Navigation

mongocli atlas security ldap save

The security ldap save command configures Atlas to use your own Lightweight Directory Access Protocol (LDAP) server to authenticate and authorize MongoDB users. A single LDAP over TLS congifuration applies to all clusters in a project.

You can also configure user authentication and authorization with LDAP using the Atlas UI and API.

You can run the mongocli atlas security ldap verify command to verify the LDAP configuration. If the LDAP configuration status is Pending, you can watch for the configuration request to complete using the mongocli atlas security ldap verify status watch command.

mongocli atlas security ldap save|create|update
--authenticationEnabled true|false
[ --authorizationEnabled true|false ]
[ --authzQueryTemplate <LDAP-query-template> ]
--bindPassword <bind-password>
--bindUsername <bind-username>
[ --caCertificate <CA-certificate> ]
--hostname <LDAP-server-hostname>
[ --output|-o <output-format> ]
[ --port ]
[ --profile|-P <name-of-profile> ]
[ --projectId <id-of-project> ]
Note

Use -h or --help to view the command-line help for this command.

Option
Type
Description
Required?
--authenticationEnabled
string

Flag to enable or diable user authentication with LDAP. Valid values are:

  • true to enable user authentication with LDAP
  • false to disable user authentication with LDAP
yes
--authorizationEnabled
string

Flag to enable or disable user authorization with LDAP. Valid values are:

  • true to enable user authorization with LDAP
  • false to disable user authorization with LDAP

To enable user authorization with LDAP, you must also enable user authentication with LDAP.

no
--authzQueryTemplate
string

LDAP query template to execute to obtain the LDAP groups to which the authenticated user belongs. The query is relative to the host specified with the --hostname option.

The query format must conform to RFC 4515 and RFC 4516. Use the {USER} placeholder in the URL to substitute the authenticated username.

If omitted, defaults to the following:

{USER}?memberOf?base

Atlas uses this for user authorization only. Specify an empty string to delete a previously assigned value. For example:

--authzQueryTemplate ""
no
--bindPassword
string
Password to use to authenticate the bindUsername.
yes
--bindUsername
string
User distinguished name (DN) to use to connect to the LDAP server. Value must be the full DN, such as CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com.
yes
--caCertificate
string

CA certificate to use to verify the identity of the LDAP server. Atlas accepts self-signed certificates.

Specify an empty string to delete a previously assigned value. For example:

--caCertificate ""
no
--hostname
string
Hostname or IP address of the LDAP server. The server must be accessible from the public internet or peered to your Atlas cluster with Network Peering.
--output, -o
string

Command output format. Valid values are:

  • json for output in JSON format
  • go-template for custom output using the Go template
  • go-template-file for custom output specified using the Go template file

If omitted, the command returns output in the default format.

no
--port
int
Port that the LDAP server listens for client connections. If omitted, defaults to 636.
no
--profile, -P
string
Name of the profile to use for accessing the Atlas project. If omitted, uses the default profile.
no
--projectId
string

Unique identifier of the project. If omitted, uses the project ID in the profile or environment variable.

yes

If the command succeeds, it returns the following output in the default format. If the command returns errors, see Troubleshooting for recommended solutions.

HOSTNAME PORT AUTHENTICATION AUTHORIZATION
<LDAP-server-hostname> <port-number> true|false true|false

The default output contains a subset of the fields returned by this command. For the complete list of JSON fields returned by the command, see the API reference.

The following example uses the mongocli atlas security ldap save command to configure an LDAP server to authenticate and authorize MongoDB users. The command uses the default profile for accessing the Atlas project.

mongocli atlas security ldap save --authenticationEnabled true --authorizationEnabled true --hostname atlas-ldaps-01.ldap.myteam.com --bindUsername "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com" --bindPassword changeMe

The previous command prints the following to the terminal:

HOSTNAME PORT AUTHENTICATION AUTHORIZATION
atlas-ldaps-01.ldap.myteam.com 636 true true
Give Feedback