[CXX-2201] Getting "could not start SASLPrep for password" when connecting with user name/password Created: 07/Mar/21  Updated: 31/Mar/23  Resolved: 06/Aug/21

Status: Closed
Project: C++ Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Shavit Talman Assignee: Roberto Sanchez
Resolution: Cannot Reproduce Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Ubuntu 20.04, MongoDB V4.4 with access control, Driver V3.6.2


Attachments: Zip Archive minimalMongoSetup.zip     JPEG File noname     JPEG File noname    
Issue Links:
Related
related to CDRIVER-3939 ENABLE_ICU=OFF does not prevent libmo... Closed

 Description   

I have a mongDB V4.4 running in my VM (Ubuntu 20.04) in access control mode. I created an admin user with this role:
roles: [ { role: “root”, db: “admin” } ]

I installed the mongoDB driver for C++ (V3.6.2) and wrote a mini-program to test it. My code (basically copied from mongocxx tutorial):

mongocxx::instance instance{};

mongocxx::uri uri( "mongodb://userName:password@localhost:27017/?authSource=admin");

mongocxx::client conn(uri);

mongocxx::database db = conn["test"];

mongocxx::collection coll = db["test"];

mongocxx::cursor cursor = coll.find({});

for (auto doc : cursor)

{    std::cout << bsoncxx::to_json(doc) << "\n"; }

 

I inserted a document in test.test from mongo shell. The ‘find’ command works with the same user in mongo shell. When running this mini program I get:

 terminate called after throwing an instance of 'mongocxx::v_noabi::query_exception' what(): could not start SASLPrep for password: generic server error Aborted (core dumped)

When I cancel the MonogDB access control and connect to it with the same lines but without the user/password it works great and I can insert and find documents.
I also installed Compass and copied the connection string from above in order to connect to MongoDB from it. It worked fine and I was able to read/write/delete and so on.



 Comments   
Comment by Jérôme Étévé [ 31/Mar/23 ]

Depending on which version of libicu you have on your system, you'll need the associated data.

 

For instance, if you use libicu 68, you'll need a file called 'icudt68l.dat' and the environment variable 'ICU_DATA=/path/to/icudt68l.dat' for the mongodb driver to work.

 

For some reason (maybe this is antique stuff), while the libicu is reasonable easy to find, finding the corresponding data files is a bit of a pain. You'll have to google hard.

Some reference:

https://unicode-org.github.io/icu/userguide/icu/howtouseicu.html#c-with-your-own-build-system

Comment by Alexis Jacob [ 09/Aug/21 ]

I see. Thank you for the help! We'll be discussing the best course of action from the data that you have provided.

Comment by Roberto Sanchez [ 06/Aug/21 ]

alexis.jacob@systrangroup.com & shavitalman@gmail.com, I am unable to reproduce this behavior outside of a Conan environment. Based on my investigation, it seems that the Conan build uses, among other things, a static-only build of ICU, a custom CMake module that appears to override find_package to handle the static-only build of ICU, and patches to the C driver build to not build any shared components (because static ICU components are apparently not relocatable). To try to reproduce the error, I applied some of the same modifications that the Conan build applies. I also made further modifications to force linking with the static ICU components. However, even then I was not able to reproduce the failure.

The fact is that the Conan build is sufficiently complex and changes enough things in unexpected ways, that a proper resolution of this issue requires someone who is intimately familiar with Conan to identify and fix the root cause. I recommend that you file a ticket with the Conan project and request that they investigate the failure. They are better equipped to identify build issues in dependencies.

In the meantime, please consider installing the C and C++ drivers directly from source, or from your Linux distro's repositories (assuming you are running a recent release). You can consult the C++ driver installation instructions to start. If you run into any difficulty, you can find assistance in the MongoDB Community Forums.

Also note that we discussed this matter internally and I have filed CDRIVER-4119 to document the need for an internal SASLPrep implementation that would allow us to eliminate the ICU dependency.

