自管理LDAP代理身份验证
在此页面上
MongoDB Enterprise supports proxying authentication requests to a Lightweight Directory Access Protocol (LDAP) service.
MongoDB supports simple and SASL binding to LDAP servers:
Via | 说明 |
|---|---|
Operating system libraries | MongoDB supports binding to an LDAP server via operating system libraries. This allows MongoDB servers on Linux and Windows to use an LDAP server for authentication. In earlier versions, MongoDB on Microsoft Windows cannot connect to LDAP servers. |
| MongoDB servers on Linux supports binding to an LDAP server via
the Not available for MongoDB on Windows. |
Considerations
A full description of LDAP is beyond the scope of this documentation. This page assumes prior knowledge of LDAP.
This documentation only describes MongoDB LDAP authentication, and does not replace other resources on LDAP. We encourage you to thoroughly familiarize yourself with LDAP and its related subject matter before configuring LDAP authentication.
MongoDB can provide professional services for optimal configuration of LDAP authentication for your MongoDB deployment.
连接池
When connecting to the LDAP server for authentication/authorization, MongoDB, by default:
Uses connection pooling if run:
on Windows or
on Linux where MongoDB Enterprise binaries are linked against libldap_r.
Does not use connection pooling if run:
on Linux where MongoDB Enterprise binaries are linked against libldap.
To change the connection pooling behavior, update the
ldapUseConnectionPool parameter.
saslauthd and Directory Permissions
重要
为 security.sasl.saslauthdSocketPath 或 --setParameter saslauthdPath 指定的 saslauthd Unix 域套接字文件的父目录必须授予以下任一项读取和执行 (r-x) 的权限:
如果没有指定 saslauthd 目录及其内容的权限,mongod 或 mongos 无法通过 saslauthd 成功进行身份验证。
libldap 和 libldap_r
对于与 libldap 链接的 MongoDB 4.2 企业版二进制文件(例如在 RHEL 上运行时),对 libldap 的访问是同步进行的,会产生一些性能/延迟成本。
对于链接到 libldap_r MongoDB 4.2 Enterprise 二进制文件,与早期 MongoDB 版本相比,行为没有变化。
Managing LDAP Users on the MongoDB server
When using LDAP authentication without LDAP authorization, user management requires managing users both on
the LDAP server and the MongoDB server. For each user authenticating via
LDAP, MongoDB requires a user on the $external database whose name
exactly matches the authentication username. Changes to a user on the
LDAP server may require changes to the corresponding MongoDB
$external user.
要将 客户端会话和因果一致性保证 与 $external 身份验证用户(Kerberos、LDAP 或 X.509 用户)结合使用,用户名不能大于 10k 字节。
例子
A user authenticates as sam@dba.example.com. The MongoDB server
binds to the LDAP server and authenticates the user, respecting any
username transformations.
On successful authentication, the MongoDB server then checks the
$external database for a user sam@dba.example.com and
grants the authenticated user the roles and privileges associated to
that user.
To manage users on the MongoDB server, you must authenticate as an LDAP user
whose corresponding MongoDB $external user has user administrative
privileges on the $external database, such as those provided by
userAdmin.
重要
If no $external users have user administrative privileges on
$external database, you cannot perform user management for LDAP
authentication. This scenario may occur if you configure users prior to
enabling LDAP authentication, but do not create the appropriate user
administrators.
Managing existing non-LDAP users
If there are existing users not on the $external database, you must meet
the following requirements for each user to ensure continued access:
User has a corresponding user object on the LDAP server
User exists on the
$externaldatabase with equivalent roles and privileges
If you want to continue allowing access by users not on the
$external database, you must configure setParameter
authenticationMechanisms to include SCRAM-SHA-1 and/or
SCRAM-SHA-256 as appropriate. Users must then specify
--authenticationMechanism SCRAM-SHA-1 or
SCRAM-SHA-256 when authenticating.
Deploying LDAP authentication on a replica set
For replica sets, configure LDAP authentication on secondary and arbiter members first before configuring the primary. This also applies to shard replica sets, or config server replica sets. Configure one replica set member at a time to maintain a majority of members for write availability.
Deploying LDAP authentication on a sharded cluster
In sharded clusters, you must configure LDAP
authentication on the config servers and each
mongos for cluster-level users. You can optionally configure LDAP
authorization on each shard for shard-local users.
LDAP Authentication via the Operating System LDAP libraries
The LDAP authentication via OS libraries process is summarized below:
A client authenticates to MongoDB, providing a user's credentials.
