MongoDB Notes

Authentication with LDAP
Mongo Authentication - Replica Set

Client Authentication: LDAP
Internal Authentication: Keyfile
Operating System: Linux

In this procedure, you will configure a MongoDB replica set with three members that uses LDAP authentication for clients and keyfile authentication among the members. LDAP authentication is available only in the Enterprise Edition of MongoDB. This procedure does not use the saslauthd utility; mongod talks to the LDAP server through the operating system's LDAP libraries instead.

 

Prerequisites

Set up a virtual machine running the LDAP server, with users added to the directory.

Start this virtual machine.

Generate a keyfile.

Configure the replica set and add a user with the root role.

 

Procedure

 

1. Create three configuration files that specify LDAP authentication. (See the example configuration file with authentication below.)

2. Restart the mongod members without authentication.

mongod -f init1.yaml
mongod -f init2.yaml
mongod -f init3.yaml

3. Log into the primary member with the MongoDB shell.

mongo --port 31210 --host mongodb.waysysweb.us.com

Note: Be sure to log into the primary member of the replica set.

4. Authenticate with these commands:

use admin
db.auth('userAdmin', 'badges')

 

5. Create a user administrator role in MongoDB whose name is the distinguished name of the corresponding group in LDAP.

use admin
var rl = {role: "cn=SecOff,ou=Groups,dc=waysysweb,dc=us,dc=com", privileges: [], roles: [{role: "userAdminAnyDatabase", db: "admin"}] }
db.createRole(rl)

 

6. Shut down the mongod members with the command: killall mongod

7. Restart the members with the authentication configuration files.

mongod -f cc1.yaml --auth
mongod -f cc2.yaml --auth
mongod -f cc3.yaml --auth

 

8. Log into the MongoDB shell:

mongo --port 31210 --host mongodb.waysysweb.us.com

9. Authenticate to MongoDB using the $external database. The mechanism attribute must be set to "PLAIN".

db.getSiblingDB("$external").auth(
  {
    mechanism: "PLAIN",
    user: "uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com",
    pwd: "secret",
    digestPassword: false
  }
)

 

Testing the LDAP Configuration

 

You can check the configuration of MongoDB to use LDAP by using the mongoldap command, where cc1.yaml is a mongod configuration file.  Use the full distinguished name of a user in the LDAP directory.

 

mongoldap --config cc1.yaml --user 'uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com' --password secret

 

Issues

 

In this example, you are not transforming user names, so you must use the full distinguished name of the user when logging in.

 

Example Configuration File With Authentication

 

systemLog:
  destination: file
  path: /home/vagrant/data/r0/mongodb.log
storage:
  dbPath: /home/vagrant/data/r0
processManagement:
  fork: true
security:
  clusterAuthMode: keyFile
  keyFile: /home/vagrant/mk
  ldap:
    servers: "ldap.waysysweb.us.com:389"
    authz:
      queryTemplate: "dc=waysysweb,dc=us,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
    bind:
      queryUser: "cn=admin,dc=waysysweb,dc=us,dc=com"
      queryPassword: "jamaica"
      method: "simple"
    transportSecurity: none
net:
  bindIp: mongodb.waysysweb.us.com
  port: 31210
replication:
  replSetName: repl
setParameter:
  authenticationMechanisms: PLAIN
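To show how the pieces above fit together (the PLAIN login to $external in step 9, the role named after the group DN in step 5, the authz.queryTemplate in the configuration file, and the full-DN requirement noted under Issues), here is an added Python simulation of MongoDB's LDAP authentication and authorization flow. It is example code written for these notes, not MongoDB's implementation: the directory contents, the second user uid=bsmith and the password values are constructed; the in-memory search supports only the filter shape used by this template; and the mapping rule format (match/substitution) follows the MongoDB security.ldap.userToDNMapping setting, which the configuration above does not use.

```python
"""Simulation of MongoDB's LDAP authentication/authorization flow.

Constructed example for these notes (not MongoDB's code): a tiny in-memory
directory, the page's authz.queryTemplate and the role created in step 5,
used to show how a PLAIN login against $external turns into MongoDB roles.
"""
import hmac
import re

# Constructed directory contents: DN -> attributes. Stands in for the LDAP VM.
DIRECTORY = {
    "uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com": {
        "objectClass": ["inetOrgPerson"], "userPassword": "secret"},
    "uid=bsmith,ou=Users,dc=waysysweb,dc=us,dc=com": {        # constructed user
        "objectClass": ["inetOrgPerson"], "userPassword": "hunter2"},
    "cn=SecOff,ou=Groups,dc=waysysweb,dc=us,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com"]},
}

# Roles created with db.createRole() in admin (step 5): the role name IS the group DN.
MONGO_ROLES = {
    "cn=SecOff,ou=Groups,dc=waysysweb,dc=us,dc=com":
        [{"role": "userAdminAnyDatabase", "db": "admin"}],
}

# security.ldap.authz.queryTemplate from the example configuration file.
QUERY_TEMPLATE = ("dc=waysysweb,dc=us,dc=com??sub?"
                  "(&(objectClass=groupOfNames)(member={USER}))")


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def unescape_filter_value(value):
    """Reverse of escape_filter_value for the simulated server side."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_ldap_url(url):
    """Split an RFC 4516 style query 'base?attrs?scope?filter' into its parts."""
    parts = url.split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, flt = parts[:4]
    return {"base": base, "attributes": attrs, "scope": scope or "base", "filter": flt}


def expand_template(template, user_dn):
    """Substitute the authenticated user's DN for {USER}, escaped for the filter."""
    return template.replace("{USER}", escape_filter_value(user_dn))


def search_groups(query):
    """Evaluate an (&(objectClass=X)(member=DN)) filter against DIRECTORY."""
    q = parse_ldap_url(query)
    m = re.fullmatch(r"\(&\(objectClass=([^)]+)\)\(member=(.+)\)\)", q["filter"])
    if not m:
        raise ValueError("filter shape not supported by this simulation")
    object_class, member = m.group(1), unescape_filter_value(m.group(2))
    hits = []
    for dn, attrs in DIRECTORY.items():
        if q["scope"] == "base" and dn != q["base"]:
            continue
        if q["scope"] == "sub" and not dn.endswith(q["base"]):
            continue
        if object_class in attrs.get("objectClass", []) and member in attrs.get("member", []):
            hits.append(dn)
    return hits


def map_user_to_dn(username, user_to_dn_mapping=None):
    """Apply userToDNMapping-style rules; with none, the name is used verbatim (Issues section)."""
    for rule in user_to_dn_mapping or []:
        m = re.fullmatch(rule["match"], username)
        if m:
            return rule["substitution"].format(*m.groups())   # {0} = first capture group
    return username


def authenticate(username, password, user_to_dn_mapping=None):
    """PLAIN login against $external followed by the authz group query.

    Returns None on a failed login, otherwise the DN, matched groups and MongoDB roles.
    """
    dn = map_user_to_dn(username, user_to_dn_mapping)
    entry = DIRECTORY.get(dn)
    if entry is None or not hmac.compare_digest(entry.get("userPassword", ""), password):
        return None
    groups = search_groups(expand_template(QUERY_TEMPLATE, dn))
    roles = [r for g in groups for r in MONGO_ROLES.get(g, [])]
    return {"dn": dn, "groups": groups, "roles": roles}


if __name__ == "__main__":
    print(authenticate("uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com", "secret"))
    print(authenticate("ajones", "secret"))  # no mapping: bare user name is not a DN
    MAPPING = [{"match": "(.+)", "substitution": "uid={0},ou=Users,dc=waysysweb,dc=us,dc=com"}]
    print(authenticate("ajones", "secret", MAPPING))
```

Running the script prints the three outcomes that matter in practice: a full DN with the right password yields the role list mapped from the SecOff group; the bare user name ajones fails without a mapping rule, which is the situation described under Issues; and with a mapping rule the short name resolves to the same DN. A user who authenticates but belongs to no group whose DN was created as a role gets an empty role list, so a missing or misspelled db.createRole() name shows up as "authenticated but unauthorized" rather than as a login failure. The simulation ignores transport: with transportSecurity: none and the PLAIN mechanism, as in the configuration above, both the queryPassword and user passwords cross the network unencrypted unless the links are protected by other means.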

 

References

 

LDAP Proxy Authentication

Authorization Using LDAP