• Security >
• Enable Authentication for an Ops Manager Project >
• Enable LDAP Authentication for your Ops Manager Project

Enable LDAP Authentication for your Ops Manager Project

Ops Manager enables you to configure the Authentication Mechanisms that all clients, including the Ops Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.

MongoDB Enterprise supports proxying authentication requests to a Lightweight Directory Access Protocol (LDAP) service.

LDAP is only available on MongoDB Enterprise builds. If you have existing deployments running on a MongoDB Community build, you must upgrade them to MongoDB Enterprise before you can enable LDAP for your Ops Manager project.

Considerations

MongoDB Enterprise supports simple and SASL binding to Lightweight Directory Access Protocol (LDAP) servers via saslauthd and operating system libraries:

• MongoDB Enterprise for Linux can bind to an LDAP server either via saslauthd or starting in MongoDB 3.4, via the operating system libraries.
• Starting in MongoDB version 3.4, MongoDB Enterprise for Windows can bind to an LDAP server via the operating system libraries.

The LDAP Proxy Authentication and LDAP Authorization sections in the MongoDB manual provide more information about LDAP and MongoDB. Setting up LDAP and SASL is beyond the scope of this document.

Procedure

This procedure describes how to configure and enable LDAP authentication when using Automation. If Ops Manager doesn’t manage Monitoring or Backup, you must manually configure them to use LDAP. To configure LDAP, see Configure MongoDB Agent for LDAP

Note

If you want to reset Authentication and SSL settings for your project, first unmanage any MongoDB deployments that Ops Manager manages in your project.

1

Navigate to the Authentication & TLS Settings dialog for your deployment.

1. If it is not already displayed, select the organization that contains your desired project from the office icon Organizations menu in the navigation bar.
2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
3. If it is not already displayed, click Deployment in the sidebar.
4. Click the Security tab.
5. Click the Authentication & SSL tab.
6. Click Edit Settings.

2

Select LDAP.

1. Check LDAP.

2. Select the appropriate type of LDAP authentication.

   Important

   • If you are using LDAP Authorization, you must select Native LDAP Authentication.
   • If you are not using LDAP authorization, you must add users to the $external database in your MongoDB deployment. For an example, see LDAP Authentication.

3. Click Next.

3

Configure the LDAP Authorization Settings. (Optional)

Important

Using LDAP Authorization, MongoDB 3.4 allows authenticating users via LDAP, Kerberos, and X.509 certificates without requiring local user documents in the $external database as long as you enable LDAP authorization first. When such a user successfully authenticates, MongoDB performs a query against the LDAP server to retrieve all groups which that LDAP user possesses and transforms those groups into their equivalent MongoDB roles.

This feature is available only for MongoDB 3.4 or later.

If you do not use LDAP Authorization, you can click Skip.

If you use LDAP Authorization, complete the following steps.

1. Enter values for the following fields:

   Setting	Value
   Authorization Query Template	Specify a template for an LDAP query URL to retrieve the list of LDAP groups for an LDAP user.
   User to Distinguished Name Mapping	Specify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.

2. Click Use LDAP Authorization.

3. Provide the following values:

   Setting	Value
   Servers	Specify the hostname:port combination of one or more LDAP servers.
   Transport Security	Select TLS to encrypt your LDAP queries. If you do not need to encrypt the LDAP queries, select None.
   Timeout (ms)	Specify how long an authentication request should wait before timing out.
   Bind Method	Select either Simple or SASL. Important If you choose the Simple bind method, select TLS from the Transport Security because the Simple bind method passes the password in plain text.
   SASL Mechanisms	Specify which SASL authentication service MongoDB uses with the LDAP server.
   Query User	Specify the LDAP Distinguished Name to which MongoDB binds when connecting to the LDAP server.
   Query Password	Specify the password with which MongoDB binds when connecting to an LDAP server.
   LDAP User Cache Invalidation Interval (s)	Specify how long MongoDB waits to flush the LDAP user cache. Defaults to 30 seconds.
   Validate LDAP Server Config	Select True to validate the LDAP server configuration or False to skip validation. If True and the configuration is invalid, the MongoDB deployment will not start.

4. Click Next.

4

Configure SSL if desired.

1. Toggle the Enable SSL slider to Yes.
2. Click Next.

Note

See Enable TLS for a Deployment for SSL setup instructions.

Recommend Using TLS/SSL with LDAP

By default, LDAP traffic is sent as plain text. This means that credentials (username and password) are exposed to basic network threats like sniffers and replay. Use LDAPS (LDAP over TLS/SSL) to encrypt authentication. Many modern directory services, such as Active Directory, require encrypted connections.

5

Configure the Agents to use LDAP (PLAIN) to connect to your MongoDB deployment.

Remember

Ops Manager limits Agents to using one mechanism per deployment.

1. Select LDAP (PLAIN) from the Agent Auth Mechanism drop-down menu.

2. For each Agent, provide:

   Setting	Value
   <Agent> LDAP Username	Enter the LDAP username.
   <Agent> LDAP Password	Enter the password for Agent’s LDAP Username.
   <Agent> LDAP Group DN	Enter the Distinguished Name for the Agent’s LDAP Group. Note Provide the Agent’s LDAP Group DN only if you use LDAP Authorization. Each Agent should have and use its own LDAP Group DN.

3. Click Save.

Only configure the Agents you installed.

Example

If you did not install the Backup, do not configure the Backup.

6

Click Review & Deploy to review your changes.

7

Click Confirm & Deploy to deploy your changes.

Otherwise, click Cancel and you can make additional changes.

8

Create MongoDB Roles for LDAP Groups. (Optional)

After enabling LDAP Authorization, you need to create custom MongoDB roles for each LDAP Group you specified for LDAP Authorization.

←   Enable Username and Password Authentication for your Ops Manager Project Enable Kerberos Authentication for your Ops Manager Project  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.