How to Configure LDAP Authentication for MongoDB

MongoDB


This is a guest post from Tom Spitzer, Vice President, Engineering of EC Wise, Inc. To expand on the MongoDB LDAP documentation, the objective of this post is to elaborate on configuring LDAP authentication for MongoDB. We will use the Mini-Clinic application presented at MongoDB World ‘17 as the illustrative example.

Mini-Clinic Windows Active Directory (AD) Users and Groups

We start by creating AD users and groups for Mini-Clinic.

The Sysinternals ADExplorer tool is a useful utility for viewing these objects in AD. Note that it works from an ordinary domain user account: by default any authenticated domain user can read most of the directory, including group membership, so bear that in mind when deciding what you store in AD and who can reach your domain controllers.

User objects

dn: CN=scott,CN=Users,DC=ecwise,DC=local
memberOf: CN=Mongo Scheduler,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
dn: CN=page,CN=Users,DC=ecwise,DC=local
memberOf: CN=Mongo Practitioner,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
dn: CN=parker,CN=Users,DC=ecwise,DC=local
memberOf: CN=Mongo Pharmacist,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
dn: CN=Adam,CN=Users,DC=ecwise,DC=local
memberOf: CN=Mongo Auditor,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
dn: CN=Duke,CN=Users,DC=ecwise,DC=local
memberOf: CN=Mongo DBA,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local

Group objects

dn: CN=Mongo Scheduler,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=scott,CN=Users,DC=ecwise,DC=local
dn: CN=Mongo Practitioner,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=page,CN=Users,DC=ecwise,DC=local
dn: CN=Mongo Pharmacist,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=parker,CN=Users,DC=ecwise,DC=local
dn: CN=Mongo Auditor,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=Adam,CN=Users,DC=ecwise,DC=local
dn: CN=Mongo DBA,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=Duke,CN=Users,DC=ecwise,DC=local

Procedure

Configure TLS/SSL for the server running MongoDB

LDAP authentication and authorization are features of MongoDB Enterprise. By default (security.ldap.transportSecurity: tls) the mongod process connects to AD over TLS/SSL. You can set security.ldap.transportSecurity to none in the MongoDB configuration file to disable TLS/SSL:

security:
  ldap:
    transportSecurity: none

This is not recommended for production, because every bind then carries the user's password, and the query account's password, to the domain controller in cleartext; it can be useful, though, when debugging configuration issues.

Ensure AD server is enabled with TLS/SSL

Use ldp.exe (installed with the AD DS tools of the Remote Server Administration Tools, RSAT) to verify that the AD server is actively listening for SSL on port 636. Microsoft's article on verifying LDAP over SSL gives in-depth guidance. In ldp.exe, connect with:

server: cdcorpwindc01.ecwise.local
port: 636
SSL: true

If the response includes "Host supports SSL......Established connection", then the AD server is answering requests that come in over SSL.

Configure LDAPS (LDAP over SSL)

Export the Root CA certificate from the AD server's certification authority and install it on the MongoDB host.

  1. Click Start, Administrative Tools, Certification Authority
  2. Right-click on your CA, and select Properties
  3. In the CA Properties window, click on View Certificate
  4. In the Certificate window, click the Details tab and click Copy to File
  5. In the Certificate Export Wizard window, click Next
  6. Select Base-64 encoded X.509 (.CER), and click Next
  7. Enter the export name (e.g., c:\corpRootCa.cer), and click Next
  8. Click Finish
  9. Copy the certificate to the Linux server (assuming that MongoDB is running on a Linux server), for example, to /etc/openldap/certs

Note: step 6 is very important. The OpenLDAP library that mongod uses on Linux expects a PEM file; a DER-encoded (binary) certificate will not work for LDAPS. You can check the exported file in a text editor: it must begin with -----BEGIN CERTIFICATE-----.

Edit /etc/openldap/ldap.conf (on Debian and Ubuntu the file is /etc/ldap/ldap.conf) and add a line:

TLS_CACERT /etc/openldap/certs/ecwise-root.cer

ecwise-root.cer is stored in /resource of the repo.

Specifying the TLS_CACERTDIR line is not essential here; TLS_CACERT takes priority. Do not work around a trust error by setting TLS_REQCERT never: that switches off validation of the domain controller's certificate and leaves every bind, including the one with the query account's password, open to a man-in-the-middle with a forged certificate. If validation fails, the CA file is the thing to fix (wrong encoding, wrong CA, or the DC's certificate is issued by an intermediate whose chain is not in the file).

Use ldapsearch from the Linux MongoDB server to verify that LDAPS is working

ldapsearch -x -H ldaps://cdcorpwindc01.ecwise.local -b "DC=ecwise,DC=local" -D "CN=TM-EM,OU=Accounts,OU=Chengdu,OU=EC Wise Users,DC=ecwise,DC=local" -W

-x  use a simple bind, the bind method mongod uses by default
-H  the LDAP URI; the ldaps:// scheme forces TLS on port 636 and validates the server certificate against TLS_CACERT
-b  the starting point (base DN) of the search
-D  the DN of the account to bind (authenticate) as
-W  prompt for that account's password instead of putting it on the command line

If the TLS handshake fails you will see "Can't contact LDAP server"; if the bind is rejected you will see "Invalid credentials". Only once this command returns entries is it worth touching the MongoDB configuration, because mongod goes through the same library and the same ldap.conf.

Create User Administrative Role

MongoDB grants privileges to AD groups, not to AD users. For each AD group we create a MongoDB role on the admin database whose name is the group's full DN, and we put AD users into the AD groups. When an AD user logs in to MongoDB, the authorization query returns the DNs of the groups they belong to, and they are granted the roles with those names. No such roles exist yet, so start mongod with LDAP authentication and authorization disabled and execute the script below, which is in /init-script/create-user-administrative-role.js on the MongoDB server.

mongo create-user-administrative-role.js

// Roles for LDAP-authorized users live on the admin database, and the role
// name must match the AD group DN exactly (case and spacing included),
// because mongod looks the DN returned by the authorization query up as a role name.
var admin = db.getSiblingDB("admin")
admin.createRole(
    {
        role: "CN=Mongo DBA,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local",
        privileges: [],                     // no direct privileges ...
        roles: [ "userAdminAnyDatabase" ]   // ... everything comes from the built-in role
    }
)

Edit the MongoDB configuration file

The configuration should look like this:

security:
  authorization: "enabled"
  ldap:
    servers: "cdcorpwindc01.ecwise.local"
    bind:
      queryUser: "duke"
      queryPassword: "ecwise@123"
    userToDNMapping: '[
      {
        match: "(.+)",
        ldapQuery: "CN=Users,DC=ecwise,DC=local??sub?(sAMAccountName={0})"
      }
    ]'
    authz:
      queryTemplate: "OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local??sub?(&(objectClass=group)(member={USER}))"
setParameter:
  authenticationMechanisms: "PLAIN"

DN = Distinguished Name; see the Active Directory reference (https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx) for an explanation. (Of course, you will substitute your OU and DC designators for our EC Wise designators.)

Two things to get right in this file. The nesting matters: bind, userToDNMapping and authz are children of security.ldap, and setParameter is a top-level key, not part of bind. And queryPassword is stored in cleartext, so the configuration file must be readable only by the account mongod runs as (for example, mode 600 and owned by the mongod user). With authenticationMechanisms set to PLAIN, clients send their password to mongod in cleartext as well, so enable TLS on mongod's own listener (net.ssl) before exposing it to users.

Configure LDAP query template for authorization

Use queryTemplate to identify which groups the user belongs to. The queryTemplate is a relative LDAP URL (RFC 4516): the base DN, then the attribute list, the scope and the filter, separated by question marks. The pattern is:

(AD groups DN to search)??sub?(query condition)

The two consecutive question marks leave the attribute list empty, sub selects a subtree search, and the last part is an RFC 4515 filter. So in our configuration it means: search the subtree under "OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local" for entries whose objectClass is group and whose member attribute contains the user's DN, which mongod substitutes for the {USER} token. Every group DN the query returns is then looked up as a role name on the admin database.

Transform incoming usernames for authentication via AD

Usually, the user DN is not something a user enters directly. So userToDNMapping transforms the login name into a full LDAP DN, which mongod then binds as to verify the password and uses as the user's identifier in the authorization query.

The ldapQuery pattern is:

(AD users DN to search)??sub?(match condition)

The match regular expression is applied to the login name, and {0} in ldapQuery is replaced by its first capture group; with match "(.+)" that is the whole login name. So in our configuration, we are looking, in the subtree under "CN=Users,DC=ecwise,DC=local", for the one user whose sAMAccountName equals the login name.

Configure query credentials

MongoDB needs credentials to run the userToDNMapping and authorization queries against your Windows AD server, configured as queryUser and queryPassword in the bind section. Make this a dedicated, single-purpose account that can only read the directory. In particular, do not reuse the DBA's account as the example above does with duke, who is also a member of Mongo DBA: anyone who can read the configuration file would then hold a database administrator's password.
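The script below is an added example, not code from this post or from the Mini-Clinic repository. It replays with ldapsearch the two lookups mongod performs under the configuration above (login name to DN through the userToDNMapping filter, then DN to group DNs through the authz queryTemplate filter), after first checking that the exported CA file really is Base-64/PEM and that the domain controller's LDAPS certificate validates against it. Since ldapsearch uses the same OpenLDAP library and the same ldap.conf that mongod uses on Linux, what it prints is what mongod will see. The host, base DNs and CA path are the post's; the bind account CN=svc-mongo-ldap is an assumed dedicated read-only account, and its password is read from a file you supply rather than from the command line.

```shell
#!/bin/sh
# Added example (not from the post or the Mini-Clinic repo): dry-run the LDAP
# lookups mongod performs under the configuration above.
set -u

LDAP_HOST="cdcorpwindc01.ecwise.local"
CA_FILE="/etc/openldap/certs/ecwise-root.cer"
USER_BASE="CN=Users,DC=ecwise,DC=local"                    # userToDNMapping base
GROUP_BASE="OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local" # authz.queryTemplate base
BIND_DN="CN=svc-mongo-ldap,CN=Users,DC=ecwise,DC=local"    # assumed read-only query account

# RFC 4515 escaping of the characters that are special inside a filter, so a
# login name such as 'x)(objectClass=*' cannot rewrite the filter it lands in.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter from userToDNMapping's ldapQuery, "...?(sAMAccountName={0})",
# where {0} is the whole login name captured by match: "(.+)".
user_filter() {
  printf '(sAMAccountName=%s)' "$(ldap_escape "$1")"
}

# The filter from authz.queryTemplate, "(&(objectClass=group)(member={USER}))",
# with {USER} replaced by the DN the first lookup returned.
group_filter() {
  printf '(&(objectClass=group)(member=%s))' "$(ldap_escape "$1")"
}

# Step 6 of the export wizard: TLS_CACERT must point at a PEM (Base-64) file.
is_pem_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Simple bind over LDAPS, password read from a mode-0600 file (-y) so it never
# shows up in the process list; print only the DNs of the matching entries.
search_dns() {
  base="$1"; filter="$2"; pass_file="$3"
  ldapsearch -x -LLL -o ldif-wrap=no -H "ldaps://$LDAP_HOST" \
             -D "$BIND_DN" -y "$pass_file" -b "$base" -s sub "$filter" dn \
    | sed -n 's/^dn: //p'
}

main() {
  login="${1:?usage: $0 <sAMAccountName> <bind-password-file>}"
  pass_file="${2:?usage: $0 <sAMAccountName> <bind-password-file>}"

  is_pem_cert "$CA_FILE" || { echo "$CA_FILE is not a PEM (Base-64) certificate" >&2; return 1; }

  # 1. The DC's certificate chain must validate against our CA. Never "fix" a
  #    failure here with TLS_REQCERT never; that disables validation entirely.
  openssl s_client -connect "$LDAP_HOST:636" -CAfile "$CA_FILE" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0' \
    || { echo "LDAPS certificate of $LDAP_HOST does not validate against $CA_FILE" >&2; return 1; }

  # 2. Login name -> DN, as userToDNMapping does. mongod needs exactly one DN to bind as.
  user_dn=$(search_dns "$USER_BASE" "$(user_filter "$login")" "$pass_file")
  case "$(printf '%s\n' "$user_dn" | grep -c .)" in
    0) echo "no entry with sAMAccountName=$login under $USER_BASE" >&2; return 1 ;;
    1) ;;
    *) echo "ambiguous: several entries match sAMAccountName=$login" >&2; return 1 ;;
  esac
  echo "user DN : $user_dn"

  # 3. DN -> group DNs, as authz.queryTemplate does. Each DN printed here must
  #    exist character for character as a role name on the admin database,
  #    otherwise that group grants the user nothing.
  echo "roles   :"
  search_dns "$GROUP_BASE" "$(group_filter "$user_dn")" "$pass_file" | sed 's/^/  /'
}

# Only run the live checks when invoked with arguments.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as ./ldap-dryrun.sh scott /root/ldap-bind.pw (the second argument holds the query account's password). For scott the output should be his user DN followed by CN=Mongo Scheduler,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local; if the group line is missing or spelled differently from the role you created, the user will authenticate but not receive that role.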

Create roles and users for Mini-clinic

Execute the script (init_script/init_ldap_role_user.js) in the repo as the DBA user to create the roles and users for Mini-clinic. With LDAP authentication enabled again, the DBA logs in with the PLAIN mechanism against the $external database:

mongo -u duke -p --authenticationMechanism PLAIN --authenticationDatabase '$external' init_ldap_role_user.js

Quote $external in the shell so it is not expanded as an (empty) variable. To confirm that a user has been mapped to the expected group roles, log in as that user and run db.runCommand({connectionStatus: 1}); authInfo.authenticatedUserRoles lists the roles mongod derived from the LDAP query.

Hopefully this article has helped you to better understand how Windows Active Directory and LDAP can be configured with MongoDB.



About the Author: Tom is a software industry and IT services veteran, having been the lead technologist at both consulting and software development companies for over twenty-five years. As part of the EC Wise senior team, he leads the company’s secure development and secure database implementation practices, which have built products and services for leading business services providers, casinos and other security sensitive industries. Over the years, Tom has made presentations at many technical conferences and written for a variety of industry publications. Prior to joining EC Wise in 1999, Tom was CTO at a venture backed Silicon Valley e-commerce startup.