MongoDB LDAP and Kerberos Authentication with Cent-mysql教程-PHP中文网

首页

数据库

mysql教程

MongoDB LDAP and Kerberos Authentication with Cent

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 07, 2016 pm 04:40 PM

andauthkerberosldapmongodb

By Alex Komyagin at MongoDB with the help of Felderi Santiago at Centrify and Robertson Pimentel at Centrify Overview Centrify provides unified identity management solutions that result in single sign-on (SSO) for users and a simplified id

By Alex Komyagin at MongoDB with the help of Felderi Santiago at Centrify and Robertson Pimentel at Centrify

Overview

Centrify provides unified identity management solutions that result in single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s Server Suite integrates Linux systems into Active Directory domains to enable centralized authentication, access control, privilege user management and auditing access for compliance needs.

Since version 2.4, MongoDB Enterprise allows authentication with Microsoft Active Directory Services using LDAP and Kerberos protocols. On Linux systems it is now possible to leverage Centrify’s Server Suite solution for integrating MongoDB with Active Directory.

The use of Centrify’s Active Directory integration with MongoDB greatly simplifies setup process and allows MongoDB to seamlessly integrate into the most complex Active Directory environments found at enterprise customer sites with hundreds or thousands of employees.

Requirements

Existing Active Directory domain
MongoDB Enterprise 2.4 or greater
Centrify Suite

All further MongoDB commands in this paper are given for the current latest stable release, MongoDB 2.6.5. The Linux OS used is RHEL6.4. The Centrify Server Suite version is 2014.1.

Setup procedure

Preparing a new MongoDB Linux server

In existing Enterprise environments that are already using Centrify and MongoDB there are usually specific guidelines on setting up Linux systems. Here we will cover the most basic steps needed, that can be used as a quick reference:

1. Configure hostname and DNS resolution

For Centrify and MongoDB to function properly you must set a hostname on the system and make sure it’s configured to use the proper Active Directory-aware DNS server instance IP address. You can update the hostname using commands that resemble the following:

<b>$ nano /etc/sysconfig/network</b>
HOSTNAME=lin-client.mongotest.com
<b>$ reboot</b>
<b>$ hostname -f</b>
lin-client.mongotest.com

Next, verify the DNS settings and add additional servers, if needed:

<b>$ nano /etc/resolv.conf</b>
search mongotest.com
nameserver 10.10.42.250

2. Install MongoDB Enterprise

The installation process is well outlined in our Documentation. It’s recommended to turn SELinux off for this exercise:

<b>$ nano /etc/selinux/config</b>
SELINUX=disabled

Since MongoDB grants user privileges through role-based authorization, there should be an LDAP and a Kerberos user created in mongodb:

<b>$ service mongod start
$ mongo
> db.getSiblingDB("$external").createUser(
    {
      user : "alex",
      roles: [ { role: "root" , db : "admin"} ]
    }
)
> db.getSiblingDB("$external").createUser(
   {
     user: "alex@MONGOTEST.COM",
     roles: [ { role: "root", db: "admin" } ]
   }
)</b>

“alex” is a user listed in AD and who is a member of the “Domain Users” group and has “support” set as its Organizational Unit.

3. Install Centrify agent

Unpack the Centrify suite archive and install the centrify-dc package. Then join the server to your domain as a workstation:

<b>$ rpm -ihv centrifydc-5.2.0-rhel3-x86_64.rpm</b>
<b>$ adjoin -V -w -u ldap_admin mongotest.com</b>
ldap_admin@MONGOTEST.COM's password:

Here “ldap_admin” is user who is a member of the “Domain Admins” group in AD.

Setting up MongoDB with LDAP authentication using Centrify

Centrify agent manages all communications with Active Directory, and MongoDB can use the Centrify PAM module to authenticate LDAP users.

1. Configure saslauthd, which is used by MongoDB as an interface between the database and the Linux PAM system.

a. Verify that “MECH=pam” is set in /etc/sysconfig/saslauthd:

<b>$ grep ^MECH /etc/sysconfig/saslauthd</b>
MECH=pam

b. Turn on the saslauthd service and ensure it is started upon reboot:

<b>$ service saslauthd start</b>
Starting saslauthd:                                     [  OK  ]
<b>$ chkconfig saslauthd on</b>
<b>$ chkconfig --list saslauthd</b>
saslauthd  0:off   1:off   2:on    3:on 4:on    5:on    6:off

2. Configure PAM to recognize the mongodb service by creating an appropriate PAM service file. We will use the sshd service file as a template, since it should’ve already been preconfigured to work with Centrify:

<b>$ cp -v /etc/pam.d/{sshd,mongodb}</b>
`/etc/pam.d/sshd' -> `/etc/pam.d/mongodb'

3. Start MongoDB with LDAP authentication enabled, by adjusting the config file:

<b>$ nano /etc/mongod.conf</b>
auth=true
setParameter=saslauthdPath=/var/run/saslauthd/mux
setParameter=authenticationMechanisms=PLAIN
<b>$ service mongod restart</b>

4. Try to authenticate as the user “alex” in MongoDB:

<b>$ mongo
> db.getSiblingDB("$external").auth(
   {
     mechanism: "PLAIN",
     user: "alex",
     pwd:  "xxx",
     digestPassword: false
   }
)</b>
1
<b>></b>

Returning a value of “1” means the authentication was successful.

Setting up MongoDB with Kerberos authentication using Centrify

Centrify agent automatically updates system Kerberos configuration (the /etc/krb5.conf file), so no manual configuration is necessary. Additionally, Centrify provides means to create Active Directory service user, service principal name and keyfile directly from the Linux server, thus making automation easier.

1. Create the “lin-client-svc” user in Active Directory with SPN and UPN for the server, and export its keytab to the “mongod_lin.keytab” file:

<b>$ adkeytab -n -P mongodb/lin-client.mongotest.com@MONGOTEST.COM -U mongodb/lin-client.mongotest.com@MONGOTEST.COM -K /home/ec2-user/mongod_lin.keytab -c "OU=support" -V --user ldap_admin lin-client-svc</b>
ldap_admin@MONGOTEST.COM's password:
<b>$ adquery user lin-client-svc -PS</b>
userPrincipalName:mongodb/lin-client.mongotest.com@MONGOTEST.COM
servicePrincipalName:mongodb/lin-client.mongotest.com

Again, the “ldap_admin” is user who is a member of the “Domain Admins” group in AD. An OU “support” will be used to create the “lin-client-svc” service user.

2. Start MongoDB with Kerberos authentication enabled, by adjusting the config file. You also need to make sure that mongod listens on the interface associated with the FQDN. For this exercise, you can just configure mongod to listen on all interfaces:

<b>$ nano /etc/mongod.conf</b>
# Listen to local interface only. Comment out to listen on all interfaces.
#bind_ip=127.0.0.1
auth=true
setParameter=authenticationMechanisms=GSSAPI
<b>$ service mongod stop</b>
<b>$ env KRB5_KTNAME=/home/ec2-user/mongod_lin.keytab mongod -f /etc/mongod.conf</b>

3. Try to authenticate as the user “alex@MONGOTEST.COM” in MongoDB:

<b>$ kinit alex@MONGOTEST.COM</b>
Password for alex@MONGOTEST.COM:
<b>$ mongo --host lin-client.mongotest.com
> db.getSiblingDB("$external").auth(
   {
     mechanism: "GSSAPI",
     user: "alex@MONGOTEST.COM",
   }
)</b>
1
<b>></b>

The return value of “1” indicates success.

Summary and more information

MongoDB supports different options for authentication, including Kerberos and LDAP external authentication. With MongoDB and Centrify integration, it is now possible to speed up enterprise deployments of MongoDB into your existing security and Active Directory infrastructure and ensure quick day-one productivity without expending days and weeks of labor dealing with open-source tools.

About Centrify

Centrify is a leading provider of unified identity management solutions that result in single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s Server Suite software integrates Linux systems into Active Directory domains to enable centralized authentication, access control, privilege user management and auditing access for compliance needs. Over the last 10 years, more than 5,000 customers around the world, including nearly half of the Fortune 50, have deployed and trusted Centrify solutions across millions of servers, workstations, and applications, and have regularly reduced their identity management and compliance costs by 50% or more.

