By the end of this article, you should be able to have a Percona Server for MongoDB and Percona Server for MySQL instance able to authenticate on an OpenLDAP backend. While this is mostly aimed at testing scenarios, it can be easily extended for production by following the OpenLDAP production best practices i.e. attending to security and high availability.
The first step is to install OpenLDAP via the slapd package in Ubuntu.
|
1 |
sudo apt update<br>sudo apt install slapd ldap-utils |
During installation, it will ask you for a few things listed below:
All these values are arbitrary, you can choose whatever suits your organization—especially the password.
Once slapd is running, we can create our logical groups and actual users on the LDAP server. To make it simple, we use LDIF files instead of GUIs. Our first file, perconadba.ldif contains our perconadba group definition. Take note of the root name part dc=ldap,dc=local it is simply the broken down value of our DNS Domain Name during the installation of slapd .
|
1 |
dn: ou=perconadba,dc=ldap,dc=local<br>objectClass: organizationalUnit<br>ou: perconadba |
We can add this definition into LDAP with the command shown below. With the -W option, it will prompt you for a password.
|
1 |
ldapadd -x -W -D "cn=admin,dc=ldap,dc=local" -f perconadba.ldif |
The next step is to create our user in LDAP, this user will be looked up by both MongoDB and MySQL during authentication to verify their password. Our LDIF file ( percona.ldif ) would look like this:
|
1 |
dn: uid=percona,ou=perconadba,dc=ldap,dc=local<br>objectClass: top<br>objectClass: account<br>objectClass: posixAccount<br>objectClass: shadowAccount<br>cn: percona<br>uid: percona<br>uidNumber: 1100<br>gidNumber: 100<br>homeDirectory: /home/percona<br>loginShell: /bin/bash<br>gecos: percona<br>userPassword: {crypt}x<br>shadowLastChange: -1<br>shadowMax: -1<br>shadowWarning: -1 |
The -1 values for the shadow* fields are important, we set them to negative to mean the password shadow does not expire. If these are set to zero (0), then MySQL will not be able to authenticate since PAM will complain that the password has expired and needs to be changed.
We can then add this user into LDAP, again the command below will ask for the admin password we entered during slapd’s installation.
|
1 |
ldapadd -x -W -D "cn=admin,dc=ldap,dc=local" -f percona.ldif |
To verify, we can search for the user we just entered using the command below. Notice we used the -w parameter to specify the admin password inline.
|
1 |
ldapsearch -x -D 'cn=admin,dc=ldap,dc=local' -w percona <br> -b 'ou=perconadba,dc=ldap,dc=local' '(uid=percona)' |
As last step on setting up our LDAP user properly is to give it a valid password. The -s parameter below is the actual password we will set for this user.
|
1 |
ldappasswd -s percona -D "cn=admin,dc=ldap,dc=local" -w percona <br> -x "uid=percona,ou=perconadba,dc=ldap,dc=local" |
At this point you should have a generic LDAP server that should work for both MongoDB and MySQL.
To make this work for a MySQL and support PAM authentication, take note of the following configuration files. Instructions on setting up PAM for MySQL is aplenty on this blog I just need to specify Ubuntu Bionic specific configuration files to make it work.
The only important difference with this configuration—compared to Jaime’s post for example—is the values for filter . If you are using Windows Active Directory, the map values are also important (posixAccount objectClass has been deprecated on recent release of Windows Active Directory).
|
1 |
uid nslcd<br>gid nslcd<br><br>uri ldap:///localhost<br>base ou=perconadba,dc=ldap,dc=local<br><br>filter passwd (&(objectClass=account)(objectClass=posixAccount))<br>filter group (&(objectClass=shadowAccount)(objectClass=account))<br>map passwd uid uid<br>map passwd uidNumber uidNumber<br>map passwd gidNumber gidNumber<br>map passwd homeDirectory "/home/$uid"<br>map passwd gecos uid<br>map passwd loginShell "/bin/bash"<br>map group gidNumber gidNumber<br><br>binddn cn=admin,dc=ldap,dc=local<br>bindpw percona<br>tls_cacertfile /etc/ssl/certs/ca-certificates.crt<br> |
Also for nsswitch.conf, make sure that passwd, group and shadow does LDAP lookups.
|
1 |
...<br>passwd: compat systemd ldap<br>group: compat systemd ldap<br>shadow: compat systemd ldap<br>gshadow: files ldap<br>... |
Adamo’s excellent post on MongoDB LDAP Authentication has all the details on configuring MongoDB itself. To complement that, if you use this LDAP test setup, you need the take note of the following configuration files with specific differences.
In the mongod.conf configuration file, I explicitly added the saslauthd socket path.
|
1 |
security:<br> authorization: enabled<br><br>setParameter:<br> saslauthdPath: /var/run/saslauthd/mux<br> authenticationMechanisms: PLAIN,SCRAM-SHA-1 |
For the saslauthd daemon configuration, the configuration has no actual difference – just take note I used differing values based on the LDAP setup above. Specifically, the ldap_filter and ldap_search_base are key options here which are concatenated during an LDAP search to come up with the percona user’s account information.
|
1 |
ldap_servers: ldap://localhost:389/<br>ldap_search_base: ou=perconadba,dc=ldap,dc=local<br>ldap_filter: (uid=%u)<br># Optional: specify a user to perform ldap queries<br>ldap_bind_dn: CN=admin,DC=ldap,DC=local<br># Optional: specify ldap user's passwordi<br>ldap_password: percona |
Enterprise quality features should not be complex and expensive. Tell us about your experience with our software and external authentication in the comments below!
Resources
RELATED POSTS
