MongoDB LDAP and Kerberos Authentication with Dell (Quest) Authentication Services

Alex Komyagin
January 27, 2015 | Updated: June 3, 2015
#Technical

By Alex Komyagin @MongoDB with the help of Kyle Robinson @Dell January 2015, NYC

Overview

Dell (formerly Quest) identity and access management software helps to solve security and administration issues inherent in Unix-based systems. The Privileged Access Suite product consolidates and unifies Unix, Linux, and Mac OS X identities, giving users centralized authentication and single sign-on with Microsoft Active Directory.

Since version 2.6, MongoDB Enterprise supports authentication with Microsoft Active Directory Services using LDAP and Kerberos protocols. On Linux systems that are using Dell Privileged Access Suite it is now possible to integrate MongoDB into the existing infrastructure through the 3-step integration process described in this post.

Requirements

  • Existing Active Directory domain
  • Linux server
  • MongoDB Enterprise 2.6 or greater
  • Quest Authentication Services (QAS) version 4.1.0 or greater (part of the Privileged Access Suite distribution)
All further MongoDB commands in this paper are given for the latest stable release, MongoDB 2.6. The Linux OS used is RHEL6.5. The Quest Authentication Services version is 4.1.0.21267.

Setup procedure

Preparing a new MongoDB Linux server
I assume you already have QAS installed and configured on your production systems. For the purposes of this tutorial, I will cover the most basic steps needed to set everything up on a standalone Linux system:

1. Configure hostname and DNS resolution
For QAS and MongoDB Enterprise to function properly you must set a hostname on the system and make sure it’s configured to use the proper Active Directory-aware DNS server instance IP address. You can update the hostname using commands that resemble the following:

<pre> <b>$ sudo nano /etc/sysconfig/network</b> HOSTNAME=lin-client.mongotest.com <b>$ sudo reboot</b> <b>$ hostname -f</b> lin-client.mongotest.com </pre>

mongotest.com is the domain name configured in Active Directory.

Next, verify the DNS settings and add additional servers, if needed:

<pre> <b>$ sudo nano /etc/resolv.conf</b> search mongotest.com nameserver AA.BB.CC.DD </pre>

2. Install MongoDB Enterprise
The installation process is outlined in our Documentation. It’s recommended to turn SELinux off for this exercise, or you should configure SELinux to allow MongoDB to access the 27017 port:

<pre> <b>$ sudo nano /etc/selinux/config</b> SELINUX=disabled <b>$ sudo reboot</b> </pre>

Since MongoDB Enterprise grants user privileges through role-based authorization, there should be an LDAP and a Kerberos user created in the database:

<pre> <b>$ sudo service mongod start $ mongo > db.getSiblingDB("$external").createUser( { user : "alex", roles: [ { role: "root" , db : "admin"} ] } ) > db.getSiblingDB("$external").createUser( { user: "alex@MONGOTEST.COM", roles: [ { role: "root", db: "admin" } ] } )</b> </pre>

“alex” is a user listed in AD and who is a member of the “Domain Users” group and has “support” set as its Organizational Unit.

3. Install Quest Authentication Services
Basic installation of QAS is as simple as running a shell script:

<pre> <b>$ tar -zxvf QAS_4_1_0_21267.tar.gz && cd QAS_4_1_0_21267 $ sudo ./install.sh</b> </pre>

You will need a valid license file for QAS in order for the LDAP and Kerberos authentication to work.

Once the QAS package is installed, you will need to connect this machine to AD:

<pre> <b>$ sudo /opt/quest/bin/vastool -u ldap_admin -s join --autogen-posix-attrs -f mongotest.com</b> ldap_admin@MONGOTEST.COM's password: </pre>

Here “ldap_admin” is a user who is a member of the “Domain Admins” group in AD.

I’m using the --autoget-posix-attrs parameter to the “join” command to instruct QAS to automatically generate POSIX user attributes for AD users. Other options would be to specify those manually (unixHomeDirectory, uidNumber, gidNumber, loginShell) in AD or use a vastool command to update the user entry in AD from Unix:

<pre> <b>$ sudo /opt/quest/bin/vastool -u ldap_admin create -ei "alex:x:1001:100::/home/alex:/bin/sh" user alex</b> </pre>

4. Verifying the installation
You can confirm that the Active Directory user is properly recognized by QAS using the following two commands:

<pre> <b>$ sudo /opt/quest/bin/vastool isvas user alex</b> alex is a QAS user. <b>$ sudo /opt/quest/bin/vastool user checklogin alex</b> Password: ALLOWED [user=alex] [service=login] Access Rule = [No Allow or Deny rules exist!] </pre>

As it is evident from their output, user “alex” is a valid QAS user and his login is allowed from this machine.