Video tutorials

Video on how to use Centrify to integrate MongoDB with Active Directory:

Video on how to enforce PAM access rights as an additional security layer for MongoDB with Centrify:

Centrify Community post and videos showcasing Active Directory integration for MongoDB: http://community.centrify.com/t5/Standard-Edition-DirectControl/MongoDB-AD-Integration-made-easy-with-Centrify/td-p/18779

MongoDB security documentation is available here: http://docs.mongodb.org/manual/security/ MongoDB user and role management tutorials: http://docs.mongodb.org/manual/administration/security-user-role-management/

原文地址：MongoDB LDAP and Kerberos Authentication with Cent, 感谢原作者分享。

声明

本文内容由网友自发贡献，版权归原作者所有，本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容，请联系admin@php.cn

mysql：blob和其他无-SQL存储，有什么区别？May 13, 2025 am 12:14 AM

mysql'sblobissuitableForStoringBinaryDataWithInareLationalDatabase，而alenosqloptionslikemongodb，redis和calablesolutionsoluntionsoluntionsoluntionsolundortionsolunsolunsstructureddata.blobobobsimplobissimplobisslowderperformandperformanceperformancewithlararengelitiate;

mySQL添加用户：语法，选项和安全性最佳实践May 13, 2025 am 12:12 AM

toaddauserinmysql，使用：createUser'username'@'host'Indessify'password'; there'showtodoitsecurely：1）choosethehostcarecarefullytocon trolaccess.2）setResourcelimitswithoptionslikemax_queries_per_hour.3）usestrong，iniquepasswords.4）Enforcessl/tlsconnectionswith

MySQL：如何避免字符串数据类型常见错误？May 13, 2025 am 12:09 AM

toAvoidCommonMistakeswithStringDatatatPesInMysQl，CloseStringTypenuances，chosethirtightType，andManageEngencodingAndCollationsEttingsefectery.1）usecharforfixed lengengters lengengtings，varchar forbariaible lengength，varchariable length，andtext/blobforlabforlargerdata.2 seterters seterters seterters seterters

mySQL：字符串数据类型和枚举？May 13, 2025 am 12:05 AM

mysqloffersechar，varchar，text，and denumforstringdata.usecharforfixed Lengttrings，varcharerforvariable长度，文本forlarger文本，andenumforenforcingDataAntegrityWithaEtofValues。

mysql blob：如何优化斑点请求May 13, 2025 am 12:03 AM

优化MySQLBLOB请求可以通过以下策略：1.减少BLOB查询频率，使用独立请求或延迟加载；2.选择合适的BLOB类型（如TINYBLOB）；3.将BLOB数据分离到单独表中；4.在应用层压缩BLOB数据；5.对BLOB元数据建立索引。这些方法结合实际应用中的监控、缓存和数据分片，可以有效提升性能。

将用户添加到MySQL：完整的教程May 12, 2025 am 12:14 AM

掌握添加MySQL用户的方法对于数据库管理员和开发者至关重要，因为它确保数据库的安全性和访问控制。1)使用CREATEUSER命令创建新用户，2)通过GRANT命令分配权限，3)使用FLUSHPRIVILEGES确保权限生效，4)定期审计和清理用户账户以维护性能和安全。

掌握mySQL字符串数据类型：varchar vs.文本与charMay 12, 2025 am 12:12 AM

chosecharforfixed-lengthdata，varcharforvariable-lengthdata，andtextforlargetextfield.1）chariseffity forconsistent-lengthdatalikecodes.2）varcharsuitsvariable-lengthdatalikenames，ballancingflexibilitibility andperformance.3）

MySQL：字符串数据类型和索引：最佳实践May 12, 2025 am 12:11 AM

在MySQL中处理字符串数据类型和索引的最佳实践包括：1)选择合适的字符串类型，如CHAR用于固定长度，VARCHAR用于可变长度，TEXT用于大文本；2)谨慎索引，避免过度索引，针对常用查询创建索引；3)使用前缀索引和全文索引优化长字符串搜索；4)定期监控和优化索引，保持索引小巧高效。通过这些方法，可以在读取和写入性能之间取得平衡，提升数据库效率。

See all articles