LDAP Authorization
MongoDB Enterprise supports querying an LDAP server for the LDAP groups to which the authenticated user belongs. MongoDB maps the distinguished name (DN) of each returned group to a role on the admin database. MongoDB authorizes the user based on the mapped roles and their associated privileges. See LDAP Authorization for more information.
The LDAP Authorization process is summarized below:
1. A client connects to MongoDB and performs authentication with any authentication mechanism that supports external authentication. To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.
2. MongoDB binds to the LDAP server specified with security.ldap.servers using the credentials specified with security.ldap.bind.queryUser and security.ldap.bind.queryPassword. MongoDB uses simple binding by default, but can use sasl binding instead if configured in security.ldap.bind.method and security.ldap.bind.saslMechanisms.
3. MongoDB constructs an LDAP query using the security.ldap.authz.queryTemplate and queries the LDAP server for the authenticated user's group membership. MongoDB can use the security.ldap.userToDNMapping option to transform the username to support the query template.
4. The LDAP server evaluates the query and returns the list of groups to which the authenticated user belongs.
5. MongoDB authorizes the user to perform actions on the server by mapping each returned group's Distinguished Name (DN) to a role on the admin database. If a returned group DN exactly matches the name of an existing role on the admin database, MongoDB grants the user the roles and privileges assigned to that role. See MongoDB Roles for LDAP Authorization for more information.
6. The client can perform actions on the MongoDB server which require the roles or privileges granted to the authenticated user.
7. At an interval defined by ldapUserCacheInvalidationInterval, MongoDB flushes the $external cache. Prior to executing subsequent operations performed by externally authorized users, MongoDB re-acquires their group membership from the LDAP server.
Considerations
A full description of LDAP is beyond the scope of this documentation. This page assumes prior knowledge of LDAP.
This documentation only describes MongoDB LDAP authorization, and does not replace other resources on LDAP. We encourage you to thoroughly familiarize yourself with LDAP and its related subject matter before configuring LDAP authentication.
MongoDB can provide professional services for optimal configuration of LDAP authorization for your MongoDB deployment.
Compatible Authentication Mechanisms
MongoDB supports LDAP authorization with the following authentication methods: LDAP authentication, x.509 authentication, and Kerberos authentication.
With this configuration, MongoDB uses LDAP authorization together with LDAP, X.509, or Kerberos authentication to authenticate client connections.
Connection Pool
Starting in version 4.2.0, when connecting to the LDAP server for authentication/authorization, MongoDB, by default:
- Uses connection pooling if run on Windows, or on Linux where MongoDB Enterprise binaries are linked against libldap_r.
- Does not use connection pooling if run on Linux where MongoDB Enterprise binaries are linked against libldap.
To change the connection pooling behavior, update the ldapUseConnectionPool parameter.
libldap and libldap_r
For MongoDB 4.2 Enterprise binaries linked against libldap (such as when running on RHEL), access to libldap is synchronized, incurring some performance/latency costs.
For MongoDB 4.2 Enterprise binaries linked against libldap_r, there is no change in behavior from earlier MongoDB versions.
User Management
With LDAP authorization, user creation and management occurs on the LDAP server. MongoDB requires creation of roles on the admin database, with the name of each role exactly matching an LDAP group Distinguished Name (DN). This is in contrast to MongoDB managed authorization, which requires creating users on the $external database.
To manage roles on the MongoDB server, authenticate as a user whose group membership corresponds to an admin database role with role administration privileges, such as those provided by userAdmin. Create or update roles corresponding to LDAP group DNs such that users with membership in that group receive the appropriate roles and privileges.
For example, an LDAP group for database administrators might have a role with administrative roles and privileges. An LDAP group for marketing or analytics users may have a role with only read privileges on certain databases.
When configuring a role for a corresponding LDAP group, remember that all users with membership in that group can receive the configured roles and privileges. Consider applying the principle of least privilege when configuring MongoDB roles, LDAP groups, or group membership.
If no role with role administration privileges exists AND no non-$external user with these privileges exists, you effectively cannot perform user management, as no new or existing roles can be altered to reflect additions or changes to groups or group membership on the LDAP server.
To remedy a scenario where you cannot manage roles on the MongoDB server, perform the following procedure:
1. Restart the MongoDB server without authentication and LDAP authorization.
2. Create a role on the admin database whose name corresponds to the appropriate LDAP group Distinguished Name. When choosing a group DN, consider which group is most appropriate for database administration.
