Bug #23566

open

Ganesha-rgw unable to do LDAP auth

Added by Ben Meekhof about 6 years ago. Updated almost 6 years ago.

Status: New
Priority: Normal
Assignee:
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

It appears that rgw-nfs Ganesha is not correctly authenticating LDAP tokens.

The Ganesha config for the RGW FSAL references a client instance with a config known to work for HTTP S3 clients using LDAP tokens. As described below, it appears that the instance is looking up the user from the token but failing to authenticate properly.

In the ganesha.conf RGW FSAL, the setting 'Access_Key_Id' is set to an LDAP token; that token encodes a user 'myuser' with secret 'whatever'. The 'User_id' and 'Secret_access_key' settings are blank; they cannot be left out or the config parser complains, but I would expect they are unused in this context.

In ganesha log it seems to pick up what you'd expect out of the ldap token:
2018-03-09 11:21:27.513315 7fafbfd861c0 12 auth search filter: (uid=myuser)

(I have seen that there would be an 'auth simple_bind failed' message from the rgw instance if there were an issue at this point)

And in ldap logs it appears to bind:
[09/Mar/2018:11:21:27.637588220 -0500] conn=8965 op=0 BIND dn="uid=myuser,ou=RGWUsers,dc=example,dc=org" method=128 version=3

But I still have this in the ganesha log:
09/03/2018 11:21:27 : epoch 5aa2b485 : host.example : ganesha.nfsd-363383[main] create_export :FSAL :CRIT :Authorization Failed for user

That's not truncated, it's using the User_id setting which is an empty string. As a further test, if I put a string matching the correct username into the ganesha FSAL User_id setting it still does not work but that string shows up in the 'Failed for user' message.

The net result is the share doesn't initialize.
09/03/2018 11:21:27 : epoch 5aa2b485 : host.example : ganesha.nfsd-363383[main] mdcache_fsal_create_export :FSAL :MAJ :Failed to call create_export on underlying FSAL RGW

This same configuration has no issues if I use radosgw-admin to create a user that does not use LDAP for authentication and configure with those credentials. Likewise, the same ldap token I am using for Access_Key_Id in my ganesha.conf is working fine via an rgw http instance.
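
A local check that the value placed in 'Access_Key_Id' decodes to the expected user, added here as an example; it is not part of the original report or of Ceph's code. It assumes the token layout Ceph documents for radosgw-token output (base64 of a JSON object whose RGW_TOKEN member holds version, type, id and key); the function names are hypothetical and the sample token is constructed from the 'myuser' / 'whatever' values in the report.

```python
import base64
import binascii
import json


def encode_ldap_token(user, secret):
    """Build a token in the assumed radosgw-token layout (constructed sample data)."""
    doc = {"RGW_TOKEN": {"version": 1, "type": "ldap", "id": user, "key": secret}}
    return base64.b64encode(json.dumps(doc).encode()).decode()


def inspect_rgw_token(value):
    """Decode an Access_Key_Id value; return (fields, problems) without echoing the secret."""
    problems = []
    if value != value.strip():
        problems.append("value has leading/trailing whitespace")
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        return None, problems + [f"not valid base64: {exc}"]
    try:
        body = json.loads(raw)["RGW_TOKEN"]
    except (ValueError, KeyError, TypeError):
        return None, problems + ["no RGW_TOKEN object in decoded JSON"]
    if not isinstance(body, dict):
        return None, problems + ["RGW_TOKEN is not a JSON object"]
    if body.get("type") != "ldap":
        problems.append(f"type is {body.get('type')!r}, expected 'ldap'")
    for field in ("id", "key"):
        if not isinstance(body.get(field), str) or not body[field]:
            problems.append(f"{field!r} is missing or empty")
    fields = {
        "version": body.get("version"),
        "type": body.get("type"),
        "id": body.get("id"),
        # The token carries the LDAP password in clear text; report its length only.
        "key_len": len(body["key"]) if isinstance(body.get("key"), str) else 0,
    }
    return fields, problems


if __name__ == "__main__":
    token = encode_ldap_token("myuser", "whatever")  # constructed, not from the ticket
    print(inspect_rgw_token(token))
    print(inspect_rgw_token(token + "\n"))
    print(inspect_rgw_token("not-a-token!!"))
```

Because the token is only encoded, not encrypted, a ganesha.conf that holds it needs the same file permissions as one holding a plain password.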

Actions #1

Updated by Orit Wasserman almost 6 years ago

  • Assignee set to Matt Benjamin