Mongodb rs cluster ldap configuration

MongoDB Percona Server for MongoDB
, , ,
1

Hi, I want to swich my rs cluster from sasl-ldap to direct ldap conection, this is my configuration:

systemLog:
destination: file
path: /data/mongod.log
logAppend: true
logRotate: reopen
component:
accessControl:
verbosity: 5
storage:
engine: wiredTiger
dbPath: /data/db
directoryPerDB: true
journal:
enabled: true
wiredTiger:
engineConfig:
cacheSizeGB: 1
directoryForIndexes: true
processManagement:
fork: true
net:
bindIp: 127.0.0.1,192.168.0.20
port: 27017
operationProfiling:
slowOpThresholdMs: 100
replication:
replSetName: rs1
oplogSizeMB: 256
security:
keyFile: /data/keyfile
clusterAuthMode: keyFile
authorization: enabled
ldap:
servers: 'ldap.domain.com:10389'
transportSecurity: 'none'
bind:
method: 'simple'
queryUser: 'uid=nobody,ou=people,dc=domain,dc=com'
queryPassword: 'pass123'
userToDNMapping:
'[
{
match: "(.+)",
ldapQuery: "ou=people,dc=domain,dc=com??sub?(&(uid={0})(!(pwdAccountLockedTime=*))(!(description=tech)))"
}
]'
authz:
queryTemplate: 'ou=groups,dc=domain,dc=com??sub?(&(objectClass=groupOfUniqueNames)(description=mongo)(uniqueMember={USER}))'
setParameter:
authenticationMechanisms: "PLAIN,SCRAM-SHA-1,SCRAM-SHA-256"

next create user in $external database:

> db.createUser({"user": "user", "roles": [{"role": "read", "db": "db1"}], "mechanisms": ["PLAIN"] })
Successfully added user: {
	"user" : "user",
	"roles" : [
		{
			"role" : "read",
			"db" : "db1"
		}
	],
	"mechanisms" : [
		"PLAIN"
	]
}

during connection to mongo I get error:

> db.auth({"mechanism": "PLAIN", "user": "user", "pwd": passwordPrompt(), "digestPassword ": false})
Enter password: 
Error: SASL(-4): no mechanism available: No worthy mechs found
0

In my ldap I store passwords in two hash:

sambaNTPassword
userPassword: ssha hash

Please help me, what I’m doing wrong?

2

Hello @bsiara
have you tried to authorize from the command line like this:

mongo -u "user" -p --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'

Does it return the same error?
What LDAP server do you use?
One note: you don’t need to add LDAP user to the $external database. With native LDAP authentication this is not necessary. (But this is not the reason of the issue).

3

Thanks for your reply, using mongo cmd I get the same error:

mongo -u "user" -p --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
Percona Server for MongoDB shell version v4.2.8-8
Enter password: 
connecting to: mongodb://127.0.0.1:27017/?authMechanism=PLAIN&authSource=%24external&compressors=disabled&gssapiServiceName=mongodb
2020-07-17T19:41:52.396+0000 E QUERY [js] Error: SASL(-4): no mechanism available: No worthy mechs found :
connect@src/mongo/shell/mongo.js:341:17
@(connect):3:6
2020-07-17T19:41:52.401+0000 F - [main] exception: connect failed
2020-07-17T19:41:52.401+0000 E - [main] exiting with code 1

As ldap server I use Apache Directory Server. Ok, I deleted user on $external database, but the same error occur.

4

Hello @bsiara,
Your configuration looks good. I don’t know exactly what is going wrong. To debug it I would try to execute LDAP query using ‘ldapsearch’ utility from the openldap package. Something like this:

ldapsearch -h ldap.domain.com -p 10389 -v -w pass123 -D uid=nobody,ou=people,dc=domain,dc=com -L -b ou=people,dc=domain,dc=com -s sub

With this command you can ensure that your LDAP server accepts connections.
Also you can try to switch bind mode from ‘simple’ to ‘sasl’.