LDAP Configuration issue inside container

MongoDB Percona Server for MongoDB
,
1

Hi,
I’m trying to set up LDAP for recently created Percona Server for MongoDB but I’m still struggling with some issues
I’ve been following this doc:

I’m using official PSMDB image downloaded with

docker.io/percona/percona-server-mongodb:7.0.2

I’m following all required commands step by step:

sudo  yum install -y cyrus-sasl
sudo sed -i -e s/^MECH=pam/MECH=ldap/g /etc/sysconfig/saslauthd

My handmade /etc/saslauthd.conf file looks like this:

ldap_servers: ldap://subdomain.domain.top-level-domain:389
ldap_mech: PLAIN
ldap_search_base: OU=my-ou,DC=subdomain,DC=domain,DC=top-level-domain
ldap_bind_dn: CN=ldap-user,CN=users,OU=my-ou,DC=subdomain,DC=domain,DC=top-level-domain
ldap_password: 'my-password'

I’m unable to use systemctl inside container so I had to run saslauthd with the one of commands below:

saslauthd -a ldap
saslauthd -d -a ldap

sudo chmod 755 /run/saslauthd

It’s weird as sasl group does not exist while I tried to add this:

sudo usermod -a -G sasl mongod

At last I’m testing the connection with test command:

testsaslauthd -u ldap-user -p my-password  -f /var/run/saslauthd/mux

The error below is going to be displayed instantly right after executing test command:

0: NO "authentication failed"

As for me it’s strange as I need to define auth method in command although it has been set in /etc/saslauthd.conf before. Moreover it seems like a config is being ignored completely by the command

I’ve been testing my ldap connection with ldapsearch - it’s fine. It’s been also tested in local Ubuntu environment. Although the systemctl is available here, I’m still getting the same error.

Could somebody advise please what’s wrong?
Thanks in advance

2

Please halp, there’re my logs.

 : attempting a read lock on slot: 77
:[login=me] [service=imap] [realm=]: not found, update pending
: attempting to release lock on slot: 77
: acquired accept lock
 Authentication failed for me: Bind to ldap server failed (invalid user/password or insufficient access) (-7)
                 : auth failure: [user=me] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
                 : response: NO

Updated config:

ldap_servers: ldap://subdomain.domain.top-level-domain:389
ldap_mech: PLAIN
ldap_search_base: OU=my-ou,DC=subdomain,DC=domain,DC=top-level-domain
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: CN=ldap-admin-user,OU=my-ou,DC=subdomain,DC=domain,DC=top-level-domain
ldap_password: "my password"
ldap_debug: -1

/etc/default/saslauthd

MECHANISMS="ldap"
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -V -m /var/run/saslauthd -O /etc/saslauthd.conf"

I have built image of OpenLDAP server in container and this one works perfectly, unfortunately I need LDAP directly from AD to be working as well

3

I got it at last. The issue is a password including some special characters like @, #, $ etc. inside saslauthd.conf file. For example, you cannot use quotation marks like this as it’s not going to work

ldap_password: "my-password"

Another account has been used for auth process that has no special characters, just letters and digits

ldap_password: normalpassword2137