mongoldap
On this page
MongoDB Enterprise
Note
Starting in MongoDB 8.0, LDAP authentication and authorization is deprecated. LDAP is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.
For details, see LDAP Deprecation.
Synopsis
MongoDB Enterprise provides
mongoldap
for testing MongoDB's LDAP configuration
options against a running LDAP server or set
of servers.
To validate the LDAP options in the configuration file, set the
mongoldap
--config
option to the configuration file's
path.
To test the LDAP configuration options, you must specify a --user
and --password
. mongoldap
simulates authentication to a
MongoDB server running with the provided configuration options and credentials.
mongoldap
returns a report that includes the success or failure of
any step in the LDAP authentication or authorization procedure. Error messages
include information on specific errors encountered and potential advice for
resolving the error.
When configuring options related to LDAP authorization, mongoldap
executes an LDAP query
constructed using the provided configuration options and username, and returns
a list of roles on the admin
database which the user is authorized for.
You can use this information when configuring LDAP authorization roles for user access control. For example, use
mongoldap
to ensure your configuration allows privileged users to
gain the necessary roles to perform their expected tasks. Similarly, use
mongoldap
to ensure your configuration disallows non-privileged
users from gaining roles for accessing the MongoDB server, or performing
unauthorized actions.
When configuring options related to LDAP authentication, use mongoldap
to ensure that the authentication
operation works as expected.
Run mongoldap
from the system command line, not in the
mongosh
.
This document provides a complete overview of all command line options for
mongoldap
.
Installation
The mongoldap
tool is part of the MongoDB Database Tools Extra
package, and can be installed with the MongoDB Server or as a
standalone installation.
Install with Server
To install mongoldap
as part of a MongoDB Enterprise Server
installation:
Follow the instructions for your platform: Install MongoDB Enterprise Server
After completing the installation,
mongoldap
and the other included tools are available in the same location as the Server.Note
For the Windows
.msi
installer wizard, the Complete installation option includesmongoldap
.
Install as Standalone
To install mongoldap
as a standalone installation:
Follow the download link for MongoDB Enterprise Edition: MongoDB Enterprise Download Center
Select your Platform (operating system) from the dropdown menu, then select the appropriate Package for your platform according to the following chart:
OSPackageLinux
tgz
packageWindows
zip
packagemacOS
tgz
packageOnce downloaded, unpack the archive and copy
mongoldap
to a location on your hard drive.Tip
Linux and macOS users may wish to copy
mongoldap
to a filesystem location that is defined in the$PATH
environment variable, such as/usr/bin
. Doing so allows referencingmongoldap
directly on the command line by name, without needing to specify its full path, or first navigating to its parent directory. See the installation guide for your platform for more information.
Usage
Note
A full description of LDAP or Active Directory is beyond the scope of this documentation.
Consider the following sample configuration file, designed to support LDAP authentication and authorization via Active Directory:
security: authorization: "enabled" ldap: servers: "activedirectory.example.net" bind: queryUser: "mongodbadmin@dba.example.com" queryPassword: "secret123" userToDNMapping: '[ { match : "(.+)", ldapQuery: "DC=example,DC=com??sub?(userPrincipalName={0})" } ]' authz: queryTemplate: "DC=example,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))" setParameter: authenticationMechanisms: "PLAIN"
You can use mongoldap
to validate the configuration file, which
returns a report of the procedure. You must specify a username and password
for mongoldap
.
mongoldap --config=<path-to-config> --user="bob@dba.example.com" --password="secret123"
If the provided credentials are valid, and the LDAP options in the configuration files are valid, the output might be as follows:
Checking that an LDAP server has been specified... [OK] LDAP server found Connecting to LDAP server... [OK] Connected to LDAP server Parsing MongoDB to LDAP DN mappings.. [OK] MongoDB to LDAP DN mappings appear to be valid Attempting to authenticate against the LDAP server... [OK] Successful authentication performed Checking if LDAP authorization has been enabled by configuration... [OK] LDAP authorization enabled Parsing LDAP query template.. [OK] LDAP query configuration template appears valid Executing query against LDAP server... [OK] Successfully acquired the following roles: ...
Behavior
Starting in MongoDB 5.1, mongoldap
supports prefixing LDAP
server with srv:
and srv_raw:
.
If your connection string specifies "srv:<DNS_NAME>"
, mongoldap
verifies that "_ldap._tcp.gc._msdcs.<DNS_NAME>"
exists for SRV to
support Active Directory. If not found, mongoldap
verifies that
"_ldap._tcp.<DNS_NAME>"
exists for SRV. If an SRV record cannot be
found, mongoldap
warns you to use "srv_raw:<DNS_NAME>"
instead.
If your connection string specifies "srv_raw:<DNS_NAME>"
,
mongoldap
performs an SRV record lookup for "<DNS NAME>"
.
Options
--config=<filename>, -f=<filename>
Specifies a configuration file for runtime configuration options. The options are equivalent to the command-line configuration options. See Self-Managed Configuration File Options for more information.
mongoldap
uses any configuration options related to Self-Managed LDAP Proxy Authentication or LDAP Authorization on Self-Managed Deployments for testing LDAP authentication or authorization.Requires specifying
--user
. May accept--password
for testing LDAP authentication.Ensure the configuration file uses ASCII encoding. The
mongoldap
instance does not support configuration files with non-ASCII encoding, including UTF-8.
--user=<string>
Username for
mongoldap
to use when attempting LDAP authentication or authorization.
--password=<string>
Password of the
--user
formongoldap
to use when attempting LDAP authentication. Not required for LDAP authorization.
--ldapServers=<host1>:<port>,<host2>:<port>,...,<hostN>:<port>
The LDAP server against which the
mongoldap
authenticates users or determines what actions a user is authorized to perform on a given database. If the LDAP server specified has any replicated instances, you may specify the host and port of each replicated server in a comma-delimited list.If your LDAP infrastructure partitions the LDAP directory over multiple LDAP servers, specify one LDAP server or any of its replicated instances to
--ldapServers
. MongoDB supports following LDAP referrals as defined in RFC 4511 4.1.10. Do not use--ldapServers
for listing every LDAP server in your infrastructure.If unset,
mongoldap
cannot use LDAP authentication or authorization.
--ldapQueryUser=<string>
Available in MongoDB Enterprise only.
The identity with which
mongoldap
binds as, when connecting to or performing queries on an LDAP server.Only required if any of the following are true:
Using LDAP authorization.
Using an LDAP query for
username transformation
.The LDAP server disallows anonymous binds
You must use
--ldapQueryUser
with--ldapQueryPassword
.If unset,
mongoldap
will not attempt to bind to the LDAP server.Note
Windows MongoDB deployments can use
--ldapBindWithOSDefaults
instead of--ldapQueryUser
and--ldapQueryPassword
. You cannot specify both--ldapQueryUser
and--ldapBindWithOSDefaults
at the same time.
Available in MongoDB Enterprise only.
The password used to bind to an LDAP server when using
--ldapQueryUser
. You must use --ldapQueryPassword
with
--ldapQueryUser
.
If not set, mongoldap
does not attempt to bind to the LDAP server.
You can configure this setting on a running mongoldap
using
setParameter
.
The ldapQueryPassword
setParameter
command accepts either a
string or an array of strings. If ldapQueryPassword
is set to an array,
MongoDB tries each password in order until one succeeds. Use a password array
to roll over the LDAP account password without downtime.
Note
Windows MongoDB deployments can use --ldapBindWithOSDefaults
instead of --ldapQueryUser
and --ldapQueryPassword
.
You cannot specify both --ldapQueryPassword
and
--ldapBindWithOSDefaults
at the same time.
--ldapBindWithOSDefaults=<bool>
Default: false
Available in MongoDB Enterprise for the Windows platform only.
Allows
mongoldap
to authenticate, or bind, using your Windows login credentials when connecting to the LDAP server.Only required if:
Using LDAP authorization.
Using an LDAP query for
username transformation
.The LDAP server disallows anonymous binds
Use
--ldapBindWithOSDefaults
to replace--ldapQueryUser
and--ldapQueryPassword
.
--ldapBindMethod=<string>
Default: simple
Available in MongoDB Enterprise only.
The method
mongoldap
uses to authenticate to an LDAP server. Use with--ldapQueryUser
and--ldapQueryPassword
to connect to the LDAP server.--ldapBindMethod
supports the following values:ValueDescriptionsimple
mongoldap
uses simple authentication.sasl
mongoldap
uses SASL protocol for authentication.If you specify
sasl
, you can configure the available SASL mechanisms using--ldapBindSaslMechanisms
.mongoldap
defaults to usingDIGEST-MD5
mechanism.
--ldapBindSaslMechanisms=<string>
Default: DIGEST-MD5
Available in MongoDB Enterprise only.
