
LDAP Authorization


  • LDAP Authorization

    I was able to set up LDAP authentication with Active Directory (thanks to Jim - see linked article).
    The problem now is authorization for external users.
    I created an external user in this way:

    user : 'ext_test_user',
    roles: [ {role : "read", db: 'percona'} ]
    and now I can also drop the PERCONA database!!!

    Is there a way to manage authorization for LDAP external users?

  • #2
    Hello MaxCor,
    Please make sure you've logged in and performed the authentication with the user ext_test_user.
    You can test it by running:

    db.runCommand({connectionStatus : 1}).authInfo

    {
      "authenticatedUsers" : [
        {
          "user" : "utest",
          "db" : "$external"
        }
      ],
      "authenticatedUserRoles" : [
        {
          "role" : "read",
          "db" : "percona"
        }
      ]
    }

    Following the step-by-step Jim sent, after user creation you must log out and log in again with the ext_test_user:

    > mongo
    > use admin
    switched to db admin
    > db.getSiblingDB("$external").auth(
    ... {
    ... mechanism: "PLAIN",
    ... user: 'utest',
    ... pwd: '123',
    ... digestPassword: false
    ... }
    ... )
    1

    Then when we try to drop the database the following message is expected:

    > use percona
    switched to db percona
    > db.dropDatabase()
    {
      "ok" : 0,
      "errmsg" : "not authorized on percona to execute command { dropDatabase: 1.0 }",
      "code" : 13,
      "codeName" : "Unauthorized"
    }

    If you are still seeing this problem please share the mongod --version along with db.getUser('ext_test_user') for a detailed investigation.

    Regards,
    Adamo
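
One way to act on the connectionStatus check from reply #2, as an added example that is not part of the thread: the function below flags a connection that is unauthenticated, authenticated as someone other than the expected $external user, or carrying roles beyond the ones granted. The name auditAuthInfo and the sample documents are assumptions constructed for illustration; the first sample mirrors the output shown in the reply.

```javascript
// Added example (not from the thread). auditAuthInfo is a hypothetical helper
// that inspects the authInfo document from db.runCommand({connectionStatus: 1}).
function auditAuthInfo(authInfo, expected) {
  const findings = [];
  const users = authInfo.authenticatedUsers || [];
  const roles = authInfo.authenticatedUserRoles || [];
  const roleKey = (r) => `${r.role}@${r.db}`;

  // No authenticated user: if access control is disabled on the server,
  // such a connection is not restricted by any role.
  if (users.length === 0) {
    findings.push("connection is not authenticated");
  }
  // LDAP users live in $external; any other entry is a different identity.
  let sawExpected = false;
  for (const u of users) {
    if (u.user === expected.user && u.db === "$external") {
      sawExpected = true;
    } else {
      findings.push(`authenticated as other user ${u.user}@${u.db}`);
    }
  }
  if (users.length > 0 && !sawExpected) {
    findings.push(`expected user ${expected.user}@$external is not authenticated`);
  }
  // Roles on the connection that were not granted to the external user.
  const granted = new Set(expected.roles.map(roleKey));
  for (const r of roles) {
    if (!granted.has(roleKey(r))) findings.push(`unexpected role ${roleKey(r)}`);
  }
  return findings;
}

// Constructed sample documents (not captured from a real server).
const expected = { user: "utest", roles: [{ role: "read", db: "percona" }] };
const clean = {
  authenticatedUsers: [{ user: "utest", db: "$external" }],
  authenticatedUserRoles: [{ role: "read", db: "percona" }],
};
const stillAdmin = {
  authenticatedUsers: [{ user: "admin", db: "admin" }],
  authenticatedUserRoles: [{ role: "root", db: "admin" }],
};
const anonymous = { authenticatedUsers: [], authenticatedUserRoles: [] };

for (const [name, doc] of Object.entries({ clean, stillAdmin, anonymous })) {
  console.log(name, auditAuthInfo(doc, expected));
}
```

An empty result means the session matches the expected user and roles; in the shell, pass db.runCommand({connectionStatus : 1}).authInfo as the first argument.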


    • #3
      Hi Adamo,
      frankly speaking I can't reproduce the error.
      It is simply fixed now.
      Probably I was doing something wrong...

      Anyway, thank you for your reply.
      I can confirm it is working.