forked from mongodb/mongo
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmongokerberos.1
409 lines (397 loc) · 12.3 KB
/
mongokerberos.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
.TH mongokerberos 1
.SH MONGOKERBEROS
.SH SYNOPSIS
Starting in version 4.4, MongoDB Enterprise provides
\fBmongokerberos\f1\f1 for testing MongoDB\(aqs Kerberos and GSSAPI
\fBconfiguration options\f1 against a
running Kerberos deployment. \fBmongokerberos\f1\f1 can be used
in one of two modes: \fIserver\f1 and \fIclient\f1\&.
.RS
.IP \(bu 2
.RS
.IP \(bu 4
Mode
.IP \(bu 4
Description
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Server
.IP \(bu 4
In \fIserver mode\f1, \fBmongokerberos\f1\f1 analyzes
Kerberos\-related configurations on the server, and returns a
report which includes error messages for any configurations that
are problematic. For usage, see \fBServer Mode\f1
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Client
.IP \(bu 4
In \fIclient mode\f1, \fBmongokerberos\f1\f1 tests Kerberos
authentication for a provided username, and returns a report
which includes the success or failure of each step in the
Kerberos authentication procedure. For usage, see
\fBClient Mode\f1
.RE
.RE
.PP
Error messages for both modes include information on specific errors
encountered and potential advice for resolving the error.
.PP
\fBmongokerberos\f1\f1 supports the following deployment types,
in both server and client modes:
.RS
.IP \(bu 2
Linux MongoDB clients authenticating to MIT Kerberos deployments on
\fBsupported Linux platforms\f1\&.
.IP \(bu 2
Windows MongoDB clients authenticating to Windows Active Directory
deployments on
\fBsupported Windows platforms\f1\&.
.IP \(bu 2
Linux MongoDB clients authenticating to Windows Active Directory
deployments.
.RE
.PP
MongoDB Enterprise and \fBmongokerberos\f1\f1 only support the
MIT implementation (https://kerberos.org/)
of Kerberos.
.PP
Generally, when configuring options related to
\fBKerberos authentication\f1, it is good practice
to verify your configuration with \fBmongokerberos\f1\f1\&.
.PP
\fBmongokerberos\f1\f1 is a testing and verification tool; it does not
edit any files or configure any services. For configuring Kerberos on
your platform please consult the MIT Kerberos documentation (https://web.mit.edu/kerberos/krb5\-latest/doc/), or your platform\(aqs
documentation. For configuring MongoDB to authenticate using Kerberos,
please reference the following tutorials:
.RS
.IP \(bu 2
\fBConfigure MongoDB with Kerberos Authentication on Linux\f1
.IP \(bu 2
\fBConfigure MongoDB with Kerberos Authentication on Windows\f1\&.
.RE
.PP
This document provides a complete overview of all command line options
for \fBmongokerberos\f1\f1\&.
.SH INSTALLATION
.PP
The \fBmongokerberos\f1\f1 tool is part of the \fIMongoDB Database Tools Extra\f1
package, and can be \fBinstalled with the MongoDB Server\f1 or as a
\fBstandalone installation\f1\&.
.SS INSTALL WITH SERVER
.PP
To install \fBmongokerberos\f1\f1 as part of a MongoDB Enterprise Server
installation:
.RS
.IP \(bu 2
Follow the instructions for your platform:
\fBInstall MongoDB Enterprise Server\f1
.IP \(bu 2
After completing the installation, \fBmongokerberos\f1\f1 and the other
included tools are available in the same location as the Server.
.IP
For the Windows \fB\&.msi\f1 installer wizard, the
Complete installation option includes \fBmongokerberos\f1\f1\&.
.RE
.SS INSTALL AS STANDALONE
.PP
To install \fBmongokerberos\f1\f1 as a standalone installation:
.RS
.IP \(bu 2
Follow the download link for MongoDB Enterprise Edition:
MongoDB Enterprise Download Center (https://www.mongodb.com/try/download/enterprise?tck=docs_server)
.IP \(bu 2
Select your Platform (operating system) from the dropdown
menu, then select the appropriate Package for your
platform according to the following chart:
.RS
.IP \(bu 4
.RS
.IP \(bu 6
OS
.IP \(bu 6
Package
.RE
.IP \(bu 4
.RS
.IP \(bu 6
Linux
.IP \(bu 6
\fBtgz\f1 package
.RE
.IP \(bu 4
.RS
.IP \(bu 6
Windows
.IP \(bu 6
\fBzip\f1 package
.RE
.IP \(bu 4
.RS
.IP \(bu 6
macOS
.IP \(bu 6
\fBtgz\f1 package
.RE
.RE
.IP \(bu 2
Once downloaded, unpack the archive and copy \fBmongokerberos\f1\f1 to a
location on your hard drive.
