Authentication failure with External User Credentials

Server: Enterprise Edition 5.0.0 build 3519, configured with external authentication against Active Directory/LDAP
SDK Version: 2.5.2 from Nuget, verified against build from master (commit b0b10869f83ccc379391bacf34f7d0d432fc4576)

We have set up Couchbase Enterprise using the Docker “couchbase:enterprise” image and configured security to use saslauthd to authenticate against our Active Directory domain with instructions from https://developer.couchbase.com/documentation/server/5.0/security/security-saslauthd-new.html#topic_bcf_jmq_wq. We are able to successfully login to the web console with External credentials.

Attempting to access couchbase using the .NET Client SDK and External credentials fails, but using Couchbase credentials, it works as expected. The external credentials are in the Admin role so security permissions shouldn’t be a factor.

Below is my sample C# script:

using System;
using System.Collections.Generic;
using Couchbase;
using Couchbase.Authentication;
using Couchbase.Configuration.Client;

// Beer is the POCO the document is deserialized into (defined elsewhere in the project).
var config = new ClientConfiguration()
{
    Servers = new List<Uri>() { new Uri("http://couchbase:8091") }
};
// External (LDAP) user; the same code works with a Couchbase-local user.
IAuthenticator authenticator = new PasswordAuthenticator("LDAPUser", "password");
config.SetAuthenticator(authenticator);
var cluster = new Cluster(config);
var bucket = cluster.OpenBucket("beer-sample");
var response = bucket.Get<Beer>("21st_amendment_brewery_cafe");

This generates the following error:
“The node ipaddress:11210 that the key was mapped to is either down or unreachable. The SDK will continue to try to connect every 1000ms. Until it can connect every operation routed to it will fail with this exception.”

The log contains the following message:
“Couchbase.Authentication.SASL.ScramShaMechanism - Server Final Message ipaddress:11210 - cc23b4d1-056a-4cb1-9e73-c7b42260e908: Status code: AuthenticationError [32] (Context: , Ref #: 7fdc053a-75f9-4839-98b6-313ed28c84ba)”

Additionally, I’ve reproduced the same behavior, success for Couchbase user and failure for External user via the When_Valid_Credentials_Provided_Authenticate_Returns_True() integration test found in Couchbase.IntegrationTests.ScramShaMechanismTests. When I update the test case to my couchbase server and use our external test user, the test fails, but passes using a Couchbase user.

Finally, I’m able to successfully access documents with External Credentials and the same server using both the Node.js and Python SDKs.


@TechnoAg -

Thanks for the detailed post; based upon what you have reported here, it looks like a possible bug in the C# client with respect to Auth using external credentials. We’ll get back to you after looking deeper into it.

-Jeff

Hi @TechnoAg

We have a theory where external authentication in 5.0 does not support SCRAM-SHA1 but the SDK defaults to using the highest version available from the server.

I’ve created NCBC-1575 to track our investigation.

Thanks

We see a successful authentication from saslauthd when we run it in debug. Does that reinforce the theory?

Hi @gwyden

No, I don’t believe debug should affect which SASL authentication mechanism is used. Do you mean your application is running in debug or the Couchbase .NET SDK?

I have created a fix for what we found when using SCRAM with an external auth store (e.g. LDAP), see ticket NCBC-1575. We create pre-release nuget packages as each change is merged, I’ll share a link once my change has been accepted and you can test if you want to.

Thanks


I was more making reference to running the saslauthd daemon in debug mode which shows the authentication requests and their subsequent success response coming from the daemon itself.

Hi @TechnoAg @gwyden

My fix to force plain SASL via configuration has now been merged and can be seen in this pre-release nuget package. Because this is a pre-release package we would recommend it to be used only in testing environments as it has not gone through our full release testing suite. However, this change will be part of the next official release which is currently scheduled for 5th December 2017.

Also, please be aware that this configuration is expected to be combined with SSL to ensure credentials are secured as username and passwords will be sent in plain text.
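The configuration the fix post describes, forced PLAIN SASL combined with SSL, as an added example that is not code from this thread or from the Couchbase project. It assumes the SDK option for the NCBC-1575 change is a ClientConfiguration property named ForceSaslPlain and that the TLS-enabled management port is 18091; the helper refuses to enable PLAIN without TLS so the LDAP password is never sent in clear text.

```csharp
using System;
using System.Collections.Generic;
using Couchbase;
using Couchbase.Authentication;
using Couchbase.Configuration.Client;

// Builds a ClientConfiguration for an LDAP/saslauthd ("external") user.
// The thread's fix forces the PLAIN SASL mechanism because the 5.0 external
// auth path does not complete SCRAM-SHA; PLAIN carries the password as-is,
// so this helper only allows it together with UseSsl.
// ForceSaslPlain is the option name assumed here for the NCBC-1575 change.
public static class ExternalAuthConfig
{
    public static ClientConfiguration Build(string host, string user, string password,
                                            bool useSsl, bool forcePlain)
    {
        if (forcePlain && !useSsl)
            throw new InvalidOperationException(
                "ForceSaslPlain without UseSsl would send the LDAP password in clear text");

        // Management port 8091 (plain) or 18091 (TLS); the SDK learns the
        // data-service ports from the cluster map it fetches from here.
        var scheme = useSsl ? "https" : "http";
        var port = useSsl ? 18091 : 8091;

        var config = new ClientConfiguration
        {
            Servers = new List<Uri> { new Uri($"{scheme}://{host}:{port}") },
            UseSsl = useSsl,
            ForceSaslPlain = forcePlain
        };
        config.SetAuthenticator(new PasswordAuthenticator(user, password));
        return config;
    }
}

// Usage: the first call mirrors the original snippet (SCRAM negotiated, no TLS),
// which the thread reports failing for an external user; the second is the
// configuration the fix post recommends.
// var original = ExternalAuthConfig.Build("couchbase", "LDAPUser", "password", useSsl: false, forcePlain: false);
// var fixedCfg = ExternalAuthConfig.Build("couchbase", "LDAPUser", "password", useSsl: true, forcePlain: true);
// using (var cluster = new Cluster(fixedCfg))
// {
//     var bucket = cluster.OpenBucket("beer-sample");
//     var result = bucket.Get<dynamic>("21st_amendment_brewery_cafe");
//     Console.WriteLine(result.Success ? "authenticated as external user" : result.Status.ToString());
// }
```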