Unit M310, Homework 1.6: Enabling LDAP Authentication on a Replica Set

Even after following the instructions step by step I am not able to authenticate the user:

These are the configurations I am using on my server:

1. Configure saslauthd to automatically start and use LDAP as its mechanism.

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"

2. sudo vi /etc/saslauthd.conf

   ldap_server: ldap://infrastructure.m310.mongodb.university:389
   ldap_search_base: ou=Users,dc=mongodb,dc=com
   ldap_filetr: (cn=%u)

3. sudo service saslauthd start (working fine)

4. Started three mongod instances with the given options, for example:
mongod --auth --setParameter authenticationMechanisms=PLAIN --setParameter saslauthdPath="/var/run/saslauthd/mux" --keyFile /home/vagrant/keyFile --replSet x509Cert5 --dbpath /home/vagrant/M310-HW-1.6/r1 --logpath /home/vagrant/M310-HW-1.6/r1/mongodb.log --port 31161 --fork

5. Made the server running on port 31160 primary and added the user successfully:
MongoDB Enterprise x509Cert5:PRIMARY> db.getSiblingDB("$external").createUser({
... user: 'adam',
... roles: [
... {role: "userAdminAnyDatabase", db: "admin"},
... {role: "dbAdminAnyDatabase", db: "admin"},
... {role: "clusterAdmin", db: "admin"}
... ]
... })
Successfully added user: {
"user" : "adam",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}

6. But it failed when I tried to authenticate the user:
MongoDB Enterprise x509Cert5:PRIMARY> db.getSiblingDB("$external").auth({
... mechanism: "PLAIN",
... user: 'adam',
... pwd: 'password',
... digestPassword: false
... })
Error: Authentication failed.
0

7. On the Infrastructure server the service is running and listening on port 389:
[vagrant@infrastructure shared]$ sudo netstat -tulpn | grep LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2565/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2848/master
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 5161/slapd
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 2565/sshd
tcp6 0 0 ::1:25 :::* LISTEN 2848/master
tcp6 0 0 :::389 :::* LISTEN 5161/slapd

8. The servers can successfully ping each other.

Still not sure why I am not able to auth the user.

ldap_server should be ldap_servers in the config file.
Also check permissions on /var/run/saslauthd.
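The reply above points at a misspelled option name, and the saslauthd.conf posted in the original question contains a second one (ldap_filetr). saslauthd silently ignores option names it does not recognise, so a typo does not produce an error at startup; the daemon simply falls back to its defaults, which is why the log later shows a lookup for (uid=adam) although the intended filter was (cn=%u). The following added example (not part of this thread, the course's ldapconfig.py, or saslauthd itself) is a small linter that parses a saslauthd.conf, flags unknown keys with a "did you mean" hint, and shows the search filter that actually results after %u substitution. KNOWN_KEYS is an assumed subset of the option names from saslauthd's LDAP_SASLAUTHD documentation, DEFAULT_FILTER is that documentation's default, and the two configuration texts are constructed copies of the posted and corrected files. The RFC 4515 escaping of the login name is included because any substitution of user input into an LDAP filter should do it; it is not a claim about saslauthd's internals.

```python
import difflib

# Subset of the option names saslauthd's LDAP backend recognises (taken from
# its LDAP_SASLAUTHD documentation); assumed sufficient for this check.
KNOWN_KEYS = {
    "ldap_servers", "ldap_bind_dn", "ldap_bind_pw", "ldap_password",
    "ldap_search_base", "ldap_filter", "ldap_scope", "ldap_auth_method",
    "ldap_version", "ldap_timeout", "ldap_start_tls", "ldap_tls_check_peer",
    "ldap_tls_cacert_file", "ldap_referrals", "ldap_deref",
}
# Filter saslauthd falls back to when no ldap_filter option is read.
DEFAULT_FILTER = "uid=%u"

# Constructed copy of the configuration from the original question (keys as typed).
POSTED_CONF = """\
ldap_server: ldap://infrastructure.m310.mongodb.university:389
ldap_search_base: ou=Users,dc=mongodb,dc=com
ldap_filetr: (cn=%u)
"""

# Constructed corrected version of the same file.
FIXED_CONF = """\
ldap_servers: ldap://infrastructure.m310.mongodb.university:389
ldap_search_base: ou=Users,dc=mongodb,dc=com
ldap_filter: (cn=%u)
"""


def parse_saslauthd_conf(text):
    """Parse 'key: value' lines; blank lines, '#' comments and lines without
    a colon are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def lint_saslauthd_conf(text):
    """Return a list of problems. An unknown key is ignored by saslauthd, so
    each one gets a closest-match hint from the known option names."""
    conf = parse_saslauthd_conf(text)
    problems = []
    for key in conf:
        if key not in KNOWN_KEYS:
            close = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.75)
            hint = f" (did you mean {close[0]}?)" if close else ""
            problems.append(f"unknown option '{key}'{hint}")
    if "ldap_servers" not in conf:
        problems.append("ldap_servers not set: saslauthd will use its built-in default (localhost)")
    if "ldap_filter" not in conf:
        problems.append(f"ldap_filter not set: lookups will use the default '{DEFAULT_FILTER}'")
    if "ldap_search_base" not in conf:
        problems.append("ldap_search_base not set")
    return problems


def escape_filter_value(value):
    """Escape LDAP filter metacharacters (RFC 4515) in a user-supplied value,
    so a login name cannot change the structure of the search filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def effective_filter(conf, username):
    """The search filter that results from substituting %u with the login
    name, wrapped in parentheses the way it shows up in the saslauthd log."""
    template = conf.get("ldap_filter", DEFAULT_FILTER)
    filt = template.replace("%u", escape_filter_value(username))
    if not filt.startswith("("):
        filt = f"({filt})"
    return filt


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        conf = parse_saslauthd_conf(text)
        print(f"== {name} ==")
        for problem in lint_saslauthd_conf(text):
            print("  -", problem)
        print("  filter for 'adam':", effective_filter(conf, "adam"))
```

Run against the posted file the linter reports both misspelled keys and shows that the effective filter is (uid=adam), matching the "Entry not found ((uid=adam))" line in the log; against the corrected file it reports nothing and the filter becomes (cn=adam).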

Thanks for replying.
Still having no luck. Permissions on the saslauthd dir:
drwxrwxrwx 2 root sasl 140 Mar 20 17:47 saslauthd

saslauthd:
total 968
-rw------- 1 root root 5 Mar 20 17:47 saslauthd.pid
-rw------- 1 root root 0 Mar 20 17:47 mux.accept
srwxrwxrwx 1 root root 0 Mar 20 17:47 mux
-rw------- 1 root root 986112 Mar 20 17:47 cache.mmap
-rw------- 1 root root 0 Mar 20 17:47 cache.flock

These are the log entries that I found in /var/log; it looks like the user is not present on the server.

Mar 20 17:52:38 database sudo: pam_unix(sudo:session): session closed for user root
Mar 20 17:53:01 database saslauthd[1164]: Entry not found ((uid=adam)).
Mar 20 17:53:01 database saslauthd[1164]: Authentication failed for adam: User not found (-6)
Mar 20 17:53:01 database saslauthd[1164]: do_auth : auth failure: [user=adam] [service=mongodb] [realm=] [mech=ldap] [reason=Unknown]
Mar 20 17:59:01 database sudo: vagrant : TTY=pts/0 ; PWD=/run ; USER=root ; COMMAND=/usr/bin/vi /etc/saslauthd.conf
Mar 20 17:59:01 database sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)
Mar 20 17:59:28 database sudo: pam_unix(sudo:session): session closed for user root
Mar 20 17:59:43 database sudo: vagrant : TTY=pts/0 ; PWD=/run ; USER=root ; COMMAND=/usr/sbin/service saslauthd restart
Mar 20 17:59:43 database sudo: pam_unix(sudo:session): session opened for user root by vagrant(uid=0)
Mar 20 17:59:43 database saslauthd[1163]: server_exit : master exited: 1163

Output from Infrastructure when I run the script:

Redirecting to /bin/systemctl start slapd.service
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Type or value exists (20)
additional info: modify/add: olcAuthzRegexp: value #0 already exists

adding new entry "dc=mongodb,dc=com"
ldap_add: Already exists (68)

adding new entry "ou=Users,dc=mongodb,dc=com"
ldap_add: Already exists (68)

Traceback (most recent call last):
File "/home/vagrant/shared/ldapconfig.py", line 74, in <module>
main()
File "/home/vagrant/shared/ldapconfig.py", line 15, in main
addUser(args.user, args.password)
File "/home/vagrant/shared/ldapconfig.py", line 45, in addUser
l.add_s(dn, ldif)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 428, in add_s
return self.add_ext_s(dn,modlist,None,None)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 414, in add_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 749, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 756, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
ldap.ALREADY_EXISTS: {'desc': u'Already exists'}

I have one question: is there any other stuff, other than running the setup script on the infrastructure DB, that needs to be done?

@Ramachandra_37567

Did you use the testsaslauthd utility to validate your user? That's documented in the tutorial here, which you might want to read before trying again.

I'd recommend starting over from scratch at this point, particularly since you left the '-c' (caching) option turned on in your saslauthd configuration.

Please go through the docs/steps and repeat as David suggested.
You have to do this check on the DB box and it should succeed:

vagrant@database:~$ testsaslauthd -u adam -p password -f /var/run/saslauthd/mux
0: OK "Success."


@Ramachandra_37567

Sorry, responded to the wrong person. Thanks for forwarding that!

@ranbir1mittal

Let's try this again, this time to the actual post...

Did you use the testsaslauthd utility to validate your user? That's documented in the tutorial here, which you might want to read before trying again.

I'd recommend starting over from scratch at this point, particularly since you left the '-c' (caching) option turned on in your saslauthd configuration.


@DHz
Yes, I did use the testsaslauthd utility to validate the user, and it failed at that time.
I think I will start again from scratch and will post if I get any issue.

Thank you!

@Ramachandra_37567
So I am going to start again from scratch and will post again if I get any issue.

Thank you!