Setting up MongoDB Enterprise with LDAP authentication using Quest Authentication Services

The QAS “vasd” daemon manages all communications with Active Directory, and MongoDB can use QAS PAM module to authenticate LDAP users.

  1. Configure saslauthd, which is used by MongoDB as an interface between the database and the Linux PAM system.

a. Verify that “MECH=pam” is set in /etc/sysconfig/saslauthd:

<pre> <b>$ grep ^MECH /etc/sysconfig/saslauthd</b> MECH=pam </pre>

On Debian-based systems (such as Ubuntu) the saslauthd configuration file is located at /etc/default/saslauthd.

b. Turn on the saslauthd service and ensure it is started upon reboot:

<pre> <b>$ sudo service saslauthd start</b> Starting saslauthd: [ OK ] <b>$ sudo chkconfig saslauthd on</b> <b>$ sudo chkconfig --list saslauthd</b> saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off </pre>

  1. Configure PAM to recognize the mongodb service by creating an appropriate PAM service file. I will use the sshd service file as a template, since it should have already been preconfigured to work with QAS:

<pre> <b>$ sudo cp -v /etc/pam.d/{sshd,mongodb}</b> `/etc/pam.d/sshd' -> `/etc/pam.d/mongodb' </pre>

  1. Test SASL configuration by verifying that user “alex” can log in from this machine using the “mongodb” servicename:

<pre> <b>$ testsaslauthd -u alex -p <user's password> -s mongodb -f /var/run/saslauthd/mux</b> 0: OK "Success." </pre>

  1. Start MongoDB Enterprise with LDAP authentication enabled, by adjusting the config file:

<pre> <b>$ sudo nano /etc/mongod.conf</b> auth=true setParameter=saslauthdPath=/var/run/saslauthd/mux setParameter=authenticationMechanisms=PLAIN <b>$ sudo service mongod restart</b> </pre>

  1. Try to authenticate as the user “alex” in MongoDB Enterprise:

<pre> <b>$ mongo > db.getSiblingDB("<a style="text-decoration: none; color: #325B8E;">$external</a>").auth( { mechanism: "<a style="text-decoration: none; color: #325B8E;">PLAIN</a>", user: "alex", pwd: "xxx", digestPassword: false } )</b> 1 <b>></b> </pre>

The return value of “1” means success.

Setting up MongoDB Enterprise with Kerberos authentication using Quest Authentication Services

  1. Create a user in Active Directory with SPN for the mongodb service:

<pre> <b>$ sudo /opt/quest/bin/vastool -u ldap_admin service create mongodb/</b> Password for ldap_admin@MONGOTEST.COM: </pre>

The “ldap_admin” is user who is a member of the “Domain Admins” group in AD. This command will create automatically the “lin-client-mongodb” user in AD with the associated SPN “mongodb/lin-client.mongotest.com@MONGOTEST.COM”. The service keytab file will be exported to the “/etc/opt/quest/vas/mongodb.keytab” file.
  1. Configure the MIT Kerberos (the /etc/krb5.conf file) using vastool:

<pre> <b>$ sudo /opt/quest/bin/vastool -k /etc/opt/quest/vas/mongodb.keytab kinit mongodb/ $ sudo mv /etc/krb5.conf /etc/krb5.conf.orig $ sudo /opt/quest/bin/vastool configure mit</b> </pre>

3 Start MongoDB with Kerberos authentication enabled, by adjusting the config file. You also need to make sure that mongod listens on the interface associated with the FQDN. For this exercise, you can just configure mongod to listen on all interfaces:

<pre> <b>$ sudo nano /etc/mongod.conf</b> # Listen to local interface only. Comment out to listen on all interfaces. # bind_ip=127.0.0.1 <p>auth=true setParameter=authenticationMechanisms=GSSAPI <b>$ sudo service mongod stop</b> <b>$ sudo env KRB5_KTNAME=/etc/opt/quest/vas/mongodb.keytab mongod -f /etc/mongod.conf</b> </pre>

3) Try to authenticate as the user “alex@MONGOTEST.COM” in MongoDB Enterprise:

<pre> <b>$ kinit alex@MONGOTEST.COM</b> Password for alex@MONGOTEST.COM: <b>$ mongo --host lin-client.mongotest.com > db.getSiblingDB("<a style="text-decoration: none; color: #325B8E;">$external</a>").auth( { mechanism: "<a style="text-decoration: none; color: #325B8E;">GSSAPI</a>", user: "alex@MONGOTEST.COM", } )</b> 1 <b>></b> </pre>

The return value of “1” indicates success. It is important to provide the --host parameter to the mongo shell so that it generates a correct Kerberos ticket request.

