- Security >
- Security Tutorials >
- Authentication Mechanisms >
- Authenticate Using SASL and LDAP with ActiveDirectory
Authenticate Using SASL and LDAP with ActiveDirectory¶
On this page
MongoDB Enterprise provides support for proxy authentication of users. This allows administrators to configure a MongoDB cluster to authenticate users by proxying authentication requests to a specified Lightweight Directory Access Protocol (LDAP) service.
Considerations¶
MongoDB Enterprise for Windows does not include LDAP support for authentication. However, MongoDB Enterprise for Linux supports using LDAP authentication with an ActiveDirectory server.
MongoDB does not support LDAP authentication in mixed sharded cluster deployments that contain both version 2.4 and version 2.6 shards. See Upgrade MongoDB to 2.6 for upgrade instructions.
Use secure encrypted or trusted connections between clients and the server,
as well as between saslauthd
and the LDAP server. The LDAP server uses
the SASL PLAIN
mechanism, sending and receiving data in plain text.
You should use only a trusted channel such as a VPN, a connection encrypted
with TLS/SSL, or a trusted wired network.
Configure saslauthd
¶
LDAP support for user authentication requires proper configuration of
the saslauthd
daemon process as well as the MongoDB server.
Specify the mechanism.¶
On systems that configure saslauthd
with the
/etc/sysconfig/saslauthd
file, such as Red Hat Enterprise Linux,
Fedora, CentOS, and Amazon Linux AMI, set the mechanism MECH
to
ldap
:
On systems that configure saslauthd
with the
/etc/default/saslauthd
file, such as Ubuntu, set the MECHANISMS
option to ldap
:
Adjust caching behavior.¶
On certain Linux distributions, saslauthd
starts with the caching
of authentication credentials enabled. Until restarted or until the
cache expires, saslauthd
will not contact the LDAP server to
re-authenticate users in its authentication cache. This allows
saslauthd
to successfully authenticate users in its cache, even in
the LDAP server is down or if the cached users’ credentials are revoked.
To set the expiration time (in seconds) for the authentication cache, see
the -t option of
saslauthd
.
Configure LDAP Options with ActiveDirectory.¶
If the saslauthd.conf
file does not exist, create it.
The saslauthd.conf
file usually resides in the /etc
folder. If specifying a different file path, see the
-O option of
saslauthd
.
To use with ActiveDirectory, start saslauthd
with the following
configuration options set in the saslauthd.conf
file:
For the <ldap uri>
, specify the uri of the ldap server. For
example, ldap_servers: ldaps://ad.example.net
.
For more information on saslauthd
configuration, see
http://www.openldap.org/doc/admin24/guide.html#Configuringsaslauthd.
Test the saslauthd
configuration.¶
Use testsaslauthd
utility to test the saslauthd
configuration. For example:
Note
/var/run/saslauthd
directory must have permissions set to
755
for MongoDB to successfully authenticate.
Configure MongoDB¶
Add user to MongoDB for authentication.¶
Add the user to the $external
database in MongoDB. To specify the
user’s privileges, assign roles to the
user.
For example, the following adds a user with read-only access to
the records
database.
Add additional principals as needed. For more information about creating and managing users, see User Management Commands.
Configure MongoDB server.¶
To configure the MongoDB server to use the saslauthd
instance for
proxy authentication, include the following options when starting mongod
:
--auth
command line option orsecurity.authorization
setting,authenticationMechanisms
parameter set toPLAIN
, andsaslauthdPath
parameter set to the path to the Unix-domain Socket of thesaslauthd
instance.
If you use the authorization
option to enforce
authentication, you will need privileges to create a user.
Use specific saslauthd
socket path.¶
For socket path of /<some>/<path>/saslauthd
, set the
saslauthdPath
to /<some>/<path>/saslauthd/mux
,
as in the following command line example:
Or if using a YAML format configuration file, specify the following settings in the file:
Or, if using the older configuration file format:
Use default Unix-domain socket path.¶
To use the default Unix-domain socket path, set the
saslauthdPath
to the empty string ""
, as in the
following command line example:
Or if using a YAML format configuration file, specify the following settings in the file:
Or, if using the older configuration file format:
Authenticate the user in the mongo
shell.¶
To authenticate when connecting with the mongo
shell, run
mongo
with the following options, substituting <host>
and <user>
, and enter your password when prompted:
Alternatively, connect without supplying credentials and call the
db.auth()
method on the $external
database.
Specify the value "PLAIN"
in the mechanism
field, the user and
password in the user
and pwd
fields respectively, and the
value false
in the digestPassword
field. You must specify
false
for digestPassword
since the server must receive an
undigested password to forward on to saslauthd
, as in the
following example:
The server forwards the password in plain text. In general, use only on a trusted channel (VPN, TLS/SSL, trusted wired network). See Considerations.