mongosh cannot authenticate LDAP user
Description
Activity
Igor Solodovnikov September 15, 2020 at 10:03 AM
Hello @Carson Chiu
Thank you for your analysis once again.
We have a fix for this issue here: https://github.com/percona/percona-server-mongodb/pull/608
It will be included in the next release
Carson Chiu September 10, 2020 at 9:59 AM
It doesn't seem to be a NodeJS driver bug.
I've taken a look at the MongoDB C and Python drivers ( https://github.com/mongodb/mongo-c-driver/blob/ff3894d1d75a8f13f1f35d1e8bc27f3bdee0d235/src/libmongoc/src/mongoc/mongoc-cluster.c#L1175 and https://github.com/mongodb/mongo-python-driver/blob/dc94ca628e10011f81310df351b604a0beb559a7/pymongo/auth.py#L508 ) and they put the payload in the same format as the NodeJS driver does. It seems that all MongoDB drivers, excluding the classic Mongo Shell, use the same format.
Akira Kurogane September 10, 2020 at 9:29 AM
I don't use NodeJS myself, so I'm not an expert here.
Akira Kurogane September 10, 2020 at 9:28 AM
Hi Yat.
My appreciation for your brainstorming on the solution, going merely from the observation I noted about the missing "**" for the username in the logs.
This sounds as if it should be a MongoDB NodeJS driver bug. I can't find any likely tickets for it at jira.mongodb.org though. Maybe no Enterprise MongoDB server users have ever had both LDAP/ActiveDirectory and NodeJS workplaces at the same time?
I don't think it would be a bug of new mongosh. LDAP connections are (confusingly) the "PLAIN" authMechanism type and so that code (https://github.com/mongodb/node-mongodb-native/blob/3.6/lib/core/auth/plain.js) would be the right place. I did a search for ldap in the "MONGOSH" jira.mongodb.org project and didn't find it there either.
I wish I could say "This patch you've added to .../core/auth/plain.js just needs to be reported to the NodeJS driver project at jira.mongodb.org", but I find documentation that shows LDAP being used. I note that it is unchanged documentation since many versions ago, so maybe it got broken a long time ago.
https://mongodb.github.io/node-mongodb-native/3.6/tutorials/connect/authenticating/
LDAP (PLAIN) Auth with NodeJS v3.6
LDAP (PLAIN)
MongoDB Enterprise supports proxy authentication through a Lightweight Directory Access Protocol (LDAP) service.
To connect using the LDAP authentication mechanism, specify authMechanism=PLAIN as the mechanism in the URI connection string.
const MongoClient = require('mongodb').MongoClient;
const assert = require('assert');

// LDAP Server
const server = "ldap.example.com";
const user = "ldap-user";
const pass = "ldap-password";

// Url
const url = `mongodb://${user}:${pass}@${server}?authMechanism=PLAIN&maxPoolSize=1`;

// Client
const client = new MongoClient(url);

// Let's write the actual connection code
client.connect(function(err) {
  assert.equal(null, err);
  client.close();
});
NOTE
The method refers to the PLAIN authentication mechanism instead of LDAP because technically the driver authenticates via the PLAIN SASL mechanism.
Carson Chiu September 9, 2020 at 6:47 AM
I am not sure if MongoDB drivers in other languages construct the payload in the same way as NodeJS because I am not familiar with other languages. If you confirm that is the root cause of the bug, hope to see a fix very soon as I would like to use it in one of my projects. Thank you so much for such a great product.
This issue was mentioned by reporter of PSMDB-670.
Mongo's new shell project, named 'mongosh', cannot authenticate an LDAP user, while the classic 'mongo' shell works fine.
With mongosh version 0.1.0, an attempt to authenticate an LDAP user looks like this:
$ mongosh -u "alice@engineering.example.com" -p --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
Current sessionID: c84229cad62eaf673b3bf976
Enter password: *****
Connecting to: mongodb://127.0.0.1:27017
MongoServerSelectionError: Failed to map user '' to LDAP DN
Classic mongo shell with the same parameters succeeds.
With a non-LDAP user, mongosh authenticates successfully:
$ mongosh -u "myUserAdmin" --authenticationDatabase "admin" -p
Current sessionID: c8439a2ff050bfe54dfc87ce
Enter password: *****
Connecting to: mongodb://127.0.0.1:27017
Warning: no saslprep library specified. Passwords will not be sanitized
Warning: no saslprep library specified. Passwords will not be sanitized
Using MongoDB: 4.2.8
Using Mongosh Beta: 0.1.0
For more information about mongosh, please see our docs: https://docs.mongodb.com/mongodb-shell/
> exit
For this test this server configuration was used:
security:
  authorization: enabled
  ldap:
    servers: "192.168.0.11:389"
    transportSecurity: none
    userToDNMapping: >-
      [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?(&(objectClass=organizationalPerson)(userPrincipalName={0}))" } ]
    bind:
      queryUser: "CN=alice,CN=Users,DC=engineering,DC=example,DC=com"
      queryPassword: "***"
      saslMechanisms: GSSAPI
    authz:
      queryTemplate: "{USER}?memberOf?base"
setParameter:
  authenticationMechanisms: PLAIN,SCRAM-SHA-256,SCRAM-SHA-1
Disabling user-to-DN mapping and using a plain DN as the user name does not solve this issue.