MongoDB LDAP and Kerberos Authentication with Dell (Quest) Authentication Services

Alex Komyagin
January 27, 2015 | Updated: June 3, 2015
#Technical

By Alex Komyagin @MongoDB with the help of Kyle Robinson @Dell January 2015, NYC

Overview

Dell (formerly Quest) identity and access management software helps to solve security and administration issues inherent in Unix-based systems. The Privileged Access Suite product consolidates and unifies Unix, Linux, and Mac OS X identities, giving users centralized authentication and single sign-on with Microsoft Active Directory.

Since version 2.6, MongoDB Enterprise supports authentication with Microsoft Active Directory Services using LDAP and Kerberos protocols. On Linux systems that are using Dell Privileged Access Suite it is now possible to integrate MongoDB into the existing infrastructure through the 3-step integration process described in this post.

Requirements

Existing Active Directory domain
Linux server
MongoDB Enterprise 2.6 or greater
Quest Authentication Services (QAS) version 4.1.0 or greater (part of the Privileged Access Suite distribution)

All further MongoDB commands in this paper are given for the latest stable release, MongoDB 2.6. The Linux OS used is RHEL6.5. The Quest Authentication Services version is 4.1.0.21267.

Setup procedure

Preparing a new MongoDB Linux server
I assume you already have QAS installed and configured on your production systems. For the purposes of this tutorial, I will cover the most basic steps needed to set everything up on a standalone Linux system:

1. Configure hostname and DNS resolution
For QAS and MongoDB Enterprise to function properly you must set a hostname on the system and make sure it’s configured to use the proper Active Directory-aware DNS server instance IP address. You can update the hostname using commands that resemble the following:

<pre> $ sudo nano /etc/sysconfig/network HOSTNAME=lin-client.mongotest.com $ sudo reboot $ hostname -f lin-client.mongotest.com </pre>

mongotest.com is the domain name configured in Active Directory.

Next, verify the DNS settings and add additional servers, if needed:

<pre> $ sudo nano /etc/resolv.conf search mongotest.com nameserver AA.BB.CC.DD </pre>

2. Install MongoDB Enterprise
The installation process is outlined in our Documentation. It’s recommended to turn SELinux off for this exercise, or you should configure SELinux to allow MongoDB to access the 27017 port:

<pre> $ sudo nano /etc/selinux/config SELINUX=disabled $ sudo reboot </pre>

Since MongoDB Enterprise grants user privileges through role-based authorization, there should be an LDAP and a Kerberos user created in the database:

<pre> $ sudo service mongod start $ mongo > db.getSiblingDB("$external").createUser( { user : "alex", roles: [ { role: "root" , db : "admin"} ] } ) > db.getSiblingDB("$external").createUser( { user: "alex@MONGOTEST.COM", roles: [ { role: "root", db: "admin" } ] } ) </pre>

“alex” is a user listed in AD and who is a member of the “Domain Users” group and has “support” set as its Organizational Unit.

3. Install Quest Authentication Services
Basic installation of QAS is as simple as running a shell script:

<pre> $ tar -zxvf QAS_4_1_0_21267.tar.gz && cd QAS_4_1_0_21267 $ sudo ./install.sh </pre>

You will need a valid license file for QAS in order for the LDAP and Kerberos authentication to work.

Once the QAS package is installed, you will need to connect this machine to AD:

<pre> $ sudo /opt/quest/bin/vastool -u ldap_admin -s join --autogen-posix-attrs -f mongotest.com ldap_admin@MONGOTEST.COM's password: </pre>

Here “ldap_admin” is a user who is a member of the “Domain Admins” group in AD.

I’m using the --autoget-posix-attrs parameter to the “join” command to instruct QAS to automatically generate POSIX user attributes for AD users. Other options would be to specify those manually (unixHomeDirectory, uidNumber, gidNumber, loginShell) in AD or use a vastool command to update the user entry in AD from Unix:

<pre> $ sudo /opt/quest/bin/vastool -u ldap_admin create -ei "alex:x:1001:100::/home/alex:/bin/sh" user alex </pre>

4. Verifying the installation
You can confirm that the Active Directory user is properly recognized by QAS using the following two commands:

<pre> $ sudo /opt/quest/bin/vastool isvas user alex alex is a QAS user. $ sudo /opt/quest/bin/vastool user checklogin alex Password: ALLOWED [user=alex] [service=login] Access Rule = [No Allow or Deny rules exist!] </pre>

As it is evident from their output, user “alex” is a valid QAS user and his login is allowed from this machine.