Comment by Alexis Jacob [ 02/Aug/21 ]

Hi,

Indeed, I realized that there needs to be a user with specific auth mechanisms. Try adding a user that accepts "SCRAM-SHA-256" as a mechanism for authentication, and then try "mongodb://username:userPassword@127.0.0.1/?authSource=test&authMechanism=SCRAM-SHA-256". This should trigger the exception "Exception: could not start SASLPrep for password: generic server error"

Comment by Roberto Sanchez [ 24/Jul/21 ]

alexis.jacob@systrangroup.com, I attempted to reproduce this again on Ubuntu 18.04 using your minimal example. However, there does not appear to be any problem. That is, the execution of ./bin/minimalMongoSetup "mongodb://127.0.0.1" produced no error output and the exit status of the command was 0. Can you describe the error I should observe?

Comment by Alexis Jacob [ 01/Jul/21 ]

Understood. Thank you for your time.

Comment by Roberto Sanchez [ 01/Jul/21 ]

alexis.jacob@systrangroup.com my apologies for the lack of communication. I have been assigned some other work that has had to take priority. I intend to return to this ticket soon and I will follow-up if I have further questions at that time.

Comment by Alexis Jacob [ 30/Jun/21 ]

I was wondering if you needed additional info regarding the setup? We have tested and could reproduce from the zip file in an Ubuntu-18 OS, but we could probably try other OSes in order to reproduce that bug. Thanks for your help.

Comment by Alexis Jacob [ 18/Jun/21 ]

minimalMongoSetup.zip

Comment by Alexis Jacob [ 18/Jun/21 ]

Very well. Please find attached a zip of a reproduction that we had on an ubuntu-18 install.

Steps are as follows, after unzipping and working inside the extracted directory:

1. cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_STANDARD=11 -G "CodeBlocks - Unix Makefiles" minimalMongoSetup
2. make
3. ./bin/minimalMongoSetup "mongodb://uri-path"

Comment by Roberto Sanchez [ 11/Jun/21 ]

alexis.jacob@systrangroup.com, a minimal project would be very helpful. It looks like conan provides static libraries. From what I can tell by inspecting those static libraries and looking at the source code, it seems that disabling SASL but enabling ICU results in a peculiar output of the build process. It isn't clear to me if this is a combination of options that we support or test. I will need to investigate that. However, a minimal example will help me trigger the failure and then allow me to confirm that I have fixed it properly.

Comment by Alexis Jacob [ 31/May/21 ]

From looking at the conaninfo.txt:

mongo-c-driver:shared=True
mongo-c-driver:srv=True
mongo-c-driver:with_icu=True
mongo-c-driver:with_sasl=False
mongo-c-driver:with_snappy=True
mongo-c-driver:with_ssl=openssl
mongo-c-driver:with_zlib=True
mongo-c-driver:with_zstd=True
mongo-cxx-driver:polyfill=boost
mongo-cxx-driver:shared=True
mongo-cxx-driver:with_ssl=True

So the versions that I am using (mongo-c-driver 1.17.3 and mongo-cxx-driver 3.6.2) seem to be compiled with icu but without sasl. Tell me if you'd like a c++/cmake project that reproduces the bug concisely. Thanks for your help!

Comment by Alexis Jacob [ 31/May/21 ]

dpkg -l |grep libicu gives out the following:

ii libicu60:amd64 60.2-3ubuntu3.1 amd64 International Components for Unicode

But we use conan package manager (https://conan.io/center/mongo-cxx-driver) to get the latest packages, in this instance we fetch icu/68.2.

Maybe I could show a smaller reproduction of the issue so that I could share how we use conan install

Comment by Roberto Sanchez [ 27/May/21 ]

alexis.jacob@systrangroup.com, I would like to request some additional information to see if I can track down the root cause of the issue. Please provide the output of dpkg -l |grep libicu, as well as the commands and complete output of the C and C++ driver builds.

Comment by Kevin Albertson [ 28/Apr/21 ]

Apologies for the delayed response alexis.jacob@systrangroup.com and shavitalman@gmail.com.

It is still reproducible, but thanks to you, when setting the authMechanism
to be "SCRAM-SHA-1", my code started to work. It's an acceptable WA for me
at this stage.

Setting a SCRAM-SHA-1 auth mechanism does seem like a sensible workaround, as passwords will not undergo SASLPrep for SCRAM-SHA-1 (per the driver authentication specification).

At a glance the error comes from a call to libicu's usprep_openByType here. I suspect this may be due to the installation of libicu not having necessary components.

Thank you for sharing the information about your system. We will attempt to reproduce this on Ubuntu 20.04 soon.

