As of Percona Operator for MongoDB 1.12.0, the documentation now has instructions on how to configure LDAP Authentication and Authorization. It already contains an example of how to configure the operator if OpenLDAP is your LDAP server. Here is another example of setting it up but using Samba as your LDAP server.
To simplify the installation and configuration, I will use Ubuntu Jammy 22.04 LTS since the distribution repository contains the packages to install Samba and Kubernetes.
This is the current configuration of the test server:
OS: Ubuntu Jammy 22.04 LTS
Hostname: samba.percona.local
IP Address: 192.168.0.101
Let’s install the necessary packages to install Samba as PDC and troubleshooting tools:
|
1 |
$ sudo apt update<br>$ sudo apt -y upgrade<br>$ sudo apt -y install samba net-tools winbind ldap-utils |
Disable smbd, winbind, and systemd-resolved services because we will need to reconfigure samba as a PDC and DNS resolver. Also remove current samba configuration, /etc/samba/smb.conf.
|
1 |
$ sudo systemctl stop smbd<br>$ sudo systemctl stop systemd-resolved<br>$ sudo systemctl stop winbind<br>$ sudo systemctl disable smbd<br>$ sudo systemctl disable systemd-resolved<br>$ sudo systemctl disable winbind<br>$ sudo rm /etc/samba/smb.conf |
Delete the symlink on /etc/resolv.conf and replace the content with “nameserver 127.0.0.1” to use the samba’s DNS service:
|
1 |
$ sudo rm -f /etc/resolv.conf<br>$ sudo echo -e "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf |
Create a domain environment with the following settings:
Realm: PERCONA.LOCAL
Domain: PERCONA
Administrator Password: PerconaLDAPTest2022
|
1 |
$ sudo samba-tool domain provision --realm percona.local --domain percona --admin=PerconaLDAPTest2022<br> |
Edit /etc/samba/smb.conf and set DNS forwarder to 8.8.8.8 to resolve other zones. We will also disable mandatory TLS authentication since Percona Operator does not support LDAP with TLS at the time of writing this article.
|
1 |
$ cat /etc/samba/smb.conf<br># Global parameters<br>[global]<br> dns forwarder = 8.8.8.8<br> netbios name = SAMBA<br> realm = PERCONA.LOCAL<br> server role = active directory domain controller<br> workgroup = PERCONA<br> ldap server require strong auth = No<br>[sysvol]<br> path = /var/lib/samba/sysvol<br> read only = No<br>[netlogon]<br> path = /var/lib/samba/sysvol/percona.local/scripts<br> read only = No<br> |
Symlink krb5.conf configuration.
|
1 |
$ sudo ln -s /var/lib/samba/private/krb5.conf /etc<br> |
Unmask samba-ad-dc service and start it. Ensure it will start at boot time.
|
1 |
$ sudo systemctl unmask samba-ad-dc<br>$ sudo systemctl start samba-ad-dc<br>$ sudo systemctl enable samba-ad-dc |
Check if the Samba services are up and running
|
1 |
$ sudo netstat -tapn|grep samba<br>tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4376/samba: task[ld <br>tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 4406/samba: task[dn <br>tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 4376/samba: task[ld <br>tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 4371/samba: task[rp <br>tcp6 0 0 :::389 :::* LISTEN 4376/samba: task[ld <br>tcp6 0 0 :::53 :::* LISTEN 4406/samba: task[dn <br>tcp6 0 0 :::636 :::* LISTEN 4376/samba: task[ld <br>tcp6 0 0 :::135 :::* LISTEN 4371/samba: task[rp <br><br>$ host google.com<br>google.com has address 172.217.194.101<br><br>$ host samba.percona.local<br>samba.percona.local has address 192.168.0.101 |
Now that Samba is up and running, we can now perform user and group management. We will create Samba users and groups and assign users to groups with samba-tool.
