Docs Menu
Docs Home
/
MongoDB Cloud Manager
/
Security
/
Secure with Authentication

Manage LDAP Authentication for your Cloud Manager Project

On this page

  • Considerations
  • Enable LDAP Authentication
  • Reset Authentication and TLS Settings
  • Rotate LDAP Authentication Passwords

Note

Starting with MongoDB 8.0, LDAP authentication and authorization is deprecated. The feature is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.

For details, see LDAP Deprecation.

Cloud Manager enables you to configure the Authentication Mechanisms that all clients, including the Cloud Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.

MongoDB Enterprise supports proxying authentication requests to a Lightweight Directory Access Protocol (LDAP) service.

LDAP is only available on MongoDB Enterprise builds. If you have existing deployments running on a MongoDB Community build, you must upgrade them to MongoDB Enterprise before you can enable LDAP for your Cloud Manager project.

Considerations

MongoDB Enterprise supports simple and SASL binding to Lightweight Directory Access Protocol (LDAP) servers via saslauthd and operating system libraries:

  • MongoDB Enterprise for Linux can bind to an LDAP server either via saslauthd or through the operating system libraries.

  • MongoDB Enterprise for Windows can bind to an LDAP server through the operating system libraries.

To learn how to set up LDAP and SASL, see LDAP Proxy Authentication and LDAP Authorization sections in the MongoDB manual.

Enable LDAP Authentication

This procedure describes how to configure and enable LDAP authentication for deployments that use Automation.

1

In MongoDB Cloud Manager, go to the Deployment page for your project.

  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If the Deployment page is not already displayed, click Deployment in the sidebar.

    The Deployment page displays.

2

Go to the Security page.

Click the Security tab for your deployment.

The Security page displays.

3

Go to the Security Settings dialog for your deployment.

Do one of the following actions:

  • If this is your first time configuring TLS, authentication, or authorization settings for this project, click Get Started.

  • If you have already configured TLS authentication, or authorization settings for this project, click Edit.

4

Specify the TLS Settings.

Field
Action

MongoDB Deployment Transport Layer Security (TLS)

Toggle this slider to ON.

TLS CA File Path

The TLS Certificate Authority file is a .pem-format certificate file that contains the root certificate chain from the Certificate Authority. The MongoDB Agent uses this same Certificate Authority file to connect to every item in your deployment.

The encrypted private key for the .pem certificate file must be in PKCS #1 format. The MongoDB Agent doesn't support the PKCS #8 format.

Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:

  • Type the file path on all Linux hosts in the first box.

  • Type the file path on all Windows hosts in the second box.

This enables the net.tls.CAFile setting for the MongoDB processes in the project.

Click Validate to test that each host in your deployment has a TLS Certificate Authority at the paths you specified.

Client Certificate Mode

Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled MongoDB deployments. Each MongoDB deployment checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid.

Accepted values are:

Optional

Every client may present a valid TLS certificate when connecting to MongoDB deployments. MongoDB Agents might use TLS certificates if you don't set the mongod tlsMode to None.

Required

Every MongoDB deployment in this project starts with TLS-encrypted network connections. All Agents must use TLS to connect to any MongoDB deployment.

5

Choose the authentication mechanism.

6

Configure the LDAP Authorization Settings. (Optional)

Important

Starting with MongoDB 3.4, you can authenticate users using LDAP, Kerberos, or X.509 certificates without requiring local user documents in the $external database as long as you enable LDAP authorization first. When such a user successfully authenticates, MongoDB performs a query against the LDAP server to retrieve all groups which that LDAP user possesses and transforms those groups into their equivalent MongoDB roles.

Skip this step if you selected Saslauthd in the previous step.

If you selected Native LDAP Authentication, complete the following steps:

  1. Provide the following values:

    Setting
    Value

    Server URL

    Specify the hostname:port combination of one or more LDAP servers.

    Transport Security

    Select TLS to encrypt your LDAP queries. If you do not need to encrypt the LDAP queries, select None.

    Timeout (ms)

    Specify how long an authentication request should wait before timing out.