Setting up MongoDB Enterprise with LDAP authentication using Quest Authentication Services

The QAS “vasd” daemon manages all communications with Active Directory, and MongoDB can use QAS PAM module to authenticate LDAP users.

Configure saslauthd, which is used by MongoDB as an interface between the database and the Linux PAM system.

a. Verify that “MECH=pam” is set in /etc/sysconfig/saslauthd:

<pre> $ grep ^MECH /etc/sysconfig/saslauthd MECH=pam </pre>

On Debian-based systems (such as Ubuntu) the saslauthd configuration file is located at /etc/default/saslauthd.

b. Turn on the saslauthd service and ensure it is started upon reboot:

<pre> $ sudo service saslauthd start Starting saslauthd: [ OK ] $ sudo chkconfig saslauthd on $ sudo chkconfig --list saslauthd saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off </pre>

Configure PAM to recognize the mongodb service by creating an appropriate PAM service file. I will use the sshd service file as a template, since it should have already been preconfigured to work with QAS:

<pre> $ sudo cp -v /etc/pam.d/{sshd,mongodb} `/etc/pam.d/sshd' -> `/etc/pam.d/mongodb' </pre>

Test SASL configuration by verifying that user “alex” can log in from this machine using the “mongodb” servicename:

<pre> $ testsaslauthd -u alex -p <user's password> -s mongodb -f /var/run/saslauthd/mux 0: OK "Success." </pre>

Start MongoDB Enterprise with LDAP authentication enabled, by adjusting the config file:

<pre> $ sudo nano /etc/mongod.conf auth=true setParameter=saslauthdPath=/var/run/saslauthd/mux setParameter=authenticationMechanisms=PLAIN $ sudo service mongod restart </pre>

Try to authenticate as the user “alex” in MongoDB Enterprise:

<pre> $ mongo > db.getSiblingDB("<a style="text-decoration: none; color: #325B8E;">$external</a>").auth( { mechanism: "<a style="text-decoration: none; color: #325B8E;">PLAIN</a>", user: "alex", pwd: "xxx", digestPassword: false } ) 1 > </pre>

The return value of “1” means success.

Setting up MongoDB Enterprise with Kerberos authentication using Quest Authentication Services

Create a user in Active Directory with SPN for the mongodb service:

<pre> $ sudo /opt/quest/bin/vastool -u ldap_admin service create mongodb/ Password for ldap_admin@MONGOTEST.COM: </pre>

The “ldap_admin” is user who is a member of the “Domain Admins” group in AD. This command will create automatically the “lin-client-mongodb” user in AD with the associated SPN “mongodb/lin-client.mongotest.com@MONGOTEST.COM”. The service keytab file will be exported to the “/etc/opt/quest/vas/mongodb.keytab” file.

Configure the MIT Kerberos (the /etc/krb5.conf file) using vastool:

<pre> $ sudo /opt/quest/bin/vastool -k /etc/opt/quest/vas/mongodb.keytab kinit mongodb/ $ sudo mv /etc/krb5.conf /etc/krb5.conf.orig $ sudo /opt/quest/bin/vastool configure mit </pre>

3 Start MongoDB with Kerberos authentication enabled, by adjusting the config file. You also need to make sure that mongod listens on the interface associated with the FQDN. For this exercise, you can just configure mongod to listen on all interfaces:

<pre> $ sudo nano /etc/mongod.conf # Listen to local interface only. Comment out to listen on all interfaces. # bind_ip=127.0.0.1 auth=true setParameter=authenticationMechanisms=GSSAPI $ sudo service mongod stop $ sudo env KRB5_KTNAME=/etc/opt/quest/vas/mongodb.keytab mongod -f /etc/mongod.conf </pre>

3) Try to authenticate as the user “alex@MONGOTEST.COM” in MongoDB Enterprise:

<pre> $ kinit alex@MONGOTEST.COM Password for alex@MONGOTEST.COM: $ mongo --host lin-client.mongotest.com > db.getSiblingDB("<a style="text-decoration: none; color: #325B8E;">$external</a>").auth( { mechanism: "<a style="text-decoration: none; color: #325B8E;">GSSAPI</a>", user: "alex@MONGOTEST.COM", } ) 1 > </pre>

The return value of “1” indicates success. It is important to provide the --host parameter to the mongo shell so that it generates a correct Kerberos ticket request.

Summary and More Information

MongoDB Enterprise offers different options for authentication, including Kerberos and LDAP external authentication. Organizations deploying Quest Authentication Services can now integrate their MongoDB Enterprise systems into the existing security infrastructure without additional operational overhead.

