
Mongodb rs cluster ldap configuration

bsiara (Novice)
Hi, I want to switch my rs cluster from sasl-ldap to a direct ldap connection, this is my configuration:
systemLog:
  destination: file
  path: /data/mongod.log
  logAppend: true
  logRotate: reopen
  component:
    accessControl:
      verbosity: 5
storage:
  engine: wiredTiger
  dbPath: /data/db
  directoryPerDB: true
  journal:
    enabled: true
  wiredTiger:
    engineConfig:
      cacheSizeGB: 1
      directoryForIndexes: true
processManagement:
  fork: true
net:
  bindIp: 127.0.0.1,192.168.0.20
  port: 27017
operationProfiling:
  slowOpThresholdMs: 100
replication:
  replSetName: rs1
  oplogSizeMB: 256
security:
  keyFile: /data/keyfile            # shared secret used for intra-cluster (member) authentication
  clusterAuthMode: keyFile
  authorization: enabled
  ldap:
    servers: 'ldap.domain.com:10389'
    transportSecurity: 'none'       # mongod talks to the LDAP server in cleartext; 'tls' encrypts it
    bind:
      method: 'simple'              # simple bind: queryPassword and user passwords cross the wire as-is
      queryUser: 'uid=nobody,ou=people,dc=domain,dc=com'
      queryPassword: 'pass123'
    userToDNMapping:                # regex matched against the login name; capture group {0} fills the query
      '[
        {
           match: "(.+)",
           ldapQuery: "ou=people,dc=domain,dc=com??sub?(&(uid={0})(!(pwdAccountLockedTime=*))(!(description=tech)))"
        }
      ]'
    authz:                          # {USER} is the DN found above; each group DN returned becomes a role name
      queryTemplate: 'ou=groups,dc=domain,dc=com??sub?(&(objectClass=groupOfUniqueNames)(description=mongo)(uniqueMember={USER}))'
setParameter:
  authenticationMechanisms: "PLAIN,SCRAM-SHA-1,SCRAM-SHA-256"   # PLAIN sends the password in clear unless net.tls is enabled
Next I create a user in the $external database:
> db.createUser({"user": "user", "roles": [{"role": "read", "db": "db1"}], "mechanisms": ["PLAIN"] })
Successfully added user: {
	"user" : "user",
	"roles" : [
		{
			"role" : "read",
			"db" : "db1"
		}
	],
	"mechanisms" : [
		"PLAIN"
	]
}
During connection to mongo I get an error:
> db.auth({"mechanism": "PLAIN", "user": "user", "pwd": passwordPrompt(), "digestPassword": false})
Enter password: 
Error: SASL(-4): no mechanism available: No worthy mechs found
In my LDAP I store passwords in two hashes:
sambaNTPassword
userPassword: ssha hash
Please help me, what am I doing wrong?

Comments

  • Igor Solodovnikov (Percona Staff), edited July 17
    Hello @bsiara
    have you tried to authorize from the command line like this:
    mongo -u "user" -p --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
    Does it return the same error?
    What LDAP server do you use?
    One note: you don't need to add the LDAP user to the $external database. With native LDAP authentication this is not necessary. (But this is not the reason for the issue.)
  • bsiara (Novice)
    Thanks for your reply; using the mongo command I get the same error:
    mongo -u "user" -p --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
    Percona Server for MongoDB shell version v4.2.8-8
    Enter password: 
    connecting to: mongodb://127.0.0.1:27017/?authMechanism=PLAIN&authSource=%24external&compressors=disabled&gssapiServiceName=mongodb
    2020-07-17T19:41:52.396+0000 E  QUERY    [js] Error: SASL(-4): no mechanism available: No worthy mechs found :
    connect@src/mongo/shell/mongo.js:341:17
    @(connect):3:6
    2020-07-17T19:41:52.401+0000 F  -        [main] exception: connect failed
    2020-07-17T19:41:52.401+0000 E  -        [main] exiting with code 1
    As the LDAP server I use Apache Directory Server. OK, I deleted the user from the $external database, but the same error occurs.
  • Igor Solodovnikov (Percona Staff), edited August 11
    Hello @bsiara,
    Your configuration looks good. I don't know exactly what is going wrong. To debug it I would try to execute the LDAP query using the 'ldapsearch' utility from the openldap package. Something like this:
    ldapsearch -h ldap.domain.com -p 10389 -v -w pass123 -D uid=nobody,ou=people,dc=domain,dc=com -L -b ou=people,dc=domain,dc=com -s sub
    
    With this command you can ensure that your LDAP server accepts connections.
    Also you can try to switch bind mode from 'simple' to 'sasl'.
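The query templates from the configuration in the question, and the ldapsearch check suggested in the last comment, as an added worked example that is not part of this thread and not MongoDB's own code. It resolves userToDNMapping and authz.queryTemplate the way mongod has to (regex match on the login name, then {0} and {USER} substitution into the RFC 4516 base?attrs?scope?filter form), hex-escapes the substituted values per RFC 4515 so a login name such as *)(uid=admin cannot rewrite the filter, and prints the equivalent ldapsearch command for the same bind account and base. The hostnames, port and DNs are the ones from the post; that the match regex must cover the whole username, that placeholders are only substituted inside the filter part, and the use of -x -W (prompting for the password instead of putting it on the command line) are assumptions of this example.

```python
"""Added example (editor's code, not from the post and not MongoDB's):
resolve the security.ldap query templates from the mongod.conf above and
emit the equivalent ldapsearch command for checking the directory offline."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Templates copied verbatim from the security.ldap section of the post.
USER_TO_DN_MAPPING = [
    {
        "match": "(.+)",
        "ldapQuery": "ou=people,dc=domain,dc=com??sub?"
                     "(&(uid={0})(!(pwdAccountLockedTime=*))(!(description=tech)))",
    },
]
AUTHZ_QUERY_TEMPLATE = (
    "ou=groups,dc=domain,dc=com??sub?"
    "(&(objectClass=groupOfUniqueNames)(description=mongo)(uniqueMember={USER}))"
)
LDAP_HOST, LDAP_PORT = "ldap.domain.com", 10389          # security.ldap.servers
BIND_DN = "uid=nobody,ou=people,dc=domain,dc=com"        # security.ldap.bind.queryUser

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot close or extend the surrounding filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapQuery:
    base: str
    attributes: List[str]
    scope: str
    filter: str


def parse_ldap_query(query: str) -> LdapQuery:
    """Split the RFC 4516 'base?attrs?scope?filter' form that mongod expects."""
    parts = query.split("?", 3)
    if len(parts) != 4:
        raise ValueError(f"expected base?attrs?scope?filter, got {query!r}")
    base, attrs, scope, flt = parts
    scope = scope or "base"          # RFC 4516 default for an empty scope field
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return LdapQuery(base, [a for a in attrs.split(",") if a], scope, flt)


def map_user_to_query(username: str) -> Optional[LdapQuery]:
    """Apply userToDNMapping: the first rule whose regex matches wins.

    Assumption of this example: the regex must match the whole login name, and
    capture groups fill {0}, {1}, ... only inside the filter part (the templates
    on this page use placeholders nowhere else)."""
    for rule in USER_TO_DN_MAPPING:
        m = re.fullmatch(rule["match"], username)
        if m is None:
            continue
        q = parse_ldap_query(rule["ldapQuery"])   # parse first, then substitute
        flt = q.filter
        for i, group in enumerate(m.groups()):
            flt = flt.replace("{%d}" % i, escape_filter_value(group))
        return LdapQuery(q.base, q.attributes, q.scope, flt)
    return None


def authz_query(user_dn: str) -> LdapQuery:
    """Fill {USER} in authz.queryTemplate with the DN found by the user query."""
    q = parse_ldap_query(AUTHZ_QUERY_TEMPLATE)
    return LdapQuery(q.base, q.attributes, q.scope,
                     q.filter.replace("{USER}", escape_filter_value(user_dn)))


def to_ldapsearch(q: LdapQuery, host: str = LDAP_HOST, port: int = LDAP_PORT,
                  bind_dn: str = BIND_DN) -> str:
    """Equivalent OpenLDAP ldapsearch line: simple bind as the query user,
    password prompted with -W instead of exposed in the process list."""
    argv = ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}", "-D", bind_dn, "-W",
            "-b", q.base, "-s", q.scope, q.filter, *q.attributes]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # "user" is the login from the post; the second name is a constructed hostile input.
    for name in ("user", "*)(uid=admin"):
        print(to_ldapsearch(map_user_to_query(name)))
    print(to_ldapsearch(authz_query("uid=user,ou=people,dc=domain,dc=com")))
```

Run the printed commands against the directory: the first must return exactly one entry for the login name (its DN is what mongod binds as), and the second, with that DN substituted, must return the groups whose DNs are expected to appear as role names.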