I'm looking for a way to configure MongoDB to use Linux PAM to manage user passwords. This way when a user changes their password, it doesn't have to be manually updated in Mongodb.
Searching for help for this online only returns one result which is a blog article that mentions this is possible but doesn't describe how this is done.
The official documentation skips over setting up PAM and talks about LDAP.
How can I configure Mongodb to authenticate db users via Linux PAM?
Unfortunately, MongoDB authentication using PAM Linux seems to be configurable only in MongoDB Enterprise Edition.
This is because PAM Authentication requires PLAIN Authentication Mechanism, available only in MongoDB Enterprise Edition as mentionned in the documentation:
PLAIN (LDAP SASL) External authentication using LDAP. You can also use PLAIN for authenticating in-database users. PLAIN transmits passwords in plain text. This mechanism is available only in MongoDB Enterprise.
BTW, in MongoDB Enterprise Edition, you can enable PAM Authentication using the following (tested on Debian Stretch):
Install saslauthd
apt-get install sasl2-bin
vi /etc/default/saslauthd
START=yes
/etc/init.d/saslauthd restart
At this step you may test your sasl configuration with ("myuser" is your unix user):
testsaslauthd -u <myuser> -p <SecretPassword>
This should output a success message:
0: OK "Success."
Create a MongoDB user "myuser"
Replace "myuser" with the user with whom you want to authenticate.
mongo admin
db.getSiblingDB("$external").createUser(
{
user : "myuser",
roles: [ { role: "read", db: "mydb" } ]
}
)
Configure MongoDB to enable PLAIN Authentication Mechanism
vi /etc/mongod.conf
security:
authorization: enabled
setParameter:
authenticationMechanisms: PLAIN,MONGODB-X509,SCRAM-SHA-1,SCRAM-SHA-256
You should add the (Linux) mongodb user to the sasl group (this makes sure that MongoDB has the permission to access saslauthd)
adduser mongodb sasl
Restart mongod
systemctl restart mongod.service
Connect to MongoDB
Now, on MongoDB Enterprise, you should be able to authenticate using your linux username/pwd:
mongo --authenticationMechanism=PLAIN --authenticationDatabase='$external' -u myuser mydb
MongoDB shell version v4.0.7
connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("********-****-****-****-************") }
MongoDB server version: 4.0.7
MongoDB Enterprise >
On MongoDB Community Edition, it sadly fails with an "Unsupported mechanism" error:
MongoDB shell version v4.0.7
connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
2019-03-25T18:26:51.307+0100 E QUERY [js] Error: Unsupported mechanism 'PLAIN' on authentication database '$external' :
connect#src/mongo/shell/mongo.js:343:13
#(connect):3:6
exception: connect failed
Related
I've a VMWare VM with Ubuntu 16.04.5 and just installed MongoDb 3.6 (not the latest, but it matches production environment)
Inside remote shell, I can run mongo and so my mongod service is working.
This is parts of /etc/mongod.conf file about auth
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1, 192.168.1.50
security:
suthorization: enabled
I created this user into the db admin
> use admin
switched to db admin
> show users
{
"_id" : "admin.realtebo",
"user" : "realtebo",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
Then I restarted mongod service.
The problem
I cannot no more access using mongo shell client, it refuses my connection
mongo -u realtebo -p passsword_i_setup_for_user_realtebo
MongoDB shell version v3.6.9
connecting to: mongodb://127.0.0.1:27017
2019-01-16T09:06:51.416+0100 W NETWORK [thread1]
Failed to connect to 127.0.0.1:27017,
in(checking socket for error after poll), reason: Connection refused
2019-01-16T09:06:51.416+0100 E QUERY [thread1]
Error: couldn't connect to server 127.0.0.1:27017,
connection attempt failed :
connect#src/mongo/shell/mongo.js:257:13
#(connect):1:6
exception: connect failed
Important notes
Sure, removing authorization: true and restarting, I can access again, so the daeom in running well, but I'd like to learn the right way: using user and password is the minimum
I verified that this exact user/password combo is working developing a little nodejs app that works using these credentials, and fails without using them, so password is right
I tried to remove auth and verified that "Studio 3T" (a mongodb client) on Windows host can succesfully access MongoDb on the guest, so there are no port/firewalls/other problems with the VM
Othe tries
Failed specifying the auth db, admin as you can see some lines above here.
mongo -u realtebo -p passsword_i_setup_for_user_realtebo --authenticationDatabase admin
Simple questions, I hope
What's the right way to create something like a superuser with user and password in mongodb? And then which 'method' must I use from win client and from linux shell client to access it?
I know that I then must create another user, a readWrite I suppose, for a single and specific db, but this is not the actual question. For now I need to be able to login as a super user to manage it
It's not an authentication problem, actually the server does not start at all ("Connection refused") because of an error in the /etc/mongod.conf file, should be:
security:
authorization: enabled
Also it's mandatory to add the option --authenticationDatabase admin when starting a client.
It was a so simple stupid error.
I fixed the following typo, note the s instead of a in suthorization
security:
suthorization: enabled
Restarted service
From linux shell I can succesfully connect using
mongo -u realtebo -p passsword_i_setup_for_user_realtebo --authenticationDatabase admin
From windows client I setup auth method on legacy and entered username and password
Now all works
Just upgraded from Debian8 to Debian9. My MongoDB instance was upgraded as well (2.4 -> 3.2). Authentication is enabled.
In 2.4 when logging from localhost you could simply connect via mongo and was granted administrative privileges:
mongo
After doing some research it seems to me that in 3.2 you MUST login via some user/password combination even from localhost. But that seems awfully inconvenient.
mongo localhost/admin -u superAdminUser -p
So my question is whether that is really true and you do need to always use user/password combination? Or maybe I missed something and logging as superuser from localhost is still possible with no user/password?
if you start Mongodb by the following command , you will need to insert user name and password
mongod --dbpath /var/lib/mongo/ --auth &
also check /etc/mongod.conf file , you can enable/disable authentication .
security.authorization : enabled
As I know there is no way to disable authentication on local host only .
you can disable/enable authentication for all hosts which want to connect to Database
I want to connect to a remote database using Robomongo. I can connect to to database but an error says that:
Failed to load list of databases
What should I do?
It took me 7 days to figure it out. When I have upgraded to Robo 3T version 1.3. it started working just fine. My previous version was 1.2.
Good to know if you are having this issue.
In my experience, it is related to failed database user/password authentication. So probably your IP connection to server is successful but you failed to connect to db. I suggest to double check your database username/password and try again.
And better to show what is inside "Show error details".
Go to Connection Settings -> Authentication
- Provide Database name, username, password
- Now test the connection
I ran into the same issue, then I provided the above info which solved my issue
Refer: (Vaibhav's post) Point 3.Populate DB name and username and password How to connect Robomongo to MongoDB
I have faced the same problem after updating the MongoDB version from 3.6 to 4.2 and previously I was using the Robo 3T version 1.2. So I just updated the Robo 3T version from 1.2 to 1.3 and it's started working again.
This is because whatever user you are connecting as does not have the privileges to list the databases.
https://docs.mongodb.com/manual/reference/built-in-roles/
Note that a user/role can connect and interact with a specific database/collection, but in order for Robomongo to list out the databases/collections, you need to let it connect to your database using a user that has listDatabases privileges.
check that your user has read/write & list all Databases privileges.
I had the same error ("failed to load a list of databases"). Due to some reason all my databases and collections got removed. Apparently, Robomongo couldn't handle the situation when there are no databases/collections available on the server.
To solve the issue, I connected to Mongo Shell, created a database, and created a collection there:
mongo (start mongo shell)
use local (create database named local)
db.createCollection("somename")
After that, I could connect to the Mongo server
Update: I've faced this issue again, and this time it has been caused by the fact that it was a new Mongo installation on a virtual machine, and connections from other hosts weren't allowed, so I had to modify bindIP from 127.0.0.1 to 0.0.0.0 in /etc/mongod.conf
net:
bindIp: 0.0.0.0
port: 27017
and restart mongo sudo service mongod restart
Got the same issue when using mongodb version v4.2.0, but the auth settings don't help. Keep getting the following logs when connecting from Robo 3T(i.e.mongoRobo).
2019-09-30T16:41:52.286-0400 I NETWORK [listener] connection accepted from 127.0.0.1:53862 #1 (1 connection now open)
2019-09-30T16:41:52.286-0400 I NETWORK [conn1] received client metadata from 127.0.0.1:53862 conn1: { application: { name: "robo3t" }, driver: { name: "MongoDB Internal Client", version: "3.4.3-10-g865d2fb" }, os: { type: "Darwin", name: "Mac OS X", architecture: "x86_64", version: "17.7.0" } }
2019-09-30T16:41:52.292-0400 E - [conn1] Assertion: Location34348: cannot translate opcode 2010 src/mongo/rpc/message.h 120
2019-09-30T16:41:52.292-0400 I NETWORK [conn1] DBException handling request, closing client connection: Location34348: cannot translate opcode 2010
2019-09-30T16:41:52.292-0400 I NETWORK [conn1] end connection 127.0.0.1:53862 (0 connections now open)
Finally resolved it by upgrading Robo 3T to v1.3(mac)
I just found out that I have to upgrade to the latest version that supports latest version of MongoDB. It worked without any authentication.
I had the same issue when I upgraded mongodb from 3.2 to 5.0 and tried to connect on Robo 3T 1.2.
Then I installed Mongo Compass, issue resolved. Issue would be resolved installing Robo 3T 1.3 too.
If you are using mongod --auth --dbpath /data/db1 command to start MongoDB, remove --auth and start it.
mongod --dbpath /data/db1
Now Robomongo will be able to connect without authentication. But starting without authentication is not safe. So take another terminal and create a user for your db using mongo command as described in this article.
use myDB
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "dbAdminAnyDatabase", db: "admin" } ]
}
)
Now restart your MongoDB with --auth. Connect with Robomongo after configuring above authentication details in its connection settings.
mongod --auth --dbpath /data/db1
I had the same problem (using Robomongo), then, I created an user with his password to connect to the database, and now It is working ok
In my case i changed the configurations of my connection:
You go to: Manager connection >> Edit >> authentication >> rename to database to: admin
when I loaded the my connection all databases appeared.
Start mongod process. Start mongo process.
On the mongo shell you have opened type first rs.status() then rs.initiate() then rs.status().
My version is 1.4.3 Robo3T.
What worked for me is;
Go to MongoDB Connections and edit related connection
Go to Connection Settings
Under Authentication tab check the "Manually Specify visible
databases" and fill in the dbName you need to access.
It should fix.
I faced a similar issue but it was due to my own mistake. I added replication configuration int the /etc/mongod.conf file (i.e replSet name) and restarted the mongod.service without doing an rs.initiate()
After doing an rs.initiate() and doing a restart of mongod.service, my issue was resolved.
This issue only exists with ROBO3T 1.2 update to a higher version and it will go. The reason behind it is version 1.2 takes authentication but when we don't provide credentials in case of local it does not run listdatabase on startup
I have mongo db install on ec2 server and auth= true is turned on /etc/mongodb.conf but still any one can connect from remote using
mongo ipaddress. So how to revoke this access and permit user via authentication only.
You have to configure users specifically to handle authentication. There is no authentication as such like mysql. Access mongo console and configure users, add those credentials to your application which should connect to mongodb server. Follow the below steps in mongo console.
use admin
db.addUser("username", "Password")
use another_database_name
db.addUser("project1", "Password")
Restart mongodb instance with authentication enabled.
mongod --auth --config /etc/mongodb/mongodb.conf
I have a Bitnami MEAN instance running on EC2. After much finagling, I've been able to successfully connect to the DB using the local shell. I created authenticated users with all of the permissions necessary to access the data, and when I run the below code -- I am able to access the DB with no problem.
sudo mongo admin -u <USERNAME-p <PASSWORD>
That said, when I try to repeat this using a remote connection I am repeatedly given an "auth failed" error from MongoDB.
mongo <HOST>:<PORT>/<DATABASE> -u <USERNAME> -p <PASSWORD>
...
This is strange because I am using the exact same credentials as I do in running the local shell. The only difference is I'm including the host and port information. I've since also confirmed that my remote connection DOES work if I disable the auth parameter in mongodb.config.
mongo <HOST>:<PORT>/<DATABASE>
Obviously, in production I want to be able to authenticate. Do any of you have suggestions as to why there is a discrepancy between remote and local authentication?
I was facing the same issue.
The problem for me:
My local mongo shell was v2.6.10. It uses an authentication method called MONGODB-CR that has been deprecated.
My server version is v3.0.4. It uses an authentication method called SCRAM-SHA-1.
Try to check your local shell and remote server versions with:
mongo --version
mongod --version
If they are different, upgrade your local shell to v3. (I had to uninstall and install it again.)
I had previously be installing MongoDB version 3.2.12 and was able to connect to a remote instance using:
mongo -u ‘<USERNAME>’ -p ‘<PASSWORD>’ --host <REPLICA_SET>/<HOST>:<PORT> admin
I am creating a new cluster with version 3.4.2 and was not able to connect with the same command. After trying many different options I was finally able to figure out that I needed to add --authenticationDatabase before the admin database.
mongo -u ‘<USERNAME>’ -p ‘<PASSWORD>’ --host <REPLICA_SET>/<HOST>:<PORT> --authenticationDatabase admin
If you're using more recent versions of MongoDB (server version 4.2.6 / shell version v3.6.9 in my case) you don't have to force them to match like in #Alexandre's example. For instance, if you're getting this error:
[thread1] Error: Authentication failed. :
DB.prototype._authOrThrow#src/mongo/shell/db.js:1608:20
You can connect with this syntax:
mongo --host mongodb://username:password#IP:PORT/ --authenticationDatabase admin
Install the same version both on the server and on the client solved the problem for me.
As #Alexandre explained above, it is probably a problem of password encryption.
MongoDB version 3.2.7
I tried successfully with the two methods:
mongo --host "your_host" --port "your_port" --username "your_user" --password "your_pass" --authenticationDatabase "your_admin_db"
mongo "your_host:your_port/your_db" --username "your_user" --password "your_pass" --authenticationDatabase "your_admin_db"
Besides, make sure that your server is available for remote accesses. See details about net.bindIp at https://docs.mongodb.com/v3.2/reference/configuration-options/
This is mainly due to security reasons.
When you have access to the local environment, it is easy to supposed that you are an administrator of the system or a developer because you have access to the machine itself.
If you don't have access to the local machine, you can't guarantee this, and since a database security is really important (in most cases), it makes sense not to enable remote access. You can, of course, disable this, but it is not recommended.
Hope I helped.
Just in case someone bumps into the same problem, the authenticationDatabase is only required if you created the user in ANOTHER database. If you create the user in the database you connect to, no problems.
So be careful : use then create user .
If you happen to create your user in the admin database then yes you need the authenticationDatabase flag.