RedHat Linux OpenLDAP Server connection lost when MongoDB attempts to connect


Johnny Gringo

Sep 13, 2018, 6:08:12 PM
to mongodb-user
When I have slapd (aka the OpenLDAP Server) running and I add this to the mongod.conf file as follows:
#security
security:
  ldap:
    servers: localhost:389
    bind:
      queryUser: ldapadm
      queryPassword: #######
    authz:
      queryTemplate: "{USER}?memberOf?base"

When the mongod daemon starts up it is able to connect to the ldap server and retrieve the proper base dn, but when it closes that connection and spawns a fork to start up another connection to the ldap server, the connection is accepted and then immediately lost. This is the mongod.log file.
-- Unit mongod.service has begun starting up.
Sep 13 13:17:14 localhost.localdomain slapd[2755]: conn=1018 op=2 SRCH base="dc=rit,dc=local" scope=2 deref=0
Sep 13 13:17:14 localhost.localdomain slapd[2755]: conn=1018 op=2 SRCH attr=objectClass uid userPassword uidNu
Sep 13 13:17:14 localhost.localdomain slapd[2755]: <= bdb_equality_candidates: (uid) not indexed
Sep 13 13:17:14 localhost.localdomain slapd[2755]: conn=1018 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 13 13:17:14 localhost.localdomain mongod[5572]: 2018-09-13T13:17:14.233-0400 I CONTROL  [main] Automatical
Sep 13 13:17:14 localhost.localdomain mongod[5572]: about to fork child process, waiting until server is ready
Sep 13 13:17:14 localhost.localdomain mongod[5572]: forked process: 5575
Sep 13 13:17:14 localhost.localdomain slapd[2755]: conn=1019 fd=22 ACCEPT from IP=[::1]:60582 (IP=[::]:389)
Sep 13 13:17:14 localhost.localdomain slapd[2755]: conn=1019 fd=22 closed (connection lost)
Sep 13 13:17:14 localhost.localdomain mongod[5572]: ERROR: child process failed, exited with error number 1
Sep 13 13:17:14 localhost.localdomain mongod[5572]: To see additional information in this output, start withou
Sep 13 13:17:14 localhost.localdomain systemd[1]: mongod.service: control process exited, code=exited status=1
Sep 13 13:17:14 localhost.localdomain systemd[1]: Failed to start MongoDB Database Server.
-- Subject: Unit mongod.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mongod.service has failed.
--
-- The result is failed.
Sep 13 13:17:14 localhost.localdomain systemd[1]: Unit mongod.service entered failed state.
Sep 13 13:17:14 localhost.localdomain systemd[1]: mongod.service failed.
Sep 13 13:17:14 localhost.localdomain polkitd[778]: Unregistered Authentication Agent for unix-process:5560:14

It appears the forked child process fails because the slapd connection is lost, and I am not sure why that would be occurring, since only moments before there was an established connection.
Any help would be very much appreciated.

Robert Cochran

Sep 13, 2018, 8:01:50 PM
to mongodb-user
Hi!

Can you specify the operating system version, and the version of OpenLDAP, and the version of the MongoDB server you are using? Did you install OpenLDAP through a RedHat-provided RPM package, or did you compile OpenLDAP yourself?

I don't know the nature of your problem and cannot answer your question. But with added information, others may be able to help.

Thanks so much

Bob

Robert Cochran

Sep 13, 2018, 10:08:21 PM
to mongodb-user
Hi!

I think I understand what might be happening. You are running slapd on port 389 and that is a privileged port. MongoDB can't [query?] the ldap database on that port, since it is not the root user.

I think I'm fairly "warm" with this guess. Still, it is a guess. I could be wrong.

You might want to try binding slapd to an unprivileged port and changing your mongod.conf accordingly to test this out.

Thanks

Bob

Johnny Gringo

Sep 14, 2018, 11:41:34 AM
to mongodb-user

The version of MongoDB I am using is v4.0.2 and I am using a CentOS 7 virtual machine. I installed OpenLDAP with several provided rpm packages. I understand what you are saying about 389 being a privileged port, but if that were true then how does MongoDB get the base dn before it forks the child process? I will still give it a try and let you know what happens, but I don't think that is the issue.

Johnny Gringo

Sep 14, 2018, 12:04:33 PM
to mongodb-user
The problem wasn't with the privileged port, because I set that port to listen for any tcp traffic. However, once I changed the mongod.conf file so that the ldap server setting is as follows:
security:
  ldap:
    servers: localhost
Once I made that change the connection was able to be established, but once TLS was established the child process just failed with no other log information.
Unit session-24.scope has begun starting up.
Sep 14 10:20:01 localhost.localdomain CROND[3850]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Sep 14 10:21:33 localhost.localdomain chronyd[826]: Selected source 178.128.4.44
Sep 14 10:22:34 localhost.localdomain polkitd[798]: Registered Authentication Agent for unix-process:3890:7649
Sep 14 10:22:34 localhost.localdomain systemd[1]: Starting MongoDB Database Server...
-- Subject: Unit mongod.service has begun start-up
-- Unit mongod.service has begun starting up.
Sep 14 10:22:34 localhost.localdomain slapd[1712]: conn=1010 op=2 SRCH base="dc=rit,dc=local" scope=2 deref=0
Sep 14 10:22:34 localhost.localdomain slapd[1712]: conn=1010 op=2 SRCH attr=objectClass uid userPassword uidNu
Sep 14 10:22:34 localhost.localdomain slapd[1712]: <= bdb_equality_candidates: (uid) not indexed
Sep 14 10:22:34 localhost.localdomain slapd[1712]: conn=1010 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 14 10:22:34 localhost.localdomain mongod[3903]: 2018-09-14T10:22:34.830-0400 I CONTROL  [main] Automatical
Sep 14 10:22:34 localhost.localdomain mongod[3903]: about to fork child process, waiting until server is ready
Sep 14 10:22:34 localhost.localdomain mongod[3903]: forked process: 3906
Sep 14 10:22:34 localhost.localdomain slapd[1712]: conn=1011 fd=22 ACCEPT from IP=[::1]:50110 (IP=[::]:636)
Sep 14 10:22:34 localhost.localdomain slapd[1712]: conn=1011 fd=22 TLS established tls_ssf=256 ssf=256
Sep 14 10:22:35 localhost.localdomain mongod[3903]: ERROR: child process failed, exited with error number 1
Sep 14 10:22:35 localhost.localdomain mongod[3903]: To see additional information in this output, start withou
Sep 14 10:22:35 localhost.localdomain systemd[1]: mongod.service: control process exited, code=exited status=1
Sep 14 10:22:35 localhost.localdomain systemd[1]: Failed to start MongoDB Database Server.

-- Subject: Unit mongod.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit mongod.service has failed.
--
-- The result is failed.
Sep 14 10:22:35 localhost.localdomain systemd[1]: Unit mongod.service entered failed state.
Sep 14 10:22:35 localhost.localdomain systemd[1]: mongod.service failed.
Sep 14 10:22:35 localhost.localdomain slapd[1712]: conn=1011 fd=22 closed (connection lost)
Sep 14 10:22:35 localhost.localdomain polkitd[798]: Unregistered Authentication Agent for unix-process:3890:76
Has anyone had this problem before and if so how did you solve it?
Thank you.
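In both logs above the child's connection is accepted by slapd (and, on 636, TLS is established) and then reported as "closed (connection lost)" with no BIND or SRCH in between, while the earlier connection from the parent shows a full search. As an added example that is not part of this thread, the Python script below groups slapd journal lines by conn id and flags connections that were dropped before any LDAP operation, which is exactly the pattern a defender would want to surface when an LDAP client dies mid-handshake. The log sample is constructed to mirror the thread's format, and the bind DN is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample slapd journal lines, modelled on the format in the thread
# (conn=N ... ACCEPT / BIND / SRCH / TLS established / closed). Not a real capture;
# the bind DN is a placeholder.
SAMPLE_LOG = """\
Sep 14 10:22:34 host slapd[1712]: conn=1010 fd=21 ACCEPT from IP=[::1]:50100 (IP=[::]:389)
Sep 14 10:22:34 host slapd[1712]: conn=1010 op=0 BIND dn="uid=ldapadm,dc=example,dc=local" method=128
Sep 14 10:22:34 host slapd[1712]: conn=1010 op=2 SRCH base="dc=example,dc=local" scope=2 deref=0
Sep 14 10:22:34 host slapd[1712]: conn=1010 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 14 10:22:34 host slapd[1712]: conn=1010 fd=21 closed
Sep 14 10:22:34 host slapd[1712]: conn=1011 fd=22 ACCEPT from IP=[::1]:50110 (IP=[::]:636)
Sep 14 10:22:34 host slapd[1712]: conn=1011 fd=22 TLS established tls_ssf=256 ssf=256
Sep 14 10:22:35 host slapd[1712]: conn=1011 fd=22 closed (connection lost)
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<event>.*)$")


def parse_connections(text):
    """Group slapd events by connection id, preserving their order of appearance."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            conns[int(m.group("conn"))].append(m.group("event"))
    return dict(conns)


def classify(events):
    """Summarise one connection: whether the client bound, how many LDAP
    operations it issued, whether TLS came up, and whether slapd saw the
    socket drop ("connection lost") rather than a clean unbind/close."""
    ops = [e for e in events if e.startswith("op=")]
    return {
        "bound": any(" BIND " in e for e in ops),
        "operations": len(ops),
        "tls": any("TLS established" in e for e in events),
        "lost": any("connection lost" in e for e in events),
    }


def silent_drops(conns):
    """Connection ids accepted and then lost without a single LDAP operation:
    the client went away before it ever sent a BIND."""
    return sorted(cid for cid, ev in conns.items()
                  if classify(ev)["operations"] == 0 and classify(ev)["lost"])


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for cid, ev in sorted(conns.items()):
        print(cid, classify(ev))
    print("dropped before any operation:", silent_drops(conns))
```

Feed it the output of `journalctl -u slapd` to see which connections from mongod never got as far as a bind; on the thread's logs conn=1019 and conn=1011 would be flagged.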

Robert Cochran

Sep 14, 2018, 7:03:21 PM
to mongodb-user
Hi Johnny,

I am wondering if it is a permissions issue: is there a user named 'mongodb' on your CentOS system, and does this user have read/write/execute permissions on all the required dbpath and logpath directories?

Thanks

Bob

Johnny Gringo

Sep 17, 2018, 8:06:37 AM
to mongodb-user

Yes, there is a user named mongod on my CentOS and it does have the necessary read/write permissions.

Wan Bachtiar

Sep 20, 2018, 4:38:48 AM
to mongodb-user

Sep 13 13:17:14 localhost.localdomain systemd[1]: Unit mongod.service entered failed state.

Hi Johnny,

I would recommend using mongoldap to test your MongoDB's LDAP configuration options against the running LDAP server.

In addition, check the SELinux Policy for mongod i.e. via semodule.

Please note that LDAP Authorization is part of MongoDB Enterprise edition, which is a commercially supported product. If your organisation/company already has a commercial subscription, I would suggest opening a case in the Commercial Support Portal.

Alternatively, if you are evaluating MongoDB Enterprise and are interested, feel free to send me a private message with your contact details and I can request a MongoDB Account Executive to reach out.

Regards,
Wan.
