5

I'm fairly new to MongoDB and LDAP. I'm trying to use LDAP to authenticate users to mongo. These are the steps I have done so far.

  1. Created a saslauthd.conf file inside the /etc folder which contains the following lines:

ldap_servers: ldap://com.myldap.server
ldap_use_sasl: yes
ldap_mech: DIGEST-MD5
ldap_auth_method: fastbind

  2. Created a mux directory inside /var/run/saslauthd, which now looks like /var/run/saslauthd/mux.
  3. Set the permission to 755 using sudo chmod 755 /var/run/saslauthd.

  4. Modified /etc/sysconfig/saslauthd to have the following:

MECH=ldap

  5. Uncommented the line in the same file which says:

DAEMONOPTS=--user saslauth

Now when I tried to test the authentication mechanism using the following command:

testsaslauthd -u username -p password -f /var/run/saslauthd/mux

I'm getting the following message:

connect(): Permission Denied

My work is based on this and this. Could anyone point out what I'm missing here? Thanks in advance.

UPDATE:

I tried the test command with sudo like below:

sudo testsaslauthd -u username -p password -f /var/run/saslauthd/mux

And I'm getting the following:

connect(): Connection refused

Gurkha
  • Make sure that you have the `cyrus-sasl-md5` package also installed (this is the name of the package on Amazon Linux at least). You can verify with the `pluginviewer` utility that you have this plugin installed. – Bertold Kolics Apr 23 '16 at 02:41
  • @BertoldKolics I'm using RedHat Linux, any idea? – Gurkha Apr 25 '16 at 12:49
  • @Gurkha, sorry if I ask a stupid question, but as you said that you're fairly new to LDAP, allow me to ask if you actually have a LDAP server listening on `ldap://com.myldap.server` and you can reach it by `telnet com.myldap.server 389`. – Héctor Valverde Apr 25 '16 at 21:44
  • @Gurkha the package name is the same on CentOS/RedHat Linux (I checked version 6.7) – Bertold Kolics Apr 26 '16 at 02:32

1 Answer

2

Thanks for your question. I've enjoyed setting up my environment to try to reproduce the error. You'll be glad to hear that I don't think it's a difficult problem to overcome. However, I've probably spent more time than I wanted setting up MongoDB, cyrus-sasl-md5, setting permissions, etc., when none of it is actually related to your problem, at least at first glance.

Your problem (and I'm 90% sure) is either that your saslauthd daemon is not running or that it's not properly configured. Let's take a look at the following:

Check the service status. The output of service saslauthd status should be similar to mine, pasted below. Note some key values such as the location of the init script, /etc/init.d/saslauthd in my case, and the socket, /var/run/saslauthd/mux, the same file location you need to put in the testsaslauthd [...] -f /var/run/saslauthd/mux command.

root@hectorvp-pc:~# service saslauthd status                                                                                                                   
● saslauthd.service - LSB: saslauthd startup script
   Loaded: loaded (/etc/init.d/saslauthd)
   Active: active (running) since Tue 2016-04-26 12:04:59 BST; 1s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 11569 ExecStop=/etc/init.d/saslauthd stop (code=exited, status=0/SUCCESS)
  Process: 11586 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
   Memory: 2.0M
   CGroup: /system.slice/saslauthd.service
           ├─11606 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─11607 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─11608 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           ├─11609 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5
           └─11610 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -n 5

Apr 26 12:04:59 hectorvp-pc systemd[1]: Starting LSB: saslauthd startup script...
Apr 26 12:04:59 hectorvp-pc saslauthd[11586]: * Starting SASL Authentication Daemon saslauthd
Apr 26 12:04:59 hectorvp-pc saslauthd[11606]: detach_tty      : master pid is: 11606
Apr 26 12:04:59 hectorvp-pc saslauthd[11606]: ipc_init        : listening on socket: /var/run/saslauthd/mux
Apr 26 12:04:59 hectorvp-pc systemd[1]: Started LSB: saslauthd startup script.
Apr 26 12:04:59 hectorvp-pc saslauthd[11586]: ...done.

If the service is not running, just start it with service saslauthd start and check the status again (service saslauthd status) to check any possible upstream error.

It's also likely your LDAP server is not running or is misconfigured. You can take a look at the service status as above (service slapd status).

Please, try this and tell us about the outcome.

EDIT (26/04/2016): From the conversation in the comments of this answer, I've extracted some more steps. Please excuse the extensive conversation below the answer; it's summarized here:

Debug the saslauthd service: As indicated here, this service uses the system logs. In my case (Ubuntu) those logs are in /var/log/syslog, but they might be in /var/log/messages in your case, at least by default. Look at these logs at the time you try to start the service and see if there is any error message that might give you further insight into what the problem is.

The error appearing in /var/log/messages was: could not bind to socket : /var/run/saslauthd/mux , bind: address already in use.

We checked the mux socket using the file command: file /var/run/saslauthd/mux and the output said it was a directory. It should be a socket. Then we removed it and restarted the service. Now the service works.

Héctor Valverde
  • Thank you for your response. Looks like I have a problem with `saslauthd`. I did `sudo service saslauthd status` and the result was `Starting saslauthd: [ OK ]`, but when I try to check the status with `sudo service saslauthd status` I get `saslauthd dead but pid file exists`. Would you have any idea what that means and a way to resolve it? – Gurkha Apr 26 '16 at 14:03
  • Ok. That means that the problem is in `saslauthd` service or its backend. You need to troubleshoot the service, its configuration, logs, make sure the LDAP server is healthy, etc ... Are you able to open a chat to work on it together? – Héctor Valverde Apr 26 '16 at 14:16
  • sure, how can we do this? – Gurkha Apr 26 '16 at 14:31
  • I've just created a chat room for the first time, can you join it? http://chat.stackoverflow.com/rooms/110286/ldap – Héctor Valverde Apr 26 '16 at 14:41
  • Looks like the chat room is blocked by the company, is there any other way of doing it? – Gurkha Apr 26 '16 at 14:43
  • Let's try here. Please, start with the following: 1) Open a shell in your system with a user with root permissions and run `sudo tail -f /var/log/syslog`. You will see system logs at the time they are logged. 2) Then, open another shell, also as `root`, and restart the service: `service saslauthd restart`. 3) You will see some new lines in syslog. They are probably telling you what's happening when the service starts. Can you see something evident? Can you tell me what you see? – Héctor Valverde Apr 26 '16 at 14:52
  • `sudo tail -f /var/log/syslog` gives me `tail: cannot open the dir for reading : No such file or directory`, and when I try to restart, stopping saslauthd is [failed] but starting is [okay]. – Gurkha Apr 26 '16 at 14:59
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/110290/discussion-between-hector-valverde-pareja-and-gurkha). – Héctor Valverde Apr 26 '16 at 15:00
  • I forgot you were on RedHat, `syslog` doesn't exists. Try `/var/log/messages` instead. – Héctor Valverde Apr 26 '16 at 15:01
  • By the way, try to enter the chat again, please. Click on the link above. – Héctor Valverde Apr 26 '16 at 15:02
  • The reason why the service fails to stop but not to start is because the service is not actually running. It starts but it is stopped immediately after, possibly due to an error. – Héctor Valverde Apr 26 '16 at 15:04
  • Thank you for your effort Hector, but the chat room is blocked by the company firewall. I can get home after work and try to get into the chat. Now I can see the log and it says `could not bind to socket : /var/run/saslauthd/mux , bind: address already in use` – Gurkha Apr 26 '16 at 15:07
  • Voilà!! You found the error!! Let's try to follow up from this message. Give me a few minutes to investigate further. – Héctor Valverde Apr 26 '16 at 15:11
  • Seems it falls back to the permission issue. This time it can be the directory where the socket is. Could you open permissions to `0777` and try? (From: http://unix.stackexchange.com/questions/79329/could-not-bind-socket-permission-denied-when-trying-to-start-ndoutils-using-uni) – Héctor Valverde Apr 26 '16 at 15:30
  • Based on https://docs.mongodb.org/master/tutorial/configure-ldap-sasl-activedirectory/ the permission should be 755, but as per your instruction I did try 0777 and still get the same result. – Gurkha Apr 26 '16 at 15:36
  • Could you post your entire `/etc/sysconfig/saslauthd` file below your question, please? – Héctor Valverde Apr 26 '16 at 16:02
  • `SOCKETDIR=/var/run/saslauthd MECH=ldap DAEMONOPTS=--user saslauth FLAGS="-o /etc/saslauthd.conf"` – Gurkha Apr 26 '16 at 16:18
  • I rebooted the machine; I still get the message when I try to restart saslauthd. – Gurkha Apr 26 '16 at 16:35
  • Could you also (sorry for asking that much) post the output of both: 1) `ls -l /var/run/saslauthd/mux` and 2) `file /var/run/saslauthd/mux` ? – Héctor Valverde Apr 26 '16 at 16:35
  • result for the first one is `total 0` and the second is `/var/run/saslauthd/mux: directory` – Gurkha Apr 26 '16 at 16:39
  • Yes!! I think we're very close. It shouldn't be a `directory`. Remove it, yes, remove it with `rm -fr /var/run/saslauthd/mux` and restart the service straight away (`service saslauthd restart`). I think we finish here. – Héctor Valverde Apr 26 '16 at 16:41
  • YOU ARE THE MAN!!!! thank you kind sir for taking out some time from your life! I really appreciate it. :) – Gurkha Apr 26 '16 at 16:45
  • AWESOME!! I spent all afternoon yesterday setting up LDAP, MongoDB and everything with Vagrant. I enjoyed it a lot; I should thank you instead. – Héctor Valverde Apr 26 '16 at 16:46
  • Yeah, same here, trying to authenticate MongoDB with LDAP. Now at least I get authentication failed. I should be able to figure that out, at least I hope so. Thank you again!! – Gurkha Apr 26 '16 at 16:50
  • Good luck with the rest. I followed this tutorial yesterday: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-openldap-and-phpldapadmin-on-an-ubuntu-14-04-server phpldapadmin may be useful to deal with LDAP and make sure you have everything set up. – Héctor Valverde Apr 26 '16 at 16:55
  • I'm sorry to bother you, i might need your help once again with authentication. – Gurkha Apr 26 '16 at 19:16
  • Could you raise it in a separate question and follow up there? – Héctor Valverde Apr 26 '16 at 19:18
  • http://stackoverflow.com/questions/36874163/sasl-ldap-authentication-failure I created a new post here, no rush, feel free to take a look anytime. If need be, I'm about to get out of the office and can join you in the chat. Thank you. – Gurkha Apr 26 '16 at 19:34
  • made a little progress but still stuck there :( – Gurkha Apr 27 '16 at 16:06
  • I know I see. I briefly tried something earlier with no success. I'm busier today I'm afraid. Remember to keep an eye on the `/var/log/messages` every time you do something – Héctor Valverde Apr 27 '16 at 16:32
  • yeah, logs are not much of help, just two lines saying authentication failed. – Gurkha Apr 27 '16 at 20:13
  • still struggling, any luck with yours? – Gurkha Apr 29 '16 at 19:23
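The socket check that eventually resolved the thread, as an added example (my code, not part of the question or the answer): it classifies what sits at the saslauthd mux path, reproduces the connect() result testsaslauthd would get, and builds constructed fixtures under a temporary directory, a hand-made mux directory like the questioner's, a stale socket, a listening socket standing in for saslauthd and a path that was never created, so it runs without saslauthd or an LDAP server. The errno behaviour described in the comments is Linux's; the advice strings in diagnose() are my wording of the answer's steps.

```python
"""Added example, not part of the original question or answer: model the
saslauthd mux path in the states discussed in the thread and show what
connect() reports for each, so 'Permission denied', 'Connection refused'
and a healthy daemon can be told apart before running testsaslauthd."""
import errno
import os
import socket
import stat
import tempfile

# Socket saslauthd creates under its -m directory; the path testsaslauthd -f expects.
DEFAULT_MUX = "/var/run/saslauthd/mux"

# Listening sockets from build_demo_layout(), kept open so the fixture stays connectable.
_KEEP = []


def classify_mux(path):
    """Return 'missing', 'socket', 'directory' or 'other' for what sits at path.
    saslauthd has to bind() a fresh UNIX socket here.  A directory cannot be
    unlinked, so bind() fails with EADDRINUSE, the 'address already in use'
    line the questioner found in /var/log/messages."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISSOCK(st.st_mode):
        return "socket"
    if stat.S_ISDIR(st.st_mode):
        return "directory"
    return "other"


def probe_mux(path):
    """connect() to path as testsaslauthd does; return 'OK' or the errno name.
    On Linux a path that is not a socket and a socket with no listener both give
    ECONNREFUSED, a path saslauthd never created gives ENOENT, and a directory the
    caller may not traverse or a socket it may not write gives EACCES."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        return "OK"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def diagnose(path):
    """Turn the two checks into the advice the answer arrived at (wording is mine)."""
    kind = classify_mux(path)
    if kind == "missing":
        return "nothing at %s: saslauthd is not running; start it and read /var/log/messages" % path
    if kind != "socket":
        return "%s is a %s, not a socket: remove it and restart saslauthd" % (path, kind)
    result = probe_mux(path)
    if result == "OK":
        return "saslauthd is listening on %s" % path
    if result == "EACCES":
        return "uid %d may not reach %s: check directory and socket permissions" % (os.getuid(), path)
    if result == "ECONNREFUSED":
        return "stale socket at %s: saslauthd exited after starting; restart it and read /var/log/messages" % path
    return "connect(%s) failed with %s" % (path, result)


def build_demo_layout():
    """Constructed fixtures, not a real saslauthd: four mux paths under a temp dir,
    one per state discussed in the thread, returned as {state: path}."""
    base = tempfile.mkdtemp(prefix="sasl-demo-")
    layout = {}
    # The questioner's mistake: a directory named mux made by hand.
    os.makedirs(os.path.join(base, "wrongdir", "mux"))
    layout["directory"] = os.path.join(base, "wrongdir", "mux")
    # A socket file left behind by a daemon that bound it and then died.
    os.mkdir(os.path.join(base, "stale"))
    layout["stale"] = os.path.join(base, "stale", "mux")
    dead = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    dead.bind(layout["stale"])
    dead.close()  # the file stays on disk; nobody listens on it
    # A listening socket standing in for a healthy saslauthd.
    os.mkdir(os.path.join(base, "healthy"))
    layout["healthy"] = os.path.join(base, "healthy", "mux")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(layout["healthy"])
    srv.listen(64)
    _KEEP.append(srv)
    # Service never started, so the socket was never created.
    layout["missing"] = os.path.join(base, "never-started", "mux")
    return layout


if __name__ == "__main__":
    for state, path in build_demo_layout().items():
        print("%-9s %-9s %-12s %s" % (state, classify_mux(path), probe_mux(path), diagnose(path)))
    print("real host:", diagnose(DEFAULT_MUX))
```

Run it as the user that will actually call testsaslauthd or mongod, since the EACCES case depends on who is asking; on the host it also reports on DEFAULT_MUX. As the comments found, opening the socket directory to 0777 does nothing for a mux that is itself a directory: the path is still occupied, and only removing it lets saslauthd bind there.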