After setting up all the root, chain, server and client certificates, I'm able to establish a TLS X.509 connection to mongodb via the mongo client.

Next, I added the x509 user grep'd out of the client cert to the $external db.

I set up a PHP test script to test the X.509 login from a client using the client cert:

<?php
$mongoClient = null;
$context = stream_context_create(
    array(
        "ssl" => array(
            "local_cert" => "/home/mshallop/code/database/ome-mongo/certsByEnv/badLatitude/intermediate/certs/dapi.cert.pem"
        )
    )
);

$options = array(
    'ssl'           =>      true,
    'username'      =>      '[email protected],O=MyCompany,ST=California,C=US',
    'authSource'    =>      '$external',
    'authMechanism' =>      'MONGODB-X509'
);

try {
    $mongoClient = new MongoClient(
        '127.0.0.1',
        $options,
        array("context" => $context)
    );
} catch (MongoConnectionException $e) {
    echo $e->getMessage() . PHP_EOL;
}
if (is_null($mongoClient)) exit('mongo client is null' . PHP_EOL);
// limit() is a method on the cursor, so it must be called with -> in PHP
var_dump(iterator_to_array($mongoClient->atl->pgTest_tst->find()->limit(1)));

The results I get back on the console are:

Failed to connect to: 127.0.0.1:27017: Cannot setup SSL, is ext/openssl loaded?
mongo client is null

And in the mongod log I see:

Fri Oct 16 14:35:27.165 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:34398 #11 (2 connections now open)
Fri Oct 16 14:35:27.166 W -        [conn11] DBException thrown :: caused by :: 9001 socket exception [CLOSED] for 127.0.0.1:34398

The openSSL extension is loaded (php -i | grep -i openssl):

SSL Version => OpenSSL/1.0.1f
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version => OpenSSL 1.0.1f 6 Jan 2014
OpenSSL support => enabled

And in the PHP mongo extension, I see:

mongo

MongoDB Support => enabled
Version => 1.6.10
Streams Support => enabled
SSL Support => enabled
Supported Authentication Mechanisms
MONGODB-CR => enabled
SCRAM-SHA-1 => enabled
MONGODB-X509 => enabled
GSSAPI (Kerberos) => disabled
PLAIN => disabled

Directive => Local Value => Master Value
mongo.allow_empty_keys => 0 => 0
mongo.chunk_size => 261120 => 261120
mongo.cmd => $ => $
mongo.default_host => localhost => localhost
mongo.default_port => 27017 => 27017
mongo.is_master_interval => 15 => 15
mongo.long_as_object => 0 => 0
mongo.native_long => 1 => 1
mongo.ping_interval => 5 => 5

One last tidbit - I tried entering this command via the mongo client to authenticate the client user:

> db.getSiblingDB("$external").auth(
... {
... mechanism: "MONGODB-X509",
... user: "[email protected],O=MyCompany,ST=California,C=US"
... }
... )
Error: 18 Username "[email protected],O=MyCompany,ST=California,C=US" does not match the provided client certificate user ""
0

Just to make sure the x509 user I created still exists after several restarts, I attempted to re-enter the user and got this:

> db.getSiblingDB("$external").runCommand(
... {
... createUser: "[email protected],O=MyCompany,ST=California,C=US",

... roles: [ 
... { role: 'readWrite', db: 'atl' },
... { role: 'userAdminAnyDatabase', db: 'admin' }
... ],
... writeConcern : { w: "majority", wtimeout:5000 }
... }
... )
{
    "ok" : 0,
    "errmsg" : "User \"[email protected],O=MyCompany,ST=California,C=US@$external\" already exists",
    "code" : 11000
}

And I am sort of stuck at this point, so here are my questions:

  1. What are some of the other db.getSiblingDB("$external"). commands? Is there an option to list the existing external users already created - so I can ensure that the user was actually added correctly?
  2. Why am I getting the "cannot set SSL" error on the console after exec'ing the PHP stub?
  3. If I had to start over, how would I remove the entry I already made into the $external table?

Thanks!

--mike

PS: Here's the mongo log dump from the php-stub request:

Fri Oct 16 15:48:44.348 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:35121 #12 (2 connections now open)
Fri Oct 16 15:48:44.349 W -        [conn12] DBException thrown :: caused by :: 9001 socket exception [CLOSED] for 127.0.0.1:35121
Fri Oct 16 15:48:44.354 I -        [conn12] 
----- BEGIN BACKTRACE -----
 mongod(_ZN5mongo15printStackTraceERSo+0x29) [0xf5bfc9]
 mongod(_ZN5mongo11DBException13traceIfNeededERKS0_+0x12C) [0xedfe6c]
 mongod(_ZN5mongo6Socket15handleRecvErrorEii+0x917) [0xf17257]
 mongod(_ZN5mongo6Socket5_recvEPci+0x6A) [0xf17c9a]
 mongod(_ZN5mongo6Socket11unsafe_recvEPci+0x9) [0xf17ca9]
 mongod(_ZN5mongo6Socket4recvEPci+0x35) [0xf17cf5]
 mongod(_ZN5mongo13MessagingPort4recvERNS_7MessageE+0xB8) [0xf0c4f8]
 mongod(_ZN5mongo17PortMessageServer17handleIncomingMsgEPv+0x327) [0xf0eee7]
 libpthread.so.0(+0x8182) [0x7f886b15a182]
 libc.so.6(clone+0x6D) [0x7f8869c2147d]
-----  END BACKTRACE  -----
Fri Oct 16 15:48:44.354 I NETWORK  [conn12] end connection 127.0.0.1:35121 (1 connection now open)

What are some of the other db.getSiblingDB("$external"). commands? Is there an option to list the existing external users already created - so I can ensure that the user was actually added correctly?

There doesn't appear to be a reference list in the MongoDB documentation; however, I only see $external used in doc examples for the authenticate command (i.e. db.auth() in the shell) and user management (e.g. creating a user). For the latter, I expect the following commands would apply: https://docs.mongodb.org/manual/reference/command/nav-user-management/

Why am I getting the "cannot set SSL" error on the console after exec'ing the PHP stub?

I assume that you're missing additional SSL context options. We don't have any X509 authentication examples for the legacy driver (mongo extension) you're using in our test suite, but the new driver (mongodb extension) has a few, such as this. The extension API is a bit different, but the SSL context options apply to both extensions. If I had to guess, you may need to specify peer_name, cafile, and/or capath. Note that verify_peer and verify_peer_name both default to true, so that may be failing with the correct CA file.

If I had to start over, how would I remove the entry I already made into the $external table?

Since X509 doesn't involve an external server (unlike LDAP or Kerberos), MongoDB stores the username and credentials in the system.users collection (presumably for each related database). I would suggest using db.dropUser() to remove the user.
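As an added example (not code from the question or the answer above), here is the legacy MongoClient connection with the SSL context options the answer names (cafile, peer_name, verify_peer, verify_peer_name) filled in, plus a helper that derives the MONGODB-X509 username from the client certificate's subject so it cannot drift from what the server sees. The file paths, host name and database names are assumed placeholders.

```php
<?php
// Added example for the legacy mongo extension (MongoClient) with a complete SSL context.
// Paths, host name and database names below are assumed placeholders.
$caFile     = '/path/to/ca-chain.cert.pem';   // root + intermediate chain that signed mongod's cert
$clientCert = '/path/to/client.cert.pem';     // client cert with its private key appended (or set 'local_pk')
$mongoHost  = 'mongo.example.internal';       // must match the CN/SAN in mongod's server certificate

// Build the username from the certificate subject instead of typing it by hand.
// MongoDB matches the subject in RFC 2253 order (most specific RDN first), which is the
// reverse of the order openssl_x509_parse() returns. Assumes each RDN has a single value.
function x509UsernameFromCert(string $pemPath): string {
    $info = openssl_x509_parse(file_get_contents($pemPath));
    if ($info === false) {
        throw new RuntimeException("cannot parse $pemPath: " . openssl_error_string());
    }
    $rdns = [];
    foreach (array_reverse($info['subject'], true) as $type => $value) {
        $rdns[] = $type . '=' . $value;
    }
    return implode(',', $rdns);
}

$context = stream_context_create([
    'ssl' => [
        'cafile'           => $caFile,      // lets the driver verify mongod's certificate chain
        'local_cert'       => $clientCert,  // presented to mongod for MONGODB-X509
        'verify_peer'      => true,         // both default to true; stated so nobody silently disables them
        'verify_peer_name' => true,
        'peer_name'        => $mongoHost,   // required when connecting by IP or another alias
    ],
]);

$options = [
    'ssl'           => true,
    'username'      => x509UsernameFromCert($clientCert),
    'authSource'    => '$external',
    'authMechanism' => 'MONGODB-X509',
];

try {
    $client = new MongoClient($mongoHost, $options, ['context' => $context]);
    var_dump(iterator_to_array($client->atl->pgTest_tst->find()->limit(1)));
} catch (MongoConnectionException $e) {
    // A failure here is the TLS handshake or the X.509 auth, not a missing ext/openssl;
    // check the same cert/CA pair with openssl s_client against host:27017 to isolate which.
    echo $e->getMessage(), PHP_EOL;
}
```

Comparing the string returned by x509UsernameFromCert() with the name stored in $external (db.getSiblingDB("$external").getUsers()) shows immediately whether the "does not match the provided client certificate user" error is a subject-ordering problem.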

I had the same problem. Installing PHP 7.1 over 7.0.9 and php-mongodb 1.2.9 solved it for me (I was using php-mongodb 1.1.5 on PHP 7.0). I found this solution because it worked fine on my laptop and failed on the server. Here is what I had before upgrading the server:

On my server:
php -i | grep -i mongo
/etc/php/7.0/cli/conf.d/20-mongodb.ini,
mongodb
mongodb support => enabled
mongodb version => 1.1.5
mongodb stability => stable
libmongoc version => 1.3.3
mongodb.debug => no value => no value


on local PC:
php -i | grep -i mongo
/etc/php/7.0/cli/conf.d/20-mongodb.ini,
mongodb
MongoDB support => enabled
MongoDB extension version => 1.2.9
MongoDB extension stability => stable
libmongoc bundled version => 1.5.5
libmongoc SSL => enabled
libmongoc SSL library => OpenSSL
libmongoc crypto => enabled
libmongoc crypto library => libcrypto
libmongoc crypto system profile => disabled
libmongoc SASL => enabled
mongodb.debug => no value => no value