Comment by Shavit Talman [ 28/Apr/21 ]

Hi,
I couldn't find a way to reopen. Perhaps only Clyde can?
It is still reproducible, but thanks to you, when setting the authMechanism
to be "SCRAM-SHA-1", my code started to work. It's an acceptable WA for me
at this stage.
Thanks,
Shavit

On Wed, Apr 28, 2021 at 11:04 AM Alexis Jacob (Jira) <jira@mongodb.org>

Comment by Alexis Jacob [ 28/Apr/21 ]

Hello,

Excuse me for reposting, but any help with this issue is greatly appreciated. @Shavit Talman, do you still reproduce this bug? If so, I'd like to propose that this issue be reopened. I cannot reopen it myself as a participant, but I think opening a new ticket could potentially split the same information in two separate issues. I looked at the description and it seems both our reproductions of the bug are identical. What are your thoughts on the matter? Have you fixed the problem locally? Would you like to reopen this issue?

Thanks in advance for your answers
Alexis

Comment by Alexis Jacob [ 09/Apr/21 ]

Could you reopen and check this issue again, @Clyde Bazille III?

I can give you any additional info if needed. Thanks in advance for your answer.
Alexis

Comment by Alexis Jacob [ 09/Apr/21 ]

Hello,

We have the same issue on our installation.

This bug still reproduces with Ubuntu 18.04 and redhat-8, mongo-c-driver versions 3.6.1 and 3.6.2, MongoDB v4.2, no authMechanism specified or authMechanism="SCRAM-SHA-256" with an authorized user on this authMechanism, no cyrus-sasl.
 
We don't reproduce the bug upon:

  • Installing an older version of mongo-c-driver (3.5.0)
  • forcing authMechanism to be "SCRAM-SHA-1" in the mongodb uri
  • installing cyrus-sasl and rebuilding while linking mongo-c-driver to cyrus-sasl
Comment by Shavit Talman [ 06/Apr/21 ]

Hi,
Sorry - I moved to another task and now got back to this. I tried to add
the flag to my project's CMake and it didn't help - samr error.
I didn't understand how to do the other option: "set ICU_ROOT to the
installation path of libicu."
I can send files themselves if it helps . I really appreciate your
assistance in this matter.
Thanks,
Shavit

On Wed, Mar 31, 2021 at 11:52 PM Clyde Bazile III (Jira) <jira@mongodb.org>

Comment by Clyde Bazile III (Inactive) [ 31/Mar/21 ]

Closing this ticket since there hasn't been any activity for a while. Feel free to re-open if you're still having issues. Thanks for the report.

Comment by Clyde Bazile III (Inactive) [ 17/Mar/21 ]

Since you're only using ASCII characters, SASLPrep shouldn't be triggered. You can ensure the step is skipped by adding -DMONGOC_ENABLE_ICU=OFF to your list of CMake options. Alternatively, you can set ICU_ROOT to the installation path of libicu.

Comment by Shavit Talman [ 16/Mar/21 ]

Hi Clyde

I have only letters in my password and when trying to install libicu it
writes:

libicu-dev is already the newest version (66.1-2ubuntu2).

On Mon, Mar 15, 2021 at 8:29 PM Clyde Bazile III (Jira) <jira@mongodb.org>

Comment by Shavit Talman [ 16/Mar/21 ]

Hi @Clyde Bazile III 

I have only letters in my password and when trying to install libicu it writes:

libicu-dev is already the newest version (66.1-2ubuntu2).

Comment by Clyde Bazile III (Inactive) [ 15/Mar/21 ]

Hi shavitalman@gmail.com,

It might be that your password contains non-ASCII characters. If so, please see our documentation on Basic Authentication (SCRAM-SHA-256). From the docs:

Passwords for SCRAM-SHA-256 undergo the preprocessing step known as SASLPrep specified in RFC 4013. SASLPrep will only be performed for passwords containing non-ASCII characters. SASLPrep requires libicu. If libicu is not available, attempting to authenticate over SCRAM-SHA-256 with non-ASCII passwords will result in error.

Usernames never undergo SASLPrep.

Please let me know if you're only sticking to ASCII characters or install libicu does not fix the issue.

Comment by Clyde Bazile III (Inactive) [ 08/Mar/21 ]

Hi Shavit,

Thanks for reporting this issue. We will look into this soon.

Generated at Wed Feb 07 22:05:12 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.