Navigation

Authenticate Using SASL and LDAP with OpenLDAP

MongoDB Enterprise provides support for proxy authentication of users. This allows administrators to configure a MongoDB cluster to authenticate users by proxying authentication requests to a specified Lightweight Directory Access Protocol (LDAP) service.

Note

For MongoDB 4.2 (and 4.0.9) Enterprise binaries linked against libldap (such as when running on RHEL), access to the libldap is synchronized, incurring some performance/latency costs.

For MongoDB 4.2 (and 4.0.9) Enterprise binaries linked against libldap_r, there is no change in behavior from earlier MongoDB versions.

Warning

MongoDB Enterprise for Windows does not support binding via saslauthd.

  • Linux MongoDB servers support binding to an LDAP server via the saslauthd daemon.
  • Use secure encrypted or trusted connections between clients and the server, as well as between saslauthd and the LDAP server. The LDAP server uses the SASL PLAIN mechanism, sending and receiving data in plain text. You should use only a trusted channel such as a VPN, a connection encrypted with TLS/SSL, or a trusted wired network.

LDAP support for user authentication requires proper configuration of the saslauthd daemon process as well as the MongoDB server.

1

On systems that configure saslauthd with the /etc/sysconfig/saslauthd file, such as Red Hat Enterprise Linux, Fedora, CentOS, and Amazon Linux AMI, set the mechanism MECH to ldap:

MECH=ldap

On systems that configure saslauthd with the /etc/default/saslauthd file, such as Ubuntu, set the MECHANISMS option to ldap:

MECHANISMS="ldap"
2

On certain Linux distributions, saslauthd starts with the caching of authentication credentials enabled. Until restarted or until the cache expires, saslauthd will not contact the LDAP server to re-authenticate users in its authentication cache. This allows saslauthd to successfully authenticate users in its cache, even in the LDAP server is down or if the cached users' credentials are revoked.

To set the expiration time (in seconds) for the authentication cache, see the -t option of saslauthd.

3

If the saslauthd.conf file does not exist, create it. The saslauthd.conf file usually resides in the /etc folder. If specifying a different file path, see the -O option of saslauthd.

To connect to an OpenLDAP server, update the saslauthd.conf file with the following configuration options:

ldap_servers: <ldap uri>
ldap_search_base: <search base>
ldap_filter: <filter>

The ldap_servers specifies the uri of the LDAP server used for authentication. In general, for OpenLDAP installed on the local machine, you can specify the value ldap://localhost:389 or if using LDAP over TLS/SSL, you can specify the value ldaps://localhost:636.

The ldap_search_base specifies distinguished name to which the search is relative. The search includes the base or objects below.

The ldap_filter specifies the search filter.

The values for these configuration options should correspond to the values specific for your test. For example, to filter on email, specify ldap_filter: (mail=%n) instead.

A sample saslauthd.conf file for OpenLDAP includes the following content:

ldap_servers: ldaps://ad.example.net
ldap_search_base: ou=Users,dc=example,dc=com
ldap_filter: (uid=%u)

To use this sample OpenLDAP configuration, create users with a uid attribute (login name) and place under the Users organizational unit (ou) under the domain components (dc) example and com.

For more information on saslauthd configuration, see http://www.openldap.org/doc/admin24/guide.html#Configuringsaslauthd.

4

Use testsaslauthd utility to test the saslauthd configuration. For example:

testsaslauthd -u testuser -p testpassword -f /var/run/saslauthd/mux
  • 0: OK "Success" indicates successful authentication.
  • 0: NO "authentication failed" indicates a username, password, or configuration error.

Modify the file path with respect to the location of the saslauthd directory on the host operating system.

Important

The parent directory of the saslauthd Unix domain socket file specified to security.sasl.saslauthdSocketPath or --setParameter saslauthdPath must grant read and execute (r-x) permissions for either:

  • The user starting the mongod or mongos, or
  • A group to which that user belongs.

The mongod or mongos cannot successfully authenticate via saslauthd without the specified permission on the saslauthd directory and its contents.

1

Add the user to the $external database in MongoDB. To specify the user's privileges, assign roles to the user.

Changed in version 3.6.3: To use sessions with $external authentication users (i.e. Kerberos, LDAP, x.509 users), the usernames cannot be greater than 10k bytes.

For example, the following adds a user with read-only access to the records database.

db.getSiblingDB("$external").createUser(
{
user : <username>,
roles: [ { role: "read", db: "records" } ]
}
)

Add additional principals as needed. For more information about creating and managing users, see User Management Commands.

2

To configure the MongoDB server to use the saslauthd instance for proxy authentication, include the following options when starting mongod:

  • --auth command line option or security.authorization setting,
  • authenticationMechanisms parameter set to PLAIN, and
  • saslauthdPath parameter set to the path to the Unix-domain Socket of the saslauthd instance.

    Important

    The parent directory of the saslauthd Unix domain socket file specified to security.sasl.saslauthdSocketPath or --setParameter saslauthdPath must grant read and execute (r-x) permissions for either:

    • The user starting the mongod or mongos, or
    • A group to which that user belongs.

    The mongod or mongos cannot successfully authenticate via saslauthd without the specified permission on the saslauthd directory and its contents.

If you use the authorization option to enforce authentication, you will need privileges to create a user.

For socket path of /<some>/<path>/saslauthd, set the saslauthdPath to /<some>/<path>/saslauthd/mux, as in the following command line example:

mongod --auth --setParameter saslauthdPath=/<some>/<path>/saslauthd/mux --setParameter authenticationMechanisms=PLAIN

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.

Or if using a YAML format configuration file, specify the following settings in the file:

security:
authorization: enabled
setParameter:
saslauthdPath: /<some>/<path>/saslauthd/mux
authenticationMechanisms: PLAIN

Or, if using the older configuration file format:

auth=true
setParameter=saslauthdPath=/<some>/<path>/saslauthd/mux
setParameter=authenticationMechanisms=PLAIN

To use the default Unix-domain socket path, set the saslauthdPath to the empty string "", as in the following command line example:

mongod --auth --setParameter saslauthdPath="" --setParameter authenticationMechanisms=PLAIN

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.

Or if using a YAML format configuration file, specify the following settings in the file:

security:
authorization: enabled
setParameter:
saslauthdPath: ""
authenticationMechanisms: PLAIN

Or, if using the older configuration file format:

auth=true
setParameter=saslauthdPath=""
setParameter=authenticationMechanisms=PLAIN

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.

3

You can authenticate from the command line during connection, or connect first and then authenticate using db.auth() method.

The server forwards the password in plain text. In general, use only on a trusted channel (VPN, TLS/SSL, trusted wired network). See Considerations.

Give Feedback

On this page

  • Considerations
  • Configure saslauthd
  • Configure MongoDB