Configuring LDAPS

The Ceph Object Gateway uses a simple ID and password to authenticate with the LDAP server, so the connection requires an SSL certificate for LDAP. Once the LDAP is working, configure the Ceph Object Gateway servers to trust the Directory Server’s certificate.

1. Extract/Download a PEM-formatted certificate for the Certificate Authority (CA) that signed the LDAP server’s SSL certificate.

2. Confirm that /etc/openldap/ldap.conf does not have TLS_REQCERT set.

3. Confirm that /etc/openldap/ldap.conf contains a TLS_CACERTDIR /etc/openldap/certs setting.

4. Use the certutil command to add the AD CA to the store at /etc/openldap/certs. For example, if the CA is "msad-frog-MSAD-FROG-CA", and the PEM-formatted CA file is ldap.pem, use the following command:

   Example

   # certutil -d /etc/openldap/certs -A -t "TC,," -n "msad-frog-MSAD-FROG-CA" -i /path/to/ldap.pem

5. Update SELinux on all remote LDAP sites:

   Example

   # setsebool -P httpd_can_network_connect on

   Note: This still has to be set even if SELinux is in permissive mode.

6. Make the certs database world-readable:

   Example

   # chmod 644 /etc/openldap/certs/*

7. Connect to the server using the "ldapwhoami" command as a non-root user.

   Example

   $ ldapwhoami -H ldaps://redhat-directory-server.example.com -d 9

   The -d 9 option will provide debugging information in case something went wrong with the SSL negotiation.