Further information is available in our MongoDB Enterprise security documentation and MongoDB Enterprise user and role management tutorials.

To download MongoDB Enterprise, click below:

Download MongoDB Enterprise

About Alex Komyagin

Alex is a member of the all-star MongoDB Technical Services team. He is always happy to help customers to meet their goals against all odds. Prior to MongoDB, Alex led a team of engineers for an embedded software project. Also he is a very nice person.

← Previous

Introducing the Database Selection Matrix

For the better part of a generation, the database landscape had changed very little. No one could say “this is not your father’s database.” They had become, in a word, boring. Then a combination of factors catalyzed an era of innovation in database technologies: cheap storage and compute resources; pervasive connectivity; social networks; smartphones; the proliferation of sensors; open source software. Data volumes grew (and are growing) at exponential rates. Over 80% of today’s data no longer fits neatly into the normalized row and column table formats of the past. And so developers began engineering solutions to a new set of problems with a very different set of resources and assumptions. Today these new options include a variety of database architectures built around diverse data models – from key-value to document to wide-column and graph. And of course you still have the option of the venerable relational database. For the enterprise these new technologies hold great promise. They open the door to new applications that could not be imagined before, or to more efficiently solve existing problems. They attract new technical talent. They facilitate the migration of systems to more cost effective infrastructure based on commodity hardware and cloud platforms. But at the same time, evaluation of these new options requires careful consideration. Selecting the appropriate database for a new project requires evaluation against multiple criteria, including: Development considerations: includes the data model, query functionality, available drivers, data consistency. These factors dictate the functionality of your application, and how quickly you can build it. Operational considerations: performance and scalability, high availability, data center awareness, security, management and backups. Over the application’s lifetime, operational costs will contribute a significant percentage to the project’s Total Cost of Ownership (TCO), and so these factors constitute your ability to meet SLAs while minimizing administrative overhead. Commercial considerations: licensing, pricing and support. You need to know that the database you choose is available in a way that is aligned with how you do business. Each these considerations need to be evaluated in context of specific application requirements as well as internal technology standards, skills availability and integration with your existing enterprise architecture. So, where to start? The Database Selection Matrix is designed to serve as a decision framework by teams responsible for database selection. It has been developed in collaboration with several large enterprises who have the choice of running multiple databases in production, and who wanted to institute a systematic methodology for database evaluation. Responses to questions in the matrix helped them identify key requirements and guide selection. And it can do the same for you. Lets illustrate how the Database Selection Matrix can be used by working through a practical example. The Database Selection Matrix in Action! ACME Retail Corporation runs a large vehicle fleet to distribute produce to its nationwide network of stores. The CEO is intent on improving distribution efficiency and so tasks her enterprise architects to build a new platform that can utilize sensor data generated by the company’s trucks. By capturing and analyzing this data, the organization believes it can optimize route planning, improve delivery times, cut wastage and reduce business interruptions caused by breakdowns. ACME Retail Corp is typical of many enterprises that see the opportunity to unlock new efficiencies by leveraging the “ Internet of Things ”. As Morgan Stanley stated in the “Internet of Things is Now” research “We do not believe traditional data storage architectures are well- suited to accommodate the volume, velocity, and variety of IoT data”. For this reason, enterprises are looking beyond traditional RDBMS technology to the swathe of new database options available to them. Bosch SI did exactly this when it took the decision to use MongoDB to power the Bosch IoT Suite . Of course, MongoDB may not be a perfect fit for every IoT project. There are many choices available – as there for every new type of project – and the ACME architecture group needs a way to navigate the complex landscape of modern databases. Using the Database Selection Matrix, they have the framework to ask the key questions that will guide their technology decisions. So lets put it into practice. Development Considerations In this opening phase, the architects need to evaluate how their shortlisted database options meet the functional requirements of the app that is being built. This is impacted directly by multiple factors – and these are the questions they will need to ask. The Data Model: Will the application need to handle data of varying structure and types? How large can each data type be – is our data made up of simple integers, strings and timestamps or can it also be large binary files such as images or videos? Can our