|
1 |
$ sudo samba-tool user add dbauser01 --surname=User01 --given-name=Dba --mail-address=dbauser01@percona.local DbaPassword1<br>$ sudo samba-tool user add devuser01 --surname=User01 --given-name=Dev --mail-address=devuser01@percona.local DevPassword1<br>$ sudo samba-tool user add searchuser01 --surname=User01 --given-name=Search --mail-address=searchuser01@percona.local SearchPassword1<br>$ sudo samba-tool group add developers<br>$ sudo samba-tool group add dbadmins<br>$ sudo samba-tool group addmembers developers devuser01<br>$ sudo samba-tool group addmembers dbadmins dbauser01 |
Use samba-tool again to view the details of the users and groups:
|
1 |
$ sudo samba-tool user show devuser01<br>dn: CN=Dev User01,CN=Users,DC=percona,DC=local<br>objectClass: person<br>objectClass: user<br>cn: Dev User01<br>sn: User01<br>givenName: Dev<br>name: Dev User01<br>sAMAccountName: devuser01<br>mail: devuser01@percona.local<br>memberOf: CN=developers,CN=Users,DC=percona,DC=local<br><br>$ sudo samba-tool group show dbadmins<br>dn: CN=dbadmins,CN=Users,DC=percona,DC=local<br>objectClass: group<br>cn: dbadmins<br>name: dbadmins<br>sAMAccountName: dbadmins<br>member: CN=Dba User01,CN=Users,DC=percona,DC=local<br> |
Troubleshooting LDAP starts with being able to use the ldapsearch tool to specify the credentials and filters. Once you are successful with authentication and searching, it’s easier to plug the same or similar parameters used in ldapsearch in the configuration of the Percona operator. Here are some examples of useful ldapsearch commands:
1. Logging in as “CN=Dev User01,CN=Users,DC=percona,DC=local”. If authenticated, return the DN, First Name, Last Name, email and sAMAccountName for that record.
|
1 |
$ ldapsearch -LLL -W -x -H ldap://samba.percona.local -b "CN=Dev User01,CN=Users,DC=percona,DC=local" -D "CN=Dev User01,CN=Users,DC=percona,DC=local" "givenName" "sn" "mail" "sAMAccountName"<br>Enter LDAP Password:<br>dn: CN=Dev User01,CN=Users,DC=percona,DC=local<br>sn: User01<br>givenName: Dev<br>sAMAccountName: devuser01<br>mail: devuser01@percona.local<br> |
Essentially, without mapping,you will need to supply the username as the full DN to login to MongoDB. Eg. mongo -u “CN=Dev User01,CN=Users,DC=percona,DC=local”
2. Logging in as “CN=Search User01,CN=Users,DC=percona,DC=local” and looking for users in “DC=percona,dc=local” where sAMAccountName is “dbauser01”. If there’s a match, it will return the DN, First Name, Last Name, mail and sAMAccountName for that record.
|
1 |
$ ldapsearch -LLL -W -x -H ldap://samba.percona.local -b "DC=percona,dc=local" -D "CN=Search User01,CN=Users,DC=percona,DC=local" "(&(objectClass=person)(sAMAccountName=dbauser01))" "givenName" "sn" "mail" "sAMAccountName"<br>Enter LDAP Password:<br>dn: CN=Dba User01,CN=Users,DC=percona,DC=local<br>sn: User01<br>givenName: Dba<br>sAMAccountName: dbauser01<br>mail: dbauser01@percona.local<br> |
With mapping, you can now authenticate by specifying sAMAaccountName or mail depending on how mapping is defined. Eg. mongo -u dbauser01 or mongo -u “[email protected]”
3. Logging in as “CN=Search User01,CN=Users,DC=percona,DC=local”, looking for groups in “DC=percona,dc=local” where “CN=Dev User01,CN=Users,DC=percona,DC=local” is a member. If there’s a match, it will return the DN and common name of the group.
|
1 |
$ ldapsearch -LLL -W -x -H ldap://samba.percona.local -b "DC=percona,dc=local" -D "CN=Search User01,CN=Users,DC=percona,DC=local" "(&(objectClass=group)(member=CN=Dev User01,CN=Users,DC=percona,DC=local))" "cn"<br>Enter LDAP Password:<br>dn: CN=developers,CN=Users,DC=percona,DC=local<br>cn: developers<br> |
This type of search is important to enumerate the groups of that user for we can define the privileges of that user based on its group membership.
