Bug #40406
closed
USERNAME ldap token not replaced in rgw client
Description
Hi,
Referencing from http://docs.ceph.com/docs/mimic/radosgw/ldap-auth/#specifying-a-complete-filter
With the following specified in ceph.conf:
rgw_ldap_searchfilter = "(&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=USERNAME))"
the auth search filter for "user" should be:
(&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=user))
However the result is:
(&((&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=USERNAME)))(uid=user))
Logs:
2019-06-18 14:51:31.238 7fae78f76700 12 auth search filter: (&((&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=USERNAME)))(uid=user))
2019-06-18 14:51:31.238 7fae78f76700 5 auth ldap_search_s error uid=crawler ldap err=-7
2019-06-18 14:51:31.243 7fae78f76700 5 auth ldap_search_s error uid=crawler ldap err=-7
2019-06-18 14:51:31.243 7fae78f76700 20 rgw::auth::s3::LDAPEngine denied with reason=-13
Updated by Thomas Kriechbaumer almost 5 years ago
The documentation is missing the necessary "@" characters around the USERNAME token.
I already sent a PR about two months ago... https://github.com/ceph/ceph/pull/27964
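The behaviour reported above, as an added Python sketch (not Ceph source code and not part of the original thread): it models the filter composition visible in the log and adds a small check for the undelimited token. The function names and the `dnattr` parameter (defaulting to `uid`, the attribute seen in the log) are assumptions made for illustration.

```python
import re

TOKEN = "@USERNAME@"  # delimited form, per the comment above

# Filter as given in the bug description, and the same filter with the
# "@" delimiters added (constructed from the description for this example).
DOC_FILTER = "(&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=USERNAME))"
FIXED_FILTER = "(&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=@USERNAME@))"


def build_search_filter(searchfilter, uid, dnattr="uid"):
    """Model of the composition seen in the log (assumed logic, not Ceph code).

    With the delimited token present, the value is treated as a complete
    filter and the token is substituted. Without it, the value is treated
    as a partial filter and ANDed with (<dnattr>=<uid>).
    """
    if TOKEN in searchfilter:
        return searchfilter.replace(TOKEN, uid)
    return f"(&({searchfilter})({dnattr}={uid}))"


def lint_searchfilter(searchfilter):
    """Return warnings for a configured rgw_ldap_searchfilter value."""
    warnings = []
    # Drop correctly delimited tokens, then look for a leftover bare word.
    remainder = searchfilter.replace(TOKEN, "")
    if re.search(r"\bUSERNAME\b", remainder):
        warnings.append(
            "bare USERNAME found: it is matched literally, so the group "
            "membership clause never matches the logging-in user; "
            "write @USERNAME@"
        )
    if searchfilter.count("(") != searchfilter.count(")"):
        warnings.append("unbalanced parentheses in filter")
    return warnings


if __name__ == "__main__":
    for name, value in (("as documented", DOC_FILTER), ("with @ added", FIXED_FILTER)):
        print(name, "->", build_search_filter(value, "user"))
        for warning in lint_searchfilter(value):
            print("  warning:", warning)
```
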
Updated by Nathan Cutler almost 5 years ago
- Status changed from New to Resolved
- Pull request ID set to 27964
Updated by Nathan Cutler almost 5 years ago
- Status changed from Resolved to Pending Backport
- Backport set to nautilus, mimic
Updated by Nathan Cutler almost 5 years ago
- Copied to Backport #40672: nautilus: USERNAME ldap token not replaced in rgw client added
Updated by Nathan Cutler almost 5 years ago
- Copied to Backport #40673: mimic: USERNAME ldap token not replaced in rgw client added
Updated by Nathan Cutler over 4 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved".