Configuring database server authentication with PAM (UNIX, Linux)

You can configure the database server to authenticate wire listener users with a pluggable authentication module (PAM).

About this task

You create a user for the wire listener for PAM connections. The wire listener uses the PAM user to look up system catalog-related information before sending client connection requests to the database server for authentication. The database server authenticates the client users through PAM.

Procedure

To configure PAM authentication for MongoDB clients:
  1. Set the IFMXMONGOAUTH environment variable.
    For example (C shell syntax; in a Bourne-compatible shell use export IFMXMONGOAUTH=1):
    setenv IFMXMONGOAUTH 1
  2. Create a PAM service file that is named /etc/pam.d/pam_mongo and has the following contents:
    auth    required $ONEDB_HOME/lib/pam_mongo.so file=mongohash
    account required $ONEDB_HOME/lib/pam_mongo.so

    PAM does not expand environment variables in service files, so replace $ONEDB_HOME with the literal value of the $ONEDB_HOME environment variable.

  3. On AIX® 64-bit computers, create a symbolic link that is named 64 that points to the lib directory by running the following commands:
    cd $ONEDB_HOME/lib
    ln -s . 64
  4. Edit the sqlhosts file to add a connection that uses PAM. Include the s=4 option. Specify the PAM service pam_mongo with the pam_serv option. Specify the password authentication mode with the pamauth option.
    For example:
    ol_onedb onsoctcp myhost 40000 s=4,pam_serv=pam_mongo,pamauth=password
  5. Enable connections from mapped users by setting the USERMAPPING configuration parameter to BASIC or ADMIN in the onconfig file.
  6. Set up mapping to an operating system user that has no privileges.
    For example, on a typical Linux™ system, the user nobody is appropriate. Add the following line to the /etc/onedb/allowed.surrogates file:
    users:nobody
  7. Restart the database server.
  8. Create a PAM user for the wire listener. The user must be internally authenticated and map to the user nobody.
    For example, create a user that is named mongo by running the following SQL in the sysmaster database:
    CREATE USER 'mongo' WITH PASSWORD 'aPassword' 
         PROPERTIES USER 'nobody';
    GRANT CONNECT TO 'mongo';
  9. Verify the creation of the user by running the following statement:
    SELECT * FROM sysuser:sysmongousers
            WHERE username='mongo';

    The result of the query shows the user and hashed password:

    username   mongo
    hashed_password  bbb8f9630d5c6e094b9aedd945893faf
  10. Set the following parameters in the wire listener configuration file:
    • Enable authentication: Set authentication.enable=true.
    • Specify PAM authentication: Set db.authentication=onedb-mongodb-cr.
    • Optional. Specify the authentication timeout period: Set the listener.authentication.timeout parameter to the number of milliseconds for authentication timeout.
    • Specify the mapped user and password for connections and specify to encode and hash the password: Set the url parameter. Include the NONCE property set to any 16-character string that contains only the digits 0-9 and the lower-case letters a-f (that is, a string matching the regular expression ^[0-9a-f]{16}$). For example:
      url=jdbc:onedb://10.168.8.135:40000/sysmaster;USER=mongo;
           PASSWORD=aPassword;NONCE=0123456789abcdef

      Because the url parameter contains the PAM user's password, restrict read access to the wire listener configuration file to the account that runs the listener.
  11. Restart the wire listener.
  12. Create users that the database server authenticates with PAM by running the SQL statement CREATE USER.
    If you have existing MongoDB users, you must re-create those users in the database server.
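As an added example that is not part of the original documentation or of the OneDB product, the following shell script stages the files from the procedure above (the PAM service file, the sqlhosts entry, the allowed.surrogates line, the USERMAPPING setting and the wire listener properties) into a scratch directory for review before they are copied into place, generates a NONCE of the required form and rejects any NONCE that does not match ^[0-9a-f]{16}$ before building the url. The installation path /opt/onedb, the properties file name listener.properties, the 60000 ms timeout, the host names and the password are assumptions taken from or added to the examples on this page; the SQL steps (CREATE USER, GRANT CONNECT, the sysmongousers check) belong in a dbaccess session and are not scripted here.

```sh
#!/bin/sh
# Added example, not OneDB code: stages the PAM wire-listener configuration
# from the procedure above into a scratch directory for review.
# Assumed values: ONEDB_HOME=/opt/onedb, file name listener.properties,
# host myhost/10.168.8.135, port 40000, PAM user mongo.
set -e

# PAM service file (step 2). ONEDB_HOME is expanded here because PAM does
# not expand environment variables in /etc/pam.d files.
pam_service_file() {  # $1 = ONEDB_HOME
    printf 'auth    required %s/lib/pam_mongo.so file=mongohash\n' "$1"
    printf 'account required %s/lib/pam_mongo.so\n' "$1"
}

# sqlhosts entry (step 4): s=4 selects PAM, pam_serv names the service in
# /etc/pam.d, pamauth=password selects password authentication mode.
sqlhosts_line() {  # $1 dbservername  $2 host  $3 port  $4 PAM service
    printf '%s onsoctcp %s %s s=4,pam_serv=%s,pamauth=password\n' "$1" "$2" "$3" "$4"
}

# Replace or append the USERMAPPING parameter in an onconfig copy (step 5).
set_usermapping() {  # $1 onconfig path  $2 BASIC|ADMIN
    tmp="$1.tmp"
    grep -v '^USERMAPPING' "$1" > "$tmp" || true   # grep -v fails on no output
    printf 'USERMAPPING %s\n' "$2" >> "$tmp"
    mv "$tmp" "$1"
}

# NONCE for the listener url (step 10): exactly 16 lower-case hex digits.
gen_nonce() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}
valid_nonce() {  # returns 0 only if $1 matches [0-9a-f]{16} exactly
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{16}$'
}

# JDBC url for the wire listener (step 10). A malformed NONCE is rejected
# here rather than written into a file the listener will refuse at start-up.
listener_url() {  # $1 host  $2 port  $3 user  $4 password  $5 nonce
    valid_nonce "$5" || { echo "listener_url: bad NONCE '$5'" >&2; return 1; }
    printf 'jdbc:onedb://%s:%s/sysmaster;USER=%s;PASSWORD=%s;NONCE=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Write every file into a staging directory (assumed names and values).
stage_config() {  # $1 = staging directory
    stage="$1"; onedb_home="${ONEDB_HOME:-/opt/onedb}"
    mkdir -p "$stage/pam.d" "$stage/etc/onedb"
    pam_service_file "$onedb_home" > "$stage/pam.d/pam_mongo"       # step 2
    sqlhosts_line ol_onedb myhost 40000 pam_mongo > "$stage/sqlhosts" # step 4
    : > "$stage/onconfig"; set_usermapping "$stage/onconfig" BASIC   # step 5
    printf 'users:nobody\n' > "$stage/etc/onedb/allowed.surrogates" # step 6
    nonce=$(gen_nonce)                                               # step 10
    {
        echo 'authentication.enable=true'
        echo 'db.authentication=onedb-mongodb-cr'
        echo 'listener.authentication.timeout=60000'
        listener_url 10.168.8.135 40000 mongo "${MONGO_PW:-aPassword}" "$nonce" | sed 's/^/url=/'
    } > "$stage/listener.properties"
    chmod 600 "$stage/listener.properties"   # the url holds the PAM user's password
}

if [ $# -gt 0 ]; then stage_config "$1"; fi
```

Run it as `sh stage-pam.sh /tmp/onedb-pam` (or with `ONEDB_HOME` and `MONGO_PW` set in the environment), inspect the staged files, then copy them to /etc/pam.d, the sqlhosts file, the onconfig file, /etc/onedb/allowed.surrogates and the wire listener configuration before restarting the database server and the listener.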