[DOCS-2300] LDAP documentation has major gaps Created: 25/Nov/13  Updated: 11/Jan/17  Resolved: 12/Dec/13

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: 01112017-cleanup

Type: Improvement Priority: Major - P3
Reporter: Tyler Brock Assignee: Kay Kim (Inactive)
Resolution: Done Votes: 0
Labels: security

Sub-Tasks:
Key | Summary | Type | Status | Assignee
DOCS-2386 | LDAP Authentication is not supported ... | Sub-task | Closed | Kay Kim
Participants:

Description

http://docs.mongodb.org/master/tutorial/configure-ldap-sasl-authentication/

We should mention that it is necessary to create a user in the '$external' database for this to actually work.

We should mention that saslauthd.conf may or may not exist and that users should create one if they don't have it.

The authentication example shows a Kerberos-style "user@REALM" username, and this could be misleading. It should be replaced by <username> or some such thing.

It's worth describing how this process with saslauthd works. I'm not an expert on this (so check with others), but it should be something like:

The username and password typed into MongoDB are communicated to saslauthd via a local Unix socket in plain text (this is why the mechanism is "PLAIN"). saslauthd then attempts to bind to the LDAP server on MongoDB's behalf using the specified credentials. NOTE: this communication will be carried out over a secure channel (if they have ldaps enabled); however, if the LDAP server is remote and not using ldaps, then your password will be transmitted in plaintext over the internet! If saslauthd is able to bind to the LDAP server, then the authentication is successful. Etc...

In addition, on certain Linux distributions (e.g. Ubuntu 12.04), starting saslauthd causes it to automatically enable authentication credential caching (see here), the -c option. Thus, saslauthd will never contact the LDAP server to reauthenticate users it has already cached until it is restarted. Again, this means that saslauthd will still successfully authenticate users whose credentials it has cached even if the LDAP server is down.

It might also be worth mentioning, as part of the "Tips" for the ldap_servers setting, that in addition to the ldap:/// protocol, those using the ldaps:/// protocol (LDAP over SSL) would typically have to use port 636.
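The following POSIX shell script is an added example written for this ticket; it is not code from the MongoDB docs project or from the reporter. It audits the three saslauthd points raised in the description: whether the -c credential cache is switched on, which transport each ldap_servers URI implies for the bind that carries the user's password (ldaps vs. plain ldap to a remote host), and the default ldaps port 636. It also prints the mongo shell statement that creates the matching user in the $external database. The Debian/Ubuntu file layout (OPTIONS in /etc/default/saslauthd, ldap_* keys in /etc/saslauthd.conf) and the "read" role are assumptions, and both sample inputs are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example for DOCS-2300, not code from MongoDB or the docs project.
# Audits saslauthd settings the ticket talks about. File layout is an
# assumption (Debian/Ubuntu); the two samples below are constructed.

# Constructed sample of the OPTIONS line from /etc/default/saslauthd
SAMPLE_OPTIONS='OPTIONS="-c -m /var/run/saslauthd"'

# Constructed sample /etc/saslauthd.conf (ldap_servers may list several URIs)
SAMPLE_CONF='ldap_servers: ldaps://ldap.example.com ldap://10.0.0.5:3389 ldap://127.0.0.1
ldap_search_base: dc=example,dc=com
ldap_filter: (uid=%u)'

# saslauthd_caching OPTIONS_LINE -> exit 0 if the -c (credential cache) flag is
# set. With -c, users already cached keep authenticating even when the LDAP
# server is down, until saslauthd is restarted.
saslauthd_caching() {
  opts=${1#*=}                      # drop the leading OPTIONS=
  opts=${opts#\"}; opts=${opts%\"}  # drop surrounding quotes
  case " $opts " in
    *" -c "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# ldap_port URI -> the explicit port, or the scheme default (ldap 389, ldaps 636)
ldap_port() {
  scheme=${1%%://*}
  hostport=${1#*://}; hostport=${hostport%%/*}
  case $hostport in
    *:*) echo "${hostport##*:}" ;;
    *)   case $scheme in
           ldaps) echo 636 ;;
           ldap)  echo 389 ;;
           *)     echo "" ;;
         esac ;;
  esac
}

# bind_transport URI -> how saslauthd's bind (carrying the user's password)
# travels: tls for ldaps, local-plaintext for ldap to this host,
# network-plaintext for ldap to any other host.
bind_transport() {
  scheme=${1%%://*}
  host=${1#*://}; host=${host%%/*}; host=${host%%:*}
  case $scheme in
    ldaps) echo tls ;;
    ldap)
      case $host in
        ""|localhost|127.0.0.1) echo local-plaintext ;;
        *)                      echo network-plaintext ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# audit_conf OPTIONS_LINE CONF_TEXT -> one finding per line, WARN or OK
audit_conf() {
  if saslauthd_caching "$1"; then
    echo "WARN caching: -c is set; cached users pass auth while LDAP is unreachable"
  fi
  servers=$(printf '%s\n' "$2" | sed -n 's/^ldap_servers:[[:space:]]*//p')
  for uri in $servers; do
    case $(bind_transport "$uri") in
      network-plaintext) echo "WARN $uri: bind password crosses the network unencrypted (port $(ldap_port "$uri"))" ;;
      tls)               echo "OK   $uri: LDAP over TLS on port $(ldap_port "$uri")" ;;
      local-plaintext)   echo "OK   $uri: plaintext bind stays on this host" ;;
    esac
  done
}

# external_user_cmd NAME -> the mongo shell statement the ticket wants the docs
# to mention: the LDAP user must also exist in the $external database.
# The "read" role on "test" is an assumption; pick the roles you actually need.
external_user_cmd() {
  printf 'db.getSiblingDB("$external").createUser({ user: "%s", roles: [ { role: "read", db: "test" } ] })\n' "$1"
}

# Run against the constructed samples
audit_conf "$SAMPLE_OPTIONS" "$SAMPLE_CONF"
external_user_cmd "<username>"
```

To audit a live host, feed the real files instead of the samples, e.g. `audit_conf "$(grep '^OPTIONS=' /etc/default/saslauthd)" "$(cat /etc/saslauthd.conf)"`; the URI parsing is deliberately simple and does not handle bracketed IPv6 hosts.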



Comments
Comment by Githook User [ 12/Dec/13 ]

Author: kay-kim (kay, kay.kim@10gen.com)

Message: DOCS-2300 add to ldap saslauthd tutorial
Branch: master
https://github.com/mongodb/docs/commit/1ea8052ae6439407171db8981886946529561465
