MongoDB LDAP and Kerberos Authentication with Cent
By Alex Komyagin at MongoDB with the help of Felderi Santiago at Centrify and Robertson Pimentel at Centrify Overview Centrify provides unified identity management solutions that result in single sign-on (SSO) for users and a simplified id
By Alex Komyagin at MongoDB with the help of Felderi Santiago at Centrify and Robertson Pimentel at Centrify
Overview
Centrify provides unified identity management solutions that result in single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s Server Suite integrates Linux systems into Active Directory domains to enable centralized authentication, access control, privilege user management and auditing access for compliance needs.
Since version 2.4, MongoDB Enterprise allows authentication with Microsoft Active Directory Services using LDAP and Kerberos protocols. On Linux systems it is now possible to leverage Centrify’s Server Suite solution for integrating MongoDB with Active Directory.
The use of Centrify’s Active Directory integration with MongoDB greatly simplifies setup process and allows MongoDB to seamlessly integrate into the most complex Active Directory environments found at enterprise customer sites with hundreds or thousands of employees.
Requirements
- Existing Active Directory domain
- MongoDB Enterprise 2.4 or greater
- Centrify Suite
All further MongoDB commands in this paper are given for the current latest stable release, MongoDB 2.6.5. The Linux OS used is RHEL6.4. The Centrify Server Suite version is 2014.1.
Setup procedure
Preparing a new MongoDB Linux server
In existing Enterprise environments that are already using Centrify and MongoDB there are usually specific guidelines on setting up Linux systems. Here we will cover the most basic steps needed, that can be used as a quick reference:
1. Configure hostname and DNS resolution
For Centrify and MongoDB to function properly you must set a hostname on the system and make sure it’s configured to use the proper Active Directory-aware DNS server instance IP address. You can update the hostname using commands that resemble the following:
<b>$ nano /etc/sysconfig/network</b> HOSTNAME=lin-client.mongotest.com <b>$ reboot</b> <b>$ hostname -f</b> lin-client.mongotest.com
Next, verify the DNS settings and add additional servers, if needed:
<b>$ nano /etc/resolv.conf</b> search mongotest.com nameserver 10.10.42.250
2. Install MongoDB Enterprise
The installation process is well outlined in our Documentation. It’s recommended to turn SELinux off for this exercise:
<b>$ nano /etc/selinux/config</b> SELINUX=disabled
Since MongoDB grants user privileges through role-based authorization, there should be an LDAP and a Kerberos user created in mongodb:
<b>$ service mongod start
$ mongo
> db.getSiblingDB("$external").createUser(
{
user : "alex",
roles: [ { role: "root" , db : "admin"} ]
}
)
> db.getSiblingDB("$external").createUser(
{
user: "alex@MONGOTEST.COM",
roles: [ { role: "root", db: "admin" } ]
}
)</b>“alex” is a user listed in AD and who is a member of the “Domain Users” group and has “support” set as its Organizational Unit.
3. Install Centrify agent
Unpack the Centrify suite archive and install the centrify-dc package. Then join the server to your domain as a workstation:
<b>$ rpm -ihv centrifydc-5.2.0-rhel3-x86_64.rpm</b> <b>$ adjoin -V -w -u ldap_admin mongotest.com</b> ldap_admin@MONGOTEST.COM's password:
Here “ldap_admin” is user who is a member of the “Domain Admins” group in AD.
Setting up MongoDB with LDAP authentication using Centrify
Centrify agent manages all communications with Active Directory, and MongoDB can use the Centrify PAM module to authenticate LDAP users.
