Configure MongoDB Agent for LDAP
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Note
Starting with MongoDB 8.0, LDAP authentication and authorization is deprecated. The feature is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.
For details, see LDAP Deprecation.
If your MongoDB deployment enforces access control, the MongoDB Agent must authenticate to MongoDB as a user with the proper access. If you use Automation, Cloud Manager takes care of this for you.
MongoDB Enterprise supports simple and SASL binding to LDAP servers via saslauthd and operating system libraries:
- MongoDB Enterprise for Linux can bind to an LDAP server either via saslauthd or via operating system libraries.
- MongoDB Enterprise for Windows can bind to an LDAP server via the operating system libraries.
The MongoDB Agent supports authenticating to MongoDB instances using LDAP.
Note
With Automation, Cloud Manager manages MongoDB Agent authentication for you. To learn more about authentication, see Enable LDAP Authentication for your Cloud Manager Project.
Prerequisites
Configure Deployments to Use Authentication
The MongoDB Agent interacts with the MongoDB databases in your deployment as a MongoDB user would. As a result, you must configure your MongoDB deployment and the MongoDB Agent to support authentication.
You can specify the deployment's authentication mechanisms when adding the deployment, or you can edit the settings for an existing deployment. At minimum, the deployment must enable the authentication mechanism you want the MongoDB Agent to use. The MongoDB Agent can use any supported authentication mechanism.
Set Require TLS Certificate Environment Variable
On the MongoDB Agent hosts, you must set the TLS_REQCERT environment variable to demand.
Example
On a Red Hat Enterprise Linux host, open the /etc/openldap/ldap.conf file and add the following setting and value:

  TLS_REQCERT demand
You can use your application to set this environment variable.
Considerations
If Automation does not manage your deployment, you must configure LDAP authentication separately for each function.
To configure LDAP authentication, add a host or edit an existing host's configuration.
Create and Configure User in MongoDB
To automate MongoDB instances that use LDAP authentication, add a MongoDB user that possesses the required roles and privileges to the $external database in MongoDB. The $external database allows mongod to consult an external source, such as an LDAP server, to authenticate.
Use the following mongosh command to create the user:

  db.getSiblingDB("$external").createUser( {
    user : "<username>",
    roles : [
      { role : "clusterAdmin", db : "admin" },
      { role : "readWriteAnyDatabase", db : "admin" },
      { role : "userAdminAnyDatabase", db : "admin" },
      { role : "dbAdminAnyDatabase", db : "admin" },
      { role : "backup", db : "admin" },
      { role : "restore", db : "admin" }
    ]
  } )
To learn more about the required access, see Required Access for MongoDB Agent.
To back up MongoDB 4.0 or later instances that use LDAP authentication, add a user that possesses the required roles to the $external database in MongoDB. The $external database stores credentials for external authentication and authorization details.
Use the following mongosh command to create the user (a second createUser call for the same username would fail because the user already exists, so both roles are granted in one call):

  db.getSiblingDB("$external").createUser( {
    user : "<username>",
    roles : [
      { role : "clusterAdmin", db : "admin" },
      { role : "backup", db : "admin" }
    ]
  } )

To learn more about the required access, see Required Access for MongoDB Agent Backup.
To monitor MongoDB 4.0 or later instances that use LDAP authentication, add a user to the $external database in MongoDB. The $external database stores credentials for external authentication and authorization details. Assign this user the roles provided in the following example.
Use the following mongosh command to create the user:

  db.getSiblingDB("$external").createUser( {
    user : "<username>",
    roles : [
      { role : "clusterMonitor", db : "admin" }
    ]
  } )
To learn what roles this function requires, see Monitoring settings.
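As an added example that is not part of the Cloud Manager documentation, the following Node.js script builds the createUser command for each of the three Agent functions above and audits an existing $external user's roles against the documented set, so the Agent user ends up with exactly the documented privileges and nothing more. The usersInfo result shape is that of the real MongoDB command; the sample user document and its DN are constructed for the example.

```javascript
// Required roles per MongoDB Agent function, as listed on this page.
// All of these roles are defined in the admin database.
const REQUIRED_ROLES = {
  automation: ["clusterAdmin", "readWriteAnyDatabase", "userAdminAnyDatabase",
               "dbAdminAnyDatabase", "backup", "restore"],
  backup: ["clusterAdmin", "backup"],
  monitoring: ["clusterMonitor"],
};

const roleKey = (r) => `${r.db}.${r.role}`;
const adminRoles = (names) => names.map((role) => ({ role, db: "admin" }));

// Build the createUser command document for an LDAP-authenticated user in
// $external, equivalent to the mongosh createUser() calls on this page.
function buildCreateUser(username, fn) {
  if (!REQUIRED_ROLES[fn]) throw new Error(`unknown agent function: ${fn}`);
  return { createUser: username, roles: adminRoles(REQUIRED_ROLES[fn]) };
}

// Compare the roles an existing $external user holds (the usersInfo command's
// users[0].roles array) with the documented set for one agent function.
// Returns the roles to grant and the roles to revoke so that the user ends
// up with exactly the privileges the Agent needs and nothing more.
function auditAgentUser(usersInfoResult, fn) {
  const required = adminRoles(REQUIRED_ROLES[fn]);
  const user = (usersInfoResult.users || [])[0];
  if (!user) return { exists: false, grant: required, revoke: [] };
  const have = new Set(user.roles.map(roleKey));
  const need = new Set(required.map(roleKey));
  return {
    exists: true,
    grant: required.filter((r) => !have.has(roleKey(r))),
    revoke: user.roles.filter((r) => !need.has(roleKey(r))),
  };
}

// Constructed sample (not real output): what
// db.getSiblingDB("$external").runCommand({ usersInfo: "<username>" }) could
// return for a backup user that was given restore instead of clusterAdmin.
const SAMPLE_USERS_INFO = {
  users: [{
    user: "cn=mms-backup,ou=svc,dc=example,dc=com", db: "$external",
    roles: [{ role: "backup", db: "admin" }, { role: "restore", db: "admin" }],
  }],
  ok: 1,
};

console.log(JSON.stringify(auditAgentUser(SAMPLE_USERS_INFO, "backup")));
console.log(JSON.stringify(buildCreateUser("<username>", "monitoring")));
```

The grant and revoke lists map directly onto grantRolesToUser and revokeRolesFromUser calls in mongosh against the $external database.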