LDAP Proxy Authentication

Connection Pool

Starting in version 4.2.0, when connecting to the LDAP server for authentication/authorization, MongoDB, by default:

• Uses connection pooling if run:
  • on Windows or
  • on Linux where MongoDB Enterprise binaries are linked against libldap_r.
• Does not use connection pooling if run:
  • on Linux where MongoDB Enterprise binaries are linked against libldap.

To change the connection pooling behavior, update the ldapUseConnectionPool parameter.

saslauthd and Directory Permissions

libldap and libldap_r

For MongoDB 4.2 Enterprise binaries linked against libldap (such as when running on RHEL), access to the libldap is synchronized, incurring some performance/latency costs.

For MongoDB 4.2 Enterprise binaries linked against libldap_r, there is no change in behavior from earlier MongoDB versions.

Managing LDAP Users on the MongoDB server

User management requires managing users both on the LDAP server and the MongoDB server. For each user authenticating via LDAP, MongoDB requires a user on the $external database whose name exactly matches the authentication username. Changes to a user on the LDAP server may require changes to the corresponding MongoDB $external user.

To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.

To manage users on the MongoDB server, you must authenticate as an LDAP user whose corresponding MongoDB $external user has user administrative privileges on the $external database, such as those provided by userAdmin.

Managing existing non-LDAP users

If there are existing users not on the $external database, you must meet the following requirements for each user to ensure continued access:

• User has a corresponding user object on the LDAP server
• User exists on the $external database with equivalent roles and privileges

If you want to continue allowing access by users not on the $external database, you must configure setParameter authenticationMechanisms to include SCRAM-SHA-1 and/or SCRAM-SHA-256 as appropriate. Users must then specify --authenticationMechanism SCRAM-SHA-1 or SCRAM-SHA-256 when authenticating.

Deploying LDAP authentication on a replica set

For replica sets, configure LDAP authentication on secondary and arbiter members first before configuring the primary. This also applies to shard replica sets, or config server replica sets. Configure one replica set member at a time to maintain a majority of members for write availability.

Deploying LDAP authentication on a sharded cluster

In sharded clusters, you must configure LDAP authentication on the config servers and each mongos for cluster-level users. You can optionally configure LDAP authorization on each shard for shard-local users.

Considerations

• Linux MongoDB servers support binding to an LDAP server via the saslauthd daemon.
• Use secure encrypted or trusted connections between clients and the server, as well as between saslauthd and the LDAP server. The LDAP server uses the SASL PLAIN mechanism, sending and receiving data in plain text. You should use only a trusted channel such as a VPN, a connection encrypted with TLS/SSL, or a trusted wired network.

Configuration

To configure the MongoDB server to bind to the LDAP server using via saslauthd, start the mongod using either the following command line options or the following configuration file settings:

You need to create or update the saslauthd.conf file with the parameters appropriate for your LDAP server. Documenting saslauthd.conf is out of scope for this documentation.

The following tutorials provide basic information on configuring saslauthd.conf to work with two popular LDAP services:

• Authenticate Using SASL and LDAP with OpenLDAP
• Authenticate Using SASL and LDAP with ActiveDirectory

Please see the documentation for saslauthd as well as your specific LDAP service for guidance.