Now that authenticating to LDAP and search filters are working, we are ready to test this in the Percona Operator. Since this is just for testing, we might as well use the same server to deploy Kubernetes. In this example, we will use Microk8s.
|
1 |
$ sudo snap install microk8s --classic<br>$ sudo usermod -a -G microk8s $USER<br>$ sudo chown -f -R $USER ~/.kube<br>$ newgrp microk8s<br>$ microk8s status --wait-ready<br>$ microk8s enable dns<br>$ microk8s enable hostpath-storage<br>$ alias kubectl='microk8s kubectl' |
Once installed, check system pods when all are running before we continue to the next step:
|
1 |
$ kubectl get pods --all-namespaces<br>NAMESPACE NAME READY STATUS RESTARTS AGE<br>kube-system calico-node-bj9c4 1/1 Running 0 3m12s<br>kube-system coredns-66bcf65bb8-l9hwb 1/1 Running 0 65s<br>kube-system calico-kube-controllers-644d5c79cb-fhhkc 1/1 Running 0 3m11s<br>kube-system hostpath-provisioner-85ccc46f96-qmjrq 1/1 Running 0 3m<br> |
Now that Kubernetes is running, we can download the Percona Operator for MongoDB. Let’s download version 1.13.0 with git:
|
1 |
$ git clone -b v1.13.0 https://github.com/percona/percona-server-mongodb-operator |
Then let’s go to the deploy directory and apply bundle.yaml to install the Percona operator:
|
1 |
$ cd percona-server-mongodb-operator/deploy<br>$ kubectl apply -f bundle.yaml <br>customresourcedefinition.apiextensions.k8s.io/perconaservermongodbs.psmdb.percona.com created<br>customresourcedefinition.apiextensions.k8s.io/perconaservermongodbbackups.psmdb.percona.com created<br>customresourcedefinition.apiextensions.k8s.io/perconaservermongodbrestores.psmdb.percona.com created<br>role.rbac.authorization.k8s.io/percona-server-mongodb-operator created<br>serviceaccount/percona-server-mongodb-operator created<br>rolebinding.rbac.authorization.k8s.io/service-account-percona-server-mongodb-operator created<br>deployment.apps/percona-server-mongodb-operator created |
Check if the operator is up and running:
|
1 |
$ kubectl get pods<br>NAME READY STATUS RESTARTS AGE<br>percona-server-mongodb-operator-547c499bd8-p8k74 1/1 Running 0 41s |
Now that it is running we need to apply cr.yaml to create the MongoDB instances and services. We will just use minimal deployment in cr-minimal.yaml which is provided in the deploy directory.
|
1 |
$ kubectl apply -f cr-minimal.yaml<br>perconaservermongodb.psmdb.percona.com/my-cluster-name created |
Wait until all pods are created:
|
1 |
$ kubectl get pods<br>NAME READY STATUS RESTARTS AGE<br>percona-server-mongodb-operator-547c499bd8-p8k74 1/1 Running 0 5m16s<br>minimal-cluster-cfg-0 1/1 Running 0 3m25s<br>minimal-cluster-rs0-0 1/1 Running 0 3m24s<br>minimal-cluster-mongos-0 1/1 Running 0 3m24s<br> |
Now that MongoDB pods are running, let’s add the groups for role-based mapping. We need to add this configuration from the primary config server which will be used by mongos and replicaset for authorization when logging in.
First, let’s get the username and password of the admin user:
|
1 |
$ kubectl get secrets<br>NAME TYPE DATA AGE<br>minimal-cluster Opaque 10 4m3s<br>internal-minimal-cluster-users Opaque 10 4m3s<br>minimal-cluster-mongodb-keyfile Opaque 1 4m3s<br>minimal-cluster-mongodb-encryption-key Opaque 1 4m3s<br><br>$ kubectl get secrets minimal-cluster -o yaml<br>apiVersion: v1<br>data:<br> MONGODB_BACKUP_PASSWORD: b2NNNkFjOHdEUU42OUpmYnE=<br> MONGODB_BACKUP_USER: YmFja3Vw<br> MONGODB_CLUSTER_ADMIN_PASSWORD: aElBWlVyajFkZWF0eEhWSzI=<br> MONGODB_CLUSTER_ADMIN_USER: Y2x1c3RlckFkbWlu<br> MONGODB_CLUSTER_MONITOR_PASSWORD: V1p6YkFhN1o3T2RkSm5Gbg==<br> MONGODB_CLUSTER_MONITOR_USER: Y2x1c3Rlck1vbml0b3I=<br> MONGODB_DATABASE_ADMIN_PASSWORD: U0hMR3Y3WlF2SVpxZ1dhcUFh<br> MONGODB_DATABASE_ADMIN_USER: ZGF0YWJhc2VBZG1pbg==<br> MONGODB_USER_ADMIN_PASSWORD: eW5TZjRzQjkybm5UdjdVdXduTQ==<br> MONGODB_USER_ADMIN_USER: dXNlckFkbWlu<br>kind: Secret<br>metadata:<br> creationTimestamp: "2022-09-15T15:57:42Z"<br> name: minimal-cluster<br> namespace: default<br> resourceVersion: "5673"<br> uid: d3f4f678-a3db-4578-b10c-69e8c4410b00<br>type: Opaque<br><br>$ echo `echo "dXNlckFkbWlu"|base64 --decode`<br>userAdmin<br>$ echo `echo "eW5TZjRzQjkybm5UdjdVdXduTQ=="|base64 --decode`<br>ynSf4sB92nnTv7UuwnM<br> |