    Bind Method

    Select either SASL or Simple.

    IMPORTANT: If you choose the Simple bind method, select TLS from the Transport Security because the Simple bind method passes the password in plain text.

    SASL Mechanisms

    Specify which SASL authentication service MongoDB uses with the LDAP server.

    Query User (LDAP Bind DN)

    Specify the LDAP Distinguished Name to which MongoDB binds when connecting to the LDAP server.

    Query Password (LDAP Bind DN)

    Specify the password with which MongoDB binds when connecting to an LDAP server.

    LDAP User Cache Invalidation Interval (s)

    Specify how long MongoDB waits to flush the LDAP user cache. Defaults to 30 seconds.

    User to Distinguished Name Mapping

    Specify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.

    Validate LDAP Server Config

    Select ON to validate the LDAP server configuration or OFF to skip validation.

    If ON and the configuration is invalid, the MongoDB deployment will not start.

  2. In the LDAP Authorization section, enter values for the following fields:

    Setting
    Value

    LDAP Authorization

    Toggle to ON to enable LDAP authorization.

    Authorization Query Template

    Specify a template for an LDAP query URL to retrieve a list of LDAP groups for an LDAP user.

    User to Distinguished Name Mapping

    Specify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.

7

Configure the Agents to use {{mechanism}} to connect to your MongoDB deployment.

Note

Remember

Cloud Manager limits Agents to using one mechanism per deployment.

  1. Select the {{mechanism}} option from the Agent Auth Mechanism section.

  2. Provide credentials for the MongoDB Agent:

    Setting
    Value

    MongoDB Agent Username

    Enter the LDAP username.

    MongoDB Agent Password

    Enter the password for Agent's LDAP Username.

    MongoDB Agent LDAP Group DN

    If you enabled LDAP Authorization, enter the DN of the group of which the MongoDB Agent user is a member.

8

Click Save Settings.

9

Click Review & Deploy to review your changes.

10

Click Confirm & Deploy to deploy your changes.

Otherwise, click Cancel and you can make additional changes.

11

Create MongoDB Roles for LDAP Groups. (Optional)

After enabling LDAP Authorization, you need to create custom MongoDB roles for each LDAP Group you specified for LDAP Authorization.

If Cloud Manager doesn't manage Monitoring or Backup, you must manually configure them to use LDAP. To configure LDAP, see Configure MongoDB Agent for LDAP.

Reset Authentication and TLS Settings

Note

To reset Authentication and TLS settings for your project, first unmanage any MongoDB deployments that Cloud Manager manages in your project.

Rotate LDAP Authentication Passwords

This procedure describes how to rotate LDAP authentication credentials in deployments that use Automation.

1

In MongoDB Cloud Manager, go to the Deployment page for your project.

  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it's not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If the Deployment page is not already displayed, click Deployment in the sidebar.

    The Deployment page displays.

2

Go to the Security page.

Click the Security tab for your deployment.

The Security page displays.

3

Go to the Security Settings dialog for your deployment.

Do one of the following actions:

  • If this is your first time configuring TLS, authentication, or authorization settings for this project, click Get Started.

  • If you have already configured TLS authentication, or authorization settings for this project, click Edit.

4

Specify the TLS Settings.

Field
Action

MongoDB Deployment Transport Layer Security (TLS)

Toggle this slider to ON.

TLS CA File Path

The TLS Certificate Authority file is a .pem-format certificate file that contains the root certificate chain from the Certificate Authority. The MongoDB Agent uses this same Certificate Authority file to connect to every item in your deployment.

The encrypted private key for the .pem certificate file must be in PKCS #1 format. The MongoDB Agent doesn't support the PKCS #8 format.

Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:

  • Type the file path on all Linux hosts in the first box.

  • Type the file path on all Windows hosts in the second box.

This enables the net.tls.CAFile setting for the MongoDB processes in the project.

Click Validate to test that each host in your deployment has a TLS Certificate Authority at the paths you specified.

