[SERVER-35566] setParameter.saslauthdPath no longer defaults to /var/run/saslauthd/mux
Created: 12/Jun/18  Updated: 29/Oct/23  Resolved: 14/Jun/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.0.0-rc6, 4.1.1

Type: Bug
Priority: Major - P3
Reporter: Timothy Olsen (Inactive)
Assignee: Sara Golemon
Resolution: Fixed
Votes: 0
Labels: SWNA, mms-s
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v4.0
Steps To Reproduce:

Start MongoDB 4.0.0-rc4 with LDAP: mongod --dbpath=db1 --setParameter authenticationMechanisms=PLAIN

Connect via the shell and attempt to authenticate:

MongoDB Enterprise > use $external
switched to db $external
MongoDB Enterprise > db.auth({mechanism: "PLAIN", user: "user", pwd: "supersecure", digestPassword: false})
Error: Authentication failed.
0

Sprint: Platforms 2018-06-18

 Description   

I've noticed that when using LDAP with saslauthd, saslauthdPath no longer defaults to /var/run/saslauthd/mux starting in MongoDB 4.0.

Authenticating using LDAP fails and I get the following error messages in the log:

2018-06-12T20:18:41.076+0000 E ACCESS   [conn1] Failed to bind to LDAP server at default: Can't contact LDAP server. Bind parameters were: {BindDN: automation-agent, authenticationType: simple}
2018-06-12T20:18:41.076+0000 I ACCESS   [conn1] SASL PLAIN authentication failed for automation-agent on $external from client 127.0.0.1:43584 ; OperationFailed: LDAP bind failed with error: Can't contact LDAP server

I am able to authenticate successfully if I downgrade to MongoDB 3.6 or specify saslauthdPath.

This is problematic for users upgrading existing LDAP deployments that do not specify saslauthdPath and depend on it defaulting to /var/run/saslauthd/mux. Such deployments will break upon upgrading to MongoDB 4.0.
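
A pre-upgrade check for the situation described above, as an added example that is not part of the original ticket or of MongoDB's code: it flags mongod command lines that enable PLAIN without setting saslauthdPath. It assumes parameters are passed on the command line (not in a config file) and that --ldapServers means native LDAP is in use rather than saslauthd; the function names and sample command lines are constructed.

```python
import shlex


def set_parameters(argv):
    """Collect name=value pairs from --setParameter options in a mongod argv."""
    params = {}
    it = iter(argv)
    for arg in it:
        if arg == "--setParameter":
            pair = next(it, "")
        elif arg.startswith("--setParameter="):
            pair = arg.split("=", 1)[1]
        else:
            continue
        name, sep, value = pair.partition("=")
        if sep:
            params[name] = value
    return params


def relies_on_default_saslauthd_path(cmdline):
    """True if PLAIN is enabled and no explicit saslauthdPath is given."""
    argv = shlex.split(cmdline)
    params = set_parameters(argv)
    mechanisms = params.get("authenticationMechanisms", "").split(",")
    # Assumption: --ldapServers selects native LDAP, so saslauthd is not involved.
    native_ldap = any(a == "--ldapServers" or a.startswith("--ldapServers=") for a in argv)
    # Only the absence of the parameter is flagged, whatever value it has when present.
    return "PLAIN" in mechanisms and not native_ldap and "saslauthdPath" not in params


# Constructed sample command lines; the first is the ticket's reproduction step.
SAMPLES = [
    "mongod --dbpath=db1 --setParameter authenticationMechanisms=PLAIN",
    "mongod --dbpath=db1 --setParameter authenticationMechanisms=PLAIN "
    "--setParameter saslauthdPath=/var/run/saslauthd/mux",
    "mongod --dbpath=db1 --setParameter=authenticationMechanisms=SCRAM-SHA-1,PLAIN "
    "--ldapServers ldap.example.net",
    "mongod --dbpath=db1 --setParameter authenticationMechanisms=SCRAM-SHA-256",
]


def audit(cmdlines):
    """Return the command lines that depend on the default socket path."""
    return [c for c in cmdlines if relies_on_default_saslauthd_path(c)]


if __name__ == "__main__":
    for line in audit(SAMPLES):
        print("set saslauthdPath explicitly before upgrading:", line)
```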



 Comments   
Comment by Githook User [ 14/Jun/18 ]

Author: Sara Golemon (sgolemon) <sara.golemon@mongodb.com>

Message: SERVER-35566 Proxy Cyrus/LDAP selection at runtime.

(cherry picked from commit 940ed1e95db94d132f018a82343fe0109b157272)
Branch: v4.0
https://github.com/mongodb/mongo/commit/91386a270d5ce8a296aa97036a7b9f54dedf4e28

Comment by Githook User [ 14/Jun/18 ]

Author: Sara Golemon (sgolemon) <sara.golemon@mongodb.com>

Message: SERVER-35566 Proxy PLAIN mechanism and dispatch to Cyrus/LDAP at runtime

(cherry picked from commit a5ceebdf6a1a75d8f4fdfd374dcbe0ab9415dad7)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/29fa49579b6a9673a0aba4a79b8541c3dfa82e87

Comment by Githook User [ 14/Jun/18 ]

Author: Sara Golemon (sgolemon) <sara.golemon@mongodb.com>

Message: SERVER-35566 Proxy Cyrus/LDAP selection at runtime.
Branch: master
https://github.com/mongodb/mongo/commit/940ed1e95db94d132f018a82343fe0109b157272

Comment by Githook User [ 14/Jun/18 ]

Author: Sara Golemon (sgolemon) <sara.golemon@mongodb.com>

Message: SERVER-35566 Proxy PLAIN mechanism and dispatch to Cyrus/LDAP at runtime
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/a5ceebdf6a1a75d8f4fdfd374dcbe0ab9415dad7

Comment by Andrew Morrow (Inactive) [ 13/Jun/18 ]

Interestingly, I don't find the path /var/run/saslauthd anywhere in our code in either the v3.6 or v4.0 branches. Perhaps it is constructed piecewise so a simple grep doesn't find it. I do find a test in the enterprise module that seems to be overriding the path, but I assume that is for testing purposes. I do find the path /var/run/saslauthd in the output of strings /usr/sbin/saslauthd though.
