配置MongoDB以通过Linux PAM验证用户密码 [英] Configuring MongoDB to authenticate user's password via Linux PAM

问题描述

我正在寻找一种配置MongoDB以使用Linux PAM来管理用户密码的方法.这样，当用户更改密码时，不必在Mongodb中进行手动更新.

I'm looking for a way to configure MongoDB to use Linux PAM to manage user passwords. This way when a user changes their password, it doesn't have to be manually updated in Mongodb.

为此在线搜索帮助仅返回一个结果，即博客文章是可能的，但没有描述如何做到这一点.

Searching for help for this online only returns one result which is a blog article that mentions this is possible but doesn't describe how this is done.

官方文档跳过了设置PAM的内容，而讨论了LDAP.

The official documentation skips over setting up PAM and talks about LDAP.

推荐答案

不幸的是，使用PAM Linux进行MongoDB身份验证似乎只能在 MongoDB Enterprise Edition 中进行配置.

Unfortunately, MongoDB authentication using PAM Linux seems to be configurable only in MongoDB Enterprise Edition.

这是因为PAM身份验证需要PLAIN身份验证机制，该机制仅在文档:

This is because PAM Authentication requires PLAIN Authentication Mechanism, available only in MongoDB Enterprise Edition as mentionned in the documentation:

普通(LDAP SASL)使用LDAP的外部身份验证.您还可以使用PLAIN对数据库中的用户进行身份验证. PLAIN以纯文本格式传输密码. 此机制仅在MongoDB Enterprise中可用.

顺便说一句，在MongoDB Enterprise Edition中，您可以使用以下功能(在 Debian Stretch 上进行测试)来启用PAM身份验证:

BTW, in MongoDB Enterprise Edition, you can enable PAM Authentication using the following (tested on Debian Stretch):

apt-get install sasl2-bin

vi /etc/default/saslauthd

START=yes

/etc/init.d/saslauthd restart

在此步骤中，您可以使用("myuser"是您的Unix用户)测试您的sasl配置:

At this step you may test your sasl configuration with ("myuser" is your unix user):

testsaslauthd -u <myuser> -p <SecretPassword>

这应该输出一条成功消息:

This should output a success message:

0: OK "Success."

创建MongoDB用户"myuser"

将"myuser"替换为要与之进行身份验证的用户.

Create a MongoDB user "myuser"

Replace "myuser" with the user with whom you want to authenticate.

mongo admin

db.getSiblingDB("$external").createUser(
    {
      user : "myuser",
      roles: [ { role: "read", db: "mydb" } ]
    }
)

配置MongoDB以启用PLAIN身份验证机制

vi /etc/mongod.conf

security:
  authorization: enabled

setParameter:
  authenticationMechanisms: PLAIN,MONGODB-X509,SCRAM-SHA-1,SCRAM-SHA-256

您应该将(Linux)mongodb用户添加到sasl组(这确保MongoDB有权访问saslauthd)

You should add the (Linux) mongodb user to the sasl group (this makes sure that MongoDB has the permission to access saslauthd)

adduser mongodb sasl

重启mongod

systemctl restart mongod.service

现在，在MongoDB Enterprise上，您应该能够使用Linux用户名/pwd进行身份验证:

Now, on MongoDB Enterprise, you should be able to authenticate using your linux username/pwd:

mongo --authenticationMechanism=PLAIN --authenticationDatabase='$external' -u myuser mydb

MongoDB shell version v4.0.7
connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("********-****-****-****-************") }
MongoDB server version: 4.0.7
MongoDB Enterprise > 

在MongoDB社区版上，它不幸失败并显示不受支持的机制"错误:

On MongoDB Community Edition, it sadly fails with an "Unsupported mechanism" error:

MongoDB shell version v4.0.7
connecting to: mongodb://127.0.0.1:27017/mydb?authMechanism=PLAIN&authSource=%24external&gssapiServiceName=mongodb
2019-03-25T18:26:51.307+0100 E QUERY    [js] Error: Unsupported mechanism 'PLAIN' on authentication database '$external' :
connect@src/mongo/shell/mongo.js:343:13
@(connect):3:6
exception: connect failed

这篇关于配置MongoDB以通过Linux PAM验证用户密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！