
Configuring MongoDB to authenticate user's password via Linux PAM


I'm looking for a way to configure MongoDB to use Linux PAM to manage user passwords. This way when a user changes their password, it doesn't have to be manually updated in Mongodb.

Searching for help for this online only returns one result which is a blog article that mentions this is possible but doesn't describe how this is done.


The official documentation skips over setting up PAM and talks about LDAP.

How can I configure Mongodb to authenticate db users via Linux PAM?


Solution

  • Unfortunately, MongoDB authentication using PAM Linux seems to be configurable only in MongoDB Enterprise Edition.

    This is because PAM Authentication requires the PLAIN Authentication Mechanism, available only in MongoDB Enterprise Edition as mentioned in the documentation:

    PLAIN (LDAP SASL) External authentication using LDAP. You can also use PLAIN for authenticating in-database users. PLAIN transmits passwords in plain text. This mechanism is available only in MongoDB Enterprise.

    BTW, in MongoDB Enterprise Edition, you can enable PAM Authentication using the following (tested on Debian Stretch):

    Install saslauthd

    apt-get install sasl2-bin

    vi /etc/default/saslauthd

    START=yes
    

    /etc/init.d/saslauthd restart

    At this step you may test your sasl configuration with ("myuser" is your unix user):

    testsaslauthd -u <myuser> -p <SecretPassword>

    This should output a success message:

    0: OK "Success."
    

    Create a MongoDB user "myuser"

    Replace "myuser" with the user with whom you want to authenticate.

    mongo admin

    db.getSiblingDB("$external").createUser(
        {
          user : "myuser",
          roles: [ { role: "read", db: "mydb" } ]
        }
    )
    

    Configure MongoDB to enable PLAIN Authentication Mechanism

    vi /etc/mongod.conf

    security:
      authorization: enabled
    
    setParameter:
      authenticationMechanisms: PLAIN,MONGODB-X509,SCRAM-SHA-1,SCRAM-SHA-256
    

    You should add the (Linux) mongodb user to the sasl group (this makes sure that MongoDB has the permission to access saslauthd)

    adduser mongodb sasl

    Restart mongod

    systemctl restart mongod.service

    Connect to MongoDB

    Now, on MongoDB Enterprise, you should be able to authenticate using your Linux username/pwd:

    mongo --authenticationMechanism=PLAIN --authenticationDatabase='$external' -u myuser mydb

    MongoDB shell version v4.0.7
    connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
    Implicit session: session { "id" : UUID("********-****-****-****-************") }
    MongoDB server version: 4.0.7
    MongoDB Enterprise > 
    

    On MongoDB Community Edition, it sadly fails with an "Unsupported mechanism" error:

    MongoDB shell version v4.0.7
    connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
    2019-03-25T18:26:51.307+0100 E QUERY    [js] Error: Unsupported mechanism 'PLAIN' on authentication database '$external' :
    connect@src/mongo/shell/mongo.js:343:13
    @(connect):3:6
    exception: connect failed
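The answer above is a sequence of manual steps that each have a visible pass/fail signal (the `modules:` line of `mongod --version`, the `0: OK "Success."` line from `testsaslauthd`, the `authenticationMechanisms` entry in `mongod.conf`, and membership of the `mongodb` user in the `sasl` group). The preflight script below is an added example, not part of the original answer; all function names are made up, and it assumes a Linux host with `mongod` and `testsaslauthd` on the PATH. Because PLAIN sends the password unencrypted, the URI builder turns TLS on by default.

```python
"""Preflight checks for the PAM/PLAIN setup described in the answer above.
Added example (not from the original answer); helper names are hypothetical."""
import grp
import re
import subprocess
from urllib.parse import quote


def is_enterprise(version_output: str) -> bool:
    """True if `mongod --version` reports the enterprise module (PLAIN needs it)."""
    return bool(re.search(r"^modules:.*\benterprise\b", version_output, re.M))


def mechanisms_from_conf(conf_text: str) -> list:
    """Parse setParameter.authenticationMechanisms out of mongod.conf text."""
    m = re.search(r"^\s*authenticationMechanisms:\s*([\w,-]+)", conf_text, re.M)
    return m.group(1).split(",") if m else []


def plain_enabled(conf_text: str) -> bool:
    return "PLAIN" in mechanisms_from_conf(conf_text)


def saslauthd_ok(testsaslauthd_output: str) -> bool:
    """testsaslauthd prints '0: OK "Success."' on success and '0: NO ...' otherwise."""
    return testsaslauthd_output.strip().startswith("0: OK")


def mongodb_in_sasl_group(user: str = "mongodb", group: str = "sasl") -> bool:
    """mongod must be able to reach the saslauthd socket: check group membership."""
    try:
        return user in grp.getgrnam(group).gr_mem
    except KeyError:
        return False


def build_uri(host: str, user: str, password: str, db: str, tls: bool = True) -> str:
    """PLAIN transmits the password in clear text, so TLS is enabled by default."""
    return (f"mongodb://{quote(user, safe='')}:{quote(password, safe='')}@{host}/{db}"
            f"?authMechanism=PLAIN&authSource={quote('$external', safe='')}"
            + ("&tls=true" if tls else ""))


def run_checks(user: str, password: str, conf: str = "/etc/mongod.conf") -> dict:
    """Run every check against the live host (testsaslauthd usually needs root)."""
    ver = subprocess.run(["mongod", "--version"], capture_output=True, text=True).stdout
    sasl = subprocess.run(["testsaslauthd", "-u", user, "-p", password],
                          capture_output=True, text=True).stdout
    with open(conf) as f:
        conf_text = f.read()
    return {"enterprise": is_enterprise(ver), "saslauthd": saslauthd_ok(sasl),
            "plain_in_conf": plain_enabled(conf_text),
            "mongodb_in_sasl": mongodb_in_sasl_group()}
```

A `False` for `enterprise` explains the `Unsupported mechanism 'PLAIN'` error shown above before any other step is attempted.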