data just be represented as a set of opaque values, or does it need to be typed so other applications can make sense of it? Do we know the data structure will remain constant, or will it vary as we introduce new sensor data and as the business updates application requirements? Does the application require its data to be strongly consistent (i.e. read our own writes), or can eventually consistent data be tolerated (and do our developers know how to handle the complexity it introduces?). Do we end up trading performance and availability if we configure the database to only return the freshest data? The Query Model: What sort of queries are we going to run against the database? Is it simple key-value lookups that we know in advance or do we need to execute ad-hoc queries and complex aggregations to support real-time analytics that the business wants to see? Can we run analytics directly against the database, or do we need to replicate data to dedicated search or analytics engines? Will the application be handling geospatial queries and text search? Does the data need to be integrated with our BI & analytics tools, and what about our new Hadoop cluster, or the data warehouse? Which languages will our engineers be using to develop the application, and does the database have drivers available for them? Operational Considerations In this second phase, the ACME Retail architects need to evaluate how each database would run in production. No-one wants to hand-feed a custom technology, so they need to understand if the database can meet the availability, scalability and security needs of the business, and interoperate with the existing management frameworks. Service Availability: What is the application’s availability SLA? What are our RTO and RPO objectives? Will our operations teams manage failure recovery, or is this something that should be fully automated by the database? What capabilities does the database offer to maintain availability during routine maintenance? Are there tools available to manage this or do we need to script something ourselves? Are there specific requirements to replicate data between our data centers to support disaster recovery? Scalability: How do we expect this application to grow? Will the database need to scale beyond the limits of just a few servers? If data is to be distributed across multiple nodes, will it be partitioned in such a way that it is still optimized for the application’s query patterns? Do we need to scale this across data centers? Can we write and read data locally to reduce the effects of geographic latency? Can we scale storage capacity and I/O by compressing the data, and are different compression algorithms available to optimize compression ratio to CPU overhead? Security: What types of data access control do we need? Can we just use authentication controls within the database or do we need to integrate with our existing LDAP infrastructure? What type of authorization controls are available, and how granular can we get? Do these controls needs to extend down to the level of individual attributes within a document? Is encryption needed, and will those pesky compliance officers need to audit every action taken against the database? Administration: How are going to run this thing? Does the database provide tools to automate provisioning and upgrades or do we need to create our own scripts? How about backups? Can we get incremental backups. How about point in time backups? And then monitoring. We need to know, for example, if disk utilization is peaking above 60% so we can take action before we hit a problem. Can we add these alerts into our existing operational workflow tools? Can we integrate the database’s management platform into our own operational tooling so we don’t need to leave our single screen? Commercial Considerations Once the ACME architects have profiled their technology requirements, they will need to understand how the database is licensed and priced, before legal and procurement come knocking at the door: Licensing: what license is used, and is this acceptable to our legal team? Are commercial licenses available? Support: What support options are open to me? Can I get support SLAs from my vendor, even if I use a community version of their product? What is the SLA I can expect if I do hit an issue? What sort of training is available? Is my only option to send my engineers to public classes, or can we get trained on-demand, at our own pace? What’s Next? The ACME example is designed to illustrate some of the key questions engineering teams need to ask. It is true that the database landscape is more complex than ever. But it needn’t be bewildering – the Database Selection Matrix is designed to help you identify and compare what is most critical as you build your next app, so go ahead and download it now. Looking for additional information about database selection? Learn why organizations choose MongoDB to deliver applications and outcomes that were never previously possible. Download the white paper below: The Value of Database Selection About Mat Keep Mat is part of the MongoDB product marketing team, responsible for building the vision, positioning and content for MongoDB’s products and services, including the analysis of market trends and customer requirements. Prior to MongoDB, Mat was director of product management at Oracle Corp. with responsibility for the MySQL database in web, telecoms, cloud and big data workloads. This followed a series of sales, business development and analyst / programmer positions with both technology vendors and end-user companies.

