
MongoDB Notes


Authorization Using LDAP


 

In this procedure, you configure MongoDB to use LDAP for authorization by creating a set of MongoDB roles whose names match the distinguished names of groups in your LDAP server.

 

Prerequisites

 

LDAP server is installed and configured.

Roles with privileges are defined. See this example.

Groups matching the roles are loaded into LDAP.

The MongoDB replica set has been configured and started with the appropriate external authentication.

LDAP access control allows anonymous user access to the RootDSE.

 

Procedure (Ubuntu)

 

1. Log into the primary member.

 

mongo --port 31210 --host mongodb.waysysweb.us.com

 

2. Authenticate. In this case, you are using LDAP authentication (the PLAIN mechanism against the $external database).

 

db.getSiblingDB("$external").auth(
   {
     mechanism: "PLAIN",
     user: "uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com",
     pwd:  "secret",
     digestPassword: false
   }
)

 

3. Create a JavaScript file that creates one MongoDB role for each group defined in your LDAP server. (See the example below.)

4. In the MongoDB shell, load the file with load("loadroles.js"), where loadroles.js is the name of your JavaScript file.

 

Example JavaScript File to Load Roles

 

db = db.getSiblingDB("admin");

// Each role name must be the full DN of the matching LDAP group, exactly as the
// authorization query returns it. The role carries no privileges of its own and
// only inherits the built-in roles listed under "roles".
var groupRoles = [
  {role: "cn=SecOff,ou=Groups,dc=waysysweb,dc=us,dc=com", privileges: [], roles: [{role: "userAdminAnyDatabase", db: "admin"}]},
  {role: "cn=SysAdmin,ou=Groups,dc=waysysweb,dc=us,dc=com", privileges: [], roles: [{role: "clusterManager", db: "admin"}]},
  {role: "cn=DbAdmin,ou=Groups,dc=waysysweb,dc=us,dc=com", privileges: [], roles: [{role: "dbAdminAnyDatabase", db: "admin"}]},
  {role: "cn=Dev,ou=Groups,dc=waysysweb,dc=us,dc=com", privileges: [], roles: [{role: "readWrite", db: "admin"}]}
];

// Create all four roles on the admin database.
groupRoles.forEach(function (rl) {
  db.createRole(rl);
});

 

 

Example mongod Configuration File

 

systemLog:
  destination: file
  path: /home/vagrant/data/r0/mongodb.log
storage:
  dbPath: /home/vagrant/data/r0
processManagement:
  fork: true
security:
  clusterAuthMode: keyFile
  keyFile: /home/vagrant/mk
  ldap:
    servers: "ldap.waysysweb.us.com:389"
    authz:
      queryTemplate: "dc=waysysweb,dc=us,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
    bind:
      queryUser: "cn=admin,dc=waysysweb,dc=us,dc=com"
      queryPassword: "jamaica"
      method: "simple"
    transportSecurity: none
net:
  bindIp: mongodb.waysysweb.us.com
  port: 31210
replication:
  replSetName: repl
setParameter:
  authenticationMechanisms: PLAIN
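The following is an added example, not code from these notes, that simulates offline what mongod does with the queryTemplate above: it substitutes the user DN into the template, evaluates the group filter against a constructed in-memory directory, and flags any returned group DN that has no MongoDB role of exactly that name. The role names are those from loadroles.js; the cn=Audit group and the user bsmith are hypothetical.

```javascript
// Simulated LDAP authorization lookup plus a role-coverage check (constructed data).
const queryTemplate =
  "dc=waysysweb,dc=us,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))";
const AJONES = "uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com";
const BSMITH = "uid=bsmith,ou=Users,dc=waysysweb,dc=us,dc=com"; // hypothetical user

// Constructed in-memory directory: each entry is its DN plus multi-valued attributes.
const directory = [
  { dn: "cn=SysAdmin,ou=Groups,dc=waysysweb,dc=us,dc=com",
    objectClass: ["groupOfNames"], member: [AJONES] },
  { dn: "cn=Dev,ou=Groups,dc=waysysweb,dc=us,dc=com",
    objectClass: ["groupOfNames"], member: [AJONES, BSMITH] },
  // Hypothetical group present in LDAP but with no role created in MongoDB.
  { dn: "cn=Audit,ou=Groups,dc=waysysweb,dc=us,dc=com",
    objectClass: ["groupOfNames"], member: [AJONES] },
  { dn: AJONES, objectClass: ["inetOrgPerson"], member: [] },
];

// Role names created on the admin database by loadroles.js.
const mongoRoles = new Set([
  "cn=SecOff,ou=Groups,dc=waysysweb,dc=us,dc=com",
  "cn=SysAdmin,ou=Groups,dc=waysysweb,dc=us,dc=com",
  "cn=DbAdmin,ou=Groups,dc=waysysweb,dc=us,dc=com",
  "cn=Dev,ou=Groups,dc=waysysweb,dc=us,dc=com",
]);

// Split the RFC 4516 style "base?attrs?scope?filter" template and substitute {USER}.
function expandTemplate(template, userDn) {
  const [base, attrs, scope, filter] = template.split("?");
  return { base, attrs, scope, filter: filter.replace("{USER}", userDn) };
}

// Evaluate the only filter shape used on this page: an AND of (attribute=value) clauses.
function matchesFilter(entry, filter) {
  const clauses = [...filter.matchAll(/\(([^()=]+)=([^()]*)\)/g)];
  return clauses.every(([, attr, value]) =>
    (entry[attr] || []).some(v => v.toLowerCase() === value.toLowerCase()));
}

// Group DNs the authz query returns for userDn (sub scope: any entry under the base).
function resolveGroups(userDn) {
  const q = expandTemplate(queryTemplate, userDn);
  return directory.filter(e => e.dn.toLowerCase().endsWith(q.base.toLowerCase())
    && matchesFilter(e, q.filter)).map(e => e.dn);
}

// Groups that grant nothing in MongoDB because no role with that exact DN exists.
function groupsWithoutRole(userDn) {
  return resolveGroups(userDn).filter(dn => !mongoRoles.has(dn));
}
```

Because mongod matches role names to the returned DNs as strings, a group that is spelled or ordered differently from its role name silently grants nothing; that mismatch is what groupsWithoutRole surfaces.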

 

Issues

 

In this example, security.ldap.transportSecurity is set to none in the mongod configuration file because TLS is not implemented for the LDAP server in this example. With that setting and the PLAIN mechanism, the bind credentials and users' passwords cross the network in cleartext, so this configuration is suitable only for a test environment.

In this example, user names are not transformed (no security.ldap.userToDNMapping is configured), so you must use the full distinguished name of the user when logging in.

 

References

 

Authentication with LDAP

Mongoldap

Authenticate and Authorize Users Using Active Directory via Native LDAP

Examples of Roles in MongoDB and LDAP