Starting in MongoDB 8.0, LDAP authentication and authorization are deprecated. LDAP is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.
You should plan to migrate from LDAP to an alternative authentication method.
Full LDAP migration information will be available in the future.
Details
The following sections introduce alternative authentication methods for self-managed MongoDB Enterprise Advanced, MongoDB Atlas, and MongoDB Atlas for Government.
Self-Managed MongoDB Enterprise Advanced
For human user access, MongoDB recommends migrating from LDAP to Workforce Identity Federation (OIDC authentication). Workforce Identity Federation allows single sign-on (SSO) access to your self-managed MongoDB databases using any identity provider that supports OIDC, such as Microsoft Active Directory Federation Services (ADFS), Microsoft Entra ID, Okta, and Ping Identity.
For programmatic users, MongoDB recommends migrating from LDAP to Workload Identity Federation. With Workload Identity Federation, your applications can use databases with OAuth 2.0 access tokens provided by your authorization service.
You can also use cloud provider principals such as Microsoft Azure Managed Identities and Google Cloud Platform (GCP) service accounts. If you cannot use Workload Identity Federation, MongoDB recommends you use X.509 certificate authentication.
To configure Workforce Identity Federation (OIDC authentication) with the MongoDB server, see Configure MongoDB with Workforce Identity Federation.
To configure Workload Identity Federation (OAuth 2.0) with the MongoDB server, see Configure MongoDB with Workload Identity Federation.
To configure Workforce and Workload Identity Federation with MongoDB Cloud Manager, see Enable Authentication and Authorization with Cloud Manager.
To configure Workforce and Workload Identity Federation with MongoDB Ops Manager, see Enable Authentication and Authorization with Ops Manager.
Some of the advantages of Workforce and Workload Identity Federation compared to LDAP for a self-managed MongoDB deployment are:
- No credentials stored in MongoDB: The LDAP bind user credentials are stored in MongoDB. With Workforce or Workload Identity Federation, MongoDB doesn't store credentials or secrets that grant access to user directories.
- Reduced cross-application risk: In an LDAP connection, the user's LDAP credentials are sent to MongoDB within the connection string, which is a risk for cross-application access. With Workforce and Workload Identity Federation, MongoDB never receives a secret. OIDC and OAuth 2.0 grant access tokens for specific resources using audience claims. If a token is compromised, it cannot be used to access other applications.
- Improved security with access tokens: Identity Federation grants access through short-term access tokens, which improves security when compared to LDAP. Access tokens are typically valid for one hour. The time period can usually be customized based on the identity provider.
- Authentication without passwords for application users: If your applications are running in the cloud, Workload Identity Federation supports authentication without passwords for applications running on specific cloud resources. This eliminates periodically renewing credentials.
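The audience-claim and token-lifetime points in the list above (repeated for Atlas in the next section) in working form, as an added example that is not MongoDB's code: a constructed token with hypothetical issuer, audience and signing key values is accepted only by the resource named in its aud claim and only before its exp. The example signs with HS256 for self-containment; real OIDC providers usually sign with RS256 and publish keys via JWKS, but the aud and exp checks a resource server performs are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (placeholder); a real IdP would use an asymmetric key.
SECRET = b"constructed-demo-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audience: str, lifetime_s: int = 3600, now=None) -> str:
    """Issue a short-lived token scoped to one resource via the aud claim."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "https://idp.example", "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime_s}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, expected_aud: str, now=None) -> tuple:
    """Return (accepted, reason_or_subject). Checks signature, then aud, then exp."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    # aud binds the token to one resource: a token issued for another
    # application is refused even though its signature is valid.
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        return False, "expired"
    return True, claims["sub"]
```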
MongoDB Atlas and Atlas for Government
For human user access, MongoDB recommends migrating from LDAP to Workforce Identity Federation (OIDC authentication). Workforce Identity Federation allows single sign-on (SSO) access to your Atlas clusters with any identity provider that supports OIDC, such as Microsoft Entra ID, Okta, and Ping Identity.
For programmatic users, MongoDB recommends migrating from LDAP to Amazon AWS-IAM authentication or Workload Identity Federation. If your applications are running on AWS resources, you can use AWS-IAM authentication to access your MongoDB Atlas clusters with AWS-IAM roles.
If your applications are running on Microsoft Azure or Google Cloud Platform systems, you can use Workload Identity Federation to access Atlas clusters with Microsoft Azure Managed Identities or Google Cloud Platform Service Accounts. If you cannot use AWS-IAM or Workload Identity Federation, MongoDB recommends using X.509 certificate authentication.
To get started with Workforce and Workload Identity Federation, see Authentication and Authorization with OIDC/OAuth 2.0 in Atlas.
To get started with AWS-IAM authentication, see Set Up Authentication with AWS-IAM.
Some of the advantages of Workforce and Workload Identity Federation compared to LDAP in Atlas are:
- Improved network security: LDAP requires a public Fully Qualified Domain Name (FQDN), which creates a potential firewall vulnerability. With Workforce Identity Federation, you can use an Internet-connected Identity Provider (IdP) and synchronize part of the user directory to that IdP.
- Improved credentials handling: Unlike LDAP, user credentials aren't sent to or stored in MongoDB when using Workforce or Workload Identity Federation.
- Modern authentication policies for human users: Workforce Identity Federation authenticates users through the IdP, which enables the use of modern authentication policies.
- Simple configuration: LDAP users require a complex network configuration for Atlas. Identity Federation has a simpler configuration.
- Improved security with access tokens: Workforce and Workload Identity Federation and AWS-IAM authentication grant access through short-term access tokens, which improves security when compared to LDAP. Access tokens are typically valid for one hour. The time period can usually be customized based on the identity provider.
- Authentication without passwords for application users: Workload Identity Federation supports authentication without passwords for applications running on specific cloud resources. This eliminates periodically renewing credentials.
- Cost efficiency: For Atlas Developer and Pro support, LDAP has a fee as part of the Advanced Security package. Workforce and Workload Identity Federation don't have an additional fee.
For pricing, see: