Friday, October 24, 2014

Business Problems: Using MongoDB with AD leveraging Centrify

About MongoDB

MongoDB is becoming an increasingly popular alternative to other database offerings.  What's really refreshing about it is that, unlike some other established database leaders (ahem.... big O), it provides several mechanisms for authentication.  This means flexibility!

As of this writing, MongoDB offers the following authentication mechanisms:
  • X.509 certificates
  • LDAP with AD or OpenLDAP leveraging SASL
  • Kerberos

What's the business problem here?

Typically the folks dealing with apps and databases are not experts on authentication.  This leads to knowledge, cooperation and coordination issues and, obviously, time-to-production challenges.
In addition, if your Linux/UNIX infrastructure does not implement a robust set of access control technologies, each additional node adds to the problem.

This post covers
  • SASL (plain) integration leveraging PAM
  • Limiting Access using Centrify Access components

How can Centrify accelerate and secure MongoDB deployments?

  • By providing THE most robust and thoroughly tested way of integrating non-Windows platforms (Unix/Linux/OS X) to Active Directory.
    • No need to worry about setting up multiple LDAP servers (Centrify is sites and services aware)
    • In the SASL use case, no need to worry about plaintext communications since ultimately Centrify uses Kerberos.
    • In the GSSAPI/Kerberos case, Centrify maintains the environment for you and provides tools for ease of management.
  • Faster results: shorter time to market for these capabilities
  • Enhancing security by implementing privileged user management.

Basics:  What is SASL?

As per Wikipedia:  "Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL."

The key here is that MongoDB supports SASL and SASL can use PAM.  Since Centrify makes PAM work with AD out of the box, implementation is very simple:

Implementation (on CentOS)

Note:  You will need the Enterprise Edition of MongoDB to get this going.  For instructions on how to set it up, go here:   (use CentOS to follow along).  I will be elevating with dzdo:

Test and Configure SASLAUTHD

Step 1:  Make sure SASL (saslauthd) is on your system and working, and that cyrus-sasl-plain is installed
$ cat /etc/redhat-release
CentOS release 6.5 (Final)
$  adinfo -v
adinfo (CentrifyDC 5.2.0-218)
$ service saslauthd status
saslauthd is stopped
$  rpm -qa | grep cyrus-sasl-plain

If the cyrus-sasl-plain package is not present, use yum or another utility to add it.
saslauthd is stopped, which means the service is not set to start automatically.

Step 2:  Make sure that SASL is configured to work with PAM and identify the path for the socket.
$ cat /etc/sysconfig/saslauthd | grep MECH
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
$ cat /etc/sysconfig/saslauthd | grep SOCKETDIR

Step 3: Test SASL by determining your valid AD users and testing interactively
# to determine who can log in to your computer from AD
$ adquery user
cosmo.kramer:x:1149240408:1149240408:Cosmo Kramer:/home/cosmo.kramer:/bin/bash
george:x:1149240406:1149240406:George Constanza:/home/george:/bin/bash

Step 4: Start saslauthd interactively (with PAM support and verbose output)
$ dzdo saslauthd -a pam -d
saslauthd[4022] :main            : num_procs  : 5
saslauthd[4022] :main            : mech_option: NULL
saslauthd[4022] :main            : run_path   : /var/run/saslauthd
saslauthd[4022] :main            : auth_mech  : pam
saslauthd[4022] :ipc_init        : using accept lock file: /var/run/saslauthd/mux.accept

Step 5: In another terminal or SSH session, test SASL with PAM using testsaslauthd

$ testsaslauthd -u cosmo.kramer -p <kramer's password> -s login -f /var/run/saslauthd/mux
0: OK "Success."

This means that SASL with PAM is working as expected.

Step 6: Now you can make SASL start automatically if needed
$ dzdo chkconfig saslauthd on

$ chkconfig  | grep saslauthd
saslauthd       0:off   1:off   2:on    3:on    4:on    5:on    6:off

Create a PAM configuration file for mongod
Step 7: Because we've configured SASL to use PAM, we now need a PAM configuration file for mongod that carries the system or Centrify entries.  In my example, I'm piggybacking on the sshd config, since I already know it works with AD users.  We also want to make sure that the "other" PAM config file leverages the Centrify PAM modules as well.

$ cp /etc/pam.d/sshd /etc/pam.d/mongod
$ cp /etc/pam.d/sshd /etc/pam.d/other

Ultimately, for auth, account, password and session, these files include password-auth (in CentOS), which carries the Centrify PAM directives.  Here's an excerpt of password-auth:

cat /etc/pam.d/password-auth
# lines inserted by Centrify Direct Control (CentrifyDC 5.2.0-218)
auth       sufficient
auth       requisite deny
account    sufficient
account    requisite deny
session    required homedir
password   sufficient try_first_pass
password   requisite deny

This is what makes the magic happen.  The video below covers steps 1 thru 7.

Configure MongoDB

Step 8: Configure MongoDB security for SASL and restart it.

Set the following parameters in the /etc/mongodb.conf file:

auth has to be set to true, and the parameter saslauthdPath has to point to the socket at /var/run/saslauthd/mux (make sure the folder and file have the correct permissions).  Finally, authenticationMechanisms has to include PLAIN (for SASL).

To restart MongoDB with service, use:

$ service mongod restart
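As an added check that is not part of the original post, this script verifies what steps 1 through 8 configure: MECH=pam in /etc/sysconfig/saslauthd, a mux socket the mongod account can open for read and write, and auth/saslauthdPath/PLAIN in the mongod config. The config samples it carries are constructed, and it assumes the legacy ini-style config format (key=value, setParameter=name=value) that 2.6 still accepts.

```shell
#!/bin/sh
# Added preflight check (not from the original post) for the saslauthd and
# mongod settings that steps 1 to 8 put in place. Each config check reads the
# file text from stdin, so the same function runs on the constructed samples
# below and on the real files, e.g.:
#   saslauthd_uses_pam < /etc/sysconfig/saslauthd ; mongod_conf_ok < /etc/mongodb.conf

# /etc/sysconfig/saslauthd must select the pam mechanism (MECH=pam, quotes allowed).
saslauthd_uses_pam() {
    tr -d "\"'" | grep -Eq '^[[:space:]]*MECH=pam[[:space:]]*$'
}

# The mux socket the post points mongod at. Run this as the account mongod runs
# under: "correct permissions" means that account can open it for read and write.
mux_socket_ok() {
    [ -S "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Legacy ini-style mongod config (accepted by 2.6): auth=true, saslauthdPath
# set to the mux socket and PLAIN listed in authenticationMechanisms.
mongod_conf_ok() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*auth[[:space:]]*=[[:space:]]*true[[:space:]]*$' &&
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*setParameter[[:space:]]*=[[:space:]]*saslauthdPath=/var/run/saslauthd/mux[[:space:]]*$' &&
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*setParameter[[:space:]]*=[[:space:]]*authenticationMechanisms=([A-Za-z0-9-]+,)*PLAIN(,[A-Za-z0-9,-]+)?[[:space:]]*$'
}

# Constructed sample files (not captured from a real host).
GOOD_SASL='SOCKETDIR=/var/run/saslauthd
MECH="pam"'
BAD_SASL='SOCKETDIR=/var/run/saslauthd
MECH=shadow'
GOOD_CONF='logpath=/var/log/mongodb/mongod.log
auth=true
setParameter = saslauthdPath=/var/run/saslauthd/mux
setParameter = authenticationMechanisms=PLAIN,MONGODB-CR'
BAD_CONF='logpath=/var/log/mongodb/mongod.log
auth=true
setParameter = authenticationMechanisms=MONGODB-CR'

check() {   # check LABEL FUNCTION TEXT -> prints ok/FAIL for that sample
    if printf '%s\n' "$3" | "$2"; then echo "ok   $1"; else echo "FAIL $1"; fi
}
check "saslauthd MECH=pam (good sample)" saslauthd_uses_pam "$GOOD_SASL"
check "saslauthd MECH=pam (bad sample)"  saslauthd_uses_pam "$BAD_SASL"
check "mongod auth/saslauthdPath/PLAIN (good sample)" mongod_conf_ok "$GOOD_CONF"
check "mongod auth/saslauthdPath/PLAIN (bad sample)"  mongod_conf_ok "$BAD_CONF"
if mux_socket_ok /var/run/saslauthd/mux; then echo "ok   mux socket usable by $(id -un)"
else echo "FAIL mux socket missing or not read/write for $(id -un)"; fi
```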

Test SASL/PAM authentication with MongoDB

To test, you'll need an externally identified user.  We will use the same user we used to test SASL.

Step 9:  Create an externally identified user in MongoDB

$ mongo
MongoDB shell version: 2.6.5
connecting to: test
> db.getSiblingDB("admin")
> use $external
switched to db $external
> db.createUser({user:"cosmo.kramer", roles:[{role:"read", db:"reporting"}]})

The output should be:

Successfully added user: {
        "user" : "cosmo.kramer",
        "roles" : [
                {
                        "role" : "read",
                        "db" : "reporting"
                }
        ]
}

Step 10: Test SASL authentication inside MongoDB

$ mongo
MongoDB shell version: 2.6.5
connecting to: test
> db.getSiblingDB("$external").auth({mechanism: "PLAIN",user:'cosmo.kramer',pwd:'<kramer's password>',digestPassword: false})

The output should be:

1

An output of 1 means success.  This is a very simple process for using the PLAIN mechanism, but what's the issue here?  The password is in plaintext; even in our testing it was visible.  We will improve on this by using Kerberos, but first, let's add some access controls by leveraging the authorization components of Centrify.
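Steps 9 and 10 scripted, as an added example that is not part of the original post: the password is read at a prompt and handed to the mongo shell inside the JavaScript on stdin, so it does not sit on a command line (as with testsaslauthd -p) or in a shell history file. The user, role and database are the post's; the PLAIN exchange itself is still plaintext on the wire, which the post defers to Kerberos.

```shell
#!/bin/sh
# Added example (not from the original post) that scripts steps 9 and 10.
# The password is read at a prompt and fed to the mongo shell inside the
# JavaScript on stdin, so it never appears as a command-line argument.
# PLAIN still sends it in plaintext on the wire; that part is left to Kerberos.

# Escape a value for use inside a single-quoted JavaScript string literal,
# so an AD name or password containing ' or \ cannot break out of the string.
js_quote() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g" | tr -d '\n'
}

# Step 9: externally identified user in $external with the post's role and db.
create_user_js() {   # create_user_js USER ROLE DB
    printf "db.getSiblingDB('\$external').createUser({user:'%s', roles:[{role:'%s', db:'%s'}]});\n" \
        "$(js_quote "$1")" "$(js_quote "$2")" "$(js_quote "$3")"
}

# Step 10: PLAIN (saslauthd/PAM) authentication; the shell prints 1 on success.
plain_auth_js() {   # plain_auth_js USER PASSWORD
    printf "print(db.getSiblingDB('\$external').auth({mechanism:'PLAIN', user:'%s', pwd:'%s', digestPassword:false}));\n" \
        "$(js_quote "$1")" "$(js_quote "$2")"
}

user=${1:-cosmo.kramer}
if command -v mongo >/dev/null 2>&1; then
    # Creating the user needs an account allowed to do so (or the localhost
    # exception on a fresh auth-enabled deployment); authenticating does not.
    create_user_js "$user" read reporting | mongo --quiet localhost/admin
    printf 'AD password for %s: ' "$user"
    stty -echo; read -r pw; stty echo; echo
    plain_auth_js "$user" "$pw" | mongo --quiet localhost/admin
else
    echo "mongo shell not found; the generated JavaScript would be:"
    create_user_js "$user" read reporting
    plain_auth_js "$user" '<password read at the prompt>'
fi
```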

The video below covers steps 8-10

Limiting access to MongoDB using PAM granular access controls leveraging Centrify

You may want to add an additional layer of security.  For example, on a shared system you may want to grant a superset of users access to the box but limit who can log in to MongoDB via SASL with PAM.  For this, you can create a role with the PAM mongod access right.

Step 11:  Create the MongoDB PAM access right

  1. In Access Manager, navigate to Zone > Authorization > UNIX Rights Definitions > PAM Access
  2. Right-click, select Add PAM Right, and set it up like this:
    Name: MongoDB
    Application: mongodb

At this point, if you have any role with the MongoDB database profile, you can add this PAM access right to make sure its members have access to MongoDB; other users with just the ssh right will be able to log in to the box, but won't be able to log in to MongoDB.

The video below showcases how to leverage PAM Access rights as an additional security layer for MongoDB with Centrify:

