Successfully authenticated but not able to authorize using Windows LDAP on Mongo 3.4 enterprise version


akki.v...@gmail.com

Feb 19, 2017, 2:57:35 AM
to mongodb-user
Hi,
I installed the MongoDB 3.4 Enterprise version on Windows and am trying to use Windows Active Directory for LDAP authentication and authorization.
I'm able to successfully authenticate, but when I try to create roles for authorization it says "not authorized on admin to execute command"!
My Active directory is AD DS(LDAP enabled)
OU=testauth, Group=RootU, User=testu2(member of RootU), DC=mongo,DC=test,DC=com

Steps I followed are :

1.
conf file:
systemLog:
  destination: file
  path: "C:\\data\\db\\mongo.log"
  logAppend: true
storage:
  dbPath: "C:\\data\\db"
security:
  authorization: "enabled"
  ldap:
    transportSecurity: "none"
    servers: localhost
    authz:
      queryTemplate: "{USER}"
    userToDNMapping: '[{ match : "(.+)", ldapQuery: "CN={0},OU=testauth,DC=mongo,DC=test,DC=com" }]'

    bind:
      queryUser: "X...@mongo.test.com"
      queryPassword: "xxxxxx"

2. When I ran mongoldap to check the connection, it connected and authenticated successfully.
3. Started mongod with that conf file.
4. Started the mongo shell (mongo --port 27017).
5. Authenticated using db.getSiblingDB("$external").auth({user: 'testu2', pwd: 'XXXXX', mechanism: 'PLAIN'}); -- successfully authenticated.
6. Then switched to admin using db = db.getSiblingDB('admin'); or use admin.
7. Then tried to create the role using db.createRole({role:"CN=RootU,OU=testauth,DC=mongo,DC=test,DC=com", privileges:[], roles: ['userAdminAnyDatabase']});
I also tried db.createRole({role:"CN=RootU,CN=testauth,DC=mongo,DC=test,DC=com", privileges:[], roles: ['userAdminAnyDatabase']});
RootU is the group,
testauth is the organizational unit.

this is the error it is showing:

2017-02-19T00:39:29.415+0000 E QUERY    [thread1] Error: not authorized on admin to execute command { createRole: "CN=RootU,OU=testauth,DC=mongo,DC=test,DC=com", privileges: [], roles: [ "userAdminAnyDatabase" ], writeConcern: { w: "majority", wtimeout: 300000.0 } } :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createRole@src/mongo/shell/db.js:1553:1
@(shell):1:1

I tried to create the role with auth disabled and was able to add it, but when I start mongo with authentication enabled it shows the above error.
Is there something I'm missing?
Please guide me on how to authorize using windows AD LDAP.

Thanks,
Venkat 

Wan Bachtiar

Feb 27, 2017, 1:17:32 AM
to mongodb-user

I'm able to successfully authenticate but when I'm trying to create roles for authorization it is saying not authorized on admin to execute command! then tried to create roles using db.createRole({role:"CN=RootU,OU=testauth,DC=mongo,DC=test,DC=com", privileges:[], roles: ['userAdminAnyDatabase']});

Hi Venkat,

For MongoDB v3.4 Enterprise support on binding to an LDAP server via Operating System libraries (Windows AD), see Authenticate and Authorize Users Using Active Directory via Native LDAP.

Note that the MongoDB Enterprise edition is a commercially supported product. If your company already has a commercial subscription, I would suggest opening a case in the Commercial Support Portal.

Alternatively, if you are evaluating MongoDB Enterprise and are interested, send me a private message with your contact details and I can request that a MongoDB Account Executive contact you.

Regards,

Wan.