If the username requires mapping to an LDAP DN prior to binding against the LDAP server, MongoDB can apply transformations based on the configured
security.ldap.userToDNMappingsetting.MongoDB binds to an LDAP server specified in
security.ldap.serversusing the provided username or, if a transformation was applied, the transformed username.MongoDB uses simple binding by default, but can also use
saslbinding if configured insecurity.ldap.bind.methodandsecurity.ldap.bind.saslMechanisms.If a transformation requires querying the LDAP server, or if the LDAP server disallows anonymous binds, MongoDB uses the username and password specified to
security.ldap.bind.queryUserandsecurity.ldap.bind.queryPasswordto bind to the LDAP server before attempting to authenticate the provided user credentials.The LDAP server returns the result of the bind attempt to MongoDB. On success, MongoDB attempts to authorize the user.
The MongoDB server attempts to map the username to a user on the
$externaldatabase, assigning the user any roles or privileges associated to a matching user. If MongoDB cannot find a matching user, authentication fails.The client can perform those actions for which MongoDB granted the authenticated user roles or privileges.
To use LDAP for authentication via operating system libraries, specify the
following settings as a part of your mongod or mongos
configuration file:
选项 | 说明 | 必需 |
|---|---|---|
Quote-enclosed comma-separated list of LDAP servers in You can prefix LDAP servers with If your connection string specifies If your connection string specifies | YES | |
Used to specify the method the Defaults to | NO, unless using | |
NO, unless setting | ||
The LDAP entity, identified by its distinguished name (DN) or SASL name, with which the MongoDB server authenticates, or binds, when connecting to an LDAP server. Use with The user specified must have the appropriate privileges to execute queries on the LDAP server. | NO, unless specifying a query as part of a
| |
The password used to authenticate to an LDAP server when using
| NO, unless specifying
| |
Windows MongoDB deployments can use the operating system credentials in
place of | NO, unless replacing | |
Clients may authenticate using a username whose format is incompatible
with the format expected by the configured
If you specify a | NO, unless client authenticate using usernames that require transformation. |
LDAP Authentication via saslauthd
警告
MongoDB Enterprise for Windows 不支持通过 saslauthd 绑定。
Considerations
Linux MongoDB 服务器支持通过
saslauthd守护进程绑定到 LDAP 服务器。在客户端和服务器之间以及
saslauthd和 LDAP 服务器之间使用安全加密或可信连接。LDAP 服务器使用SASL PLAIN机制,以明文形式发送和接收数据。您应该只使用可信通道,如 VPN、使用 TLS/SSL 加密的连接或可信有线网络。
配置
To configure the MongoDB server to bind to the LDAP server using via
saslauthd, start the mongod using either
the following command line options or the following configuration
file settings:
--authto enable access control,--setParameterwith theauthenticationMechanismsset toPLAIN, and--setParameterwith thesaslauthdPathparameter set to the path to the Unix-domain Socket of thesaslauthdinstance. Specify an empty string""to use the default Unix-domain socket path.
Include any other command line options required for your
deployment. For complete documentation on mongod
command line options, see mongod.
security.authorization设置为enabled,setParameterwith theauthenticationMechanismsparameter set toPLAIN, andsetParameterwith thesaslauthdPathset to the path to the Unix-domain Socket of the saslauthd instance. Specify an empty string""to use the default Unix-domain socket path.
Include any other configuration file settings required for your deployment. For complete documentation on configuration files, see YAML configuration file.
You need to create or update the saslauthd.conf file with the parameters
appropriate for your LDAP server. Documenting saslauthd.conf is out
of scope for this documentation.
重要
为 security.sasl.saslauthdSocketPath 或 --setParameter saslauthdPath 指定的 saslauthd Unix 域套接字文件的父目录必须授予以下任一项读取和执行 (r-x) 的权限:
如果没有指定 saslauthd 目录及其内容的权限,mongod 或 mongos 无法通过 saslauthd 成功进行身份验证。
The following tutorials provide basic
information on configuring saslauthd.conf to work with two popular
LDAP services:
Please see the documentation for saslauthd as well as your specific
LDAP service for guidance.
Connect to a MongoDB server via LDAP authentication
To authenticate to a MongoDB server via LDAP authentication, use
db.auth() on the $external database with the following
parameters:
选项 | 说明 |
|---|---|
| The username to authenticate as. |
| The password to authenticate with. |
| Set to |