MongoDB Security: Using LDAP Authentication

In this blog post, we’ll focus on MongoDB security and discuss how to configure Percona Server for MongoDB to authenticate a user with an LDAP server.

It is important to mention that Percona Server for MongoDB features LDAP authentication free of charge for everyone in all our versions. This feature is not available in the MongoDB Community versions. Make sure you’re using https://www.percona.com/software/mongo-database/percona-server-for-mongodb.

But what is LDAP, and how does it can help me with MongoDB security and provide a secure environment.

LDAP stands for Lightweight Directory Access Protocol, and it is a protocol to talk to a domain controller to provide authentication and/or authorization to users in a centralized way. It means that a user has only one single password to sign-in to multiple services. User management is centralized and maintained by a team. It is really not as simple as that, but we’re going to consider only this functionality for this blog. For more information about LDAP, please see: https://www.openldap.org/doc/admin24/

Before running MongoDB, we need to configure a few packages. For the next step, we are using a pre-existing domain called perconatest.com, running on machine ldapserver.perconatest.com with the USA organization group and one user called support1.

The first package you need to install is sasl2-bin or cyrus-sasl (depending on your OS). This package talks to the LDAP server in order to validate if a user password is valid, and Percona Server for MongoDB requires it.

Once we install (in this case) the cyrus package, we create/edit a few config files:

1. Edit the /etc/default/saslauthd. Change enable auto-start yes and the auth mechanisms to LDAP:
   
   Shell

   Start=yes<br>MECHANISMS="ldap"

   1	Start=yes<br>MECHANISMS="ldap"

   
   This change auto-starts the saslauthd process, and configures its auth mechanisms to ldap.
2. If the installation hasn’t created a file on /etc/saslauthd.conf, please create one with the following values:
   
   
   Shell

   ldap_servers: ldap://ldapserver.perconatest.com:389<br>ldap_search_base: ou=database,dc=perconatest,dc=com<br>ldap_filter: (uid=%u)

   1	ldap_servers: ldap://ldapserver.perconatest.com:389<br>ldap_search_base: ou=database,dc=perconatest,dc=com<br>ldap_filter: (uid=%u)

   
   This file means the sasauthd daemon tries to connect to the specified domain and run a search for the user we’ve passed as an argument in the USA Organizational Group. It is possible to run an LDAP server with a secure connection, but it is out of the scope of this blog post.

   &nbsp;

3. With that configuration done, the following test must result in an OK (confirming the cyrus package is correctly configured):
   
   Shell

   $ > sudo testsaslauthd -u support1 -p 1234 -f /var/run/saslauthd/mux<br>0: OK "Success."

   1	$ > sudo testsaslauthd -u support1 -p 1234 -f /var/run/saslauthd/mux<br>0: OK "Success."

If the steps above returned an “OK”, we are good to configure MongoDB to accept LDAP authentication.

It is important to mention this integration only authenticates the users. The authorization process is still on the database layer. This is why we need to create the user using the $external database in the following commands.

In order to setup MongoDB, please follow the next steps:

1. Download the latest Percona Server for MongoDB version here:
   
   Shell

   wget https://www.percona.com/downloads/percona-server-mongodb-LATEST/percona-server-mongodb-3.4.9-2.9/binary/tarball/percona-server-mongodb-3.4.9-2.9-xenial-x86_64.tar.gz<br>--2017-11-05 19:34:19-- https://www.percona.com/downloads/percona-server-mongodb-LATEST/percona-server-mongodb-3.4.9-2.9/binary/tarball/percona-server-mongodb-3.4.9-2.9-xenial-x86_64.tar.gz<br>Resolvendo www.percona.com (www.percona.com)... 74.121.199.234<br>Conectando-se a www.percona.com (www.percona.com)|74.121.199.234|:443... conectado.

