication -================================================== - -The ``radosgw-token`` utility generates the access token based on the LDAP -user name and password. It will output a base-64 encoded string which is the -access token. - -:: - - # export RGW_ACCESS_KEY_ID="" - # export RGW_SECRET_ACCESS_KEY="" - # radosgw-token --encode --ttype=ldap - -.. note:: For Active Directroy use the ``--ttype=ad`` parameter. - -.. important:: The access token is a base-64 encoded JSON struct and contains - the LDAP credentials as a clear text. - -Testing access -============== - -Use your favorite S3 client and specify the token as the access key. -- cgit 1.2.3-korg