[DOCS-12947] Configuring both setParameter.saslauthdPath and security.ldap.servers clarification and results Created: 08/Aug/19  Updated: 13/Nov/23

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: Backlog, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Improvement Priority: Major - P3
Reporter: Jack Alder Assignee: Unassigned
Resolution: Won't Do Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-45295 Make sure that LDAP logs always conta... Closed
related to SERVER-44926 Startup warning when both saslauthd a... Closed
Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Epic Link: DOCSP-1769

 Description   

Description

A user has configured both Native LDAP and saslauthdPath in a MongoDB deployment.

The configuration file passes validation and the process is started successfully.  Testing of this configuration scenario suggests that MongoDB will use the saslauthd proxy service for all LDAP user authentications.

Should the saslauthd service fail, LDAP users are unable to authenticate.

Documentation should note that should both options be present, the saslauthd configuration will take precedence and MongoDB will use it exclusively.

Scope of changes

Impact to Other Docs

MVP (Work and Date)

Resources (Scope or Design Docs, Invision, etc.)



 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!

Comment by Danny Hatcher (Inactive) [ 31/Dec/19 ]

So after Spencer's comment, I believe the proposed change of

Documentation should note that should both options be present, the saslauthd configuration will take precedence and MongoDB will use it exclusively.

should instead be

Documentation should note that should both options be present, the saslauthd configuration will take precedence and MongoDB will use it for authentication. If using LDAP for authorization, the native configuration will be used for that aspect.

Giving to the real docs team now.

Comment by Spencer Jackson [ 23/Dec/19 ]

nicholas.cottrell, a fair request. I've filed SERVER-45295. daniel.hatcher, passing back to you.

Comment by Spencer Jackson [ 03/Dec/19 ]

Be aware that there are both LDAP authentication and LDAP authorization. LDAP authentication can be accomplished through either Cyrus SASL's saslauthd or our native LDAP authentication implementation. These are mutually exclusive. LDAP authorization can only be performed using our native LDAP implementation. LDAP authorization can be used in conjunction with either implementation of LDAP authentication. There are some complex scenarios when it may be desirable for a deployment to use saslauthd for authentication and our native LDAP authorization.

If during authentication a saslauthdPath is set, the server will rely on saslauthd to perform authentication. If we are only using LDAP for authentication, that is the end of the story, as use of saslauthd precludes native LDAP authentication. However, if configured to use LDAP authorization, a server which has just used saslauthd may then use its native LDAP implementation to acquire the user's roles for authorization.
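
The precedence described in the comment above can be checked against a configuration file before deployment. The following is an added example, not code from the ticket or from MongoDB: the function names and the sample file are constructed, and it assumes that LDAP authorization counts as configured when security.ldap.authz.queryTemplate is set alongside security.ldap.servers.

```python
# Added example: report which LDAP path mongod would use for each role.
SAMPLE_CONF = """\
# constructed sample mongod.conf, not taken from the ticket
security:
  authorization: enabled
  ldap:
    servers: "ldap.example.net"
    authz:
      queryTemplate: "{USER}?memberOf?base"
setParameter:
  authenticationMechanisms: PLAIN
  saslauthdPath: /var/run/saslauthd/mux
"""

def flatten_conf(text):
    """Flatten nested YAML mappings into dotted keys.
    Handles only the subset above: no lists, anchors or multi-line scalars."""
    flat, stack = {}, []  # stack holds (indent, key) for each open mapping
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings at the same or deeper indent
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip().strip('"')
        else:
            stack.append((indent, key.strip()))
    return flat

def resolve_ldap_paths(flat):
    """Apply the precedence from the comment: saslauthd wins for authentication."""
    sasl = "setParameter.saslauthdPath" in flat
    native = "security.ldap.servers" in flat
    authz = "security.ldap.authz.queryTemplate" in flat  # assumption, see lead-in
    findings = []
    if sasl and native:
        findings.append(
            "saslauthdPath and security.ldap.servers are both set: saslauthd "
            "handles authentication, so LDAP logins fail if saslauthd is down")
    return {
        "authentication": "saslauthd" if sasl else ("native LDAP" if native else None),
        "authorization": "native LDAP" if (native and authz) else None,
        "findings": findings,
    }
```

Calling resolve_ldap_paths(flatten_conf(SAMPLE_CONF)) reports saslauthd for authentication, native LDAP for authorization, and one finding for the combined configuration.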

Comment by Nic Cottrell [ 03/Dec/19 ]

jack.alder - Actually, I just created SERVER-44926 so that it didn't get forgotten. Please feel free to update/correct my description if I've misunderstood something.

Generated at Thu Feb 08 08:06:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.