Configuring MongoDB to authenticate user's password via Linux PAM

Submitted by 天大地大妈咪最大 on 2019-12-11 06:05:38

Question


I'm looking for a way to configure MongoDB to use Linux PAM to manage user passwords. This way when a user changes their password, it doesn't have to be manually updated in MongoDB.

Searching for help for this online only returns one result which is a blog article that mentions this is possible but doesn't describe how this is done.

The official documentation skips over setting up PAM and talks about LDAP.

How can I configure MongoDB to authenticate db users via Linux PAM?


Answer 1:


Unfortunately, MongoDB authentication using PAM Linux seems to be configurable only in MongoDB Enterprise Edition.

This is because PAM Authentication requires PLAIN Authentication Mechanism, available only in MongoDB Enterprise Edition as mentioned in the documentation:

PLAIN (LDAP SASL) External authentication using LDAP. You can also use PLAIN for authenticating in-database users. PLAIN transmits passwords in plain text. This mechanism is available only in MongoDB Enterprise.

BTW, in MongoDB Enterprise Edition, you can enable PAM Authentication using the following (tested on Debian Stretch):

Install saslauthd

apt-get install sasl2-bin

vi /etc/default/saslauthd

START=yes

/etc/init.d/saslauthd restart

At this step you may test your sasl configuration with ("myuser" is your unix user):

testsaslauthd -u <myuser> -p <SecretPassword>

This should output a success message:

0: OK "Success."

Create a MongoDB user "myuser"

Replace "myuser" with the user with whom you want to authenticate.

mongo admin

db.getSiblingDB("$external").createUser(
    {
      user : "myuser",
      roles: [ { role: "read", db: "mydb" } ]
    }
)

Configure MongoDB to enable PLAIN Authentication Mechanism

vi /etc/mongod.conf

security:
  authorization: enabled

setParameter:
  authenticationMechanisms: PLAIN,MONGODB-X509,SCRAM-SHA-1,SCRAM-SHA-256

You should add the (Linux) mongodb user to the sasl group (this makes sure that MongoDB has the permission to access saslauthd)

adduser mongodb sasl

Restart mongod

systemctl restart mongod.service

Connect to MongoDB

Now, on MongoDB Enterprise, you should be able to authenticate using your Linux username/pwd:

mongo --authenticationMechanism=PLAIN --authenticationDatabase='$external' -u myuser mydb

MongoDB shell version v4.0.7
connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("********-****-****-****-************") }
MongoDB server version: 4.0.7
MongoDB Enterprise > 

On MongoDB Community Edition, it sadly fails with an "Unsupported mechanism" error:

MongoDB shell version v4.0.7
connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
2019-03-25T18:26:51.307+0100 E QUERY    [js] Error: Unsupported mechanism 'PLAIN' on authentication database '$external' :
connect@src/mongo/shell/mongo.js:343:13
@(connect):3:6
exception: connect failed
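
Added example, not part of the original answer: a shell audit of the files edited in the steps above, which also checks that TLS is required, since the quoted documentation notes that PLAIN transmits passwords in plain text. The function names are hypothetical, the sample files are constructed, and the TLS check assumes the standard `net.ssl.mode` (4.0) or `net.tls.mode` (4.2+) setting in mongod.conf.

```shell
# Added example: offline audit of the files edited in the steps above.
# File paths are arguments, so it can run against copies of the configs.

saslauthd_enabled() {   # $1 = /etc/default/saslauthd; needs uncommented START=yes
    grep -Eq '^[[:space:]]*START="?yes"?[[:space:]]*$' "$1"
}
in_group() {            # $1 = user, $2 = group, $3 = group file (/etc/group format)
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}
plain_enabled() {       # $1 = mongod.conf; PLAIN listed in authenticationMechanisms
    grep -E '^[[:space:]]*authenticationMechanisms:' "$1" |
        cut -d: -f2- | tr -d ' "\r' | tr ',' '\n' | grep -qx 'PLAIN'
}
tls_required() {        # $1 = mongod.conf; net.ssl.mode (4.0) or net.tls.mode (4.2+)
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        {
            key = $0; sub(/^ +/, "", key); ind = length($0) - length(key)
            sub(/[ \t\r]+$/, "", key)
            if (ind == 0) { top = key; sec = ""; next }
            if (top == "net:" && (key == "ssl:" || key == "tls:")) { sec = key; secind = ind; next }
            if (ind <= secind) sec = ""              # left the ssl:/tls: block
            if (sec != "" && key ~ /^mode:[ \t]*require(SSL|TLS)$/) found = 1
        }
        END { exit !found }' "$1"
}
audit() {               # $1 = saslauthd defaults, $2 = mongod.conf, $3 = group file
    fails=0
    saslauthd_enabled "$1" || { echo "FAIL: START=yes not set in $1"; fails=$((fails + 1)); }
    in_group mongodb sasl "$3" || { echo "FAIL: mongodb is not in the sasl group"; fails=$((fails + 1)); }
    if plain_enabled "$2"; then
        tls_required "$2" || { echo "FAIL: PLAIN enabled without required TLS"; fails=$((fails + 1)); }
    else
        echo "FAIL: PLAIN missing from authenticationMechanisms"; fails=$((fails + 1))
    fi
    return "$fails"     # number of failed checks
}

# Constructed inputs mirroring the answer's files (not from a real host).
tmp=$(mktemp -d)
printf 'START=yes\n' > "$tmp/saslauthd"
printf 'sasl:x:45:mongodb\n' > "$tmp/group"
printf 'security:\n  authorization: enabled\nsetParameter:\n  authenticationMechanisms: PLAIN,MONGODB-X509,SCRAM-SHA-1,SCRAM-SHA-256\n' > "$tmp/mongod.conf"
audit "$tmp/saslauthd" "$tmp/mongod.conf" "$tmp/group" || echo "$? check(s) failed"
rm -rf "$tmp"
```

Run against the mongod.conf exactly as shown in the answer, the audit reports one failure: PLAIN is enabled but nothing in the file requires TLS.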


Source: https://stackoverflow.com/questions/54600693/configuring-mongodb-to-authenticate-users-password-via-linux-pam
