Adding a gateway user

Create an LDAP user for the Ceph Object Gateway.

Before you begin

Before creating the gateway user, ensure that the Ceph Object Gateway does not already have the user.
radosgw-admin metadata list user
For example,
[ceph: root@host01 /]# radosgw-admin metadata list user
Look in the output to be sure that the username is not in this list of users.

Procedure

  1. Create an LDAP user for the Ceph Object Gateway, and make note of the binddn.
    Since the Ceph Object Gateway uses the ceph user, consider using ceph as the username. The user needs to have permission to search the directory. The Ceph Object Gateway binds to this user as specified in rgw_ldap_binddn.
  2. Test to verify that the user creation worked.
    For example, search for the user whose user ID (uid) is ceph in the People organizational unit of the example.com domain. The search binds as that same user, so a successful result also confirms that the bind DN and password work.
    # ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'
  3. On each gateway node, create a file for the user’s secret.
    For example, the secret might be stored in a file named /etc/bindpass.
    For security, change the owner of this file to the ceph user and group, and restrict its permissions so that it is not globally readable.
  4. Add the rgw_ldap_secret option.
    ceph config set client.rgw OPTION VALUE
    For example,
    [ceph: root@host01 /]# ceph config set client.rgw rgw_ldap_secret /etc/bindpass
  5. Bind-mount the bind password file into the Ceph Object Gateway container by adding it to the Ceph Object Gateway specification, then reapply the specification.
    For example,
    service_type: rgw
    service_id: rgw.1
    service_name: rgw.rgw.1
    placement:
      label: rgw
    extra_container_args:
    - -v
    - /etc/bindpass:/etc/bindpass
    Note: /etc/bindpass is not included automatically with IBM Storage Ceph. Check that the content is available on all the possible Ceph Object Gateway instance nodes.
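The following script is an added example, not part of the IBM Storage Ceph documentation: it performs the pre-flight checks behind the steps above offline, against constructed sample data. It assumes bash with coreutils (ls, mktemp, id) and grep; the function names and the sample user listing are assumptions, not output from a live cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the IBM Storage Ceph documentation. Pre-flight checks
# for the LDAP gateway user procedure, using constructed sample data.

# Return 0 when USERNAME does not appear in saved output of
# "radosgw-admin metadata list user" (a JSON array of quoted names).
gateway_user_absent() {
    local username="$1" listing="$2"
    ! grep -qE "^[[:space:]]*\"${username}\",?[[:space:]]*$" "$listing"
}

# Return 0 when FILE is a regular file with no group/other permission bits
# (only its owner can read the bind password) and, if OWNER is given,
# is owned by that user, as step 3 requires for the ceph user.
secret_file_is_private() {
    local file="$1" owner="${2:-}" perms actual_owner
    [ -f "$file" ] || return 1
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] || return 1
    if [ -n "$owner" ]; then
        actual_owner=$(ls -ld "$file" | awk '{print $3}')
        [ "$actual_owner" = "$owner" ] || return 1
    fi
    return 0
}

# Write the bind password to FILE so that it is never world-readable, even
# briefly: the restrictive umask applies before the file is created.
write_bind_secret() {
    local file="$1" secret="$2"
    ( umask 077 && printf '%s\n' "$secret" > "$file" )
}

# Constructed sample data standing in for live cluster output and the real
# /etc/bindpass on a gateway node.
workdir=$(mktemp -d)
cat > "$workdir/users.json" <<'EOF'
[
    "s3admin",
    "backup-svc"
]
EOF
write_bind_secret "$workdir/bindpass" 'constructed-example-password'

gateway_user_absent ceph "$workdir/users.json" \
    && echo "ok: no existing gateway user named ceph"
secret_file_is_private "$workdir/bindpass" "$(id -un)" \
    && echo "ok: $workdir/bindpass is readable only by its owner"
```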