1. Configure saslauthd, which is used by MongoDB as an interface between the database and the Linux PAM system.
a. Verify that “MECH=pam” is set in /etc/sysconfig/saslauthd:
<b>$ grep ^MECH /etc/sysconfig/saslauthd</b> MECH=pam
b. Turn on the saslauthd service and ensure it is started upon reboot:
<b>$ service saslauthd start</b> Starting saslauthd: [ OK ] <b>$ chkconfig saslauthd on</b> <b>$ chkconfig --list saslauthd</b> saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
2. Configure PAM to recognize the mongodb service by creating an appropriate PAM service file. We will use the sshd service file as a template, since it should’ve already been preconfigured to work with Centrify:
<b>$ cp -v /etc/pam.d/{sshd,mongodb}</b>
`/etc/pam.d/sshd' -> `/etc/pam.d/mongodb'3. Start MongoDB with LDAP authentication enabled, by adjusting the config file:
<b>$ nano /etc/mongod.conf</b> auth=true setParameter=saslauthdPath=/var/run/saslauthd/mux setParameter=authenticationMechanisms=PLAIN <b>$ service mongod restart</b>
4. Try to authenticate as the user “alex” in MongoDB:
<b>$ mongo
> db.getSiblingDB("$external").auth(
{
mechanism: "PLAIN",
user: "alex",
pwd: "xxx",
digestPassword: false
}
)</b>
1
<b>></b>Returning a value of “1” means the authentication was successful.
Setting up MongoDB with Kerberos authentication using Centrify
Centrify agent automatically updates system Kerberos configuration (the /etc/krb5.conf file), so no manual configuration is necessary. Additionally, Centrify provides means to create Active Directory service user, service principal name and keyfile directly from the Linux server, thus making automation easier.
1. Create the “lin-client-svc” user in Active Directory with SPN and UPN for the server, and export its keytab to the “mongod_lin.keytab” file:
<b>$ adkeytab -n -P mongodb/lin-client.mongotest.com@MONGOTEST.COM -U mongodb/lin-client.mongotest.com@MONGOTEST.COM -K /home/ec2-user/mongod_lin.keytab -c "OU=support" -V --user ldap_admin lin-client-svc</b> ldap_admin@MONGOTEST.COM's password: <b>$ adquery user lin-client-svc -PS</b> userPrincipalName:mongodb/lin-client.mongotest.com@MONGOTEST.COM servicePrincipalName:mongodb/lin-client.mongotest.com
Again, the “ldap_admin” is user who is a member of the “Domain Admins” group in AD. An OU “support” will be used to create the “lin-client-svc” service user.
2. Start MongoDB with Kerberos authentication enabled, by adjusting the config file. You also need to make sure that mongod listens on the interface associated with the FQDN. For this exercise, you can just configure mongod to listen on all interfaces:
<b>$ nano /etc/mongod.conf</b> # Listen to local interface only. Comment out to listen on all interfaces. #bind_ip=127.0.0.1 auth=true setParameter=authenticationMechanisms=GSSAPI <b>$ service mongod stop</b> <b>$ env KRB5_KTNAME=/home/ec2-user/mongod_lin.keytab mongod -f /etc/mongod.conf</b>
3. Try to authenticate as the user “alex@MONGOTEST.COM” in MongoDB:
<b>$ kinit alex@MONGOTEST.COM</b>
Password for alex@MONGOTEST.COM:
<b>$ mongo --host lin-client.mongotest.com
> db.getSiblingDB("$external").auth(
{
mechanism: "GSSAPI",
user: "alex@MONGOTEST.COM",
}
)</b>
1
<b>></b>The return value of “1” indicates success.
Summary and more information
MongoDB supports different options for authentication, including Kerberos and LDAP external authentication. With MongoDB and Centrify integration, it is now possible to speed up enterprise deployments of MongoDB into your existing security and Active Directory infrastructure and ensure quick day-one productivity without expending days and weeks of labor dealing with open-source tools.
About Centrify
Centrify is a leading provider of unified identity management solutions that result in single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s Server Suite software integrates Linux systems into Active Directory domains to enable centralized authentication, access control, privilege user management and auditing access for compliance needs. Over the last 10 years, more than 5,000 customers around the world, including nearly half of the Fortune 50, have deployed and trusted Centrify solutions across millions of servers, workstations, and applications, and have regularly reduced their identity management and compliance costs by 50% or more.