A comma-separated list of SASL mechanisms
mongoldap
can use when authenticating to the LDAP server. Themongoldap
and the LDAP server must agree on at least one mechanism. Themongoldap
dynamically loads any SASL mechanism libraries installed on the host machine at runtime.Install and configure the appropriate libraries for the selected SASL mechanism(s) on both the
mongoldap
host and the remote LDAP server host. Your operating system may include certain SASL libraries by default. Defer to the documentation associated with each SASL mechanism for guidance on installation and configuration.If using the
GSSAPI
SASL mechanism for use with Kerberos Authentication on Self-Managed Deployments, verify the following for themongoldap
host machine:Linux
The
KRB5_CLIENT_KTNAME
environment variable resolves to the name of the client Linux Keytab Files for the host machine. For more on Kerberos environment variables, please defer to the Kerberos documentation.The client keytab includes a User Principal for the
mongoldap
to use when connecting to the LDAP server and execute LDAP queries.
Windows
- If connecting to an Active Directory server, the Windows
Kerberos configuration automatically generates a
Ticket-Granting-Ticket
when the user logs onto the system. Set
--ldapBindWithOSDefaults
totrue
to allowmongoldap
to use the generated credentials when connecting to the Active Directory server and execute queries.
Set
--ldapBindMethod
tosasl
to use this option.Note
For a complete list of SASL mechanisms see the IANA listing. Defer to the documentation for your LDAP or Active Directory service for identifying the SASL mechanisms compatible with the service.
MongoDB is not a source of SASL mechanism libraries, nor is the MongoDB documentation a definitive source for installing or configuring any given SASL mechanism. For documentation and support, defer to the SASL mechanism library vendor or owner.
For more information on SASL, defer to the following resources:
For Linux, please see the Cyrus SASL documentation.
For Windows, please see the Windows SASL documentation.
--ldapTransportSecurity=<string>
Default: tls
Available in MongoDB Enterprise only.
By default,
mongoldap
creates a TLS/SSL secured connection to the LDAP server.For Linux deployments, you must configure the appropriate TLS Options in
/etc/openldap/ldap.conf
file. Your operating system's package manager creates this file as part of the MongoDB Enterprise installation, via thelibldap
dependency. See the documentation forTLS Options
in the ldap.conf OpenLDAP documentation for more complete instructions.For Windows deployment, you must add the LDAP server CA certificates to the Windows certificate management tool. The exact name and functionality of the tool may vary depending on operating system version. Please see the documentation for your version of Windows for more information on certificate management.
Set
--ldapTransportSecurity
tonone
to disable TLS/SSL betweenmongoldap
and the LDAP server.Warning
Setting
--ldapTransportSecurity
tonone
transmits plaintext information and possibly credentials betweenmongoldap
and the LDAP server.
--ldapTimeoutMS=<int>
Default: 10000
Available in MongoDB Enterprise only.
The amount of time in milliseconds
mongoldap
should wait for an LDAP server to respond to a request.Increasing the value of
--ldapTimeoutMS
may prevent connection failure between the MongoDB server and the LDAP server, if the source of the failure is a connection timeout. Decreasing the value of--ldapTimeoutMS
reduces the time MongoDB waits for a response from the LDAP server.
--ldapUserToDNMapping=<string>
Available in MongoDB Enterprise only.
Maps the username provided to
mongoldap
for authentication to a LDAP Distinguished Name (DN). You may need to use--ldapUserToDNMapping
to transform a username into an LDAP DN in the following scenarios:Performing LDAP authentication with simple LDAP binding, where users authenticate to MongoDB with usernames that are not full LDAP DNs.
Using an
LDAP authorization query template
that requires a DN.Transforming the usernames of clients authenticating to Mongo DB using different authentication mechanisms (e.g. x.509, kerberos) to a full LDAP DN for authorization.
--ldapUserToDNMapping
expects a quote-enclosed JSON-string representing an ordered array of documents. Each document contains a regular expressionmatch
and either asubstitution
orldapQuery
template used for transforming the incoming username.Each document in the array has the following form:
{ match: "<regex>" substitution: "<LDAP DN>" | ldapQuery: "<LDAP Query>" } FieldDescriptionExamplematch
An ECMAScript-formatted regular expression (regex) to match against a provided username. Each parenthesis-enclosed section represents a regex capture group used by
substitution
orldapQuery
."(.+)ENGINEERING"
"(.+)DBA"
substitution
An LDAP distinguished name (DN) formatting template that converts the authentication name matched by the
match
regex into a LDAP DN. Each curly bracket-enclosed numeric value is replaced by the corresponding regex capture group extracted from the authentication username via thematch
regex.The result of the substitution must be an RFC4514 escaped string.