Next, let’s connect to the primary config server:
|
1 |
$ kubectl get services<br>NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE<br>kubernetes ClusterIP 10.152.183.1 443/TCP 22m<br>minimal-cluster-cfg ClusterIP None 27017/TCP 7m27s<br>minimal-cluster-rs0 ClusterIP None 27017/TCP 7m27s<br>minimal-cluster-mongos ClusterIP 10.152.183.220 27017/TCP 7m27s<br><br>$ kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:5.0.11-10 --restart=Never -- bash -il<br>[mongodb@percona-client /]$ mongo --host minimal-cluster-cfg -u userAdmin -p ynSf4sB92nnTv7UuwnM<br>Percona Server for MongoDB shell version v5.0.11-10<br>connecting to: mongodb://minimal-cluster-cfg:27017/?compressors=disabled&gssapiServiceName=mongodb<br>Implicit session: session { "id" : UUID("5f1f7db8-d75f-4658-a579-86b9bbf22471") }<br>Percona Server for MongoDB server version: v5.0.11-10<br>cfg:PRIMARY><br> |
From the console, we can create two roles “CN=dbadmins,CN=Users,DC=percona,DC=local” and “CN=developers,CN=Users,DC=percona,DC=local” with their corresponding privileges:
|
1 |
use admin<br>db.createRole(<br> {<br> role: "CN=dbadmins,CN=Users,DC=percona,DC=local",<br> roles: [ "root"],<br> privileges: []<br> }<br>)<br>db.createRole(<br>{<br> role: "CN=developers,CN=Users,DC=percona,DC=local",<br> roles: [<br> "readWriteAnyDatabase"<br> ],<br> privileges: []<br>}<br>) |
Note that the role names defined here correspond to the Samba groups I created with samba-tool. Also, you will need to add the same roles in the replicaset endpoint if you want your LDAP users to have these privileges when connecting to the replicaset directly.
Finally, exit the mongo console by typing exit and pressing Enter. Do the same to exit the pod as well.
Now, we can add the LDAP configuration to the config server. Our first test configuration is to supply the full DN when logging in so the configuration will be:
|
1 |
$ cat fulldn-config.yaml<br>security:<br> authorization: "enabled"<br> ldap:<br> authz:<br> queryTemplate: 'DC=percona,DC=local??sub?(&(objectClass=group)(member:={PROVIDED_USER}))'<br> servers: "192.168.0.101"<br> transportSecurity: none<br> bind:<br> queryUser: "CN=Search User01,CN=Users,DC=percona,DC=local"<br> queryPassword: "SearchPassword1"<br>setParameter:<br> authenticationMechanisms: 'PLAIN,SCRAM-SHA-1,SCRAM-SHA-256' |
Next, apply the configuration to the config servers:
|
1 |
$ kubectl create secret generic minimal-cluster-cfg-mongod --from-file=mongod.conf=fulldn-config.yaml |
Additionally, if you want to log in to the replica set with LDAP, you can apply the same configuration as well:
|
1 |
$ kubectl create secret generic minimal-cluster-rs0-mongod --from-file=mongod.conf=fulldn-config.yaml<br> |
As for mongos, you will still need to omit the settings for authorization because this will come from the config server:
|
1 |
$ cat fulldn-mongos-config.yaml <br>security:<br> ldap:<br> servers: "192.168.0.101"<br> transportSecurity: none<br> bind:<br> queryUser: "CN=Search User01,CN=Users,DC=percona,DC=local"<br> queryPassword: "SearchPassword1"<br>setParameter:<br> authenticationMechanisms: 'PLAIN,SCRAM-SHA-1,SCRAM-SHA-256' |
Then apply the configuration for mongos:
|
1 |
$ kubectl create secret generic minimal-cluster-mongos --from-file=mongos.conf=fulldn-mongos-config.yaml <br> |
