https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/ceph-object-gateway-with-ldap-ad-guide/
Created attachment 1182539 [details]
Additional instructions for trusting LDAP CA

Hi John, here are some additional instructions for trusting the LDAP Certificate Authority on the RGW nodes. Would you please add this information to the Asciidoc source at https://gitlab.cee.redhat.com/red-hat-ceph-storage-documentation/ceph-rgw-to-ldap-ad ?
Our LDAP doc directly talks about the cert generation step when it comes to LDAP config. Can somebody point me to the right doc for Red Hat DS configuration? The one provided in the doc has the information for configuring SSL for Red Hat DS scattered across it. I tried a couple of times to bring it up with SSL but no luck. If somebody already knows the proper steps, that would be a really great help for me to continue. Even from the customer's perspective there should be a proper flow for configuring Red Hat DS, cert generation, etc.
We should probably also incorporate the following troubleshooting commands, somehow:

1. To examine a PEM-formatted X.509 certificate file "cacert.asc" before adding it as trusted on the RGW LDAP client:

    openssl x509 -in cacert.asc -noout -text

   For the certificate authority, the "Issuer" and "Subject" should be the same there.

2. To examine the LDAPS certificate chain that the LDAP server sends to the RGW LDAP client:

    openssl s_client -connect ldapserver.example.com:636 < /dev/null | perl -0777 -nle 'print for m/(Certificate chain.*?)---/s'

   This command will show the full certificate chain that the server sends as part of the SSL exchange, and you should see the Subject for the CA listed there. It should match the "openssl x509 ... -text" command above.

3. On RHEL, to examine the list of trusted CAs in the NSSDB trust store in /etc/openldap/certs:

    certutil -L -d /etc/openldap/certs

4. Similarly on RHEL, to examine a particular CA (example "My Org CA cert") in the NSSDB trust store:

    certutil -L -d /etc/openldap/certs -n "My Org CA cert"
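The manual comparison described in the comment above (CA Subject equals its Issuer; the server certificate's Issuer equals the CA's Subject; the chain verifies) scripted with openssl, as an added example that is not part of the bug report or of the Red Hat documentation. File names, the demo CA/server names and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check that the CA certificate you are
# about to trust on the RGW node is the one that actually issued the LDAP
# server's certificate, using only openssl. All paths and names are assumptions.
set -eu

# Print the Subject of a PEM certificate in canonical RFC 2253 form.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
# Print the Issuer of a PEM certificate in the same form.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

# A CA certificate must be self-issued: Subject equals Issuer.
is_ca_self_issued() { [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; }

# The server certificate's Issuer must equal the CA's Subject, and the chain
# must also verify under that CA (catches a wrong key, expiry, bad signature).
server_cert_issued_by() {  # $1 = server cert, $2 = CA cert
  [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ] &&
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Capture the chain an LDAPS server sends (same idea as the s_client command
# in the report) and keep only the first, i.e. the server's own, certificate.
fetch_server_cert() {  # $1 = host:port, $2 = output file
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
    awk '/BEGIN/{n++} n==1' > "$2"
}

# Constructed test material: a throwaway CA, a server cert it signs, and an
# unrelated CA. Nothing here is from the page; it exists only to exercise the checks.
make_demo_pki() {  # $1 = directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo LDAP CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldapserver.example.com" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}
```

Against a real server, run `fetch_server_cert ldapserver.example.com:636 srv.pem` and then `server_cert_issued_by srv.pem cacert.asc` before copying the CA into the RGW trust store.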
Moving this to Assigned state. Comments 4 and 5 need to be addressed.
I left the link to the downstream LDAPS docs for v10. I've removed the certutil steps so that users can just follow the downstream docs and man pages. I've added the steps to make RGW trust the LDAPS CA and reviewed the changes with Ken Dreyer. https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/single/ceph-object-gateway-with-ldap-ad-guide#configuring_ldaps
Small correction required:

[Section] 1.6. Adding a Gateway User

    # ldapsearch -x -D "uid=ceph,ou=People,dc=example dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'

A comma is required to separate "dc=example dc=com". The correct command should be:

    # ldapsearch -x -D "uid=ceph,ou=People,dc=example,dc=com" -W -H ldaps://example.com -b "ou=People,dc=example,dc=com" -s sub 'uid=ceph'
https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/single/ceph-object-gateway-with-ldap-ad-guide#adding_a_gateway_user
All the changes have been made, hence marking this as verified.