Homework 1.6: Enabling LDAP Authentication on a Replica Set - Session Feb 2019

Not able to connect to the ldap account.

– database

vagrant@database:~/shared$ cat /etc/saslauthd.conf
ldap_servers: ldap://infrastructure.m310.mongodb.university:389
ldap_search_base: ou=Users,dc=mongodb,dc=com
ldap_filter: (cn=%u)
vagrant@database:~/shared$ testsaslauthd -u adam -p password -f /var/run/saslauthd/mux
connect() : Permission denied
0: vagrant@database:~/shared$

–infrastructure

[vagrant@infrastructure shared]$ ./setup-hw-1.6.sh
Redirecting to /bin/systemctl start slapd.service
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry “cn=config”
ldap_modify: Type or value exists (20)
additional info: modify/add: olcAuthzRegexp: value #0 already exists

adding new entry “dc=mongodb,dc=com”
ldap_add: Already exists (68)

adding new entry “ou=Users,dc=mongodb,dc=com”
ldap_add: Already exists (68)

Traceback (most recent call last):
File “/home/vagrant/shared/ldapconfig.py”, line 74, in
main()
File “/home/vagrant/shared/ldapconfig.py”, line 15, in main
addUser(args.user, args.password)
File “/home/vagrant/shared/ldapconfig.py”, line 45, in addUser
l.add_s(dn, ldif)
File “/usr/lib64/python2.7/site-packages/ldap/ldapobject.py”, line 428, in add_s
return self.add_ext_s(dn,modlist,None,None)
File “/usr/lib64/python2.7/site-packages/ldap/ldapobject.py”, line 414, in add_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File “/usr/lib64/python2.7/site-packages/ldap/ldapobject.py”, line 749, in result3
resp_ctrl_classes=resp_ctrl_classes
File “/usr/lib64/python2.7/site-packages/ldap/ldapobject.py”, line 756, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File “/usr/lib64/python2.7/site-packages/ldap/ldapobject.py”, line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File “/usr/lib64/python2.7/site-packages/ldap/ldapobject.py”, line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.ALREADY_EXISTS: {‘desc’: u’Already exists’}
[vagrant@infrastructure shared] ps -ef|grep ldap ldap 5205 1 0 14:20 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// vagrant 5219 5066 0 14:20 pts/0 00:00:00 grep --color=auto ldap [vagrant@infrastructure shared] hostname
infrastructure.m310.mongodb.university

[vagrant@infrastructure shared] [vagrant@infrastructure shared] sudo service sldap start
Redirecting to /bin/systemctl start sldap.service
Failed to start sldap.service: Unit not found.

If I remember correctly it is slapd no sldap.

1 Like

thank you. still no luck

[vagrant@infrastructure shared] sudo service slapd start Redirecting to /bin/systemctl start slapd.service [vagrant@infrastructure shared] ps -ef|grep ldap
ldap 5205 1 0 14:20 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
vagrant 17590 5066 0 14:47 pts/0 00:00:00 grep --color=auto ldap

vagrant@database:~/shared$ testsaslauthd -u adam -p password -f /var/run/saslauthd/mux
connect() : Permission denied

got it. permission was the problem.

vagrant@database:~/shared$ sudo chmod 777 /var/run/saslauthd/
vagrant@database:~/shared$ testsaslauthd -u adam -p password -f /var/run/saslauthd/mux
0: OK “Success.”

1 Like

The error message connect() : Permission denied helped a lot.

1 Like

looks now I stuck to create user. I’m able to create user but validation scripts did not return right results.

Is this the right way to create an external user ?
db.getSiblingDB("$external").createUser({user: ‘adam’, roles: [{role: ‘root’, db: ‘admin’}]})

also why this command is not working .
db.getSiblingDB("$external").auth(
{ mechanism: ‘PLAIN’, user: “uid=adam,ou=Users,dc=mongodb,dc=com”, pwd: “password”, digestPassword: false
} )

Error: Missing expected field “mechanism”
0

Your createUser() looks like what I did.

However, for auth() part, I don’t think you have to specify uid=adam,ou=…, you simply use user:adam. The mapping to the LDAP entity uid=…,ou=… is done in one of the config file but I was not able to recall which one.

vagrant@database:~/shared$ ./validate-hw-1.6.sh
{ unauthorizedStatus: {“ok”:0,“errmsg”:“not authorized on admin to execute command { replSetGetStatus: 1.0 }”,“code”:13}, memberStatuses: ["(not reachable/healthy)","(not reachable/healthy)",“RECOVERING”] }

Your replica set is not in the correct state. Make sure all members are running. One of them needs to be PRIMARY.

1 Like

looks problem in creating user.

