Home > System Administration > Using saslauthd with PAM for Percona MongoDB

Using saslauthd with PAM for Percona MongoDB

I recently had reason to authenticate users in MongoDB against an Active Directory source. In Mongo Community Edition, this isn’t enabled/possible. Upgrading to Mongo Enterprise is required for those features. Our team made the switch to Percona’s Distribution of Mongo to take advantage of the In Memory backend otherwise only available in Mongo Enterprise. There is some documentation around using saslauthd as an authentication proxy directly to LDAP, however we already have these Linux hosts joined to our Active Directory domain. We wanted to take advantage of the existing realmd/sssd connection to authenticate AD users. What we ended up with was a combination of a couple of places as I searched the web and wanted to pull it all together here. Here are a few of the posts that helped point me in the right direction:

  1. https://docs.mongodb.com/manual/tutorial/configure-ldap-sasl-activedirectory/
  2. https://www.percona.com/blog/2017/07/13/setting-percona-pam-active-directory-external-authentication/
  3. https://www.percona.com/blog/2018/12/21/percona-server-for-mongodb-authentication-using-active-directory/
  4. https://stackoverflow.com/questions/54600693/configuring-mongodb-to-authenticate-users-password-via-linux-pam

We’re running CentOS 7 and Percona Mongo 4.4. Here’s the settings I made to allow us to use SASL with our existing PAM configuration:

# Install SASL
sudo yum -y install cyrus-sasl cyrus-sasl-plain
# /etc/sasl2/mongodb.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
log_level: 5
mech_list: plain
# /etc/pam.d/mongodb
auth       include	password-auth
account    include	password-auth

And finally in the Mongo configuration, we need to enable Authentication as well as allow the PLAIN mechanism in addition to the SCRAM-SHA-1 used for internal Mongo auth.

# /etc/mongod.conf
    mode: requireTLS
  authorization: enabled
  authenticationMechanisms: PLAIN,SCRAM-SHA-1

That’s pretty much it. Initially, a local administrator account will need to be created – for example:

mongo --tls --tlsAllowInvalidHostnames --authenticationDatabase admin 
> use admin
switched to db admin
> db.createUser({user: "dba", pwd: passwordPrompt(), roles: ['root']});
Enter password:
Successfully added user: { "user" : "dba", "roles" : [ "root" ] }

Disconnect and reconnect using authentication and then add users to the $external authentication database:

mongo --tls --authenticationDatabase admin --host mongodb.example.com -u dba
> use MyDatabase
switched to db MyDatabase
> db.getSiblingDB("$external").createUser({user: "myadaccount",  roles: [ {role: 'dbAdmin', db: "MyDatabase" }] });
Successfully added user: {
	"user" : "myadaccount",
	"roles" : [
			"role" : "dbAdmin",
			"db" : "MyDatabase"

Hopefully this helps someone else in the future!