DOCS-4231: mongod/mongos requires access to saslauthd dir

ravindk89 · ravindk89 · commit f6e76b927e9e · 2019-01-08T14:08:38.000-05:00
diff --git a/source/core/security-ldap.txt b/source/core/security-ldap.txt
@@ -32,6 +32,9 @@ MongoDB 3.4 supports simple and SASL binding to LDAP servers via:
   Linux MongoDB servers supports binding to an LDAP server via the
   ``saslauthd`` daemon.
 
+  .. include:: /includes/fact-saslauthd-permission.rst
+
+
 Previous versions of MongoDB support LDAP authentication using ``saslauthd``.
 This restricted LDAP authentication support to Linux MongoDB deployments only.
 
@@ -294,7 +297,11 @@ Or, if using the :doc:`YAML configuration file
 
 You need to create or update the ``saslauthd.conf`` file with the parameters
 appropriate for your LDAP server. Documenting ``saslauthd.conf`` is out
-of scope for this documentation. The following tutorials provide basic
+of scope for this documentation. 
+
+.. include:: /includes/fact-saslauthd-permission.rst
+
+The following tutorials provide basic
 information on configuring ``saslauthd.conf`` to work with two popular
 LDAP services:
 
diff --git a/source/includes/fact-saslauthd-permission.rst b/source/includes/fact-saslauthd-permission.rst
@@ -0,0 +1,14 @@
+.. important:: 
+
+   The parent directory of the ``saslauthd`` Unix domain socket file
+   specified to :setting:`security.sasl.saslauthdSocketPath` or
+   :parameter:`--setParameter saslauthdPath <saslauthdPath>` must grant 
+   read and execute  (``r-x``) permissions for either: 
+
+   - The user starting the :binary:`mongod <bin.mongod>` or 
+     :binary:`mongos <bin.mongos>`, *or* 
+   - a group to which that user belongs.
+
+   The ``mongod`` or ``mongos`` cannot successfully authenticate via
+   ``saslauthd`` without the specified permission on the ``saslauthd`` 
+   directory and its contents.
diff --git a/source/includes/steps-configure-ldap-mongodb.yaml b/source/includes/steps-configure-ldap-mongodb.yaml
@@ -38,6 +38,8 @@ pre: |
 
   - :parameter:`saslauthdPath` parameter set to the path to the Unix-domain Socket of the ``saslauthd`` instance.
 
+    .. include:: /includes/fact-saslauthd-permission.rst
+
   If you use the :setting:`~security.authorization` option to enforce
   authentication, you will need privileges to create a user.
 action:
diff --git a/source/includes/steps-configure-ldap-saslauthd-activedir.yaml b/source/includes/steps-configure-ldap-saslauthd-activedir.yaml
@@ -75,8 +75,8 @@ post: |
   - ``0: NO "authentication failed"`` indicates a username, password, or
     configuration error.
 
-  .. note::
+  Modify the file path with respect to the location of the 
+  ``saslauthd`` directory on the host operating system.
 
-      ``/var/run/saslauthd`` directory must have permissions set to
-      ``755`` for MongoDB to successfully authenticate.
+  .. include:: /includes/fact-saslauthd-permission.rst
 ...