.IP
Linux and macOS users may wish to copy \fBmongokerberos\f1\f1 to a filesystem
location that is defined in the \fB$PATH\f1 environment variable, such
as \fB/usr/bin\f1\&. Doing so allows referencing \fBmongokerberos\f1\f1 directly
on the command line by name, without needing to specify its full
path, or first navigating to its parent directory. See the
\fBinstallation guide\f1 for your platform
for more information.
.RE
.SH USAGE
.PP
\fBmongokerberos\f1\f1 can be run in two modes: \fIserver\f1 and
\fIclient\f1\&.
.PP
Run \fBmongokerberos\f1\f1 from the system command line, not in the
\fBmongosh\f1\f1\&.
.SS SERVER MODE
.PP
Running \fBmongokerberos\f1\f1 in server mode performs a series of
verification steps against your system\(aqs Kerberos configuration,
including checking for proper DNS resolution, validation of the Kerberos
system keytab file, and testing against the MongoDB service principal
for your \fBmongod\f1\f1 or \fBmongos\f1\f1 instance.
.PP
Before you can use \fBmongokerberos\f1\f1 in server mode, you must:
.RS
.IP \(bu 2
Configure Kerberos on your platform according to your platform\(aqs
documentation.
.IP \(bu 2
Create the MongoDB service principal for use with your
\fBmongod\f1\f1 or \fBmongos\f1\f1 instance, as described
in the following steps:
.RS
.IP \(bu 4
\fBConfigure Service Principal on Linux\f1
.IP \(bu 4
\fBConfigure Service Principal on Windows\f1
.RE
.RE
.PP
Once you have completed these steps, you can run
\fBmongokerberos\f1\f1 in server mode using the
\fB\-\-server\f1 flag as follows:
.PP
.EX
mongokerberos \-\-server
.EE
.PP
If Kerberos has been configured properly on the server, and the service
principal created successfully, the output might resemble the following:
.PP
.EX
Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.
Verifying DNS resolution works with Kerberos service at <hostname>...
[OK] DNS test successful.
Getting MIT Kerberos KRB5 environment variables...
* KRB5CCNAME: not set.
* KRB5_CLIENT_KTNAME: not set.
* KRB5_CONFIG: not set.
* KRB5_KTNAME: not set.
* KRB5_TRACE: not set.
[OK]
Verifying existence of KRB5 keytab FILE:/etc/krb5.keytab...
[OK] KRB5 keytab exists and is populated.
Checking principal(s) in KRB5 keytab...
Found the following principals for MongoDB service mongodb:
* mongodb/[email protected]
Found the following kvnos in keytab entries for service mongodb:
* 3
[OK] KRB5 keytab is valid.
Fetching KRB5 Config...
KRB5 config profile resolved as:
<Your Kerberos profile file will be output here>
[OK] KRB5 config profile resolved without errors.
Attempting to initiate security context with service credentials...
[OK] Security context initiated successfully.
.EE
.PP
The final message indicates that the system\(aqs Kerberos configuration is
ready to be used with MongoDB. If any errors are encountered with
the configuration, they will be presented as part of the above output.
.SS CLIENT MODE
.PP
Running \fBmongokerberos\f1\f1 in client mode tests authentication
against your system\(aqs Kerberos environment, performing each step in the
Kerberos authentication process, including checking for proper DNS
resolution, verification of the Kerberos client keytab file, and testing
whether a ticket can be successfully granted. Running
\fBmongokerberos\f1\f1 in client mode simulates the client
authentication procedure of \fBmongosh\f1\f1\&.
.PP
Before you can use \fBmongokerberos\f1\f1 in client mode, you must
first have configured Kerberos on your platform according to your
platform\(aqs documentation. Optionally, you may also choose to run
\fBmongokerberos\f1\f1 in
\fBserver mode\f1 first to verify that your
platform\(aqs Kerberos configuration is valid before using client mode.
.PP
Once you have completed these steps, you can run
\fBmongokerberos\f1\f1 in client mode to test user authentication,
using the \fB\-\-client\f1 flag as follows:
.PP
.EX
mongokerberos \-\-client \-\-username <username>
.EE
.PP
You must provide a valid username, which is used to request a Kerberos
ticket as part of the authentication procedure. Your platform\(aqs
Kerberos infrastructure must be aware of this user.
.PP
If the provided credentials are valid, and the Kerberos options in the
configuration files are valid, the output might resemble the following:
.PP
.EX
Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.
Verifying DNS resolution works with Kerberos service at <hostname>...
