LDAP Deprecation
On this page
Starting in MongoDB 8.0, LDAP authentication and authorization is deprecated. LDAP is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.
You should migrate from LDAP to Workforce Identity Federation (OIDC authentication) for human users and Workload Identity Federation (OAuth 2.0) for programmatic users.
With Workforce Identity Federation, you can manage human user access to Atlas Clusters from any identity provider that supports OIDC, including Microsoft Entra ID, Okta, and Ping Identity.
With Workload Identity Federation, you can manage application access to Atlas Clusters from any authorization system that supports OAuth 2.0. You can use cloud provider application users, which include Azure Service Principals, Azure Managed Identities, and Google Cloud Platform (GCP) service accounts.
Get Started
To get started with Workforce and Workload Identity Federation in Atlas, see:
To get started with Workforce Identity Federation in MongoDB server, see Self-Managed OpenID Connect Authentication.
LDAP migration information will be available in the future.
Details
The following sections describe additional details with the advantages of Workforce and Workload Identity Federation compared to LDAP.
Atlas and Atlas for Government
Cost efficiency: For Atlas Developer and Pro support, LDAP has a fee as part of the Advanced Security package. Workforce and Workload Identity Federation don't have an additional fee. For pricing, see:
Improved network security: LDAP requires a public Fully Qualified Domain Name (FQDN), which creates a potential firewall vulnerability. With Workforce Identity Federation, you can use an Internet connected Identity Provider (IdP) and synchronize part of the user directory to your IdP to improve security with Workforce Identity Federation.
Improved credentials handling: Unlike LDAP, user credentials aren't sent to or stored in MongoDB with Identity Federation.
Modern authentication policies for human users: Workforce Identity Federation allows authentication through IdP, which enables the use of modern authentication policies.
Simple configuration: LDAP users require a complex network configuration for Atlas. Identity Federation has a simpler configuration.
Authentication without passwords for application users: Identity Federation supports authentication without passwords for applications running on specific cloud resources. This also eliminates periodically renewing credentials.
Improved security with access tokens: Identity Federation grants access through short term access tokens, which improves security when compared to LDAP. Access tokens are typically valid for one hour. The time period can be customized based on the identity provider.
MongoDB Server On-premises Implementations
In addition to the last two points in the previous list, MongoDB on-premises server implementations also have the following additional consideration:
Reduced cross-application risk: With OIDC and OAuth 2.0, access tokens are granted for specific resources using audience claims. If a token is compromised, the token has a limited lifetime and scope to limit access.