Client Certificate Mode

Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled MongoDB deployments. Each MongoDB deployment checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid.

Accepted values are:

Optional

Every client may present a valid TLS certificate when connecting to MongoDB deployments. MongoDB Agents might use TLS certificates if you don't set the mongod tlsMode to None.

Required

Every MongoDB deployment in this project starts with TLS-encrypted network connections. All Agents must use TLS to connect to any MongoDB deployment.

5

Choose the authentication mechanism.

6

Rotate the LDAP Authorization Passwords. (Optional)

Important

You can authenticate users using LDAP, Kerberos, or X.509 certificates without requiring local user documents in the $external database as long as you enable LDAP authorization first. When such a user successfully authenticates, MongoDB performs a query against the LDAP server to retrieve all groups which that LDAP user possesses and transforms those groups into their equivalent MongoDB roles.

Ensure you selected Native LDAP Authentication, and then complete the following steps:

  1. Provide the following values:

    Setting
    Value

    Server URL

    Specify the hostname:port combination of one or more LDAP servers.

    Transport Security

    Select TLS to encrypt your LDAP queries. If you do not need to encrypt the LDAP queries, select None.

    Timeout (ms)

    Specify how long an authentication request should wait before timing out.

    Bind Method

    Select either SASL or Simple.

    IMPORTANT: If you choose the Simple bind method, select TLS from the Transport Security because the Simple bind method passes the password in plain text.

    SASL Mechanisms

    Specify which SASL authentication service MongoDB uses with the LDAP server.

    Query User (LDAP Bind DN)

    Specify the LDAP Distinguished Name to which MongoDB binds when connecting to the LDAP server.

    Query Password (LDAP Bind DN)

    Specify the password with which MongoDB binds when connecting to an LDAP server.

    New Query Password (LDAP Bind DN)

    Specify the new password with which MongoDB will bind when connecting to an LDAP server. Specifying a new password in this field allows you to smoothly rotate the query password.

    Important

    After you rotate the password on the LDAP server side, move the contents of the New Query Password field into the Query Password field and make the New Query Password field empty.

    LDAP User Cache Invalidation Interval (s)

    Specify how long MongoDB waits to flush the LDAP user cache. Defaults to 30 seconds.

    User to Distinguished Name Mapping

    Specify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.

    Validate LDAP Server Config

    Select ON to validate the LDAP server configuration or OFF to skip validation.

    If ON and the configuration is invalid, the MongoDB deployment will not start.

  2. In the LDAP Authorization section, enter values for the following fields:

    Setting
    Value

    LDAP Authorization

    Toggle to ON to enable LDAP authorization.

    Authorization Query Template

    Specify a template for an LDAP query URL to retrieve a list of LDAP groups for an LDAP user.

    User to Distinguished Name Mapping

    Specify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.

7

Configure the Agents to use {{mechanism}} to connect to your MongoDB deployment.

Note

Remember

Cloud Manager limits Agents to using one mechanism per deployment.

  1. Select the {{mechanism}} option from the Agent Auth Mechanism section.

  2. Provide credentials for the MongoDB Agent:

    Setting
    Value

    MongoDB Agent Username

    Enter the LDAP username.

    MongoDB Agent Password

    Enter the password for Agent's LDAP Username.

    MongoDB Agent LDAP Group DN

    If you enabled LDAP Authorization, enter the DN of the group of which the MongoDB Agent user is a member.

8

Click Save Settings.

Note

While you save the settings with a new password, MongoDB tries both passwords. After completing this procedure, you can change the password in your LDAP server. After you rotate the password on the LDAP server side, move the contents of the New Query Password field into the Query Password field and make the New Query Password field empty.

9

Click Review & Deploy to review your changes.

10

Click Confirm & Deploy to deploy your changes.

Otherwise, click Cancel and you can make additional changes.

11

Create MongoDB Roles for LDAP Groups. (Optional)

After enabling LDAP Authorization, you need to create custom MongoDB roles for each LDAP Group you specified for LDAP Authorization.

Back

Use Username/Password

Next

Use Kerberos