One-by-one the pods will be recreated. Wait until all of them are recreated:
|
1 |
$ kubectl get pods<br>NAME READY STATUS RESTARTS AGE<br>percona-server-mongodb-operator-547c499bd8-p8k74 1/1 Running 0 24m<br>minimal-cluster-cfg-0 1/1 Running 0 4m27s<br>minimal-cluster-rs0-0 1/1 Running 0 3m34s<br>minimal-cluster-mongos-0 1/1 Running 0 65s<br> |
Now you can test authentication in one of the endpoints:
|
1 |
$ kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:5.0.11-10 --restart=Never -- mongo --host minimal-cluster-mongos -u "CN=Dba User01,CN=Users,DC=percona,DC=local" -p DbaPassword1 --authenticationDatabase '$external' --authenticationMechanism 'PLAIN' --eval "db.runCommand({connectionStatus:1})"<br><br>+ exec mongo --host minimal-cluster-mongos -u 'CN=Dba User01,CN=Users,DC=percona,DC=local' -p DbaPassword1 --authenticationDatabase '$external' --authenticationMechanism PLAIN --eval 'db.runCommand({connectionStatus:1})'<br>Percona Server for MongoDB shell version v5.0.11-10<br>connecting to: mongodb://minimal-cluster-mongos:27017/?authMechanism=PLAIN&authSource=%24external&compressors=disabled&gssapiServiceName=mongodb<br>Implicit session: session { "id" : UUID("7eca812d-ad04-4ae2-8484-3b55dee1a673") }<br>Percona Server for MongoDB server version: v5.0.11-10<br>{<br> "authInfo" : {<br> "authenticatedUsers" : [<br> {<br> "user" : "CN=Dba User01,CN=Users,DC=percona,DC=local",<br> "db" : "$external"<br> }<br> ],<br> "authenticatedUserRoles" : [<br> {<br> "role" : "CN=dbadmins,CN=Users,DC=percona,DC=local",<br> "db" : "admin"<br> },<br> {<br> "role" : "root",<br> "db" : "admin"<br> }<br> ]<br> }<br>}<br>pod "percona-client" deleted<br> |
As you can see above, the user,”CN=Dba User01,CN=Users,DC=percona,DC=local” has assumed the role as root. You can test other endpoints using these commands.
|
1 |
$ kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:5.0.11-10 --restart=Never -- mongo --host minimal-cluster-rs0 -u "CN=Dba User01,CN=Users,DC=percona,DC=local" -p DbaPassword1 --authenticationDatabase '$external' --authenticationMechanism 'PLAIN' --eval "db.runCommand({connectionStatus:1})"<br>$ kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:5.0.11-10 --restart=Never -- mongo --host minimal-cluster-cfg -u "CN=Dba User01,CN=Users,DC=percona,DC=local" -p DbaPassword1 --authenticationDatabase '$external' --authenticationMechanism 'PLAIN' --eval "db.runCommand({connectionStatus:1})"<br> |
Obviously, you may not want the users to authenticate with the full DN. Perhaps, you want the users to specify just the first CN. You can use match and substitution mapping for this:
|
1 |
$ cat mapping1-config.yaml <br>security:<br> authorization: "enabled"<br> ldap:<br> authz:<br> queryTemplate: 'DC=percona,DC=local??sub?(&(objectClass=group)(member:={USER}))'<br> servers: "192.168.0.101"<br> transportSecurity: none<br> bind:<br> queryUser: "CN=Search User01,CN=Users,DC=percona,DC=local"<br> queryPassword: "SearchPassword1"<br> userToDNMapping: >-<br> [<br> {<br> match: "(.+)",<br> substitution: "CN={0},CN=users,DC=percona,DC=local"<br> }<br> ]<br>setParameter:<br> authenticationMechanisms: 'PLAIN,SCRAM-SHA-1,SCRAM-SHA-256'<br><br>$ cat mapping1-mongos-config.yaml <br>security:<br> ldap:<br> servers: "192.168.0.101"<br> transportSecurity: none<br> bind:<br> queryUser: "CN=Search User01,CN=Users,DC=percona,DC=local"<br> queryPassword: "SearchPassword1"<br> userToDNMapping: >-<br> [<br> {<br> match: "(.+)",<br> substitution: "CN={0},CN=users,DC=percona,DC=local"<br> }<br> ]<br>setParameter:<br> authenticationMechanisms: 'PLAIN,SCRAM-SHA-1,SCRAM-SHA-256' |
You will need to delete the old configuration and apply the new ones:
|
1 |
