[SERVER-26767] Localhost exception not working on Windows with LDAP authorization Created: 25/Oct/16  Updated: 26/Oct/16  Resolved: 26/Oct/16

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 3.4.0-rc1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: David Golub Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Zip Archive db.zip
Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Configure a Windows Server 2012 box as a domain controller. Call the computer WINTEST and the domain MONGODB.LOCAL. Set the password for the Administrator account to "Test123!". Extract the attached zip file with MongoDB configuration files to C:\MMSAutomation. Start a mongod with each configuration file under data and a mongos with the configuration file under versions\workspace. Initiate two replica sets, one on ports 27000, 27001, and 27002, and the other on ports 27003, 27004, and 27005. Initiate the config server replica set, containing just one node, on port 27019. Connect to the mongos by running the Mongo shell with no parameters. Then, run the following:

use admin
db.system.roles.findOne()

There will be an authorization error, although access should be allowed under the localhost exception.

Participants:

Description:

When attempting to use LDAP authorization on Windows with a sharded cluster, the localhost exception doesn't work, making it impossible to add the role for the Automation Agent.

CC tim.olsen dennis.kuczynski



Comments:
Comment by Andreas Nilsson [ 26/Oct/16 ]

We were able to figure out the problem and resolve the issues.

Comment by Spencer Jackson [ 26/Oct/16 ]

Can you try to create your "CN=Automation,OU=Groups,DC=MONGODB,DC=LOCAL" role on the 'admin' database, rather than $external?

Comment by Cailin Nelson [ 26/Oct/16 ]

Note - using the FQDN to connect 'via localhost' only works if the FQDN resolves to 127.0.0.1. On Linux, it works like so:

Suppose you have a server a.example.com. If your /etc/hosts says

127.0.0.1 a.example.com

Then you can connect to mongod using the FQDN and be granted the localhost exception.

If your /etc/hosts says

10.1.2.3 a.example.com

then if you connect to mongod using the FQDN you will not be granted the localhost exception.

Both are valid server configurations. We cannot depend on being granted the localhost exception if connecting via the FQDN.
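The two /etc/hosts cases above, turned into a pre-flight check an operator can run before relying on the localhost exception (added example code, not from this ticket or from MongoDB). The hosts tables are constructed stand-ins for /etc/hosts so the script runs offline; pass hosts_table=None to consult the real resolver instead.

```python
import ipaddress
import socket

# Constructed stand-ins for the /etc/hosts configurations in the comment above
# (not copied from any real host). The "mixed" case is an extra one the
# comment does not show: a name with both a loopback and a routable address.
HOSTS_LOOPBACK = {"a.example.com": ["127.0.0.1"]}
HOSTS_ROUTABLE = {"a.example.com": ["10.1.2.3"]}
HOSTS_MIXED = {"a.example.com": ["127.0.0.1", "10.1.2.3"]}


def resolve(hostname, hosts_table=None):
    """Return the addresses hostname resolves to.

    hosts_table is the constructed hosts-file lookup; when it is None the
    system resolver is used (this is the only part that touches the network).
    """
    if hosts_table is not None:
        return list(hosts_table.get(hostname, []))
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    # getaddrinfo repeats an address once per socket type; deduplicate.
    return sorted({info[4][0] for info in infos})


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1. A zone suffix such as %eth0 is dropped
    before parsing so link-local IPv6 entries do not raise."""
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback


def localhost_exception_applies(hostname, hosts_table=None):
    """Conservative answer to "will connecting via this name count as localhost?".

    The server grants the exception based on the peer address of the TCP
    connection, and a client may pick any address the name resolves to, so
    every resolved address must be loopback. An unresolvable name is False.
    """
    addrs = resolve(hostname, hosts_table)
    return bool(addrs) and all(is_loopback(a) for a in addrs)


if __name__ == "__main__":
    cases = [("loopback", HOSTS_LOOPBACK), ("routable", HOSTS_ROUTABLE),
             ("mixed", HOSTS_MIXED)]
    for label, table in cases:
        print(label, localhost_exception_applies("a.example.com", table))
```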

Comment by David Golub [ 26/Oct/16 ]

You can't authenticate against Kerberos on Windows when connected through localhost. You have to connect through a hostname that has an SPN configured for it.

Generated at Thu Feb 08 04:13:09 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.