"cn={0},ou=engineering, dc=example,dc=com"
ldapQuery
A LDAP query formatting template that inserts the authentication name matched by the
match
regex into an LDAP query URI encoded respecting RFC4515 and RFC4516. Each curly bracket-enclosed numeric value is replaced by the corresponding regex capture group extracted from the authentication username via thematch
expression.mongoldap
executes the query against the LDAP server to retrieve the LDAP DN for the authenticated user.mongoldap
requires exactly one returned result for the transformation to be successful, ormongoldap
skips this transformation."ou=engineering,dc=example, dc=com??one?(user={0})"
Note
For each document in the array, you must use either
substitution
orldapQuery
. You cannot specify both in the same document.When performing authentication or authorization,
mongoldap
steps through each document in the array in the given order, checking the authentication username against thematch
filter. If a match is found,mongoldap
applies the transformation and uses the output for authenticating the user.mongoldap
does not check the remaining documents in the array.If the given document does not match the provided authentication name,
mongoldap
continues through the list of documents to find additional matches. If no matches are found in any document, or the transformation the document describes fails,mongoldap
returns an error.mongoldap
also returns an error if one of the transformations cannot be evaluated due to networking or authentication failures to the LDAP server.mongoldap
rejects the connection request and does not check the remaining documents in the array.Starting in MongoDB 5.0,
--ldapUserToDNMapping
accepts an empty string""
or empty array[ ]
in place of a mapping documnent. If providing an empty string or empty array to--ldapUserToDNMapping
, MongoDB will map the authenticated username as the LDAP DN. Previously, providing an empty mapping document would cause mapping to fail.Example
The following shows two transformation documents. The first document matches against any string ending in
@ENGINEERING
, placing anything preceeding the suffix into a regex capture group. The second document matches against any string ending in@DBA
, placing anything preceeding the suffix into a regex capture group.Important
You must pass the array to --ldapUserToDNMapping as a string.
"[ { match: "(.+)@ENGINEERING.EXAMPLE.COM", substitution: "cn={0},ou=engineering,dc=example,dc=com" }, { match: "(.+)@DBA.EXAMPLE.COM", ldapQuery: "ou=dba,dc=example,dc=com??one?(user={0})" } ]" A user with username
alice@ENGINEERING.EXAMPLE.COM
matches the first document. The regex capture group{0}
corresponds to the stringalice
. The resulting output is the DN"cn=alice,ou=engineering,dc=example,dc=com"
.A user with username
bob@DBA.EXAMPLE.COM
matches the second document. The regex capture group{0}
corresponds to the stringbob
. The resulting output is the LDAP query"ou=dba,dc=example,dc=com??one?(user=bob)"
.mongoldap
executes this query against the LDAP server, returning the result"cn=bob,ou=dba,dc=example,dc=com"
.If
--ldapUserToDNMapping
is unset,mongoldap
applies no transformations to the username when attempting to authenticate or authorize a user against the LDAP server.
--ldapAuthzQueryTemplate=<string>
Available in MongoDB Enterprise only.
A relative LDAP query URL formatted conforming to RFC4515 and RFC4516 that
mongoldap
executes to obtain the LDAP groups to which the authenticated user belongs to. The query is relative to the host or hosts specified in--ldapServers
.In the URL, you can use the following substituion tokens:
Substitution TokenDescription{USER}
Substitutes the authenticated username, or the
transformed
username if ausername mapping
is specified.{PROVIDED_USER}
Substitutes the supplied username, i.e. before either authentication or
LDAP transformation
.When constructing the query URL, ensure that the order of LDAP parameters respects RFC4516:
[ dn [ ? [attributes] [ ? [scope] [ ? [filter] [ ? [Extensions] ] ] ] ] ] If your query includes an attribute,
mongoldap
assumes that the query retrieves a the DNs which this entity is member of.If your query does not include an attribute,
mongoldap
assumes the query retrieves all entities which the user is member of.For each LDAP DN returned by the query,
mongoldap
assigns the authorized user a corresponding role on theadmin
database. If a role on the on theadmin
database exactly matches the DN,mongoldap
grants the user the roles and privileges assigned to that role. See thedb.createRole()
method for more information on creating roles.Example
This LDAP query returns any groups listed in the LDAP user object's
memberOf
attribute."{USER}?memberOf?base" Your LDAP configuration may not include the
memberOf
attribute as part of the user schema, may possess a different attribute for reporting group membership, or may not track group membership through attributes. Configure your query with respect to your own unique LDAP configuration.If unset,
mongoldap
cannot authorize users using LDAP.