
Debugging Active Directory Login with MongoDB


I am trying to log into MongoDB using an Active Directory username. We're using Percona for MongoDB, but I believe this really should be pretty similar to regular MongoDB 5.x authentication.

We've tried variation after variation. Here's the most recent attempt:

net:
  tls:
    mode: requireTLS
    allowConnectionsWithoutCertificates: true
security:
  authorization: enabled
  ldap:
    authz:
      queryTemplate: "dc=domain,dc=local??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
    servers: "my-dc.domain.local"
    transportSecurity: none
    bind:
      queryUser: "CN=percona,OU=Accounts,OU=My Site,DC=domain,DC=local"
      queryPassword: "super-secret"
    userToDNMapping: >-
      [
         {
           match: "(.+)",
           ldapQuery: "dc=domain,dc=local??sub?(&(objectClass=organizationalPerson)(sAMAccountName={0}))"
         }
      ]
setParameter:
  authenticationMechanisms: "PLAIN"

The error I am getting is:

{"t":{"$date":"2022-05-27T21:31:24.896+00:00"},"s":"I", "c":"ACCESS", "id":29052, "ctx":"conn349795","msg":"SASL server message: ({priority}) {msg}","attr":{"priority":2,"msg":"Password verification failed"}}

{"t":{"$date":"2022-05-27T21:31:24.896+00:00"},"s":"I", "c":"ACCESS", "id":20249, "ctx":"conn349795","msg":"Authentication failed","attr":{"mechanism":"PLAIN","speculative":false,"principalName":"brad.test","authenticationDatabase":"$external","remote":"10.40.14.16:42930","extraInfo":{},"error":"OperationFailed: SASL step did not complete: (user not found)"}}

Now from the two errors above you'd assume that the password was mistyped, but I've quadruple-checked that the password in the mongod.conf is correct. I've also quadruple-checked that the username and password of the user I am connecting to MongoDB with are correct.

There's also a mention of user not found, but if I take my username and query Active Directory directly using: (objectClass=organizationalPerson)(sAMAccountName=brad.test) I get my account back.

Likewise, if I query Active Directory using: (objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Brad - Test,OU=Foo,OU=Bar,DC=domain,DC=local) I get a list of groups I am a member of.

I think my LDAP query and my queryTemplate are correct.

I should mention that I have the following defined in the mongo admin database and my account is a member of that group:

var admin = db.getSiblingDB("admin")
admin.createRole(
   {
     role: "CN=MongoDB Users,OU=Groups,OU=My Site,DC=domain,DC=local",
     privileges: [],
     roles: [ "userAdminAnyDatabase" ]
   }
)

If I check the security log on the Active Directory server I see:

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  percona
Source Workstation: MY-DC
Error Code: 0x0

Error Code 0x0 means it successfully logged in.

Now I don't see any login attempts for my user account brad.test. Maybe that's indicative that it's not reaching out to AD to authenticate my user, but I am not sure why. Sadly there is so much documentation for both Mongo and Percona for Mongo that differs depending on whether you use AD or LDAP. Finding a working example has been hard.

I feel like something small has to be wrong but I don't see what it is. Anyone else done this before and have any pointers or suggestions?

Thanks Brad

What might be most helpful is some way of getting additional debug information from mongo about the authentication process, to understand what is going on. I don't see a mongod.conf option for adjusting verbosity. And I've tried using mongosh and I'm not getting any more verbose an error there.

Here's the auth string I am connecting with: mongodb://brad.test:[email protected]:27017/?tls=true&authMechanism=PLAIN&authSource=%24external Regular non-Active Directory authentication works fine.

I don't know much about MongoDB, and its less descriptive log is not helping. But if I have to guess, the "password verification failed" error message came from the account you used to query AD (CN=percona). The subsequent error was a result of the fact that the query account didn't successfully authenticate. So double-check your percona account instead of "brad.test". If CN=percona logged in to AD successfully, MongoDB would then check if "brad.test" is a member of a certain group, which doesn't involve any authentication of brad.test.
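A dry run of the LDAP operations mongod performs for the configuration in the question, added here as an example (it is not code from the question, MongoDB or Percona): it takes the templates from the mongod.conf above and emits the equivalent ldapsearch commands, so that each step (bind as queryUser and look up the user, bind as the user's own DN with the user's password, group lookup with {USER} replaced by that DN) can be run by hand against the domain controller and compared with the AD security log. The bind-as-user step, the `{0}` substitution and the RFC 4515 escaping are my reading of the documented behaviour and are marked as assumptions; `user_dn` is whatever step 1 returns.

```python
import json
import re
import shlex

# Copied from the question's mongod.conf (host and DNs are the asker's placeholders, not real ones).
LDAP_URI = "ldap://my-dc.domain.local"  # transportSecurity: none, so plain ldap://
QUERY_USER = "CN=percona,OU=Accounts,OU=My Site,DC=domain,DC=local"
USER_TO_DN_MAPPING = ('[{match: "(.+)", ldapQuery: "dc=domain,dc=local??sub?'
                      '(&(objectClass=organizationalPerson)(sAMAccountName={0}))"}]')
AUTHZ_QUERY_TEMPLATE = ("dc=domain,dc=local??sub?"
                        "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))")

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter (assumption: mongod escapes the same way)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def parse_ldap_query(template):
    """Split MongoDB's 'base?attrs?scope?filter' template into (base, scope, filter)."""
    base, _attrs, scope, ldap_filter = (template.split("?", 3) + ["", "", ""])[:4]
    return base, scope or "sub", ldap_filter or "(objectClass=*)"

def resolve_user_query(mapping_json, username):
    """Apply the first matching userToDNMapping rule and return its substituted ldapQuery."""
    strict = re.sub(r"([{,])\s*(\w+)\s*:", r'\1"\2":', mapping_json)  # mongod allows bare keys
    for rule in json.loads(strict):
        match = re.match(rule["match"], username)
        if match:
            query = rule["ldapQuery"]
            for i, group in enumerate(match.groups()):
                query = query.replace("{%d}" % i, escape_filter_value(group))
            return query
    raise ValueError("no userToDNMapping rule matched %r" % username)

def ldapsearch_cmd(bind_dn, base, scope, ldap_filter):
    # simple bind as bind_dn (-W prompts for its password), return only the matching DNs
    args = ["ldapsearch", "-H", LDAP_URI, "-x", "-D", bind_dn, "-W",
            "-b", base, "-s", scope, ldap_filter, "dn"]
    return " ".join(shlex.quote(a) for a in args)

def reproduce_steps(username, user_dn):
    """The three LDAP operations mongod performs for PLAIN with security.ldap, as ldapsearch
    commands; user_dn is the DN that step 1 returned (the caller supplies it, assumption)."""
    base, scope, flt = parse_ldap_query(resolve_user_query(USER_TO_DN_MAPPING, username))
    step1 = ldapsearch_cmd(QUERY_USER, base, scope, flt)  # as queryUser: is the user found at all?
    step2 = ldapsearch_cmd(user_dn, user_dn, "base", "(objectClass=*)")  # as the user, with their password
    authz = AUTHZ_QUERY_TEMPLATE.replace("{USER}", escape_filter_value(user_dn))
    base, scope, flt = parse_ldap_query(authz)
    step3 = ldapsearch_cmd(QUERY_USER, base, scope, flt)  # group DNs returned must equal the role names
    return step1, step2, step3
```

If step 1 returns no entry, mongod has no DN to bind as and never reaches step 2, which would also match the absence of brad.test logon attempts in the AD security log.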