
mongocli atlas security ldap save


The security ldap save command configures Atlas to use your own Lightweight Directory Access Protocol (LDAP) server to authenticate and authorize MongoDB users. A single LDAP over TLS configuration applies to all clusters in a project.

You can also configure user authentication and authorization with LDAP using the Atlas UI and API.

You can run the mongocli atlas security ldap verify command to verify the LDAP configuration. If the LDAP configuration status is Pending, you can watch for the configuration request to complete using the mongocli atlas security ldap verify status watch command.

Syntax

mongocli atlas security ldap save|create|update
--authenticationEnabled true|false
[ --authorizationEnabled true|false ]
[ --authzQueryTemplate <LDAP-query-template> ]
--bindPassword <bind-password>
--bindUsername <bind-username>
[ --caCertificate <CA-certificate> ]
--hostname <LDAP-server-hostname>
[ --output|-o <output-format> ]
[ --port ]
[ --profile|-P <name-of-profile> ]
[ --projectId <id-of-project> ]

Note

Use -h or --help to view the command-line help for this command.

Options

Each option is listed with its type and whether it is required.

--authenticationEnabled (string, required)
Flag to enable or disable user authentication with LDAP. Valid values are:

  • true to enable user authentication with LDAP

  • false to disable user authentication with LDAP

--authorizationEnabled (string, optional)
Flag to enable or disable user authorization with LDAP. Valid values are:

  • true to enable user authorization with LDAP

  • false to disable user authorization with LDAP

To enable user authorization with LDAP, you must also enable user authentication with LDAP.

--authzQueryTemplate (string, optional)
LDAP query template to execute to obtain the LDAP groups to which the authenticated user belongs. The query is relative to the host specified with the --hostname option.

The query format must conform to RFC 4515 and RFC 4516. Use the {USER} placeholder in the URL to substitute the authenticated username.

If omitted, defaults to the following:

{USER}?memberOf?base

Atlas uses this for user authorization only. Specify an empty string to delete a previously assigned value. For example:

--authzQueryTemplate ""

--bindPassword (string, required)
Password to use to authenticate the bindUsername.

--bindUsername (string, required)
User distinguished name (DN) to use to connect to the LDAP server. Value must be the full DN, such as CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com.

--caCertificate (string, optional)
CA certificate to use to verify the identity of the LDAP server. Atlas accepts self-signed certificates.

Specify an empty string to delete a previously assigned value. For example:

--caCertificate ""

--hostname (string, required)
Hostname or IP address of the LDAP server. The server must be accessible from the public internet or peered to your Atlas cluster with Network Peering.

--output, -o (string, optional)
Command output format. Valid values are:

  • json for output in JSON format

  • go-template for custom output using the Go template

  • go-template-file for custom output specified using Go template file

If omitted, the command returns output in the default format.

--port (int, optional)
Port on which the LDAP server listens for client connections. If omitted, defaults to 636.

--profile, -P (string, optional)
Name of the profile to use for accessing the Atlas project. If omitted, uses the default profile.

--projectId (string, required)
Unique identifier of the project. If omitted, uses the project ID in the profile or environment variable.
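The constraints above (authorization only with authentication, a full DN for --bindUsername, the {USER} placeholder in --authzQueryTemplate, an empty string meaning "delete the stored value", port 636 by default) are easy to get wrong in automation. The following wrapper is an added example, not MongoDB's own code: it checks those constraints locally and then invokes the save command. It assumes the binary is named by MONGOCLI (default mongocli) and that the bind password is supplied through the LDAP_BIND_PASSWORD environment variable rather than typed into the command line; both conventions are this example's, not the page's.

```bash
#!/bin/sh
# Added example, not MongoDB's code: wrapper around
# "mongocli atlas security ldap save" that enforces the option constraints
# documented on this page before the CLI is called.
# Assumptions (not from the page): MONGOCLI names the binary (default mongocli)
# and the bind password is read from LDAP_BIND_PASSWORD so it does not sit in
# scripts or shell history.

MONGOCLI="${MONGOCLI:-mongocli}"

# Return 0 when $1 looks like a full DN (at least two attribute=value parts).
is_full_dn() {
    case "$1" in
        *=*,*=*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when $1 is an acceptable --authzQueryTemplate value: empty (which
# deletes the stored template) or a template containing the {USER} placeholder.
is_valid_authz_template() {
    case "$1" in
        '')         return 0 ;;
        *'{USER}'*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Check one set of options. Prints the first problem found and returns 1.
# Arguments: authn authz host bind_dn port template
check_ldap_options() {
    case "$1" in true|false) ;; *) echo "authenticationEnabled must be true or false"; return 1 ;; esac
    case "$2" in true|false) ;; *) echo "authorizationEnabled must be true or false"; return 1 ;; esac
    if [ "$2" = true ] && [ "$1" != true ]; then
        echo "authorization requires authentication to be enabled"; return 1
    fi
    [ -n "$3" ] || { echo "hostname is required"; return 1; }
    is_full_dn "$4" || { echo "bindUsername must be a full DN"; return 1; }
    case "$5" in ''|*[!0-9]*) echo "port must be an integer"; return 1 ;; esac
    { [ "$5" -ge 1 ] && [ "$5" -le 65535 ]; } || { echo "port out of range"; return 1; }
    is_valid_authz_template "$6" || { echo "authzQueryTemplate must contain {USER} or be empty"; return 1; }
    return 0
}

# Validate, then run the save command.
# Arguments: authn authz host bind_dn [port] [template]
# --port defaults to 636 (LDAP over TLS). --authzQueryTemplate is passed only
# when a sixth argument is given; an empty sixth argument deletes the template.
ldap_save() {
    argc=$#
    authn=$1; authz=$2; host=$3; bind_dn=$4; port=${5:-636}; template=${6-}
    check_ldap_options "$authn" "$authz" "$host" "$bind_dn" "$port" "$template" || return 1
    [ -n "${LDAP_BIND_PASSWORD:-}" ] || { echo "LDAP_BIND_PASSWORD is not set"; return 1; }
    set -- atlas security ldap save \
        --authenticationEnabled "$authn" \
        --authorizationEnabled "$authz" \
        --hostname "$host" \
        --port "$port" \
        --bindUsername "$bind_dn" \
        --bindPassword "$LDAP_BIND_PASSWORD"
    if [ "$argc" -ge 6 ]; then
        set -- "$@" --authzQueryTemplate "$template"
    fi
    "$MONGOCLI" "$@"
}
```

Usage: `LDAP_BIND_PASSWORD=... ldap_save true true ldap.example.com "CN=BindUser,CN=Users,DC=example,DC=com"` saves with the default port and template; adding `636 ""` as the fifth and sixth arguments deletes a previously stored query template. Setting `MONGOCLI=echo` prints the argument list without contacting Atlas, which is a convenient dry run before the real call.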

Output

If the command succeeds, it returns the following output in the default format. If the command returns errors, see Troubleshooting for recommended solutions.

HOSTNAME PORT AUTHENTICATION AUTHORIZATION
<LDAP-server-hostname> <port-number> true|false true|false

The default output contains a subset of the fields returned by this command. For the complete list of JSON fields returned by the command, see the API reference.

Example

The following example uses the mongocli atlas security ldap save command to configure an LDAP server to authenticate and authorize MongoDB users. The command uses the default profile for accessing the Atlas project.

mongocli atlas security ldap save --authenticationEnabled true --authorizationEnabled true --hostname atlas-ldaps-01.ldap.myteam.com --bindUsername "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com" --bindPassword changeMe

The previous command prints the following to the terminal:

HOSTNAME PORT AUTHENTICATION AUTHORIZATION
atlas-ldaps-01.ldap.myteam.com 636 true true

The same command with the --output json option returns the full set of fields:

mongocli atlas security ldap save --authenticationEnabled true --authorizationEnabled true --hostname atlas-ldaps-01.ldap.myteam.com --bindUsername "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com" --bindPassword changeMe --output json

The previous command prints the following fields to the terminal:

{
  "ldap": {
    "authenticationEnabled": true,
    "authorizationEnabled": true,
    "hostname": "atlas-ldaps-01.ldap.myteam.com",
    "port": 636,
    "bindUsername": "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com"
  }
}
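In a deployment script the output above is worth checking rather than just reading: the table line confirms the hostname, TLS port and the two flags that were actually stored, and the JSON output shows that only bindUsername is returned, never the bind password. The functions below are an added example, not MongoDB's code; the two sample outputs are constructed copies of the page's example output, and the helpers only understand the flat shapes shown on this page.

```bash
#!/bin/sh
# Added example, not MongoDB's code: checks on the output of
# "mongocli atlas security ldap save", in both the default table format and
# the --output json format shown on this page. The sample outputs below are
# constructed copies of the page's example output.

SAMPLE_TABLE='HOSTNAME PORT AUTHENTICATION AUTHORIZATION
atlas-ldaps-01.ldap.myteam.com 636 true true'

SAMPLE_JSON='{
  "ldap": {
    "authenticationEnabled": true,
    "authorizationEnabled": true,
    "hostname": "atlas-ldaps-01.ldap.myteam.com",
    "port": 636,
    "bindUsername": "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com"
  }
}'

# Print column $2 of the data line of the default table output in $1.
# Columns: 1 HOSTNAME, 2 PORT, 3 AUTHENTICATION, 4 AUTHORIZATION.
ldap_table_col() {
    printf '%s\n' "$1" | awk -v col="$2" 'NR == 2 { print $col }'
}

# Return 0 when the default output $1 reports hostname $2, port $3,
# authentication $4 and authorization $5, i.e. exactly the settings requested.
ldap_output_matches() {
    [ "$(ldap_table_col "$1" 1)" = "$2" ] &&
    [ "$(ldap_table_col "$1" 2)" = "$3" ] &&
    [ "$(ldap_table_col "$1" 3)" = "$4" ] &&
    [ "$(ldap_table_col "$1" 4)" = "$5" ]
}

# Return 0 when key $2 appears in the JSON output $1. Used here to confirm
# that the bind password is not echoed back (only bindUsername is returned).
json_has_key() {
    printf '%s\n' "$1" | grep -q "\"$2\":"
}
```

Usage in a script: `ldap_output_matches "$(mongocli atlas security ldap save ...)" atlas-ldaps-01.ldap.myteam.com 636 true true || exit 1` fails the run if the stored settings differ from the requested ones. This only confirms what Atlas stored; whether the LDAP server is actually reachable and the bind works is what mongocli atlas security ldap verify reports. For anything beyond the flat JSON shown here, pipe the --output json result through jq instead of grep.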
