LDAP Proxy Authority Authentication
MongoDB Enterprise supports proxy authentication through a Lightweight Directory Access Protocol (LDAP) service.
Considerations
MongoDB Enterprise for Windows does not include LDAP support for authentication. However, MongoDB Enterprise for Linux supports using LDAP authentication with an Active Directory server.
MongoDB does not support LDAP authentication in mixed sharded cluster deployments that contain both version 2.4 and version 2.6 shards. See Upgrade MongoDB to 2.6 for upgrade instructions.
Use secure encrypted or trusted connections between clients and the server, as well as between saslauthd and the LDAP server. The LDAP server uses the SASL PLAIN mechanism, sending and receiving data in plain text. You should use only a trusted channel such as a VPN, a connection encrypted with TLS/SSL, or a trusted wired network.
MongoDB Configuration
To configure the MongoDB server to use the LDAP authentication mechanism, use the following command line options:
- --auth to enable access control,
- --authenticationMechanisms set to PLAIN, and
- --saslauthdPath set to the path to the Unix-domain socket of the saslauthd instance.
Or, if using the YAML configuration file, use the following settings:
- security.authorization set to enabled,
- setParameter.authenticationMechanisms set to PLAIN, and
- setParameter.saslauthdPath set to the path to the Unix-domain socket of the saslauthd instance.
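The following check is an added example, not part of the MongoDB documentation: it audits a YAML configuration file for the three settings listed above and, because PLAIN carries the password in clear text, also flags a file that does not require TLS/SSL on the client side. The sample configurations and the socket path are constructed, net.ssl.mode is a MongoDB 2.6 setting that this page does not mention, and the small parser handles nested mappings only.

```python
import re
# Constructed sample configs (not from the MongoDB docs); the socket path is an assumption.
WEAK = """\
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: PLAIN
"""
HARDENED = WEAK + """\
  saslauthdPath: /var/run/saslauthd/mux
net:
  ssl:
    mode: requireSSL
"""

def flatten(text):
    """Flatten a mappings-only YAML file into {'a.b.c': 'value'} (no lists, no quoting rules)."""
    out, stack = {}, []                      # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()   # drop trailing comments
        m = re.match(r"^(\s*)([^:#\s][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip("'\" ")
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # leave mappings that ended at this indent
        if value:
            out[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return out

def audit(text):
    """Return findings for the LDAP proxy settings; an empty list means none."""
    cfg, findings = flatten(text), []
    if cfg.get("security.authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    mechs = [m.strip() for m in cfg.get("setParameter.authenticationMechanisms", "").split(",")]
    if "PLAIN" not in mechs:
        findings.append("setParameter.authenticationMechanisms does not include PLAIN")
    if not cfg.get("setParameter.saslauthdPath", "").startswith("/"):
        findings.append("setParameter.saslauthdPath is not an absolute socket path")
    if "PLAIN" in mechs and cfg.get("net.ssl.mode") != "requireSSL":
        findings.append("PLAIN sends passwords in clear text; net.ssl.mode is not requireSSL")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

A finding on net.ssl.mode is acceptable only where another trusted channel (VPN or trusted wired network) is in place; the connection between saslauthd and the LDAP server is configured outside this file and has to be reviewed separately.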
LDAP User
In order to authenticate a user with the LDAP authentication mechanism, add a corresponding user to the $external database. You do not need to save the user’s password in MongoDB.
The $external database is the authentication database for the LDAP user. To authenticate the LDAP user, you must authenticate against the $external database. When authenticating, specify PLAIN for the authentication mechanism.
LDAP authentication requires that MongoDB forward the user’s password in plain text. As such, you must specify digestPassword set to false during authentication.
Additional Information
For information on configuring MongoDB to use LDAP and authenticating users using LDAP, see: