LDAP Authentication Setup

Hello there!

we are considering switching our rather simple MongoDB setup to Percona Server for MongoDB, mainly to leverage the LDAP authentication option. This way our scientists would be able to access the database with the same credentials they use for many of the other services we provide.

However, I’m having a hard time setting it up.

Two errors I keep bumping into while trying to log in through the mongo shell are:

Error: Unsupported mechanism 'SCRAM-SHA-1' on authentication database '$external'

When trying to log in without specifying the authentication mechanism, or when specifying SCRAM-SHA-1 explicitly:

db.getSiblingDB("$external").auth({user: "user@example.com", pwd: "secret", mechanism: "SCRAM-SHA-1"})
or
db.getSiblingDB("$external").auth({user: "user@example.com", pwd: "secret"})

The error shows in the shell itself.

And

"result":"OperationFailed: SASL step did not complete: (no mechanism available)"

When trying to log in and specifying the mechanism as PLAIN:
db.getSiblingDB("$external").auth({user: "user@example.com", pwd: "secret", mechanism: "PLAIN"})

The only immediate result is "Authentication failed", but the error is logged in the MongoDB log file.

I have the following configured:

/etc/saslauth.conf
ldap_servers: ldaps:example.com
ldap_mech: SCRAM-SHA-1,PLAIN
ldap_search_base: ou=users,dc=example,dc=com
ldap_filter: (cn=%u)
ldap_bind_dn: cn=User,ou=users,dc=example,dc=com
ldap_password: JR2u2zY##

/etc/mongod.conf
security:
  authorization: enabled

setParameter:
  authenticationMechanisms: PLAIN,MONGODB-X509,SCRAM-SHA-1,SCRAM-SHA-256
  saslauthdPath: /var/run/saslauthd/mux/mux

/etc/sasl2/mongodb.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux/mux
log_level: 5
mech_list: PLAIN,SCRAM-SHA-1

The error that says 'unsupported mechanism' appears to be the same error one would get when trying to use external authentication on the regular MongoDB Community edition (i.e. not Enterprise, for which we are unwilling to fork out many k's per year).

I figured it shouldn’t show up while using Percona Server, but maybe I’m missing something.

Please, help us, fellow forum members, you’re my only hope!


Hello @Cis

Percona Server for MongoDB implemented LDAP support in two stages:

  1. External authentication, using saslauthd as a proxy to access the LDAP server. At this stage there was no way to use LDAP for authorization of mongo users. I guess you are using some instructions describing the config for this feature. One example of such instructions is here.
  2. Full LDAP support for authentication and authorization. This is implemented using the libldap library, so there is no need for a saslauthd proxy and no need to configure it. Please take a look at Authenticate and Authorize Users Using Active Directory via Native LDAP for an example configuration.

I recommend using the second stage because it is simpler to configure and provides more features.

For more information and a comparison between PSMDB and MongoDB Enterprise, take a look at the External Authentication with Percona Server for MongoDB and MongoDB Enterprise presentation.

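A worked mongod.conf for the second stage recommended in the answer above, added here as an editorial example; it is not code from the thread or a verbatim copy of Percona's documentation. The security.ldap.* keys are the native-LDAP options Percona Server for MongoDB shares with MongoDB Enterprise; the hostname, DNs, bind account, password and the mail-attribute lookup are placeholders. Two points help when reading the errors in the question: SCRAM users live inside MongoDB itself, so authenticating against $external only ever works with external mechanisms such as PLAIN or MONGODB-X509, which is why 'Unsupported mechanism SCRAM-SHA-1' on $external is expected rather than a sign that something is broken; and on the saslauthd route, 'no mechanism available' is what libsasl2 reports when it cannot load a PLAIN plugin, which commonly means the cyrus-sasl-plain (RHEL family) or libsasl2-modules (Debian family) package is not installed.

```yaml
# /etc/mongod.conf for Percona Server for MongoDB using native LDAP (no saslauthd).
# Added example, not from the original thread. Hostname, DNs, the query user,
# its password and the (mail={0}) lookup are assumptions for illustration.
security:
  authorization: enabled
  ldap:
    # Assumed directory host; several can be given comma-separated.
    servers: "ldap.example.com"
    # PLAIN sends the user's password to mongod and mongod sends it to LDAP,
    # so keep TLS on for the LDAP leg (and run mongod with net.tls as well).
    transportSecurity: tls
    bind:
      # Assumed read-only service account used to look up users and groups.
      queryUser: "cn=mongo-svc,ou=services,dc=example,dc=com"
      # Assumed; restrict this file to the mongod user (mode 0600).
      queryPassword: "change-me"
    # Map the login name (e.g. user@example.com) to a DN by searching the
    # users subtree for a matching mail attribute. Assumed attribute choice.
    userToDNMapping: >-
      [{ "match": "(.+)", "ldapQuery": "ou=users,dc=example,dc=com??sub?(mail={0})" }]
    authz:
      # {USER} is the DN found above; its memberOf values become role names.
      queryTemplate: "{USER}?memberOf?base"

setParameter:
  # PLAIN for LDAP users on $external; SCRAM kept for local admin accounts.
  authenticationMechanisms: PLAIN,SCRAM-SHA-256
```

With this in place an LDAP user authenticates from the shell with db.getSiblingDB("$external").auth({user: "user@example.com", pwd: "secret", mechanism: "PLAIN"}). Each group DN returned by the authz query must also exist as a role name in the admin database (created with createRole, granting the built-in roles you want that group to have); otherwise the user authenticates but holds no privileges. Keep the bind account limited to read access on the user subtree, since its password sits in this file.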