Kerberos vs. LDAP Authz Behavior

Hi,

I’m wondering why the authorization mapping (to a Windows AD) is different between configuring MongoDB for Kerberos as opposed to LDAP.
If someone could shed some light into this, I’d appreciate it.

To better explain my confusion, I will compare my LDAP and Kerberos configuration.
That is, the PLAIN vs. GSSAPI authentication mechanisms.

LDAP Configuration
The /etc/mongod.conf is as follows (I need to rewrite some of the FQDN and Windows UPN so it won’t be considered as links):

security:
  authorization: enabled
  ldap:
    servers: dc(dot)mydomain(dot)com
    bind:
      queryUser: LDAPQuery(at)mydomain(dot)com
      queryPassword: SomePassword
    transportSecurity: tls
    userToDNMapping: '[{ match: "(.+)",
                         ldapQuery: "dc=mydomain,dc=com??sub?userPrincipalName={0}(at)mydomain(dot)com"}]'
    authz:
      queryTemplate: '{USER}?memberOf?base'
  enableEncryption: true
  encryptionKeyFile: /srv/mongodb/mongodb-keyfile

The usual authentication routine will work.
And the domain group membership mapping works as well.

$ mongo --host mongodb-ad-3 --tls

MongoDB Enterprise > use $external
switched to db $external
MongoDB Enterprise > db.auth({mechanism: "PLAIN", user: "beleazar", pwd: "SomePassword"})
1
MongoDB Enterprise > db.runCommand({connectionStatus:1})
{
	"authInfo" : {
		"authenticatedUsers" : [
			{
				"user" : "beleazar",
				"db" : "$external"
			}
		],
		"authenticatedUserRoles" : [
			{
				"role" : "userAdminAnyDatabase",
				"db" : "admin"
			},
			{
				"role" : "CN=MongoDB User Admins,CN=Users,DC=MYDOMAIN,DC=COM",
				"db" : "admin"
			}
		]
	},
	"ok" : 1
}
MongoDB Enterprise >

Kerberos
However, without changing the above /etc/mongod.conf, using GSSAPI will not work.

$ kinit fusoya
$ mongo --host mongodb-ad-3 --tls

MongoDB Enterprise > use $external
switched to db $external
MongoDB Enterprise > db.auth({mechanism: "GSSAPI", user: "fusoya"})
Error: Authentication failed.
0
MongoDB Enterprise >

The logs will show something like this:

{"t":{"$date":"2021-07-06T10:07:24.330+07:00"},"s":"E",  "c":"ACCESS",   "id":24031,   "ctx":"conn3","msg":"{message}","attr":{"message":"saslServerConnAuthorize: Requested identity fusoya does not match authenticated identity fusoya"}}
{"t":{"$date":"2021-07-06T10:07:24.331+07:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn3","msg":"Authentication failed","attr":{"mechanism":"GSSAPI","speculative":false,"principalName":"fusoya","authenticationDatabase":"$external","remote":"192.168.18.20:35478","extraInfo":{},"error":"AuthenticationFailed: SASL(-13): authentication failure: saslServerConnAuthorize: Requested identity fusoya does not match authenticated identity fusoya"}}

I needed to comment out the userToDNMapping and authz sections of the config file.
Something like this:

security:
  authorization: enabled
  ldap:
    servers: dc(dot)mydomain(dot)com
    bind:
      queryUser: LDAPQuery(at)mydomain(dot)com
      queryPassword: SomePassword
    transportSecurity: tls
#    userToDNMapping: '[{ match: "(.+)",
#                         ldapQuery: "dc=mydomain,dc=com??sub?userPrincipalName={0}(at)mydomain(dot)com"}]'
#    authz:
#      queryTemplate: '{USER}?memberOf?base'
  enableEncryption: true
  encryptionKeyFile: /srv/mongodb/mongodb-keyfile

Then the GSSAPI mechanism works.

$ mongo --host mongodb-ad-3 --tls

MongoDB Enterprise > use $external
switched to db $external
MongoDB Enterprise > db.auth({mechanism: "GSSAPI", user:"fusoya(at)MYDOMAIN(dot)COM"})
1
MongoDB Enterprise > db.runCommand({connectionStatus:1})
{
	"authInfo" : {
		"authenticatedUsers" : [
			{
				"user" : "fusoya(at)MYDOMAIN(dot)COM",
				"db" : "$external"
			}
		],
		"authenticatedUserRoles" : [
			{
				"role" : "userAdminAnyDatabase",
				"db" : "admin"
			}
		]
	},
	"ok" : 1
}
MongoDB Enterprise >

I don’t find this to be ideal, as I need to maintain a separate user repository so to speak.
I had to create the fusoya account on MongoDB first.
Not the role-to-AD-domain-group mapping, but the actual account with whatever roles I required.

Can someone point out where I went wrong?

Thanks a lot!
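One way to see why a single `(.+)` rule treats the PLAIN username and the Kerberos principal differently, as an added example that is not part of the post and not MongoDB's own code: a small Python model of the documented userToDNMapping semantics (assumed: rules are tried in order, the first matching rule wins, and `{0}` is the first capture group), run over the two authenticated names that appear above. The realm-aware rule set is an assumption used to illustrate the idea, not a verified fix.

```python
import re

# Constructed model of MongoDB's security.ldap.userToDNMapping as documented
# (assumptions: rules are tried in order and the first matching rule wins;
# {0}, {1}, ... are replaced by that rule's regex capture groups).
# This is an added illustration, not code from MongoDB or from the post.

def apply_mapping(rules, auth_name):
    """Return the LDAP query/DN the mapping derives for auth_name, or None."""
    for rule in rules:
        m = re.fullmatch(rule["match"], auth_name)  # assumption: anchored match
        if not m:
            continue
        out = rule.get("ldapQuery") or rule["substitution"]
        for i, group in enumerate(m.groups()):
            out = out.replace("{%d}" % i, group)
        return out
    return None

# The post's single rule, with the (at)/(dot) spelling undone.
UPN_QUERY = "dc=mydomain,dc=com??sub?userPrincipalName={0}@mydomain.com"
ORIGINAL_RULES = [
    {"match": "(.+)", "ldapQuery": UPN_QUERY},
]

# Assumed alternative: a realm-stripping rule for Kerberos principals ahead of
# the catch-all, so PLAIN names and GSSAPI principals yield the same UPN query.
REALM_AWARE_RULES = [
    {"match": r"(.+)@MYDOMAIN\.COM", "ldapQuery": UPN_QUERY},
    {"match": "(.+)", "ldapQuery": UPN_QUERY},
]

def derived_queries(rules):
    """Map the two authenticated names seen in the post to their LDAP queries."""
    names = ["beleazar", "fusoya@MYDOMAIN.COM"]  # PLAIN user, GSSAPI principal
    return {name: apply_mapping(rules, name) for name in names}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("realm-aware", REALM_AWARE_RULES)):
        for name, query in derived_queries(rules).items():
            print(f"{label:12} {name:22} -> {query}")
```

With the original rule the Kerberos principal becomes `userPrincipalName=fusoya@MYDOMAIN.COM@mydomain.com`, a UPN no AD account carries, while the realm-aware rules produce `fusoya@mydomain.com` for both mechanisms.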