Percona mongodb external authentication with VLDAP

Hi, we are using LDAP authentication with Percona MongoDB. We have installed the saslauthd daemon to authenticate with OneLogin VLDAP. The sanity test is working fine, and from the MongoDB server we are able to communicate with VLDAP using the ldapsearch command. But when trying from the mongo shell using the $external auth DB, it is not able to authenticate. Can anyone please help me with this?

This is the mongo shell command output

db.getSiblingDB("$external").auth({ mechanism:"PLAIN", user:"mongo.db@example.com", pwd:"XXXXXXXX", digestPassword:false})
Error: Authentication failed.
0

This is the error log which we are seeing.

{"t":{"$date":"2021-06-17T21:34:12.546+05:30"},"s":"I", "c":"ACCESS", "id":20249, "ctx":"conn10","msg":"Authentication failed","attr":{"mechanism":"PLAIN","speculative":false,"principalName":"mongo.db@example.com","authenticationDatabase":"$external","remote":"127.0.0.1:45234","extraInfo":{},"error":"OperationFailed: SASL step did not complete: (authentication failure)"}}

Configurations

##under mongodb configuration
cat /etc/mongod.conf
setParameter:
authenticationMechanisms: PLAIN
saslauthdPath: /var/run/saslauthd/mux

##saslauthdb configuration
cat /etc/saslauthd.conf
ldap_servers: ldaps://example.ldap.com:636
ldap_mech: PLAIN
ldap_search_base: dc=domain1,dc=domain2,dc=com
ldap_filter: (cn=%u)
ldap_bind_dn: cn=mongo.db@example.com,ou=users,dc=domain1,dc=domain2,dc=com
ldap_password: XXXXXXXX

##under saslauthd lib configuration
cat /etc/sasl2/mongodb.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
log_level: 5
mech_list: plain

###Sanity test
sudo testsaslauthd -u mongo.db@example.com -p XXXXXXX -f /var/run/saslauthd/mux
0: OK "Success."

1 Like

This is the error log in mongodb.log

{"t":{"$date":"2021-06-22T03:50:01.532+05:30"},"s":"I", "c":"ACCESS", "id":20249, "ctx":"conn11","msg":"Authentication failed","attr":{"mechanism":"PLAIN","speculative":false,"principalName":"mongotest_userm","authenticationDatabase":"$external","remote":"127.0.0.1:35230","extraInfo":{},"error":"OperationFailed: SASL step did not complete: (authentication failure)"}}

And this is the error log we got from the saslauthd daemon:

user ldap_search_st() failed: Timed out
Retrying authentication
Entry not found ((cn=mongotest_userm)).
Authentication failed for mongotest_userm: User not found (-6)
auth failure: [user=mongotest_userm] [service=mongodb] [realm=] [mech=ldap] [reason=Unknown]

Can anyone from the Percona team, or anyone else, please help me with this?

1 Like
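As an added example (not from the original post and not saslauthd's own code), the following Python renders the LDAP search that saslauthd's LDAP backend would issue for a given login name, using the saslauthd.conf values quoted in the thread. It assumes saslauthd's documented ldap_filter tokens (%u whole name, %U part before '@', %d part after '@', %r realm, %% literal percent) and adds RFC 4515 filter escaping of its own; the rendered filter for mongotest_userm is the one the saslauthd log reports as "Entry not found", while the sanity-test name is exactly the cn of the bind DN.

```python
"""Show which LDAP search saslauthd performs for a login name."""
import re

# Constructed copy of the saslauthd.conf shown in the post (password elided).
SASLAUTHD_CONF = """\
ldap_servers: ldaps://example.ldap.com:636
ldap_mech: PLAIN
ldap_search_base: dc=domain1,dc=domain2,dc=com
ldap_filter: (cn=%u)
ldap_bind_dn: cn=mongo.db@example.com,ou=users,dc=domain1,dc=domain2,dc=com
ldap_password: XXXXXXXX
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines; '#' comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def ldap_escape(value):
    """RFC 4515 escaping so a login name cannot alter the filter structure
    (this example's own safeguard, not a claim about saslauthd internals)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_filter(template, user, realm=""):
    """Substitute the assumed saslauthd tokens %u %U %d %r %% for one user."""
    local, _, domain = user.partition("@")
    tokens = {"u": user, "U": local, "d": domain, "r": realm, "%": "%"}

    def sub(match):
        tok = match.group(1)
        if tok not in tokens:
            raise ValueError("unknown ldap_filter token %%%s" % tok)
        return "%" if tok == "%" else ldap_escape(tokens[tok])

    return re.sub(r"%(.)", sub, template)


def search_plan(conf, user):
    """Return (bind DN, search base, rendered filter) saslauthd would use."""
    return (conf["ldap_bind_dn"], conf["ldap_search_base"],
            expand_filter(conf["ldap_filter"], user))


def rdn_value(dn):
    """Value of the first RDN of a DN, e.g. 'cn=x,ou=y' -> 'x'."""
    return dn.split(",", 1)[0].split("=", 1)[1]
```

Comparing `search_plan(conf, user)[2]` with `rdn_value(conf["ldap_bind_dn"])` shows why the sanity test with mongo.db@example.com finds an entry while a bare short name such as mongotest_userm produces the `(cn=mongotest_userm)` filter seen in the log.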