Summary and More Information

MongoDB Enterprise offers different options for authentication, including Kerberos and LDAP external authentication. Organizations deploying Quest Authentication Services can now integrate their MongoDB Enterprise systems into the existing security infrastructure without additional operational overhead.

Further information is available in our MongoDB Enterprise security documentation and MongoDB Enterprise user and role management tutorials.

To download MongoDB Enterprise, click below:

Download MongoDB Enterprise

About Alex Komyagin

Alex is a member of the all-star MongoDB Technical Services team. He is always happy to help customers to meet their goals against all odds. Prior to MongoDB, Alex led a team of engineers for an embedded software project. Also he is a very nice person.

← Previous

Introducing the Database Selection Matrix

For the better part of a generation, the database landscape had changed very little. No one could say “this is not your father’s database.” They had become, in a word, boring. Then a combination of factors catalyzed an era of innovation in database technologies: cheap storage and compute resources; pervasive connectivity; social networks; smartphones; the proliferation of sensors; open source software. Data volumes grew (and are growing) at exponential rates. Over 80% of today’s data no longer fits neatly into the normalized row and column table formats of the past. And so developers began engineering solutions to a new set of problems with a very different set of resources and assumptions. Today these new options include a variety of database architectures built around diverse data models – from key-value to document to wide-column and graph. And of course you still have the option of the venerable relational database. For the enterprise these new technologies hold great promise. They open the door to new applications that could not be imagined before, or to more efficiently solve existing problems. They attract new technical talent. They facilitate the migration of systems to more cost effective infrastructure based on commodity hardware and cloud platforms. But at the same time, evaluation of these new options requires careful consideration. Selecting the appropriate database for a new project requires evaluation against multiple criteria, including: Development considerations: includes the data model, query functionality, available drivers, data consistency. These factors dictate the functionality of your application, and how quickly you can build it. Operational considerations: performance and scalability, high availability, data center awareness, security, management and backups. Over the application’s lifetime, operational costs will contribute a significant percentage to the project’s Total Cost of Ownership (TCO), and so these factors constitute your ability to meet SLAs while minimizing administrative overhead. Commercial considerations: licensing, pricing and support. You need to know that the database you choose is available in a way that is aligned with how you do business. Each these considerations need to be evaluated in context of specific application requirements as well as internal technology standards, skills availability and integration with your existing enterprise architecture. So, where to start? The Database Selection Matrix is designed to serve as a decision framework by teams responsible for database selection. It has been developed in collaboration with several large enterprises who have the choice of running multiple databases in production, and who wanted to institute a systematic methodology for database evaluation. Responses to questions in the matrix helped them identify key requirements and guide selection. And it can do the same for you. Lets illustrate how the Database Selection Matrix can be used by working through a practical example. The Database Selection Matrix in Action! ACME Retail Corporation runs a large vehicle fleet to distribute produce to its nationwide network of stores. The CEO is intent on improving distribution efficiency and so tasks her enterprise architects to build a new platform that can utilize sensor data generated by the company’s trucks. By capturing and analyzing this data, the organization believes it can optimize route planning, improve delivery times, cut wastage and reduce business interruptions caused by breakdowns. ACME Retail Corp is typical of many enterprises that see the opportunity to unlock new efficiencies by leveraging the “ Internet of Things ”. As Morgan Stanley stated in the “Internet of Things is Now” research “We do not believe traditional data storage architectures are well- suited to accommodate the volume, velocity, and variety of IoT data”. For this reason, enterprises are looking beyond traditional RDBMS technology to the swathe of new database options available to them. Bosch SI did exactly this when it took the decision to use MongoDB to power the Bosch IoT Suite . Of course, MongoDB may not be a perfect fit for every IoT project. There are many choices available – as there for every new type of project – and the ACME architecture group needs a way to navigate the complex landscape of modern databases. Using the Database Selection Matrix, they have the framework to ask the key questions that will guide their technology decisions. So lets put it into practice. Development Considerations In this opening phase, the architects need to evaluate how their shortlisted database options meet the functional requirements of the app that is being built. This is impacted directly by multiple factors – and these are the questions they will need to ask. The Data Model: Will the application need to handle data of varying structure and types? How large can each data type be – is our data made up of simple integers, strings and timestamps