[OK] DNS test successful.
Getting MIT Kerberos KRB5 environment variables...
* KRB5CCNAME: not set.
* KRB5_CLIENT_KTNAME: not set.
* KRB5_CONFIG: not set.
* KRB5_KTNAME: not set.
* KRB5_TRACE: not set.
[OK]
Verifying existence of KRB5 client keytab FILE:/path/to/client.keytab...
[OK] KRB5 client keytab exists and is populated.
Checking principal(s) in KRB5 keytab...
[OK] KRB5 keytab is valid.
Fetching KRB5 Config...
KRB5 config profile resolved as:
<Your Kerberos profile file will be output here>
[OK] KRB5 config profile resolved without errors.
Attempting client half of GSSAPI conversation...
[OK] Client half of GSSAPI conversation completed successfully.
.EE
.PP
The final message indicates that client authentication completed
successfully for the user provided. If any errors are encountered
during the authentication steps, they will be presented as part of the
above output.
.SH OPTIONS
.PP
\fBmongokerberos \-\-server\f1
.RS
.PP
Runs \fBmongokerberos\f1\f1 in server mode to test that your
platform\(aqs Kerberos configuration is valid for use with MongoDB.
.PP
See \fBServer Mode\f1 for example usage and expected
output.
.RE
.PP
\fBmongokerberos \-\-client\f1
.RS
.PP
Runs \fBmongokerberos\f1\f1 in client mode to test client
authentication against your system\(aqs Kerberos environment. Requires
specifying a valid username with \fB\-\-username\f1\f1 when running in
client mode. \fBmongokerberos\f1\f1 will request a Kerberos ticket
for this username as part of the validation procedure. Running
\fBmongokerberos\f1\f1 in client mode simulates the client
authentication procedure of \fBmongosh\f1\f1\&.
.PP
See \fBClient Mode\f1 for example usage and expected
output.
.RE
.PP
\fBmongokerberos \-\-config\f1, \fBmongokerberos \-f\f1
.RS
.PP
Specifies a configuration file for runtime configuration options.
The options are equivalent to the command\-line
configuration options. See \fBConfiguration File Options\f1 for
more information.
.PP
\fBmongokerberos\f1\f1 will read the values for
\fBsaslHostName\f1\f1 and \fBsaslServiceName\f1\f1 from this
file if present. These values can alteratively be specified with the
\fB\-\-setParameter\f1\f1 option instead.
.PP
Ensure the configuration file uses ASCII encoding. The
\fBmongokerberos\f1\f1 instance does not support configuration
files with non\-ASCII encoding, including UTF\-8.
.PP
Only valid in \fBserver mode\f1\&.
.RE
.PP
\fBmongokerberos \-\-setParameter\f1
.RS
.PP
Sets a configurable parameter. You can specify multiple
\fBsetParameter\f1 fields.
.PP
While you can use any supported parameters with \fBsetParameter\f1,
\fBmongokerberos\f1\f1 only checks for the value of the following:
.RS
.IP \(bu 2
\fBsaslHostName\f1\f1
.IP \(bu 2
\fBsaslServiceName\f1\f1
.RE
.PP
If using the \fB\-\-config\f1\f1 option with a configuration file that
also contains these values, the \fBsetParameter\f1 values will
override the values from the configuration file.
.PP
Valid in both \fBserver mode\f1
and \fBclient mode\f1\&.
.RE
.PP
\fBmongokerberos \-\-host\f1
.RS
.PP
Specify the hostname of the MongoDB server to connect to when testing
authentication.
.PP
If \fB\-\-host\f1\f1 is not specified, \fBmongokerberos\f1\f1 does
not perform any DNS validation of the hostname (i.e. PTR record
verification)
.PP
Only valid in \fBclient mode\f1\&.
.RE
.PP
\fBmongokerberos \-\-username\f1, \fBmongokerberos \-u\f1
.RS
.PP
Username for \fBmongokerberos\f1\f1 to use when attempting Kerberos
authentication. This value is required when running in
\fBclient mode\f1\&.
.PP
Only valid in \fBclient mode\f1\&.
.RE
.PP
\fBmongokerberos \-\-gssapiServiceName\f1
.RS
.PP
\fIdefault: \(aqmongodb\(aq\f1
.PP
Service principal name to use when authenticating using
GSSAPI/Kerberos.
.PP
Only valid in \fBclient mode\f1\&.
.RE
.PP
\fBmongokerberos \-\-gssapiHostName\f1
.RS
.PP
Remote hostname to use for purpose of GSSAPI/Kerberos authentication.
.PP
Only valid in \fBclient mode\f1\&.
.RE