MongoDB LDAP and Kerberos Authentication with Dell (Quest) Authentication Services
By Alex Komyagin @MongoDB with the help of Kyle Robinson @Dell January 2015, NYC
Overview
Dell (formerly Quest) identity and access management software helps to solve security and administration issues inherent in Unix-based systems. The Privileged Access Suite product consolidates and unifies Unix, Linux, and Mac OS X identities, giving users centralized authentication and single sign-on with Microsoft Active Directory.Since version 2.6, MongoDB Enterprise supports authentication with Microsoft Active Directory Services using LDAP and Kerberos protocols. On Linux systems that are using Dell Privileged Access Suite it is now possible to integrate MongoDB into the existing infrastructure through the 3-step integration process described in this post.
Requirements
- Existing Active Directory domain
- Linux server
- MongoDB Enterprise 2.6 or greater
- Quest Authentication Services (QAS) version 4.1.0 or greater (part of the Privileged Access Suite distribution)
Setup procedure
Preparing a new MongoDB Linux serverI assume you already have QAS installed and configured on your production systems. For the purposes of this tutorial, I will cover the most basic steps needed to set everything up on a standalone Linux system:
1. Configure hostname and DNS resolution
For QAS and MongoDB Enterprise to function properly you must set a hostname on the system and make sure it’s configured to use the proper Active Directory-aware DNS server instance IP address. You can update the hostname using commands that resemble the following:

<pre>
<b>$ sudo nano /etc/sysconfig/network</b>
HOSTNAME=lin-client.mongotest.com
<b>$ sudo reboot</b>
<b>$ hostname -f</b>
lin-client.mongotest.com
</pre>

mongotest.com is the domain name configured in Active Directory.
Next, verify the DNS settings and add additional servers, if needed:

<pre>
<b>$ sudo nano /etc/resolv.conf</b>
search mongotest.com
nameserver AA.BB.CC.DD
</pre>

2. Install MongoDB Enterprise
The installation process is outlined in our Documentation. It’s recommended to turn SELinux off for this exercise, or you should configure SELinux to allow MongoDB to access the 27017 port:

<pre>
<b>$ sudo nano /etc/selinux/config</b>
SELINUX=disabled
<b>$ sudo reboot</b>
</pre>

Since MongoDB Enterprise grants user privileges through role-based authorization, there should be an LDAP and a Kerberos user created in the database:

<pre>
<b>$ sudo service mongod start
$ mongo
> db.getSiblingDB("$external").createUser(
 {
 user : "alex",
 roles: [ { role: "root" , db : "admin"} ]
 }
)
> db.getSiblingDB("$external").createUser(
 {
 user: "alex@MONGOTEST.COM",
 roles: [ { role: "root", db: "admin" } ]
 }
)</b>
</pre>

3. Install Quest Authentication Services
Basic installation of QAS is as simple as running a shell script:

<pre>
<b>$ tar -zxvf QAS_4_1_0_21267.tar.gz && cd QAS_4_1_0_21267
$ sudo ./install.sh</b>
</pre>

Once the QAS package is installed, you will need to connect this machine to AD:

<pre>
<b>$ sudo /opt/quest/bin/vastool -u ldap_admin -s join 
--autogen-posix-attrs -f mongotest.com</b>
ldap_admin@MONGOTEST.COM's password:
</pre>

I’m using the --autoget-posix-attrs parameter to the “join” command to instruct QAS to automatically generate POSIX user attributes for AD users. Other options would be to specify those manually (unixHomeDirectory, uidNumber, gidNumber, loginShell) in AD or use a vastool command to update the user entry in AD from Unix:

<pre>
<b>$ sudo /opt/quest/bin/vastool -u ldap_admin create -ei 
"alex:x:1001:100::/home/alex:/bin/sh" user alex</b>
</pre>

4. Verifying the installation
You can confirm that the Active Directory user is properly recognized by QAS using the following two commands:

<pre>
<b>$ sudo /opt/quest/bin/vastool isvas user alex</b>
alex is a QAS user.
<b>$ sudo /opt/quest/bin/vastool user checklogin alex</b>
Password:
ALLOWED [user=alex] [service=login]
Access Rule = [No Allow or Deny rules exist!]
</pre>

Setting up MongoDB Enterprise with LDAP authentication using Quest Authentication Services
The QAS “vasd” daemon manages all communications with Active Directory, and MongoDB can use QAS PAM module to authenticate LDAP users.
- Configure saslauthd, which is used by MongoDB as an interface between the database and the Linux PAM system.
a. Verify that “MECH=pam” is set in /etc/sysconfig/saslauthd:

