Percona Server for MongoDB currently has several external authentication options, such as LDAP with SASL, LDAP, Kerberos, and AWS IAM. What is amazing is that SASL can authenticate with Pluggable Authentication Modules (PAM) too. This means that you still have additional external authentication options to choose from through PAM libraries.
For a quick demonstration of PAM authentication in Oracle Enterprise Linux 9, we will authenticate with Unix users using the pam_unix.so module since this is already built-in. You can also search previous articles in the Percona blog for other examples of using PAM with different modules to authenticate to WindowsAD, Samba, Google Authenticator, and LDAP. These solutions should work as well with SASL with minimal adjustments.
Setting up the Unix users:
1. Use useradd to add the users:
1 2 | # useradd devuser01 # useradd dbauser01 |
2. Use passwd to change the passwords of the users:
1 2 3 4 5 6 7 8 9 10 11 | # passwd devuser01 Changing password for user devuser01. New password: Retype new password: passwd: all authentication tokens updated successfully. # passwd dbauser01 Changing password for user dbauser01. New password: Retype new password: passwd: all authentication tokens updated successfully. |
Setting up SASL to authenticate via PAM with mongodb service:
1. Install cyrus-sasl and cyrus-sasl-plain packages:
1 | # yum -y install cyrus-sasl cyrus-sasl-plain |
2. Start saslauthd and ensure it runs when the OS is restarted:
1 2 | # systemctl start saslauthd # systemctl enable saslauthd |
By default, saslauthd authenticates to PAM modules.
1 2 3 4 5 6 7 | # ps aux|grep saslauthd root 7597 0.0 0.0 12620 768 ? Ss 15:07 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam root 7598 0.0 0.0 12620 792 ? S 15:07 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam root 7599 0.0 0.0 12620 792 ? S 15:07 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam root 7600 0.0 0.0 12620 792 ? S 15:07 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam root 7601 0.0 0.0 12620 792 ? S 15:07 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam root 7603 0.0 0.1 6408 2164 pts/0 R+ 15:07 0:00 grep --color=auto saslauthd |
We just need to add the PAM service for MongoDB to authenticate with Unix users.
3. To create the PAM service for MongoDB, create a file called /etc/pam.d/mongodb with this content:
1 2 3 | auth required pam_warn.so auth required pam_unix.so audit account required pam_unix.so audit |
4. Test authentication by supplying the username and password of the Unix users and service mongodb which we configured above with testsaslauthd:
1 2 3 4 5 6 7 8 | # testsaslauthd -u devuser01 -p TheRightPassword2024 -s mongodb 0: OK "Success." # testsaslauthd -u devuser01 -p TheWrongPassword2024 -s mongodb 0: NO "authentication failed" # testsaslauthd -u dbauser01 -p TheRightPassword2024 -s mongodb 0: OK "Success." # testsaslauthd -u dbauser01 -p TheWrongPassword2024 -s mongodb 0: NO "authentication failed" |
Setting up MongoDB configuration with SASL
1. Install and start Percona Server for MongoDB and ensure it starts when the OS is restarted:
1 2 3 4 5 | # yum install -y https://repo.percona.com/yum/percona-release-latest.noarch.rpm # percona-release setup psmdb-70 -y # yum -y install percona-server-mongodb # systemctl enable mongod # systemctl start mongod |
2. Create the Unix users in the $external database of MongoDB:
1 2 3 4 5 | # mongosh > use $external > db.createUser({user: "dbauser01",roles: [{role: "root", db: "admin"}]}) > db.createUser({user: "devuser01",roles: [{role: "readWrite", db: "test"}]}) > exit |
3. Create /etc/sasl2/mongodb.conf to integrate MongoDB with SASL. Ensure that the file is accessible by MongoDB:
1 2 3 4 5 6 7 8 | # cat /etc/sasl2/mongodb.conf pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux log_level: 5 mech_list: plain # chown mongod:mongod /etc/sasl2/mongodb.conf # chmod 640 /etc/sasl2/mongodb.conf |
4. Edit /etc/mongodb.conf and append the following at the bottom of the configuration file to allow MongoDB to authenticate in plaintext format and use SASL:
1 2 3 4 | setParameter: authenticationMechanisms: PLAIN,SCRAM-SHA-1,SCRAM-SHA-256 security: authorization: enabled |
5. Restart MongoDB for the configuration changes to take effect:
1 | # systemctl restart mongod |
6. Test login with MongoDB and Unix User:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | # mongosh --authenticationMechanism=PLAIN --authenticationDatabase='$external' --username devuser01 Enter password: *********** test> db.runCommand({connectionStatus : 1}) { authInfo: { authenticatedUsers: [ { user: 'devuser01', db: '$external' } ], authenticatedUserRoles: [ { role: 'readWrite', db: 'test' } ] }, ok: 1 } test> exit # mongosh --authenticationMechanism=PLAIN --authenticationDatabase='$external' --username dbauser01 Enter password: *********** test> db.runCommand({connectionStatus : 1}) { authInfo: { authenticatedUsers: [ { user: 'dbauser01', db: '$external' } ], authenticatedUserRoles: [ { role: 'root', db: 'admin' } ] }, ok: 1 } test> exit |
Voila! Now, users can authenticate with PAM modules!
Take note that since we used PLAIN(text) as the authentication mechanism in MongoDB, you need to make sure that users connect to MongoDB over TLS/SSL. You also need to ensure that transport from SASL to the external authentication backend is secure as well. For other security considerations, it would be best to consult with your security administrators or consider Percona Professional Services.
Percona Distribution for MongoDB is a source-available alternative for enterprise MongoDB. A bundling of Percona Server for MongoDB and Percona Backup for MongoDB, Percona Distribution for MongoDB combines the best and most critical enterprise components from the open source community into a single feature-rich and freely available solution.
Download Percona Distribution for MongoDB Today!