or can it also be large binary files such as images or videos? Can our data just be represented as a set of opaque values, or does it need to be typed so other applications can make sense of it? Do we know the data structure will remain constant, or will it vary as we introduce new sensor data and as the business updates application requirements? Does the application require its data to be strongly consistent (i.e. read our own writes), or can eventually consistent data be tolerated (and do our developers know how to handle the complexity it introduces?). Do we end up trading performance and availability if we configure the database to only return the freshest data? The Query Model: What sort of queries are we going to run against the database? Is it simple key-value lookups that we know in advance or do we need to execute ad-hoc queries and complex aggregations to support real-time analytics that the business wants to see? Can we run analytics directly against the database, or do we need to replicate data to dedicated search or analytics engines? Will the application be handling geospatial queries and text search? Does the data need to be integrated with our BI & analytics tools, and what about our new Hadoop cluster, or the data warehouse? Which languages will our engineers be using to develop the application, and does the database have drivers available for them? Operational Considerations In this second phase, the ACME Retail architects need to evaluate how each database would run in production. No-one wants to hand-feed a custom technology, so they need to understand if the database can meet the availability, scalability and security needs of the business, and interoperate with the existing management frameworks. Service Availability: What is the application’s availability SLA? What are our RTO and RPO objectives? Will our operations teams manage failure recovery, or is this something that should be fully automated by the database? What capabilities does the database offer to maintain availability during routine maintenance? Are there tools available to manage this or do we need to script something ourselves? Are there specific requirements to replicate data between our data centers to support disaster recovery? Scalability: How do we expect this application to grow? Will the database need to scale beyond the limits of just a few servers? If data is to be distributed across multiple nodes, will it be partitioned in such a way that it is still optimized for the application’s query patterns? Do we need to scale this across data centers? Can we write and read data locally to reduce the effects of geographic latency? Can we scale storage capacity and I/O by compressing the data, and are different compression algorithms available to optimize compression ratio to CPU overhead? Security: What types of data access control do we need? Can we just use authentication controls within the database or do we need to integrate with our existing LDAP infrastructure? What type of authorization controls are available, and how granular can we get? Do these controls needs to extend down to the level of individual attributes within a document? Is encryption needed, and will those pesky compliance officers need to audit every action taken against the database? Administration: How are going to run this thing? Does the database provide tools to automate provisioning and upgrades or do we need to create our own scripts? How about backups? Can we get incremental backups. How about point in time backups? And then monitoring. We need to know, for example, if disk utilization is peaking above 60% so we can take action before we hit a problem. Can we add these alerts into our existing operational workflow tools? Can we integrate the database’s management platform into our own operational tooling so we don’t need to leave our single screen? Commercial Considerations Once the ACME architects have profiled their technology requirements, they will need to understand how the database is licensed and priced, before legal and procurement come knocking at the door: Licensing: what license is used, and is this acceptable to our legal team? Are commercial licenses available? Support: What support options are open to me? Can I get support SLAs from my vendor, even if I use a community version of their product? What is the SLA I can expect if I do hit an issue? What sort of training is available? Is my only option to send my engineers to public classes, or can we get trained on-demand, at our own pace? What’s Next? The ACME example is designed to illustrate some of the key questions engineering teams need to ask. It is true that the database landscape is more complex than ever. But it needn’t be bewildering – the Database Selection Matrix is designed to help you identify and compare what is most critical as you build your next app, so go ahead and download it now. Looking for additional information about database selection? Learn why organizations choose MongoDB to deliver applications and outcomes that were never previously possible. Download the white paper below: The Value of Database Selection About Mat Keep Mat is part of the MongoDB product marketing team, responsible for building the vision, positioning and content for MongoDB’s products and services, including the analysis of market trends and customer requirements. Prior to MongoDB, Mat was director of product management at Oracle Corp. with responsibility for the MySQL database in web, telecoms, cloud and big data workloads. This followed a series of sales, business development and analyst / programmer positions with both technology vendors and end-user companies.

January 27, 2015
Next →

Calling all Innovators! Nominations are Open for the 2020 MongoDB Innovation Awards

Nominations are open for the 2020 MongoDB Innovation Awards

April 2, 2020