LDAP Authentication Setup

Hello there!

We are considering switching our rather simple MongoDB setup to Percona Server for MongoDB, mainly to leverage the LDAP authentication option. This way our scientists would be able to access the database with the same credentials used for many of the other services we provide.

However, I’m having a hard time setting it up.

Two errors I keep bumping into while trying to login through the mongo shell are:

Error: Unsupported mechanism 'SCRAM-SHA-1' on authentication database '$external'

When trying to login without specifying the authentication mechanism, or when specifying SCRAM-SHA-1 explicitly.

db.getSiblingDB("$external").auth({user: "user@example.com", pwd: "secret", mechanism: "SCRAM-SHA-1"})
or
db.getSiblingDB("$external").auth({user: "user@example.com", pwd: "secret"})

The error shows in the shell itself.

And

"result":"OperationFailed: SASL step did not complete: (no mechanism available)"

When trying to log in and specifying the mechanism as PLAIN.
db.getSiblingDB("$external").auth({user: "user@example.com", pwd: "secret", mechanism: "PLAIN"})

The only immediate result in the shell is "Authentication failed", but the error above is logged in the mongod log file.

I have the following configured:

/etc/saslauth.conf
ldap_servers: ldaps:example.com
ldap_mech: SCRAM-SHA-1,PLAIN
ldap_search_base: ou=users,dc=example,dc=com
ldap_filter: (cn=%u)
ldap_bind_dn: cn=User,ou=users,dc=example,dc=com
ldap_password: JR2u2zY##

/etc/mongod.conf
security:
  authorization: enabled

setParameter:
  authenticationMechanisms: PLAIN,MONGODB-X509,SCRAM-SHA-1,SCRAM-SHA-256
  saslauthdPath: /var/run/saslauthd/mux/mux

/etc/sasl2/mongodb.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux/mux
log_level: 5
mech_list: PLAIN,SCRAM-SHA-1

The error that says ‘unsupported mechanism’ appears to be the same error one would get when trying to use external authentication on the regular MongoDB Community edition (i.e. not Enterprise, for which we are unwilling to fork out many k’s per year).

I figured it shouldn’t show up while using Percona Server, but maybe I’m missing something.

Please, help us, fellow forum members, you’re my only hope!

1 Like

Hello @Cis

Percona Server for MongoDB implemented LDAP support in two stages:

  1. External authentication, using saslauthd as a proxy to access the LDAP server. At this stage there was no way to use LDAP for authorization of mongo users. I guess you are using some instructions describing the config for this feature. One example of such instructions is here.
  2. Full LDAP support for authentication and authorization. This is implemented using the libldap library, so there is no need for a saslauthd proxy and no need to configure it. Please take a look at Authenticate and Authorize Users Using Active Directory via Native LDAP for an example configuration.

I recommend using the second stage because it is simpler to configure and provides more features.

For more information and comparison between PSMDB and MongoDB enterprise take a look at
External Authentication with Percona Server for MongoDB and MongoDB Enterprise presentation.

2 Likes
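To make the difference between the two stages concrete, here is an assumed mongod.conf for the second (native LDAP) stage. It is an added example, not configuration from the thread or from Percona's documentation; the option names are assumed to be the security.ldap keys that Percona Server for MongoDB shares with MongoDB Enterprise, and the host name, DNs and query user are placeholders. Note that it contains no saslauthdPath and no PLAIN/SCRAM mixing on $external: mongod binds to the directory itself.

```yaml
# Added example (not from the thread): assumed native-LDAP mongod.conf.
# Host names, DNs and the query user below are placeholders.
security:
  authorization: enabled
  ldap:
    servers: "ldap.example.com"
    transportSecurity: tls          # the query user's bind password must not travel in the clear
    bind:
      queryUser: "cn=mongo-query,ou=service,dc=example,dc=com"
      queryPassword: "<QUERY_USER_PASSWORD_PLACEHOLDER>"
    # Map the name typed at login to a full DN; {0} is the regex capture group.
    userToDNMapping: '[{ match: "(.+)", substitution: "cn={0},ou=users,dc=example,dc=com" }]'
    authz:
      # Ask the directory which groups the bound DN belongs to. Each group DN
      # returned must match the name of a role created in the admin database.
      queryTemplate: "{USER}?memberOf?base"
setParameter:
  # Clients authenticate with PLAIN against $external; SCRAM stays unsupported
  # there, which is exactly the first error in the original post.
  authenticationMechanisms: PLAIN
```

With authz.queryTemplate set, users do not need to be created in $external at all: you create a role in the admin database whose name is the group DN (for example a role named cn=mongo-rw,ou=groups,dc=example,dc=com with readWrite on the science database), and every LDAP member of that group receives it at login. PLAIN sends the user's password to mongod, so keep transportSecurity set to tls and require TLS on the client connection too.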

Wonderful! Thank you for the reply. We managed to set it up according to the information you provided, and it is now working as we expected.

We have some use cases where we would like to provide a specific user with their own database to use directly from their code.

  • We have the option to create a group for each of these users, but we would be kind of polluting the LDAP server with a bunch of single user groups.

  • Alternatively we’re also looking into whether it’s possible to return a dummy group per user, and use that Group to create a role. This feels a bit hacky though.

So then an extra question:

Do you know if there is a way to give permissions to a user and not to a group of users, while still using the LDAP authorization? I’ve tried creating a role with the exact DN of the user, but it didn’t take, as I had kind of expected.

1 Like

You should be able to accomplish this by creating the user directly in $external database and then granting whatever roles you need, for example:

db.getSiblingDB("$external").createUser({
  user: 'testUser',
  roles: [
    {role: "userAdminAnyDatabase", db: "admin"}
  ]
})
1 Like
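The per-user database from the extra question, following the answer above (a user created directly in $external with roles granted to it rather than to a group), as an added example that is not code from the thread or from Percona. It builds the createUser and auth documents as plain objects, checks them against a least-privilege rule, and applies them only when run inside mongosh (where db exists); under node it just exposes the builder functions. The principal and database name are constructed for illustration, and native LDAP with PLAIN on $external is assumed.

```javascript
// Added example, not from the forum thread or Percona's own code.
// Runs under node offline (builders only) and under mongosh via
// load("personal-db.js"), where `db` is defined and the plan is applied.
// Assumption: native LDAP (stage 2) with PLAIN over $external, and user
// names equal to the LDAP principal as mapped by userToDNMapping.

const EXTERNAL_DB = "$external";
const SYSTEM_DBS = ["admin", "local", "config", EXTERNAL_DB];

// Build the createUser document for one person's private database.
// Users in $external carry no password: the credential check is delegated
// to LDAP at auth time, so only the name and the roles are stored.
function buildPersonalDbUser(principal, dbName) {
  if (typeof principal !== "string" || principal.trim() === "") {
    throw new Error("principal must be a non-empty LDAP user name or DN");
  }
  if (!/^[A-Za-z0-9_-]+$/.test(dbName)) {
    throw new Error("dbName must be a plain identifier: " + dbName);
  }
  if (SYSTEM_DBS.includes(dbName)) {
    throw new Error("refusing to grant personal access to system database " + dbName);
  }
  return {
    user: principal,
    roles: [{ role: "readWrite", db: dbName }],
  };
}

// Least-privilege check: a personal-db user must hold no role on admin or
// config, no *AnyDatabase role and not root, however the document was built.
function violatesLeastPrivilege(userDoc) {
  return userDoc.roles.some(
    (r) => r.db === "admin" || r.db === "config" ||
           /AnyDatabase$/.test(r.role) || r.role === "root"
  );
}

// The document the user passes from their own code. This is the shape of
// db.getSiblingDB("$external").auth({...}); there is no password stored in
// MongoDB, so the mechanism must be PLAIN, not SCRAM.
function buildAuthDoc(principal, password) {
  return { user: principal, pwd: password, mechanism: "PLAIN" };
}

// mongosh-only: create the user, or add the role if the user already exists.
function applyPersonalDb(principal, dbName) {
  const userDoc = buildPersonalDbUser(principal, dbName);
  if (violatesLeastPrivilege(userDoc)) {
    throw new Error("personal-db plan is broader than readWrite on one database");
  }
  const ext = db.getSiblingDB(EXTERNAL_DB);
  if (ext.getUser(principal) === null) {
    ext.createUser(userDoc);
  } else {
    ext.grantRolesToUser(principal, userDoc.roles);
  }
  return ext.getUser(principal);
}

if (typeof db !== "undefined") {
  // Constructed example principal and database name for illustration.
  printjson(applyPersonalDb("user@example.com", "user_example_com"));
}
```

In mongosh the user then logs in with db.getSiblingDB("$external").auth(buildAuthDoc("user@example.com", "<password>")) and lands with readWrite on user_example_com only, so a single misplaced role on admin shows up as a thrown error before anything is created.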