SSPkrolik / nimongo

Pure Nim lang MongoDB driver
http://sspkrolik.github.io/nimongo
MIT License

can't connect to mongodb atlas (authenticateScramSha1 fails) #89

Open timotheecour opened 3 years ago

timotheecour commented 3 years ago

this issue tracks the 2nd issue mentioned in https://github.com/SSPkrolik/nimongo/issues/87#issuecomment-670798705 to keep https://github.com/SSPkrolik/nimongo/issues/87 focused on mongodb+srv.

copying over that post for context:

thanks for your quick reply! I've looked at https://www.mongodb.com/blog/post/mongodb-3-6-here-to-SRV-you-with-easier-replica-set-connections?jmp=fcb&utm_source=4244&utm_medium=FBPAGE&utm_term=4&linkId=50841309 and ran the python code mentioned in "We can see how this works in practice on a MongoDB Atlas cluster with a simple Python script." and extracted the 1st entry, and then verified it works on mongo shell via:

$homebrew_D/opt/mongodb-community-shell/bin/mongo "mongodb://myuser:mypassword@mongoatlas1-shard-00-00.xxx.mongodb.net:27017/test?ssl=true&authSource=admin&replicaSet=atlas-yyy-shard-0"

but then using that uri fails with nimongo with:

/Users/timothee/git_clone/nim/nimongo/nimongo/mongo.nim(969) newMongoDatabase
/Users/timothee/git_clone/nim/nimongo/nimongo/mongo.nim(965) newMongoDatabase
/Users/timothee/git_clone/nim/nimongo/nimongo/mongo.nim(848) authenticateScramSha1
/Users/timothee/git_clone/nim/nimongo/nimongo/mongo.nim(404) one
/Users/timothee/git_clone/nim/nimongo/nimongo/mongo.nim(310) performFind
/Users/timothee/.choosenim/toolchains/nim-1.2.0/lib/pure/streams.nim(570) readInt32
/Users/timothee/.choosenim/toolchains/nim-1.2.0/lib/pure/streams.nim(382) read
Error: unhandled exception: cannot read from stream [IOError]

so I guess this is because of your point regarding SCRAM256 vs SCRAM1 ?

just trying to get anything working, happy to use whatever temporary workarounds; any idea of whether I could be using a C/C++ library and wrap that for the authenticateScramSha1 part?

> Also, unless you have a high end account, Atlas forces you to SCRAM256 auth (rather than standard SCRAM1). That is a quasi unique change to force smaller users to Compass, their commercial client.

I just tried on M10 (non free tier), I don't see an option for SCRAM1 ? maybe I'm missing something?

EDIT: see https://github.com/ba0f3/scram.nim which mentions: Salted Challenge Response Authentication Mechanism (SCRAM-SHA-1 SCRAM-SHA-256 SCRAM-SHA-512)

timotheecour commented 3 years ago

these are the minimal uri options that work: mongo "mongodb://myuser:mypass@mongoatlas4-shard-xxx.mongodb.net:27017/admin?ssl=true" --norc (adding &authMechanism=SCRAM-SHA-1 in uri also works)

it won't work if I remove ?ssl=true.

given that nimongo README says ssl is not supported, could ssl be the reason? (I also tried with -d:ssl, didn't help obviously)

/cc @SSPkrolik My comment in https://github.com/SSPkrolik/nimongo/issues/87#issuecomment-670988161 still holds here; can't nimongo wrap libmongoc for complex parts such as authentication?

JohnAD commented 3 years ago

Just got finished with my contract work. As top priority, I'll work on getting my fork to work with SHA256 and my Atlas cluster. I'll then apply it to nimongo, which should be quick since much code is still similar.

timotheecour commented 3 years ago

> I'll work on getting my fork to work with SHA256 and my Atlas cluster.

that's great to hear. Note though that the problem may lie elsewhere according to the last experiment in https://github.com/SSPkrolik/nimongo/issues/89#issuecomment-670989242 where I'm using a mongo atlas cluster with version 3.6 for which authMechanism=SCRAM-SHA-1; so it may relate to ?ssl=true instead.

Also note the similar issue I reported in https://github.com/mashingan/anonimongo/issues/5 for anonimongo

JohnAD commented 3 years ago

I got SSL working; but my sandbox account at Atlas is still requiring SHA256; so trying that now...

If curious, the latest commit is here: https://github.com/JohnAD/mongopool/commit/15cf50c1f826e371554c7e95f71fd50a94362d50

First pass was not successful; but I'm not surprised. I suspect I'll be digging into the details of the hashed packets passed back-and-forth during negotiation before I'm done.

I am explicitly passing in the auth mechanism in the URI: mongodb://testuser:PASS@cluster0-shard-00-00-eyjxi.mongodb.net:27017/test?ssl=true&authSource=admin&authMechanism=SCRAM-SHA-256

timotheecour commented 3 years ago

note: some (partial) success here: https://github.com/mashingan/anonimongo/issues/5#issuecomment-671200396

Q-Master commented 2 years ago

Seems that this is a bit of an abandoned repo. You can try to make an issue in my fork. https://github.com/Q-Master/nimongo

disruptek commented 2 years ago

There's a fork with atlas support, for reference, at https://GitHub.com/sesco-llc/mongo if it helps.
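
For anyone comparing a driver's SCRAM-SHA-1 and SCRAM-SHA-256 negotiation packets, as discussed in this thread, the following is an added example (not code from nimongo or any of the forks mentioned) that computes the client-final message and expected server signature per RFC 5802. The function names are hypothetical; the sample exchanges are the published test vectors from RFC 5802 section 5 and RFC 7677 section 3.

```python
import base64, hashlib, hmac

def mongo_sha1_password(user, password):
    # MongoDB's SCRAM-SHA-1 feeds hex(md5("<user>:mongo:<password>")) to PBKDF2;
    # SCRAM-SHA-256 uses the (SASLprep'd) password itself.
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest().encode()

def _attrs(msg):
    # "r=...,s=...,i=..." -> dict; values may themselves contain "=".
    return dict(kv.split("=", 1) for kv in msg.split(","))

def scram_client_final(hash_name, password, client_first_bare, server_first):
    """Return (client-final-message, expected base64 server signature)."""
    srv = _attrs(server_first)
    if not srv["r"].startswith(_attrs(client_first_bare)["r"]):
        raise ValueError("server nonce does not extend the client nonce")
    salted = hashlib.pbkdf2_hmac(hash_name, password,
                                 base64.b64decode(srv["s"]), int(srv["i"]))
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    without_proof = "c=biws,r=" + srv["r"]  # biws = base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_sig = hmac.new(stored_key, auth_message, hash_name).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    server_sig = hmac.new(server_key, auth_message, hash_name).digest()
    return (without_proof + ",p=" + base64.b64encode(proof).decode(),
            base64.b64encode(server_sig).decode())

# RFC test vectors (user "user", password "pencil", raw password as in the RFCs).
RFC5802_SHA1 = ("sha1", b"pencil", "n=user,r=fyko+d2lbbFgONRv9qkxdawL",
    "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096")
RFC7677_SHA256 = ("sha256", b"pencil", "n=user,r=rOprNGfwEbeRWgbNEkqO",
    "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
    "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")

if __name__ == "__main__":
    for vector in (RFC5802_SHA1, RFC7677_SHA256):
        final, server_sig = scram_client_final(*vector)
        print(vector[0], final, "v=" + server_sig)
```

Against a MongoDB server, pass `mongo_sha1_password(user, password)` as the password for SCRAM-SHA-1 and the plain password bytes for SCRAM-SHA-256; the server's `v=` value in its final message must equal the returned signature.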