Error: not authorized on admin to execute command { usersInfo: 1.0 } : - on external user authenticated with NativeLdap (Mongo ver. 3.4.2)

Prachi S

Apr 9, 2017, 3:03:58 AM
to mongodb-user
In a new Mongo instance (ver 3.4.2, enterprise version), I have set up NativeLDAP to authenticate/authorize DBAs to log in. But upon login, the user cannot run any command. I keep getting:

 Error: not authorized on admin to execute command { usersInfo: 1.0 } :

The role created for login has roles as follows: (sensitive data redacted)

var admin = db.getSiblingDB("admin")
admin.createRole(
   {
     role: "CN=DBA-group,ou=administrative,ou=groups,ou=xxxx,dc=or,DC=xxxx,DC=com",
     privileges: [],
     roles: [ "userAdminAnyDatabase", "root", "readWrite" ]
   }
)

The log shows the following:
2017-04-07T04:30:24.157+0000 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
2017-04-07T04:30:24.159+0000 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2017-04-07T04:30:34.989+0000 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { usersInfo: 1.0 }
2017-04-07T04:30:44.722+0000 I ACCESS   [LDAPUserCacheInvalidator] Invalidating user cache entries of external users

Can anyone advise what is missing? I have used the following doc:

Thanks in advance
Prachi

P.S: This is my first time posting, so please forgive any mistakes.

Kevin Adistambha

Apr 12, 2017, 3:01:19 AM
to mongodb-user

Hi Prachi,

LDAP authentication/authorization is part of MongoDB Enterprise edition, which is a commercially supported product. If your organisation/company already has a commercial subscription, I would suggest opening a case in the Commercial Support Portal. They would be able to provide you with the support required to set up LDAP.

Alternatively, if you are evaluating MongoDB Enterprise and interested, please send me a private message with your contact details and I can request a MongoDB Account Executive to contact you.

Best regards,
Kevin
