
MongoDB Notes


LDAP Query Template


For authorization using LDAP, MongoDB uses the LDAP query template, from which it forms an LDAP URI.  To construct the query template, you need to understand how an LDAP URI is constructed.  You also need to understand how your LDAP directory is laid out.

 

Determining Roles Using LDAP

 

[Figure: MongoDB determines roles for the authenticated user using LDAP]

When using LDAP for authorization, MongoDB starts with the user name of the authenticated user and performs these steps.  This process assumes the user authenticates with the user's full distinguished name that is listed in the LDAP directory.

 

1. Using the query template and the user name, MongoDB constructs an LDAP query for the groups of which the user is a member.

2. MongoDB queries the LDAP directory for those groups.

3. Using the distinguished names of these groups, MongoDB looks up the roles and privileges for the user in the admin MongoDB database.

 

LDAP URI

 

A typical LDAP URI may look similar to this:

 

ldap://ldap.waysysweb.us.com/dc=waysysweb,dc=us,dc=com??sub?(&(objectClass=groupOfNames)(member='uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com'))

 

This query is intended to return the groups to which the user with a uid of ajones belongs.  See Example LDIF File to Load Groups to see how the groups are defined in the directory.  The purpose of the query is to return the entry for the groups of which the user is a member.  The distinguished names of these entries should match roles in the MongoDB admin database.

 

Your directory may be configured in any of several different ways.  The LDAP query may need to be very different from what is shown here.

 

The portion of the URI above that follows the host name is the string that needs to be in the LDAP query template.  This portion consists of fields separated by question marks.  The following table lists the components of the URI.

 

| Component | Example | Comment |
|---|---|---|
| Protocol | ldap: | ldap - basic, unencrypted communication; ldaps - LDAP over SSL; ldapi - LDAP over IPC |
| Host | //ldap.waysysweb.us.com | The domain name of the server on which LDAP is running.  The IP address can also be used. |
| Port | (not shown above) | No port means the connection should use the default port.  The default for basic ldap is 389. |
| Base distinguished name | dc=waysysweb,dc=us,dc=com | This field provides the starting point for the query. |
| Attributes | (empty) | This field lists the attributes to be returned.  In this example, all attributes are desired, so the field is empty. |
| Scope | sub | See Query Scope below.  Sub is almost always the desired scope. |
| Filter | (&(objectClass=groupOfNames)(member='uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com')) | An LDAP filter that searches entries with an object class of groupOfNames for those that have a member attribute of user ajones. |

 

Query Scope

 

In the LDAP URI, the scope of the query can have one of these values:

 

| Scope | Definition |
|---|---|
| base | searches only the entry specified in the base distinguished name |
| one | searches only the immediate children of the base distinguished name.  Only the children are searched; the actual base distinguished name is not searched. |
| sub | searches the entry specified in the base distinguished name and all of its descendants.  That is, it performs a subtree search starting at the base distinguished name.  This is the default. |

 

The Filter

 

The most significant part of the LDAP query is the filter.  The correct filter will depend on how your directory is configured.  In this case, there are two search clauses:

 

1. The object class of the entry must be groupOfNames.  As shown in the LDIF file used to load groups, these entries store a list of members who are users.

2. The entry must have a member attribute equal to the user 'uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com'.

 

Your directory may use different object classes for groups and different representations of users.

 

The Query Template

 

The query template that MongoDB can use to generate the LDAP URI above is:

 

(&(objectClass=groupOfNames)(member={USER}))

 

The string {USER} is placed where the distinguished name of the user would be.  This arrangement assumes that users authenticate with their distinguished names as entered in the LDAP directory.  In this case, users will have distinguished names like 'uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com'.
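The following is an added example, not code from these notes or from MongoDB: it fills the {USER} placeholder of a query template with the user's distinguished name, escaping the characters that RFC 4515 reserves inside a filter so the substituted value can only match literally, and then splits the resulting URI into the components listed in the table above.  The server name, template string and user DN are constructed sample values that mirror the example directory; the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Characters that RFC 4515 requires to be escaped inside a filter value. Inserting
# a user name without this step lets a value containing '*' or ')' change the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def escape_filter_value(value: str) -> str:
    """Escape a value so the filter can only ever match it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_query_template(template: str, user_dn: str) -> str:
    """Replace the {USER} placeholder with the escaped DN of the authenticated user."""
    return template.replace("{USER}", escape_filter_value(user_dn))

def parse_ldap_uri(uri: str) -> dict:
    """Split an LDAP URI into protocol, host, port, base DN, attributes, scope and filter."""
    m = re.fullmatch(r"(ldap|ldaps|ldapi)://([^/?]*)(?:/(.*))?", uri)
    if not m:
        raise ValueError(f"not an LDAP URI: {uri!r}")
    protocol, hostport, rest = m.group(1), m.group(2), m.group(3) or ""
    host, _, port = hostport.partition(":")
    fields = rest.split("?", 3)            # dn ? attributes ? scope ? filter
    fields += [""] * (4 - len(fields))     # missing trailing fields are empty
    base_dn, attrs, scope, filt = (unquote(f) for f in fields)
    return {
        "protocol": protocol,
        "host": host,
        "port": int(port) if port else DEFAULT_PORTS.get(protocol),
        "base_dn": base_dn,
        "attributes": [a for a in attrs.split(",") if a],  # [] means all attributes
        "scope": scope,                     # "base", "one" or "sub" as written in the URI
        "filter": filt,
    }

# Constructed sample values mirroring the example directory in these notes.
QUERY_TEMPLATE = "dc=waysysweb,dc=us,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
USER_DN = "uid=ajones,ou=Users,dc=waysysweb,dc=us,dc=com"

def group_lookup_uri(server: str, template: str, user_dn: str) -> str:
    """Build the full URI for this user's group lookup from server + rendered template."""
    return f"{server}/{render_query_template(template, user_dn)}"

if __name__ == "__main__":
    uri = group_lookup_uri("ldap://ldap.waysysweb.us.com", QUERY_TEMPLATE, USER_DN)
    print(uri)
    for key, val in parse_ldap_uri(uri).items():
        print(f"{key:>10}: {val}")
```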