   1

   wget https://www.percona.com/downloads/percona-server-mongodb-LATEST/percona-server-mongodb-3.4.9-2.9/binary/tarball/percona-server-mongodb-3.4.9-2.9-xenial-x86_64.tar.gz<br>--2017-11-05 19:34:19-- https://www.percona.com/downloads/percona-server-mongodb-LATEST/percona-server-mongodb-3.4.9-2.9/binary/tarball/percona-server-mongodb-3.4.9-2.9-xenial-x86_64.tar.gz<br>Resolvendo www.percona.com (www.percona.com)... 74.121.199.234<br>Conectando-se a www.percona.com (www.percona.com)|74.121.199.234|:443... conectado.

2. Configure the mongod.conf file into the /etc/sasl2 folder (as root):
   
   Shell

   # mkdir -p /etc/sasl2<br># echo 'pwcheck_method: saslauthd<br>saslauthd_path: /var/run/saslauthd/mux<br>log_level: 5<br>mech_list: plain' > /etc/sasl2/mongodb.conf

   1	# mkdir -p /etc/sasl2<br># echo 'pwcheck_method: saslauthd<br>saslauthd_path: /var/run/saslauthd/mux<br>log_level: 5<br>mech_list: plain' > /etc/sasl2/mongodb.conf

3. Edit mongodb config, or add startup parameters in order to use the sasauthd library to validate the users and passwords. If using a config file:
   
   Shell

   setParameter:<br>   authenticationMechanisms: PLAIN,SCRAM-SHA-1

   1	setParameter:<br>   authenticationMechanisms: PLAIN,SCRAM-SHA-1

   
   If using startup parameters:
   
   Shell

   --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-1

   1	--setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-1

   
   Make sure the authentication is configured to on. We wrote a blog post about it a few months ago.
4. Create the first user as root. Considering the process is up and running, we need to create an administrator user. For this example, we will create a root user called admin with a “root” role (meaning this user can perform any operation in the database):
   
   Shell

   mongo<br>> use admin<br>> db.createUser({user : 'admin', pwd: '1234', roles :['root']})

   1	mongo<br>> use admin<br>> db.createUser({user : 'admin', pwd: '1234', roles :['root']})

5. Create the standard user using LDAP authentication. There is no password saved on the admin database when we perform the next operation. The following command creates a user based on LDAP, and the password verification is performed outside of the database. The cyrus library either answers OK or NOK for the validation and the authorization document (roles) is still managed by the database:
   
   Shell

   use admin<br>> db.auth('admin','1234')<br><br>1<br>> db.getSiblingDB("$external").createUser({<br>user : 'support1',<br>roles: [ {role : "read", db: 'percona'} ]<br>})<br><br>Successfully added user: {<br>"user" : "support1", <br>"roles" : [<br>  {<br>    "role" : "read",<br>    "db" : "percona" <br>}<br>  ]<br>}

   1

   use admin<br>> db.auth('admin','1234')<br><br>1<br>> db.getSiblingDB("$external").createUser({<br>user : 'support1',<br>roles: [ {role : "read", db: 'percona'} ]<br>})<br><br>Successfully added user: {<br>"user" : "support1", <br>"roles" : [<br>  {<br>    "role" : "read",<br>    "db" : "percona" <br>}<br>  ]<br>}

6. Test the user. Use the following command to log in using an LDAP user. Please notice the digestPassword is false, as the database calls another process to validate the user account:
   
   Shell

   db.getSiblingDB("$external").auth(<br>... {<br>... mechanism: "PLAIN",<br>... user: 'support1',<br>... pwd: '1234',<br>... digestPassword: false<br>... }<br>... )<br>1

   1	db.getSiblingDB("$external").auth(<br>... {<br>... mechanism: "PLAIN",<br>... user: 'support1',<br>... pwd: '1234',<br>... digestPassword: false<br>... }<br>... )<br>1

Configuring MongoDB security (and specifically Percona Server for MongoDB) to use LDAP is very straightforward, and this setup can help you have a more secure environment – with passwords managed by a central domain.

I hope you find this article useful! Please feel free to contact me @AdamoTonete or @percona on Twitter anytime!

If you’ve never worked with those technologies before, don’t miss our webinar on Wednesday, November 8, 2017. We are going to configure an LDAP and Percona Server for MongoDB to work together from scratch!