<pre>
<b>$ grep ^MECH /etc/sysconfig/saslauthd</b>
MECH=pam
</pre>

b. Turn on the saslauthd service and ensure it is started upon reboot:

<pre>
<b>$ sudo service saslauthd start</b>
Starting saslauthd: [ OK ]
<b>$ sudo chkconfig saslauthd on</b>
<b>$ sudo chkconfig --list saslauthd</b>
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
</pre>

- Configure PAM to recognize the mongodb service by creating an appropriate PAM service file. I will use the sshd service file as a template, since it should have already been preconfigured to work with QAS:

<pre>
<b>$ sudo cp -v /etc/pam.d/{sshd,mongodb}</b>
`/etc/pam.d/sshd' -> `/etc/pam.d/mongodb'
</pre>

- Test SASL configuration by verifying that user “alex” can log in from this machine using the “mongodb” servicename:

<pre>
<b>$ testsaslauthd -u alex -p <user's password> -s mongodb -f 
/var/run/saslauthd/mux</b>
0: OK "Success."
</pre>

- Start MongoDB Enterprise with LDAP authentication enabled, by adjusting the config file:

<pre>
<b>$ sudo nano /etc/mongod.conf</b>
auth=true
setParameter=saslauthdPath=/var/run/saslauthd/mux
setParameter=authenticationMechanisms=PLAIN
<b>$ sudo service mongod restart</b>
</pre>

- Try to authenticate as the user “alex” in MongoDB Enterprise:

<pre>
<b>$ mongo
> db.getSiblingDB("<a style="text-decoration: none; color: #325B8E;">$external</a>").auth(
 {
 mechanism: "<a style="text-decoration: none; color: #325B8E;">PLAIN</a>",
 user: "alex",
 pwd: "xxx",
 digestPassword: false
 }
)</b>
1
<b>></b>
</pre>

The return value of “1” means success.
Setting up MongoDB Enterprise with Kerberos authentication using Quest Authentication Services
- Create a user in Active Directory with SPN for the mongodb service:

<pre>
<b>$ sudo /opt/quest/bin/vastool -u ldap_admin service create mongodb/</b>
Password for ldap_admin@MONGOTEST.COM:
</pre>

- Configure the MIT Kerberos (the /etc/krb5.conf file) using vastool:

<pre>
<b>$ sudo /opt/quest/bin/vastool -k /etc/opt/quest/vas/mongodb.keytab kinit 
mongodb/
$ sudo mv /etc/krb5.conf /etc/krb5.conf.orig
$ sudo /opt/quest/bin/vastool configure mit</b>
</pre>

3 Start MongoDB with Kerberos authentication enabled, by adjusting the config file. You also need to make sure that mongod listens on the interface associated with the FQDN. For this exercise, you can just configure mongod to listen on all interfaces:

<pre>
<b>$ sudo nano /etc/mongod.conf</b>
# Listen to local interface only. Comment out to listen on all 
interfaces.
# bind_ip=127.0.0.1
<p>auth=true
setParameter=authenticationMechanisms=GSSAPI
<b>$ sudo service mongod stop</b>
<b>$ sudo env KRB5_KTNAME=/etc/opt/quest/vas/mongodb.keytab mongod -f
/etc/mongod.conf</b>
</pre>


<pre>
<b>$ kinit alex@MONGOTEST.COM</b>
Password for alex@MONGOTEST.COM:
<b>$ mongo --host lin-client.mongotest.com
> db.getSiblingDB("<a style="text-decoration: none; color: #325B8E;">$external</a>").auth(
 {
 mechanism: "<a style="text-decoration: none; color: #325B8E;">GSSAPI</a>",
 user: "alex@MONGOTEST.COM",
 }
)</b>
1
<b>></b>
 </pre>

Summary and More Information
MongoDB Enterprise offers different options for authentication, including Kerberos and LDAP external authentication. Organizations deploying Quest Authentication Services can now integrate their MongoDB Enterprise systems into the existing security infrastructure without additional operational overhead.Further information is available in our MongoDB Enterprise security documentation and MongoDB Enterprise user and role management tutorials.
To download MongoDB Enterprise, click below:
About Alex Komyagin
Alex is a member of the all-star MongoDB Technical Services team. He is always happy to help customers to meet their goals against all odds. Prior to MongoDB, Alex led a team of engineers for an embedded software project. Also he is a very nice person.