You can configure the database server to authenticate wire listener users with a pluggable authentication module (PAM).

About this task

You create a user for the wire listener for PAM connections. The wire listener uses the PAM user to look up system catalog-related information before sending client connection requests to the database server for authentication. The database server authenticates the client users through PAM.

Procedure

To configure PAM authentication for MongoDB clients:

- Set the IFMXMONGOAUTH environment variable. For example:

    setenv IFMXMONGOAUTH 1

- Create a PAM service file that is named /etc/pam.d/pam_mongo and has the following contents:

    auth required $ONEDB_HOME/lib/pam_mongo.so file=mongohash
    account required $ONEDB_HOME/lib/pam_mongo.so

  Replace $ONEDB_HOME with the value of the $ONEDB_HOME environment variable.

- On AIX® 64-bit computers, create a symbolic link that is named 64 that points to the lib directory by running the following commands:

    cd $ONEDB_HOME/lib
    ln -s . 64

- Edit the sqlhosts file to add a connection that uses PAM. Include the s=4 option. Specify the PAM service pam_mongo with the pam_serv option. Specify the password authentication mode with the pamauth option. For example:

    ol_onedb onsoctcp myhost 40000 s=4,pam_serv=pam_mongo,pamauth=password

- Enable connections from mapped users by setting the USERMAPPING configuration parameter to BASIC or ADMIN in the onconfig file.

- Set up mapping to an operating system user that has no privileges. For example, on a typical Linux™ system, the user nobody is appropriate. Add the following line to the /etc/onedb/allowed.surrogates file:

    users:nobody

- Restart the database server.

- Create a PAM user for the wire listener. The user must be internally authenticated and map to the user nobody. For example, create a user that is named mongo by running the following SQL in the sysmaster database:

    CREATE USER 'mongo' WITH PASSWORD 'aPassword'
    PROPERTIES USER 'nobody';
    GRANT CONNECT TO 'mongo';

- Verify the creation of the user by running the following statement:

    SELECT * FROM sysuser:sysmongousers
    WHERE username='mongo';

  The result of the query shows the user and hashed password:

    username         mongo
    hashed_password  bbb8f9630d5c6e094b9aedd945893faf

- Set the following parameters in the wire listener configuration file:

- Restart the wire listener.

- Create users that the database server authenticates with PAM by running the SQL statement CREATE USER. If you have existing MongoDB users, you must re-create those users in the database server.
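The sqlhosts entry and the PAM service file from the steps above are the two pieces most often mistyped, so the following added example (written for this page, not OneDB code) is an offline pre-flight check: it parses constructed copies of both files and reports any deviation from the required s=4, pam_serv=pam_mongo and pamauth=password options and from the two pam_mongo.so lines. The sample file contents, the /opt/onedb path and the function names are assumptions.

```python
"""Offline pre-flight check for the sqlhosts and PAM pieces of the wire
listener PAM setup. Added example; file contents below are constructed."""

# Constructed sqlhosts sample: one correct entry and one with the wrong pamauth mode.
SQLHOSTS = """\
ol_onedb onsoctcp myhost 40000 s=4,pam_serv=pam_mongo,pamauth=password
ol_plain onsoctcp myhost 40001 s=4,pam_serv=pam_mongo,pamauth=challenge
"""

# Constructed /etc/pam.d/pam_mongo sample with $ONEDB_HOME already replaced (assumed path).
PAM_MONGO = """\
auth    required /opt/onedb/lib/pam_mongo.so file=mongohash
account required /opt/onedb/lib/pam_mongo.so
"""

# Options the procedure requires on the PAM-enabled sqlhosts entry.
REQUIRED = {"s": "4", "pam_serv": "pam_mongo", "pamauth": "password"}

def parse_sqlhosts(text):
    """Return {dbservername: options-dict}. Fields are whitespace separated;
    the fifth field holds comma-separated key=value options."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        opts = {}
        for item in (fields[4].split(",") if len(fields) > 4 else []):
            key, _, value = item.partition("=")
            opts[key] = value
        entries[fields[0]] = opts
    return entries

def sqlhosts_problems(text, dbservername):
    """List required PAM options that are missing or wrong for one entry."""
    opts = parse_sqlhosts(text).get(dbservername)
    if opts is None:
        return [f"no sqlhosts entry named {dbservername}"]
    return [f"{k} should be {v!r}, found {opts.get(k)!r}"
            for k, v in REQUIRED.items() if opts.get(k) != v]

def pam_service_problems(text):
    """Check for the 'auth' and 'account' lines using pam_mongo.so, the hash
    file argument on the auth line, and a leftover $ONEDB_HOME placeholder."""
    problems = []
    lines = [l.split() for l in text.splitlines() if l.strip()]
    for mtype, needs_file in (("auth", True), ("account", False)):
        hits = [l for l in lines if len(l) >= 3 and l[0] == mtype
                and l[1] == "required" and l[2].endswith("pam_mongo.so")]
        if not hits:
            problems.append(f"missing '{mtype} required .../pam_mongo.so' line")
        elif needs_file and not any(a.startswith("file=") for a in hits[0][3:]):
            problems.append("auth line lacks file=<hash file> argument")
    if "$ONEDB_HOME" in text:
        problems.append("$ONEDB_HOME was not replaced with its real value")
    return problems
```

Run the two checks against the real files before restarting the database server; an empty list from each means the entry and the service file match what the procedure calls for.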