January 27, 2015

Next →

Australian Start-Up Ynomia Is Building an IoT Platform to Transform the Construction Industry and its Hostile Environments

The trillion dollar construction industry has not yet experienced the same revolution in technology you might have expected. Low levels of R&D and difficult working environments have led to a lack of innovation and fundamental improvements have been slow. But one Australian start-up is changing that by building an Internet of Things (IoT) platform to harness construction and jobsite data in real time. “Productivity in construction is down there with hunting and fishing as one of the least productive industries per capita in the entire world. It's a space that's ripe for people to come in and really help,” explains Rob Postill , CTO at Ynomia. Ynomia has already been closely involved with many prestigious construction projects, including the residential N06 development in London’s famous 2012 Olympic Village. It was also integral to the construction of the Victoria University Tower in Australia. Link to Podcast Episode Here “These projects involve massive outflow of money: think about glass facades on modern buildings, which can represent 20-30 percent of the overall project cost. They are largely produced in China and can take 12 weeks to get here,” says Postill. “Meanwhile, the plasterer, the plumber, the electrician are all waiting for those glass facades to be put on so it is safe for them to work. If you get it wrong, you can go in the deep red very quickly.” To tackle these longstanding challenges, Ynomia aims to address the lack of connectivity, transparency and data management on construction sites, which has traditionally resulted in the inefficient use of critical personnel, equipment and materials; compressed timelines; and unpredictable cash flows. To optimize productivity, Ynomia offers a simple end-to-end technology solution that creates a Connected Jobsite. Helping teams manage materials, tools, and people across the worksite in real time. IOT in a Hostile Environment The deployment of technology in construction is often fraught with risk. As a result, construction sites are still largely run on paper, such as blueprints, diagrams and models as well as the more traditional invoices and filing. At the same time, there is a constant need to track progress and monitor massive volumes of information across the entire supply chain. Engineers, builders, electricians, plumbers, and all the other associated professionals need to know what they need to do, where they need to be, and when they need to start. “The environment is hostile to technology like GPS, computers, and mobile phone reception because you have a lot of Faraday cages and lots of water and dust,” explains Postill. “You can't have somebody wandering around a construction site with a laptop; it'll get trashed pretty quickly." Enter MongoDB Atlas “On a site, you might be talking about materials, then if you add to that plant & equipment, or bins, or tools etc, you're rapidly getting into thousands and thousands of tags, talking all the time, every day,” said Postill. That means thousands of tags now send millions of readings on Ynomia building sites around the world. All these IoT data packets must be stored efficiently and accurately so Ynomia can reassemble the history of what has happened and track tagged inventory, personnel, and vehicles around the site. Many of the tag events are also safety critical so accuracy is a vital component and packets can't be missed. To address these needs Ynomia was looking for a database that was scalable, flexible, resilient and could easily handle a wide variety of fast-changing sensor data captured from multiple devices. The final component Postill was looking for in a database layer was freedom: a database that didn't lock them into a single cloud platform as they were still in the early stages of assessing cloud partners. The Commonwealth Scientific and Industrial Research Organisation , which Postill had worked with in the past, suggested MongoDB , a general purpose, document-based database built for modern applications. “The most important factor was that the database is event-driven, which I knew would be difficult in the traditional relational model. We deal with millions of tag readings a day, which is a massive wall of data,” said Postill. A Cloud Database Ynomia is using MongoDB Atlas , the global cloud database service, now hosted on Microsoft Azure. Atlas offers best-in-class automation and proven practices that combine availability, scalability, and compliance with the most demanding data security and privacy standards. “When we started we didn't know enough about the problem and we didn't want to be constrained," explained Postill. "MongoDB Atlas gives us a cloud environment that moves with us. It allows us to understand what is happening and make changes to the architecture as we go." Postill says this combination of flexibility and management tooling also allows his developers to focus on business value not undifferentiated code. One example Postill gave was cluster administration: "Cluster administration for a start-up like us is wasted work," he said. "We’re not solving the customer's problem. We're not moving anything on. We’re focusing on the wrong thing. For us to be able to just make that problem go away is huge. Why wouldn’t you?" Atlas also gives Ynomia the option to spin out new clusters seamlessly anywhere in the world. This allows customers to keep data local to their construction site, improving latency and helping solve for regional data regulations. Real Time Analytics The company has also deployed MongoDB Charts, which takes this live data and automatically provides a real time view. Charts is the fastest and easiest way to visualize event data directly from MongoDB in order to act instantly and decisively based on the real-time insights generated by event-driven architecture. It allows Ynomia to share dashboards so all the right people can see what they need to and can collaborate accordingly. “Charts enables us to quickly visualize information without having to build more expensive tools, both internally and externally, to examine our data,” comments Postill. “As a startup, we go through this journey of: what are we doing and how are we doing it? There's a lot of stuff we are finding out along the way on how we slice and re-slice our data using Charts.” A Platform for Future Growth Ynomia is targeting a huge market and is set for ambitious growth in the coming years. How the platform, and its underlying architecture, can continue to scale and evolve will be crucial to enabling that business growth. “We do anything we can to keep things simple,” concluded Postill. “We pick technology partners that save us from spending time we shouldn't spend so we can solve real problems. We pick technologies that roll with the punches and that's MongoDB.” When we started we didn't know enough about the problem and we didn't want to be constrained," explained Postill. "MongoDB Atlas gives us a cloud environment that moves with us. It allows us to understand what is happening and make changes to the architecture as we go. Rob Postill, CTO, Ynomia

February 23, 2021