3. Restart the MongoDB server with authentication and LDAP authorization.
4. Authenticate as a user with membership in the group corresponding to the created administrative role.
Existing Users
A MongoDB server using LDAP for authorization makes any existing users on the $external database inaccessible. If there are existing users in the $external database, you must meet the following requirements for each user on the $external database to ensure continued access:
- The user has a corresponding user object on the LDAP server.
- The user object has membership in the appropriate LDAP groups.
- MongoDB has roles on the admin database named for the user's LDAP groups, such that the granted roles and privileges are identical to those granted to the non-$external user.
If you want to continue allowing access by users not on the $external database, ensure the authenticationMechanisms parameter includes SCRAM-SHA-1 and/or SCRAM-SHA-256 as appropriate. Alternatively, apply the requirements listed above for transitioning those users to LDAP authorization.
Replica Sets
For replica sets, configure LDAP authorization on the secondary and arbiter members first, before configuring the primary. This also applies to shard replica sets and config server replica sets. Configure one replica set member at a time to maintain a majority of members for write availability.
Sharded Clusters
In sharded clusters, you must configure LDAP authorization on the config servers for cluster-level users. You can optionally configure LDAP authorization on each shard for shard-local users.
Configuration
You must configure the following settings to use LDAP authorization. To use LDAP for authorization via operating system libraries, specify these settings as a part of your mongod or mongos configuration file:
Setting | Description | Required |
security.ldap.servers | Comma-separated list of LDAP servers, in host[:port] format. | YES |
security.ldap.authz.queryTemplate | An RFC4515/RFC4516 formatted LDAP query URL, executed against the configured servers, that retrieves the authenticated user's group membership. mongod supports this parameter. mongos defers to this setting as configured on its config servers. | YES |
security.ldap.bind.queryUser | The identity MongoDB binds as when connecting to the LDAP server and running the LDAP query generated from queryTemplate. Use together with queryPassword. | YES |
security.ldap.bind.queryPassword | The password used to bind to an LDAP server when using queryUser. | YES |
security.ldap.bind.method | Used to specify the method the mongod or mongos uses to authenticate, or bind, to the LDAP server. Specify sasl to use one of the SASL protocols defined in security.ldap.bind.saslMechanisms. Defaults to simple. | NO, unless using sasl for binding to the LDAP server. |
security.ldap.bind.saslMechanisms | Used to specify the SASL mechanisms mongod or mongos can use when authenticating or binding to the LDAP server. MongoDB and the LDAP server must agree on at least one SASL mechanism. Defaults to DIGEST-MD5. | NO, unless setting method to sasl, and you need different or additional SASL mechanisms. |
security.ldap.bind.useOSDefaults | Windows MongoDB deployments can use the operating system credentials in place of queryUser and queryPassword for authenticating or binding when connecting to the LDAP server. | NO, unless replacing queryUser and queryPassword. |
security.ldap.userToDNMapping | Depending on your queryTemplate, the authenticated client username may require transformation to support the LDAP query URL. userToDNMapping allows MongoDB to transform incoming usernames. | NO, unless client usernames require transformation into LDAP DNs. |
When you have configured LDAP authorization, restart mongod or mongos. The server now uses LDAP authorization with X.509, Kerberos, or LDAP to authenticate client connections.
LDAP Query Template
MongoDB uses the security.ldap.authz.queryTemplate to create an RFC4516 formatted LDAP query URL. In the template, you can use either:
- the {USER} placeholder, to substitute the authenticated username into the LDAP query URL. If MongoDB transformed the username using userToDNMapping, MongoDB replaces the {USER} token with the transformed username when constructing the LDAP query URL.
- the {PROVIDED_USER} placeholder, to substitute the supplied username, i.e. before either authentication or LDAP transformation, into the LDAP query.
Design the query template to retrieve the user's groups.
The following query template returns any groups listed in the LDAP user object's memberOf attribute. This query assumes the memberOf attribute exists; your specific LDAP deployment may use a different attribute or methodology for tracking group membership. This query also assumes the user authenticates using their full LDAP DN as their username.
"{USER}?memberOf?base"
The LDAP query URL must conform to the format defined in RFC4516:
[ dn [ ? [attributes] [ ? [scope] [ ? [filter] [ ? [Extensions] ] ] ] ] ]
Consider the definition of each component, as quoted from RFC4516:
- The dn is an LDAP Distinguished Name using the string format described in RFC4514. It identifies the base object of the LDAP search or the target of a non-search operation.
