[SERVER-26767] Localhost exception not working on Windows with LDAP authorization Created: 25/Oct/16 Updated: 26/Oct/16 Resolved: 26/Oct/16
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 3.4.0-rc1 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | David Golub | Assignee: | Andreas Nilsson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: |
1. Configure a Windows Server 2012 box as a domain controller. Call the computer WINTEST and the domain MONGODB.LOCAL. Set the password for the Administrator account to "Test123!".
2. Extract the attached zip file with MongoDB configuration files to C:\MMSAutomation.
3. Start a mongod with each configuration file under data and a mongos with the configuration file under versions\workspace.
4. Initiate two replica sets, one on ports 27000, 27001, and 27002, and the other on ports 27003, 27004, and 27005.
5. Initiate the config server replica set, containing just one node, on port 27019.
6. Connect to the mongos by running the Mongo shell with no parameters. Then, run the following:

There will be an authorization error, although access should be allowed under the localhost exception.
| Participants: | |
| Description |
When attempting to use LDAP authorization on Windows with a sharded cluster, the localhost exception doesn't work, making it impossible to add the role for the Automation Agent.
| Comments |
| Comment by Andreas Nilsson [ 26/Oct/16 ] |
We were able to figure out the problem and resolve the issues.
| Comment by Spencer Jackson [ 26/Oct/16 ] |
Can you try to create your "CN=Automation,OU=Groups,DC=MONGODB,DC=LOCAL" role on the 'admin' database, rather than $external?
| Comment by Cailin Nelson [ 26/Oct/16 ] |
Note - using the FQDN to connect 'via localhost' only works if the FQDN resolves to 127.0.0.1. On Linux, it works like so: suppose you have a server a.example.com. If your /etc/hosts says
Then you can connect to mongod using the FQDN and be granted the localhost exception. If your /etc/hosts says
then if you connect to mongod using the FQDN you will not be granted the localhost exception. Both are valid server configurations. We cannot depend on being granted the localhost exception if connecting via the FQDN.
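An added illustration, not code from the ticket or from MongoDB, of the two /etc/hosts cases described in the comment above: it parses hosts-file text and reports whether a name maps only to loopback, which is the precondition for the localhost exception when connecting by FQDN. The hosts-file contents, including the address 192.0.2.10, are constructed samples.

```python
"""Decide whether a hostname in /etc/hosts-style text maps only to loopback.

A client connecting by that name is eligible for MongoDB's localhost
exception only in the loopback case; otherwise the connection arrives on a
non-loopback address and is treated like any remote client."""
import ipaddress
from typing import Dict, List


def parse_hosts(text: str) -> Dict[str, List[object]]:
    """Parse hosts-file content into {name: [ip addresses]} (names lower-cased)."""
    table: Dict[str, List[object]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed entries rather than trusting them
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolves_to_loopback(hosts_text: str, fqdn: str) -> bool:
    """True only if fqdn is present and every address for it is loopback."""
    addrs = parse_hosts(hosts_text).get(fqdn.lower(), [])
    return bool(addrs) and all(a.is_loopback for a in addrs)


# Constructed sample files for the two cases in the discussion (not from the ticket).
HOSTS_LOOPBACK = """
127.0.0.1   localhost a.example.com
::1         localhost ip6-localhost
"""
HOSTS_PUBLIC = """
127.0.0.1   localhost
192.0.2.10  a.example.com    # the server's NIC address, not loopback
"""

if __name__ == "__main__":
    for label, text in (("loopback", HOSTS_LOOPBACK), ("public", HOSTS_PUBLIC)):
        ok = resolves_to_loopback(text, "a.example.com")
        print(f"{label}: a.example.com eligible for localhost exception = {ok}")
```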
| Comment by David Golub [ 26/Oct/16 ] |
You can't authenticate against Kerberos on Windows when connected through localhost. You have to connect through a hostname that has an SPN configured for it.