Bug #40406

USERNAME ldap token not replaced in rgw client

Added by Ween Jiann Lee 2 months ago. Updated about 2 months ago.

Status: Pending Backport
Priority: Normal
Assignee: -
Target version:
Start date: 06/18/2019
Due date:
% Done: 0%
Source:
Tags: ldap rgw s3
Backport: nautilus, mimic
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

Hi,

Referencing from http://docs.ceph.com/docs/mimic/radosgw/ldap-auth/#specifying-a-complete-filter

Specifying the following in ceph.conf:
rgw_ldap_searchfilter = "(&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=USERNAME))"

should result in the auth search filter for "user" being:
(&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=user))

However the result is:
(&((&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=USERNAME)))(uid=user))

Logs:
2019-06-18 14:51:31.238 7fae78f76700 12 auth search filter: (&((&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=USERNAME)))(uid=user))
2019-06-18 14:51:31.238 7fae78f76700 5 auth ldap_search_s error uid=crawler ldap err=-7
2019-06-18 14:51:31.243 7fae78f76700 5 auth ldap_search_s error uid=crawler ldap err=-7
2019-06-18 14:51:31.243 7fae78f76700 20 rgw::auth::s3::LDAPEngine denied with reason=-13


Related issues

Copied to rgw - Backport #40672: nautilus: USERNAME ldap token not replaced in rgw client Resolved
Copied to rgw - Backport #40673: mimic: USERNAME ldap token not replaced in rgw client New

History

#1 Updated by Thomas Kriechbaumer about 2 months ago

The documentation is missing the necessary "@" characters around the USERNAME token.
I already sent a PR about two months ago... https://github.com/ceph/ceph/pull/27964
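
Added example (not part of the original report or comments, and not Ceph's own code): the Python below models the two filter shapes seen in this issue and checks a ceph.conf fragment and rgw log lines for a USERNAME token that lacks its "@" delimiters. The function names, the `attr` parameter and the second sample log line are assumptions made for the example.

```python
import re

TOKEN = "@USERNAME@"  # delimited placeholder, per comment #1 on this page

def build_filter(searchfilter, username, attr="uid"):
    """Model of the two outcomes in this report (not Ceph's source code)."""
    if TOKEN in searchfilter:
        # Placeholder present: the username is substituted in place.
        return searchfilter.replace(TOKEN, username)
    # No placeholder found: the whole filter is ANDed with (attr=username),
    # which is the shape of the filter in the reporter's log line.
    return f"(&({searchfilter})({attr}={username}))"

def has_bare_token(text):
    """True if USERNAME appears without both '@' delimiters."""
    return "USERNAME" in text.replace(TOKEN, "")

# ceph.conf accepts option names written with spaces or underscores.
CONF_RE = re.compile(r'^\s*rgw[ _]ldap[ _]searchfilter\s*=\s*"?(.*?)"?\s*$')
LOG_RE = re.compile(r"auth search filter: (.+)$")

def lint_conf(conf_text):
    """Return configured search filters that carry an undelimited USERNAME."""
    hits = []
    for line in conf_text.splitlines():
        m = CONF_RE.match(line)
        if m and has_bare_token(m.group(1)):
            hits.append(m.group(1))
    return hits

def unsubstituted_in_log(log_lines):
    """Return logged filters where the literal token reached the LDAP query."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line.rstrip())
        if m and has_bare_token(m.group(1)):
            hits.append(m.group(1))
    return hits

# Filter from the report, and the same filter with the '@' delimiters added.
REPORTED = "(&(objectClass=groupOfUniqueNames)(cn=ceph)(uniqueMember=uid=USERNAME))"
DELIMITED = REPORTED.replace("USERNAME", TOKEN)
PREFIX = "7fae78f76700 12 auth search filter: "
# First line mirrors the reporter's log line; the second is constructed for contrast.
SAMPLE_LOG = [
    "2019-06-18 14:51:31.238 " + PREFIX + build_filter(REPORTED, "user"),
    "2019-06-18 14:51:32.000 " + PREFIX + build_filter(DELIMITED, "user"),
]

if __name__ == "__main__":
    print(lint_conf(f'rgw_ldap_searchfilter = "{REPORTED}"'))
    print(unsubstituted_in_log(SAMPLE_LOG))
```
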

#2 Updated by Nathan Cutler about 2 months ago

  • Status changed from New to Resolved
  • Pull request ID set to 27964

#3 Updated by Nathan Cutler about 2 months ago

  • Status changed from Resolved to Pending Backport
  • Backport set to nautilus, mimic

#4 Updated by Nathan Cutler about 2 months ago

  • Copied to Backport #40672: nautilus: USERNAME ldap token not replaced in rgw client added

#5 Updated by Nathan Cutler about 2 months ago

  • Copied to Backport #40673: mimic: USERNAME ldap token not replaced in rgw client added
