LDAP Proxy Authentication


MongoDB Enterprise supports proxying authentication requests to a Lightweight Directory Access Protocol (LDAP) service.

MongoDB supports simple and SASL binding to LDAP servers via two mechanisms:

Via: Operating system libraries

Starting in version 3.4, MongoDB supports binding to an LDAP server via operating system libraries. This allows MongoDB servers on Linux and Windows to use an LDAP server for authentication. In earlier versions, MongoDB on Microsoft Windows cannot connect to LDAP servers.

Via: saslauthd

MongoDB servers on Linux support binding to an LDAP server via the saslauthd daemon. This is not available for MongoDB on Windows.

Considerations

A full description of LDAP is beyond the scope of this documentation. This page assumes prior knowledge of LDAP.

This documentation only describes MongoDB LDAP authentication and does not replace other resources on LDAP. We encourage you to thoroughly familiarize yourself with LDAP and its related subject matter before configuring LDAP authentication.

MongoDB can provide professional services for optimal configuration of LDAP authentication for your MongoDB deployment.

Connection Pool

Starting in version 4.2.0, when connecting to the LDAP server for authentication/authorization, MongoDB by default:

  • Uses connection pooling when running:

    • on Windows, or
    • on Linux where the MongoDB Enterprise binaries are linked against libldap_r.
  • Does not use connection pooling when running:

    • on Linux where the MongoDB Enterprise binaries are linked against libldap.

To change the connection pooling behavior, update the ldapUseConnectionPool parameter.

saslauthd and Directory Permissions

Important

The parent directory of the saslauthd Unix domain socket file specified to security.sasl.saslauthdSocketPath or --setParameter saslauthdPath must grant read and execute (r-x) permissions to either:

  • The user starting the mongod or mongos, or
  • A group to which that user belongs.

The mongod or mongos cannot successfully authenticate via saslauthd without the specified permission on the saslauthd directory and its contents.

libldap and libldap_r

For MongoDB 4.2 (and 4.0.9) Enterprise binaries linked against libldap (such as when running on RHEL), access to libldap is synchronized, incurring some performance/latency cost.

For MongoDB 4.2 (and 4.0.9) Enterprise binaries linked against libldap_r, there is no change in behavior from earlier MongoDB versions.

Managing LDAP Users on the MongoDB server

User management requires managing users both on the LDAP server and on the MongoDB server. For each user authenticating via LDAP, MongoDB requires a user on the $external database whose name exactly matches the authentication username. Changes to a user on the LDAP server may require changes to the corresponding MongoDB $external user.

To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.

Example

A user authenticates as sam@dba.example.com. The MongoDB server binds to the LDAP server and authenticates the user, applying any configured username transformations. On successful authentication, the MongoDB server then checks the $external database for a user named sam@dba.example.com and grants the authenticated user the roles and privileges associated with that user.

To manage users on the MongoDB server, you must authenticate as an LDAP user whose corresponding MongoDB $external user has user administrative privileges on the $external database, such as those provided by userAdmin.

Important

If no $external users have user administrative privileges on the $external database, you cannot perform user management for LDAP authentication. This scenario may occur if you configure users prior to enabling LDAP authentication but do not create the appropriate user administrators.

Managing existing non-LDAP users

If there are existing users not on the $external database, you must meet the following requirements for each user to ensure continued access:

  • The user has a corresponding user object on the LDAP server.
  • The user exists on the $external database with equivalent roles and privileges.

If you want to continue allowing access by users not on the $external database, you must configure the setParameter authenticationMechanisms to include SCRAM-SHA-1 and/or SCRAM-SHA-256 as appropriate. Users must then specify --authenticationMechanism SCRAM-SHA-1 or SCRAM-SHA-256 when authenticating.

Deploying LDAP authentication on a replica set

For replica sets, configure LDAP authentication on secondary and arbiter members first, before configuring the primary. This also applies to shard replica sets and config server replica sets. Configure one replica set member at a time to maintain a majority of members for write availability.

Deploying LDAP authentication on a sharded cluster

In sharded clusters, you must configure LDAP authentication on the config servers and on each mongos for cluster-level users. You can optionally configure LDAP authorization on each shard for shard-local users.

LDAP Authentication via the Operating System LDAP libraries

The LDAP authentication process via OS libraries is summarized below:

  1. A client authenticates to MongoDB, providing a user's credentials.
  2. If the username requires mapping to an LDAP DN prior to binding against the LDAP server, MongoDB can apply transformations based on the configured security.ldap.userToDNMapping setting.
  3. MongoDB binds to an LDAP server specified in security.ldap.servers using the provided username or, if a transformation was applied, the transformed username.

    MongoDB uses simple binding by default, but can also use SASL binding if configured in security.ldap.bind.method and security.ldap.bind.saslMechanisms.

    If a transformation requires querying the LDAP server, or if the LDAP server disallows anonymous binds, MongoDB uses the username and password specified in security.ldap.bind.queryUser and security.ldap.bind.queryPassword to bind to the LDAP server before attempting to authenticate the provided user credentials.

  4. The LDAP server returns the result of the bind attempt to MongoDB. On success, MongoDB attempts to authorize the user.
  5. The MongoDB server attempts to map the username to a user on the $external database, assigning the user any roles or privileges associated with a matching user. If MongoDB cannot find a matching user, authentication fails.
  6. The client can perform those actions for which MongoDB granted the authenticated user roles or privileges.
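The six steps above, and the worked example with sam@dba.example.com, can be walked through in code. The following is an added illustration written for this page, not MongoDB's own implementation: it simulates the flow against a constructed in-memory directory, applies a userToDNMapping in the substitution and LDAP-query forms (the match / substitution / ldapQuery rule format and the RFC 4516 "base??scope?filter" query shape follow the MongoDB manual's description of that setting; anchoring each match pattern to the whole username is this simulation's assumption), binds as the queryUser only when a query is needed, and finally enforces the exact-name lookup in $external. Roles are plain strings here, not MongoDB role documents. Note that a valid LDAP password is not enough: the last case shows a user who binds successfully but has no $external user of exactly the same name.

```javascript
// Constructed toy "LDAP server": DN -> attributes. Sample data, not real accounts.
const directory = {
  'cn=mongo-query,ou=svc,dc=example,dc=com': { password: 'query-secret' },
  'uid=sam,ou=users,dc=example,dc=com': { mail: 'sam@dba.example.com', password: 'sam-pw' },
  'uid=kim,ou=users,dc=example,dc=com': { mail: 'kim@dba.example.com', password: 'kim-pw' },
};

// Simple bind: succeeds only if the DN exists and the password matches.
function ldapBind(dn, password) {
  const entry = directory[dn];
  return Boolean(entry && entry.password === password);
}

// Minimal RFC 4516 search "baseDN??scope?(attr=value)"; equality filters only.
function ldapSearch(ldapUrl) {
  const [base, , scope, filter] = ldapUrl.split('?');
  const m = /^\((\w+)=([^)]+)\)$/.exec(filter);
  if (!m) throw new Error('unsupported filter: ' + filter);
  const [, attr, value] = m;
  return Object.keys(directory).filter((dn) => {
    const inBase = dn.endsWith(',' + base);
    const rdnPart = dn.slice(0, -(base.length + 1));
    const scopeOk = scope === 'one' ? !rdnPart.includes(',') : true;
    return inBase && scopeOk && directory[dn][attr] === value;
  });
}

// Step 2: apply the first matching userToDNMapping rule. {0} is the first capture group.
// Assumption of this simulation: the pattern must match the whole username.
function mapUserToDN(username, mapping, queryCreds) {
  for (const rule of mapping) {
    const m = new RegExp('^' + rule.match + '$').exec(username);
    if (!m) continue;
    const fill = (tpl) => tpl.replace(/\{(\d+)\}/g, (_, i) => m[Number(i) + 1]);
    if (rule.substitution) return fill(rule.substitution);
    // A query template requires binding as queryUser/queryPassword first (step 3).
    if (!ldapBind(queryCreds.user, queryCreds.password)) throw new Error('queryUser bind failed');
    const hits = ldapSearch(fill(rule.ldapQuery));
    if (hits.length !== 1) throw new Error(`query returned ${hits.length} entries`);
    return hits[0];
  }
  return username; // no rule matched: bind with the username as provided
}

// Constructed $external users. The name must equal the authenticating username exactly.
const externalUsers = {
  'sam@dba.example.com': ['readWrite@app'],
  kim: ['read@app'],
};

// Steps 1-6 end to end. Returns the outcome instead of printing so it can be checked.
function authenticate(username, password, config) {
  const dn = mapUserToDN(username, config.userToDNMapping, config.query);
  if (!ldapBind(dn, password)) return { ok: false, reason: 'LDAP bind failed' };
  const roles = externalUsers[username];
  if (!roles) return { ok: false, reason: 'no matching $external user' };
  return { ok: true, dn, roles };
}

// Hypothetical security.ldap settings, in the shape the mapping rules take.
const config = {
  query: { user: 'cn=mongo-query,ou=svc,dc=example,dc=com', password: 'query-secret' },
  userToDNMapping: [
    { match: '(.+@dba\\.example\\.com)', ldapQuery: 'ou=users,dc=example,dc=com??one?(mail={0})' },
    { match: '([a-z]+)', substitution: 'uid={0},ou=users,dc=example,dc=com' },
  ],
};

console.log(authenticate('sam@dba.example.com', 'sam-pw', config)); // ok, via LDAP query
console.log(authenticate('kim', 'kim-pw', config));                 // ok, via substitution
console.log(authenticate('kim@dba.example.com', 'kim-pw', config)); // bind ok, no $external user
console.log(authenticate('sam@dba.example.com', 'nope', config));   // LDAP bind failed
```

The third case is the one that surprises operators: LDAP accepted the password, yet MongoDB refuses the login because the $external user is named `kim`, not `kim@dba.example.com`. Keep the names in $external identical to what clients send, not to the DN the mapping produces.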

To use LDAP for authentication via operating system libraries, specify the following settings as part of your mongod or mongos configuration file:

Option: security.ldap.servers

Quote-enclosed, comma-separated list of LDAP servers in host[:port] format.

Required: YES

Option: security.ldap.bind.method

Used to specify the method the mongod or mongos uses to authenticate, or bind, to the LDAP server. Specify sasl to use one of the SASL protocols defined in security.ldap.bind.saslMechanisms.

Defaults to simple.

Required: NO, unless using sasl for binding to the LDAP server.

Option: security.ldap.bind.saslMechanisms

Used to specify the SASL mechanisms the mongod or mongos can use when authenticating or binding to the LDAP server. MongoDB and the LDAP server must agree on at least one SASL mechanism.

Defaults to DIGEST-MD5.

Required: NO, unless setting method to sasl and you need different or additional SASL mechanisms.

Option: security.ldap.bind.queryUser

The LDAP entity, identified by its distinguished name (DN) or SASL name, with which the MongoDB server authenticates, or binds, when connecting to an LDAP server.

Use with queryPassword.

The user specified must have the appropriate privileges to execute queries on the LDAP server.

Required: NO, unless specifying a query as part of a userToDNMapping transformation, or if the LDAP server's security settings disallow anonymous binds.

Option: security.ldap.bind.queryPassword

The password used to authenticate to an LDAP server when using queryUser.

Required: NO, unless specifying queryUser.

Option: security.ldap.bind.useOSDefaults

Windows MongoDB deployments can use the operating system credentials in place of queryUser and queryPassword for authenticating or binding when connecting to the LDAP server.

Required: NO, unless replacing queryUser and queryPassword.

Option: security.ldap.userToDNMapping

Clients may authenticate using a username whose format is incompatible with the format expected by the configured bind method. For example, simple binding may require a full LDAP DN, while the username used to authenticate to MongoDB might be an e-mail address.

userToDNMapping allows MongoDB to transform incoming usernames into a format compatible with your LDAP schema. MongoDB supports transformations using either a substitution template or an LDAP query template.

If you specify a userToDNMapping transformation that uses LDAP queries as part of the transformation, you must also specify a queryUser with the appropriate level of permissions on the LDAP server.

Required: NO, unless clients authenticate using usernames that require transformation.

LDAP Authentication via saslauthd

Warning

MongoDB Enterprise for Windows does not support binding via saslauthd.

Considerations

  • Linux MongoDB servers support binding to an LDAP server via the saslauthd daemon.
  • Use secure encrypted or trusted connections between clients and the server, as well as between saslauthd and the LDAP server. The LDAP server uses the SASL PLAIN mechanism, sending and receiving data in plain text. You should use only a trusted channel such as a VPN, a connection encrypted with TLS/SSL, or a trusted wired network.

Configuration

To configure the MongoDB server to bind to the LDAP server via saslauthd, start the mongod using either the following command line options or the following configuration file settings:

Include any other command line options required for your deployment. For complete documentation on mongod command line options, see mongod.

Include any other configuration file settings required for your deployment. For complete documentation on configuration files, see YAML configuration file.

You need to create or update the saslauthd.conf file with the parameters appropriate for your LDAP server. Documenting saslauthd.conf is out of scope for this documentation.

Important

The parent directory of the saslauthd Unix domain socket file specified to security.sasl.saslauthdSocketPath or --setParameter saslauthdPath must grant read and execute (r-x) permissions to either:

  • The user starting the mongod or mongos, or
  • A group to which that user belongs.

The mongod or mongos cannot successfully authenticate via saslauthd without the specified permission on the saslauthd directory and its contents.

The following tutorials provide basic information on configuring saslauthd.conf to work with two popular LDAP services:

Please see the documentation for saslauthd as well as for your specific LDAP service for guidance.

Connect to a MongoDB server via LDAP authentication

To authenticate to a MongoDB server via LDAP authentication, use db.auth() on the $external database with the following parameters:

Option: username

The username to authenticate as.

Option: password

The password to authenticate with.

Option: mechanism

Set to PLAIN.
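Drivers express the same three parameters as connection-string options rather than a db.auth() call. The following added example (written for this page, not MongoDB's own code) builds such a URI with authMechanism=PLAIN and authSource=$external, percent-encodes the credentials so that an e-mail style username such as sam@dba.example.com does not break the URI, and parses the result back to confirm the round trip. The host, username and password are constructed values; the tls=true option reflects the page's advice to carry the PLAIN mechanism only over an encrypted or trusted channel.

```javascript
// Build a driver connection string for LDAP (SASL PLAIN) authentication on $external.
// Constructed example; not the MongoDB driver's own code.
function ldapConnectionUri({ host, username, password, tls = true }) {
  // '@', ':' and '/' inside the username or password would otherwise be parsed as
  // URI structure, so both are percent-encoded. The driver decodes them again.
  const user = encodeURIComponent(username);
  const pass = encodeURIComponent(password);
  const options = ['authMechanism=PLAIN', 'authSource=$external'];
  if (tls) options.push('tls=true'); // PLAIN sends the password in clear text; keep it on TLS
  return `mongodb://${user}:${pass}@${host}/?${options.join('&')}`;
}

// Parse a URI back into its parts to verify what the driver would see.
function parseMongoUri(uri) {
  const u = new URL(uri);
  return {
    username: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
    host: u.host,
    params: Object.fromEntries(u.searchParams),
  };
}

const uri = ldapConnectionUri({
  host: 'mongo.example.com:27017',          // constructed host
  username: 'sam@dba.example.com',          // the page's example LDAP user
  password: 'p:ss/w@rd',                    // constructed password with URI-significant characters
});
console.log(uri);
console.log(parseMongoUri(uri));
```

The parsed output shows the username restored to sam@dba.example.com and authSource equal to $external, which is what the server needs to look the user up in the right database after the LDAP bind succeeds.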