- The attributes construct is used to indicate which attributes should be returned from the entry or entries.
- The scope construct is used to specify the scope of the search to perform in the given LDAP server. The allowable scopes are "base" for a base object search, "one" for a one-level search, or "sub" for a subtree search.
- The filter is used to specify the search filter to apply to entries within the specified scope during the search. It has the format specified in [RFC4515].
- The extensions construct provides the LDAP URL with an extensibility mechanism, allowing the capabilities of the URL to be extended in the future.
If the query includes an attribute, MongoDB assumes the query retrieves the DNs of the groups of which this entity is a member.
If the query does not include an attribute, MongoDB assumes the query retrieves all entities of which the user is a member.
MongoDB currently ignores any extensions specified in the LDAP query.
A full description of RFC4516 or LDAP query URL construction is out of scope for this documentation.
Tutorials
The following tutorials contain procedures for connecting to an LDAP server via the Operating System LDAP libraries:
Connecting to a MongoDB server using LDAP Authorization
When using LDAP for authorization, users connecting via mongosh must:
- set --authenticationDatabase to $external.
- set --authenticationMechanism to the appropriate authentication mechanism. If using LDAP authentication, set this to PLAIN. If using Kerberos authentication, set this to GSSAPI. If using x.509, set this to MONGODB-X509.
- set --username to a username that respects the security.ldap.authz.queryTemplate, or any configured security.ldap.userToDNMapping template.
- set --password to the appropriate password.
Include the --host and --port of the MongoDB server, along with any other options relevant to your deployment.
For example, the following operation authenticates to a MongoDB server running with LDAP authentication and authorization:
mongosh --username alice@dba.example.com --password --authenticationDatabase '$external' --authenticationMechanism "PLAIN" --host "mongodb.example.com" --port 27017
If you do not specify the password to the --password command-line option, mongosh prompts for the password.
The $external argument must be placed in single quotes, not double quotes, to prevent the shell from interpreting $external as a variable.
MongoDB Roles for LDAP Authorization
MongoDB maps each group distinguished name (DN) returned by the LDAP query to a role on the admin database.
If MongoDB acquires a group whose DN exactly matches the name of an existing role, MongoDB grants the authenticated user the roles and privileges associated with that role. If MongoDB cannot map any of the returned groups to a role, MongoDB grants no privileges to the user.
LDAP and Kerberos authentication normally require creating users in the $external database. If you also use LDAP for authorization, you do not need to create users in the $external database. You only need to create the appropriate roles in the admin database. Users still authenticate against the $external database.
If you are using LDAP for authorization and your LDAP group DNs contain RFC4514 escaped sequences, the roles you create in the admin database must also be escaped following RFC4514.
A database has the following roles configured on the admin database:
{
role: "CN=dba,CN=Users,DC=example,DC=com",
privileges: [],
roles: [ "dbAdminAnyDatabase", "clusterAdmin" ]
}
{
role: "CN=analytics,CN=Users,DC=example,DC=com",
privileges: [],
roles: [
{ role : "read", db : "web_statistics" },
{ role : "read", db : "user_statistics" }
]
}
After authenticating a user alice@dba.example.com against the $external database, the MongoDB server performs a query derived from the configured query template to retrieve the groups which include the authenticated user as a member. In this example, the MongoDB server retrieves the following group DNs for the user:
dn:CN=dba,CN=Users,dc=example,dc=com
dn:CN=admin,CN=Users,dc=example,dc=com
MongoDB maps these group DNs to roles on the admin database. The first group DN matches the first role, and MongoDB grants the authenticated user its roles and privileges. The second group DN does not match any role on the server, so MongoDB grants no additional permissions.
A new user bob@analytics.example.com authenticates against the $external database. The MongoDB server repeats the query process, using the provided username in the query template. In this example, the MongoDB server retrieves the following group DNs for the user:
dn:cn=analytics,CN=Users,dc=example,dc=com
MongoDB maps these group DNs to roles on the admin database and grants the authenticated user the roles and privileges of the second role.
A new user workstation@guest.example.com authenticates against the $external database. The MongoDB server repeats the query process, using the provided username in the query template. In this example, the MongoDB server retrieves the following group DNs for the user:
dn:cn=guest,CN=Users,dc=example,dc=com
MongoDB maps the group to a role on the admin database and, because no matching role exists, grants the user no additional permissions.