Video tutorials
Video on how to use Centrify to integrate MongoDB with Active Directory:
Video on how to enforce PAM access rights as an additional security layer for MongoDB with Centrify:
Centrify Community post and videos showcasing Active Directory integration for MongoDB: http://community.centrify.com/t5/Standard-Edition-DirectControl/MongoDB-AD-Integration-made-easy-with-Centrify/td-p/18779
MongoDB security documentation is available here: http://docs.mongodb.org/manual/security/ MongoDB user and role management tutorials: http://docs.mongodb.org/manual/administration/security-user-role-management/
原文地址:MongoDB LDAP and Kerberos Authentication with Cent, 感谢原作者分享。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1668
14
1427
52
1329
25
1273
29
1256
24
Use Composer to solve the dilemma of recommendation systems: andres-montanez/recommendations-bundle
Apr 18, 2025 am 11:48 AM
When developing an e-commerce website, I encountered a difficult problem: how to provide users with personalized product recommendations. Initially, I tried some simple recommendation algorithms, but the results were not ideal, and user satisfaction was also affected. In order to improve the accuracy and efficiency of the recommendation system, I decided to adopt a more professional solution. Finally, I installed andres-montanez/recommendations-bundle through Composer, which not only solved my problem, but also greatly improved the performance of the recommendation system. You can learn composer through the following address:
Navicat's method to view MongoDB database password
Apr 08, 2025 pm 09:39 PM
It is impossible to view MongoDB password directly through Navicat because it is stored as hash values. How to retrieve lost passwords: 1. Reset passwords; 2. Check configuration files (may contain hash values); 3. Check codes (may hardcode passwords).
How to choose a database for GitLab on CentOS
Apr 14, 2025 pm 04:48 PM
GitLab Database Deployment Guide on CentOS System Selecting the right database is a key step in successfully deploying GitLab. GitLab is compatible with a variety of databases, including MySQL, PostgreSQL, and MongoDB. This article will explain in detail how to select and configure these databases. Database selection recommendation MySQL: a widely used relational database management system (RDBMS), with stable performance and suitable for most GitLab deployment scenarios. PostgreSQL: Powerful open source RDBMS, supports complex queries and advanced features, suitable for handling large data sets. MongoDB: Popular NoSQL database, good at handling sea
What is the CentOS MongoDB backup strategy?
Apr 14, 2025 pm 04:51 PM
Detailed explanation of MongoDB efficient backup strategy under CentOS system This article will introduce in detail the various strategies for implementing MongoDB backup on CentOS system to ensure data security and business continuity. We will cover manual backups, timed backups, automated script backups, and backup methods in Docker container environments, and provide best practices for backup file management. Manual backup: Use the mongodump command to perform manual full backup, for example: mongodump-hlocalhost:27017-u username-p password-d database name-o/backup directory This command will export the data and metadata of the specified database to the specified backup directory.
MongoDB and relational database: a comprehensive comparison
Apr 08, 2025 pm 06:30 PM
MongoDB and relational database: In-depth comparison This article will explore in-depth the differences between NoSQL database MongoDB and traditional relational databases (such as MySQL and SQLServer). Relational databases use table structures of rows and columns to organize data, while MongoDB uses flexible document-oriented models to better suit the needs of modern applications. Mainly differentiates data structures: Relational databases use predefined schema tables to store data, and relationships between tables are established through primary keys and foreign keys; MongoDB uses JSON-like BSON documents to store them in a collection, and each document structure can be independently changed to achieve pattern-free design. Architectural design: Relational databases need to pre-defined fixed schema; MongoDB supports
How to set up users in mongodb
Apr 12, 2025 am 08:51 AM
To set up a MongoDB user, follow these steps: 1. Connect to the server and create an administrator user. 2. Create a database to grant users access. 3. Use the createUser command to create a user and specify their role and database access rights. 4. Use the getUsers command to check the created user. 5. Optionally set other permissions or grant users permissions to a specific collection.
How to encrypt data in Debian MongoDB
Apr 12, 2025 pm 08:03 PM
Encrypting MongoDB database on a Debian system requires following the following steps: Step 1: Install MongoDB First, make sure your Debian system has MongoDB installed. If not, please refer to the official MongoDB document for installation: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian/Step 2: Generate the encryption key file Create a file containing the encryption key and set the correct permissions: ddif=/dev/urandomof=/etc/mongodb-keyfilebs=512
What are the tools to connect to mongodb
Apr 12, 2025 am 06:51 AM
The main tools for connecting to MongoDB are: 1. MongoDB Shell, suitable for quickly viewing data and performing simple operations; 2. Programming language drivers (such as PyMongo, MongoDB Java Driver, MongoDB Node.js Driver), suitable for application development, but you need to master the usage methods; 3. GUI tools (such as Robo 3T, Compass) provide a graphical interface for beginners and quick data viewing. When selecting tools, you need to consider application scenarios and technology stacks, and pay attention to connection string configuration, permission management and performance optimization, such as using connection pools and indexes.
