Details
- Type: Improvement
- Resolution: Done
- Priority: Major - P3
Description
http://docs.mongodb.org/master/tutorial/configure-ldap-sasl-authentication/
We should mention that it is necessary to create a user in the '$external' database for this to actually work.
We should mention that saslauthd.conf may or may not exist and that users should create one if they don't have it.
The authentication example shows a Kerberos-style "user@REALM" username, which could be misleading for LDAP. It should be replaced by <username> or some such placeholder.
It's worth describing how this process with saslauthd works. I'm not an expert on this (so check with others) but it should be something like:
The username and password typed into MongoDB are communicated to saslauthd via a local Unix socket in plain text (this is why the mechanism is "PLAIN"). saslauthd then attempts to bind to the LDAP server on MongoDB's behalf using the supplied credentials. NOTE: this bind is carried out over a secure channel only if ldaps is enabled; if the LDAP server is remote and not using ldaps, the password is transmitted in plaintext over the internet! If saslauthd is able to bind to the LDAP server, the authentication is successful. Etc...
In addition, on certain Linux distributions (e.g. Ubuntu 12.04) starting saslauthd automatically enables authentication credential caching (see here), i.e. the -c option. Thus saslauthd will never contact the LDAP server to re-authenticate users it has already cached until it is restarted. In particular, this means that saslauthd will still successfully authenticate users whose credentials it has cached even if the LDAP server is down, or if their credentials have since been changed or revoked in LDAP.
It might also be worth mentioning, as part of the "Tips" for the ldap_servers setting, that in addition to the ldap:/// protocol, those using the ldaps:/// protocol (LDAP over SSL) would typically have to use port 636.
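The two operational pitfalls described above (an ldap:// bind to a remote server sending the PLAIN password unencrypted, and the -c credential cache) can be checked mechanically. The following is an added example, not MongoDB's or Cyrus SASL's own tooling; the hostnames and file contents are constructed, and the file layout assumes a Debian/Ubuntu-style /etc/default/saslauthd.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed sample: a saslauthd.conf written after following the tutorial.
SASLAUTHD_CONF = """\
ldap_servers: ldap://ldap.example.com ldaps://ldap2.example.com
ldap_search_base: dc=example,dc=com
ldap_filter: (uid=%u)
"""

# Constructed sample: /etc/default/saslauthd as shipped on Ubuntu 12.04 style installs.
SASLAUTHD_DEFAULT = """\
START=yes
MECHANISMS="ldap"
OPTIONS="-c -m /var/run/saslauthd"
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # ldaps without a port means 636

def ldap_servers(conf: str) -> List[str]:
    """Return the whitespace-separated URLs of the ldap_servers directive."""
    for line in conf.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "ldap_servers":
            return value.split()
    return []

def effective_port(url: str) -> int:
    """Port the bind will actually use, applying the scheme default when omitted."""
    parts = urlsplit(url)
    return parts.port or DEFAULT_PORTS[parts.scheme]

def audit_servers(conf: str) -> List[str]:
    """One finding per URL whose bind would carry the PLAIN password unencrypted.
    ldap:/// (no host) is the local server and is left alone."""
    findings = []
    for url in ldap_servers(conf):
        parts = urlsplit(url)
        host = parts.hostname or "localhost"
        if parts.scheme == "ldap" and host not in LOCAL_HOSTS:
            findings.append(f"{url}: plaintext bind to remote host, use ldaps:// (port 636)")
    return findings

def caching_enabled(defaults: str) -> bool:
    """True when OPTIONS passes -c, so cached users authenticate without an LDAP bind."""
    for line in defaults.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "OPTIONS":
            return "-c" in value.strip().strip('"').split()
    return False
```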