[GODRIVER-2609] Error Connecting to MongoDB using go driver from our internal services Created: 25/Oct/22  Updated: 27/Oct/23  Resolved: 01/Nov/22

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Critical - P2
Reporter: karthick d Assignee: Matt Dale
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

When I try to connect to MongoDB using the below URI through our internal services:

URI := "mongodb://user:pass@hostname:27017/db?w=majority"

// Here I get the TLS config using our utilities and pass it back here.
clientOpts := options.Client().ApplyURI(URI).SetTLSConfig(&tlsConfig)
client, err = mongo.Connect(ctx, clientOpts)
if err != nil {
    return nil, err
}
 

I get the below error:

connection() error occurred during connection handshake: auth error: sasl conversation error: unable to authenticate using mechanism "SCRAM-SHA-256": (AuthenticationFailed) Authentication failed.
 

But I am able to access the same URI and connect to the DB for our external port, and that works fine. Not sure if I'm missing something here.

In our old mongo global sign mgo driver we used to use something like below:

session, err := mgo.DialWithInfo(mongoDBDialInfo)

where we set the DialServer info using tls.Dial("tcp", addr.String(), &tlsConfig) and pass it to the DialInfo.

Currently we are in the process of migrating our code from the mgo driver to the official Go mongo-driver.

Can anyone help me with this?

 



 Comments   
Comment by Matt Dale [ 01/Nov/22 ]

karthickcseapitam@gmail.com thanks for the update, I'm glad to hear you were able to resolve the issue!

Authentication failures can be difficult to troubleshoot, in part because the error messages intentionally omit the exact authentication failure reason (see the OWASP Authentication and Error Messages guidelines for an explanation). I've opened a PR that adds troubleshooting information for the kind of authentication failure you encountered to our "common issues" doc to help other users who encounter the same issue.

Comment by karthick d [ 01/Nov/22 ]

@matt Actually, we try to force-change the password when the DB comes up. I referred to a wrong username and pw over there, and that was causing this problem. I sorted it out. I just felt that mongo should give a proper error response saying incorrect password or something; that would have been helpful. Appreciate your help. Please mark this ticket as closed and complete.

Comment by Matt Dale [ 01/Nov/22 ]

karthickcseapitam@gmail.com I'm not sure why the authentication would succeed or not succeed based on connecting on two different ports. One difference between the Go Driver and mgo is that the Go Driver supports the SCRAM-SHA-256 authentication mechanism, which is not supported by mgo (the latest auth mechanism supported by mgo is SCRAM-SHA-1). It's possible there is something unexpected happening when the Go Driver attempts to authenticate with the SCRAM-SHA-256 auth mechanism that wasn't happening with mgo.

Try adding authMechanism=SCRAM-SHA-1 to the connection string to force the Go Driver to use SCRAM-SHA-1 and see if that makes any difference when connecting to the internal or external ports.

E.g. connection string:

mongodb://user:pass@hostname:27017/db?w=majority&authMechanism=SCRAM-SHA-1

 
I also have a few questions that may help troubleshoot the problem:

  1. What is your MongoDB deployment's topology? (e.g. single server, replica set, sharded cluster, etc)
  2. When you're able to connect to the external port, is that using the Go Driver or some other MongoDB client? (e.g. mongosh).
  3. Are you able to connect to the internal or external port using another MongoDB client like mongosh or Compass?

Thanks!
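
As an added illustration (not part of the ticket thread and not Go Driver code): a standard-library-only helper that reports which user, auth database and mechanism a connection string presents without ever copying the password, and that pins authMechanism as suggested in the comment above. The names AuthView, InspectURI and PinMechanism are hypothetical, and a single-host mongodb:// URI is assumed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AuthView (hypothetical) is safe to log: the password itself is never copied.
type AuthView struct {
	User, AuthSource, Mechanism string
	HasPassword                 bool
}

// InspectURI reports which identity a single-host mongodb:// URI presents.
func InspectURI(raw string) (AuthView, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "mongodb" {
		return AuthView{}, fmt.Errorf("not a parseable mongodb:// URI") // err embeds the raw URL, so it is not wrapped
	}
	q := u.Query()
	v := AuthView{User: u.User.Username(), Mechanism: q.Get("authMechanism"), AuthSource: q.Get("authSource")}
	_, v.HasPassword = u.User.Password()
	if v.AuthSource == "" { // default: the database named in the URI path
		v.AuthSource = strings.TrimPrefix(u.Path, "/")
	}
	if v.AuthSource == "" { // no path database either: "admin"
		v.AuthSource = "admin"
	}
	return v, nil
}

// PinMechanism returns raw with authMechanism forced to mech, other options kept.
func PinMechanism(raw, mech string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "mongodb" {
		return "", fmt.Errorf("not a parseable mongodb:// URI")
	}
	q := u.Query()
	q.Set("authMechanism", mech)
	u.RawQuery = q.Encode() // Encode sorts the option keys alphabetically
	return u.String(), nil
}

func main() {
	const uri = "mongodb://user:pass@hostname:27017/db?w=majority" // URI from the ticket
	pinned, _ := PinMechanism(uri, "SCRAM-SHA-1")
	v, _ := InspectURI(pinned)
	fmt.Printf("%+v\n", v) // an empty Mechanism would mean the driver negotiates it
}
```

Logging the AuthView next to the handshake error shows which username and auth database were actually sent, which the server's deliberately generic "Authentication failed" message does not.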

Comment by Esha Bhargava [ 28/Oct/22 ]

karthickcseapitam@gmail.com Thanks for reporting this issue! We'll look into it and get back to you soon.

Comment by karthick d [ 26/Oct/22 ]

We use mongo as a container since our services are containerized (Docker platform). We run a command to bring up the mongo stuff. Do I need to set a param, something like below, to support the SCRAM-SHA-256 auth mechanism? We currently use MongoDB version 4.2.

mongod --verbose --setParameter authenticationMechanisms=SCRAM-SHA-256

Generated at Thu Feb 08 08:39:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.