Mongo Authentication - Replica Set

Client Authentication: LDAP
Internal Authentication: Keyfile
Operating System: Linux
In this procedure, you will configure a MongoDB replica set with three members using LDAP authentication for clients and keyfile authentication among members. LDAP authentication is available only in the Enterprise Edition of MongoDB. This procedure does not make use of the saslauthd utility. It uses the operating system libraries.
Prerequisites:
• Set up a virtual machine running the LDAP server, with users added to the directory.
• Start this virtual machine.
• The replica set has been configured and a user with the root role has been added.
1. Create three configuration files that specify LDAP authentication. (See the example configuration file with authentication at the end of this page.)
2. Restart the mongod members without authentication:
   mongod -f init1.yaml
   mongod -f init2.yaml
   mongod -f init3.yaml
3. Log into the primary member with the MongoDB shell:
   mongo --port 31210 --host mongodb.waysysweb.us.com
   Note: Be sure to log into the primary member of the replica set.
4. Authenticate with these commands:
   use admin
   db.auth('userAdmin', 'badges')
5. Create the user administration role in MongoDB. The role name must be the distinguished name of the corresponding group in LDAP, because each group DN returned by the authz query for a user is looked up as a role of exactly that name:
   use admin
   var rl = {role: "cn=SecOff,ou=Groups,dc=waysysweb,dc=us,dc=com", privileges: [], roles: [{role: "userAdminAnyDatabase", db: "admin"}] }
   db.createRole(rl)
6. Shut down the mongod members with the command: killall mongod
7. Restart the members with the authentication configuration files:
   mongod -f cc1.yaml --auth
   mongod -f cc2.yaml --auth
   mongod -f cc3.yaml --auth
8. Log into the MongoDB shell:
   mongo --port 31210 --host mongodb.waysysweb.us.com
9. Authenticate to MongoDB against the $external database. The mechanism attribute must be set to "PLAIN":
   db.getSiblingDB("$external").auth(
     {
       mechanism: "PLAIN",
       user: "uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com",
       pwd: "secret",
       digestPassword: false
     }
   )
You can check that MongoDB is configured to use LDAP with the mongoldap command, where cc1.yaml is a mongod configuration file. Use the full distinguished name of a user in the LDAP directory:
   mongoldap --config cc1.yaml --user 'uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com' --password secret
• In this example user names are not transformed, so you must use the full distinguished name of the user when logging in.
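As an added check that is not part of the original procedure, the following shell script reproduces with ldapsearch the group lookup that mongod performs for a user under the security.ldap settings of the configuration file on this page (server, bind user and queryTemplate are taken from that file; the user DN is the one used in step 9). Because transportSecurity is none, it connects over plain ldap:// exactly as mongod does, so the bind password crosses the network in cleartext.

```sh
#!/bin/sh
# Added example (not part of the original procedure): expands the mongod
# security.ldap.authz.queryTemplate for a user DN and prints the equivalent
# ldapsearch invocation, so the group lookup mongod performs can be checked
# by hand. Requires the OpenLDAP client tools to actually run the command.

LDAP_SERVER='ldap.waysysweb.us.com:389'
QUERY_USER='cn=admin,dc=waysysweb,dc=us,dc=com'
QUERY_TEMPLATE='dc=waysysweb,dc=us,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))'

# expand_template USER_DN: substitutes the user's DN for {USER} in the template.
# Pure parameter expansion, so '&', '/' or '\' in the DN need no escaping.
expand_template() {
  prefix=${QUERY_TEMPLATE%%\{USER\}*}
  suffix=${QUERY_TEMPLATE#*\{USER\}}
  printf '%s\n' "${prefix}$1${suffix}"
}

# url_field N URL: field N (1-based) of an RFC 4516 query, base?attrs?scope?filter.
url_field() {
  printf '%s\n' "$2" | cut -d'?' -f"$1"
}

# ldapsearch_cmd USER_DN: prints the ldapsearch command equivalent to the
# expanded template. -W prompts for the bind password instead of putting it
# on the command line, where other users on the host could read it.
ldapsearch_cmd() {
  q=$(expand_template "$1")
  base=$(url_field 1 "$q")
  attrs=$(url_field 2 "$q")
  scope=$(url_field 3 "$q")
  filter=$(url_field 4 "$q")
  [ -n "$scope" ] || scope=base   # RFC 4516 default scope
  [ -n "$attrs" ] || attrs=1.1    # "1.1" = return no attributes, only the group DNs
  printf "ldapsearch -H ldap://%s -D '%s' -W -b '%s' -s %s '%s' %s\n" \
    "$LDAP_SERVER" "$QUERY_USER" "$base" "$scope" "$filter" "$attrs"
}

# Every "dn:" line the search returns must exist verbatim as a role name in the
# admin database (step 5); otherwise the user authenticates but has no privileges.
ldapsearch_cmd 'uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com'
```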
Example configuration file with authentication:
systemLog:
  destination: file
  path: /home/vagrant/data/r0/mongodb.log
storage:
  dbPath: /home/vagrant/data/r0
processManagement:
  fork: true
security:
  # Internal (member-to-member) authentication uses the shared keyfile.
  clusterAuthMode: keyFile
  keyFile: /home/vagrant/mk
  ldap:
    servers: "ldap.waysysweb.us.com:389"
    authz:
      # RFC 4516 LDAP URL (base?attributes?scope?filter). {USER} is replaced with
      # the authenticated user's DN; each group DN the query returns is looked up
      # as a role name in the admin database (see step 5).
      queryTemplate: "dc=waysysweb,dc=us,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
    bind:
      # Account mongod binds with to run the authz query. Its password is stored
      # in cleartext here, so restrict read access to this file.
      queryUser: "cn=admin,dc=waysysweb,dc=us,dc=com"
      queryPassword: "jamaica"
      method: "simple"
    # No TLS to the LDAP server: the simple-bind password and the PLAIN user
    # credentials that mongod forwards cross the network in cleartext.
    transportSecurity: none
net:
  bindIp: mongodb.waysysweb.us.com
  port: 31210
replication:
  replSetName: repl
setParameter:
  authenticationMechanisms: PLAIN