  1. mongo --port 31160

  2. rs.initiate({
    _id: ‘myReplSet3’,
    members: [
    { _id: 1, host: ‘database.m310.mongodb.university:31160’, priority: 1 },
    { _id: 2, host: ‘database.m310.mongodb.university:31161’ },
    { _id: 3, host: ‘database.m310.mongodb.university:31162’ }
    ]
    })

  3. db.getSiblingDB("$external").createUser({user: ‘adam’, roles: [{role: ‘root’, db: ‘admin’}]})

How do I confirm that I created the user correctly ?

https://docs.mongodb.com/manual/reference/method/db.getUsers/

1 Like

after creating an account , I’m not able to login back into replicatset.

  • Start the saslauthd service. Done

  • Fix the permissions on the saslauthd socket directory. Done

  • Start three mongod instances on ports 31160 , 31161 , and 31162 with LDAP support enabled. done

  • Connect to the primary and initiate the replica set. Done

  • Create an account for adam . Done

  • Verify that you can authenticate to MongoDB with the username adam and his LDAP password of password . Stuck here

Have you setup saslauthd with the following:
LDAP Server IP: infrastructure.m310.mongodb.university
LDAP Search Base: ou=Users,dc=mongodb,dc=com
LDAP Search Filter: (cn=%u)

Yes. also tested. LDAP authentication test works fine.

@ asif284

Well, I see that you’ve had a bunch of problems here, so it’s really hard to tell where exactly this went off track. However, my best guess is that you have used up your localhost exception or that the replica set was not initiated correctly to allow all this to happen.

Although it’s a pain, I’d suggest going back to the beginning, killing all your MongoDB instances etc, and using your current knowledge restarting this exercise from scratch.

Everything worked fine until I changed the password with the python’s command:
$ python ldapconfig.py passwd -u adam -op password -np webscale

Then, I used the testsaslauthd and it worked good.
when i validated the homework
./validate-hw-1.6.sh
However, the answer is incorrect. Why?
Later, I reconnected to the Ubuntu VM. Then, I restarted the saslauthd service and the
testsaslauthd fails

What should I do?
Now, in myreplica set I can not connect anymore, neither with the old password nor with webscale

I already corrected the problem.
I restarted my replica set, then
I just went back to running the following:
./setup-hw-1.6.sh

Even though it tells me that ldap.ALREADY_EXISTS I was able to use
the new password.
This works for me. Why?
ter

Hi,

Im struggling in adding members to the replicaset:

Here are the steps I did:

  1. start 3 mongoDB instances with LDAP config

mongod --auth --replSet HW-1.6 --port 31160 --fork --setParameter authenticationMechanisms=PLAIN --setParameter saslauthdPath="/var/run/saslauthd/mux" --dbpath ~/M310-HW-1.6/r0 --logpath ~/M310-HW-1.6/r0/mongo.log

mongod --auth --replSet HW-1.6 --port 31161 --fork --setParameter authenticationMechanisms=PLAIN --setParameter saslauthdPath="/var/run/saslauthd/mux" --dbpath ~/M310-HW-1.6/r1 --logpath ~/M310-HW-1.6/r1/mongo.log

mongod --auth --replSet HW-1.6 --port 31162 --fork --setParameter authenticationMechanisms=PLAIN --setParameter saslauthdPath="/var/run/saslauthd/mux" --dbpath ~/M310-HW-1.6/r2 --logpath ~/M310-HW-1.6/r2/mongo.log

  1. initiate the replicatset

mongo --port 31160
use admin
rs.initiate()

  1. Create an account for adam

use $external

MongoDB Enterprise HW-1.6:PRIMARY> db.getSiblingDB("$external").createUser(
… { user: “adam”,
… roles: [ { db: “admin”, role: “root” } ]
… }
… )
Successfully added user: {
“user” : “adam”,
“roles” : [
{
“db” : “admin”,
“role” : “root”
}
]
}

  1. Verify that you can authenticate to MongoDB with the username adam and his LDAP password of password .

MongoDB Enterprise HW-1.6:PRIMARY> db.getSiblingDB("$external").auth({ mechanism: ‘PLAIN’, user: ‘adam’, pwd: ‘password’, digestPassword: false} )
1

–> OK (i have result 1)

  1. Add the other members of the replica set.

MongoDB Enterprise HW-1.6:PRIMARY> rs.add(“database:31162”)
{
“ok” : 0,
“errmsg” : “Quorum check failed because not enough voting nodes responded; required 2 but only the following 1 voting nodes responded: database:31160; the following nodes did not respond affirmatively: database:31162 failed with not authorized on admin to execute command { replSetHeartbeat: “HW-1.6”, pv: 1, v: 2, from: “database:31160”, fromId: 0, checkEmpty: false }”,
“code” : 74
}

–> failed.
I don;t have the authorization.

Can you help?

Thanks

I had to add the paramater keyfile to start the mongod:

mongod --auth --replSet HW-1.6 --port 31160 --fork --keyFile shared_key --setParameter authenticationMechanisms=PLAIN --setParameter saslauthdPath="/var/run/saslauthd/mux" --dbpath ~/M310-HW-1.6/r0 --logpath ~/M310-HW-1.6/r0/mongo.log

From this, i could complete the lab.

Without this, do the members try to use ldap to authenticate between them?

3 Likes