$ kubectl delete secret minimal-cluster-cfg-mongod<br>$ kubectl delete secret minimal-cluster-rs0-mongod<br>$ kubectl delete secret minimal-cluster-mongos<br>$ kubectl create secret generic minimal-cluster-cfg-mongod --from-file=mongod.conf=mapping1-config.yaml<br>$ kubectl create secret generic minimal-cluster-rs0-mongod --from-file=mongod.conf=mapping1-config.yaml<br>$ kubectl create secret generic minimal-cluster-mongos --from-file=mongos.conf=mapping1-mongos-config.yaml<br> |
With userToDNMapping, match and substitution you can now just specify the first CN. Once all of the pods are restarted, try logging in with a shorter username:
|
1 |
$ kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:5.0.11-10 --restart=Never -- mongo --host minimal-cluster-mongos -u "Dba User01" -p DbaPassword1 --authenticationDatabase '$external' --authenticationMechanism 'PLAIN' --eval "db.runCommand({connectionStatus:1})"<br> |
Perhaps, it still seems awkward to have usernames with spaces and you would like to login based on other attributes such as sAMAccountName or mail. You can use an additional LDAP query in userToDBMapping to search for the record based on these properties. Once the record is found it will extract the user’s DN for authentication. For the example below, we will use sAMAccountName as input for the username:
|
1 |
$ cat mapping2-config.yaml <br>security:<br> authorization: "enabled"<br> ldap:<br> authz:<br> queryTemplate: 'DC=percona,DC=local??sub?(&(objectClass=group)(member:={USER}))'<br> servers: "192.168.0.101"<br> transportSecurity: none<br> bind:<br> queryUser: "CN=Search User01,CN=Users,DC=percona,DC=local"<br> queryPassword: "SearchPassword1"<br> userToDNMapping: >-<br> [<br> {<br> match: "(.+)",<br> ldapQuery: "dc=percona,dc=local??sub?(&(sAMAccountName={0})(objectClass=person))"<br> }<br> ]<br>setParameter:<br> authenticationMechanisms: 'PLAIN,SCRAM-SHA-1,SCRAM-SHA-256'<br> <br>$ cat mapping2-mongos-config.yaml <br>security:<br> ldap:<br> servers: "192.168.0.101"<br> transportSecurity: none<br> bind:<br> queryUser: "CN=Search User01,CN=Users,DC=percona,DC=local"<br> queryPassword: "SearchPassword1"<br> userToDNMapping: >-<br> [<br> {<br> match: "(.+)",<br> ldapQuery: "dc=percona,dc=local??sub?(&(sAMAccountName={0})(objectClass=person))"<br> }<br> ]<br>setParameter:<br> authenticationMechanisms: 'PLAIN,SCRAM-SHA-1,SCRAM-SHA-256' |
Again, we will need to delete the old configuration and apply new ones:
|
1 |
$ kubectl delete secret minimal-cluster-cfg-mongod<br>$ kubectl delete secret minimal-cluster-rs0-mongod<br>$ kubectl delete secret minimal-cluster-mongos<br>$ kubectl create secret generic minimal-cluster-cfg-mongod --from-file=mongod.conf=mapping2-config.yaml<br>$ kubectl create secret generic minimal-cluster-rs0-mongod --from-file=mongod.conf=mapping2-config.yaml<br>$ kubectl create secret generic minimal-cluster-mongos --from-file=mongos.conf=mapping2-mongos-config.yaml<br> |
Once the pods are recreated, we can now authenticate with regular usernames.
|
1 |
$ kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:5.0.11-10 --restart=Never -- mongo --host minimal-cluster-mongos -u devuser01 -p DevPassword1 --authenticationDatabase '$external' --authenticationMechanism 'PLAIN' --eval "db.runCommand({connectionStatus:1})"<br><br>$ kubectl run -i --rm --tty percona-client --image=percona/percona-server-mongodb:5.0.11-10 --restart=Never -- mongo --host minimal-cluster-mongos -u dbauser01 -p DbaPassword1 --authenticationDatabase '$external' --authenticationMechanism 'PLAIN' --eval "db.runCommand({connectionStatus:1})"<br> |
I hope this article gets you up to speed on setting up LDAP authentication and authorization with Percona Operator for MongoDB.
Resources
RELATED POSTS
