    Percona Server for MongoDB 4.2

    Set up LDAP authentication and authorization using NativeLDAP¶

    This document describes an example configuration of LDAP authentication and authorization using direct binding to an LDAP server (Native LDAP). We recommend testing this setup in a non-production environment first, before applying it in production.

    Assumptions¶

    1. The setup of an LDAP server is out of the scope of this document. We assume that you are familiar with the LDAP server schema.

    2. You have the LDAP server up and running and it is accessible to the servers with Percona Server for MongoDB installed.

    3. This document primarily focuses on OpenLDAP used as the LDAP server and the examples are given based on the OpenLDAP format. If you are using Active Directory, refer to the Active Directory configuration section.

    4. You have the sudo privilege on the server with Percona Server for MongoDB installed.

    Prerequisites¶

    • In this setup we use anonymous binds to the LDAP server. If your LDAP server disallows anonymous binds, create the user that Percona Server for MongoDB will use to connect to and query the LDAP server. Define this user’s credentials for the security.ldap.bind.queryUser and security.ldap.bind.queryPassword parameters in the mongod.conf configuration file.

    • In this setup, we use the following OpenLDAP groups:

    dn: cn=testusers,dc=percona,dc=com
    objectClass: groupOfNames
    cn: testusers
    member: cn=alice,dc=percona,dc=com
    
    dn: cn=otherusers,dc=percona,dc=com
    objectClass: groupOfNames
    cn: otherusers
    member: cn=bob,dc=percona,dc=com
    

    Setup procedure¶

    Configure TLS/SSL connection for Percona Server for MongoDB¶

    By default, Percona Server for MongoDB establishes a TLS connection when binding to the LDAP server and thus requires access to the CA certificate that signed the LDAP server's certificate. To make Percona Server for MongoDB aware of the certificate, do the following:

    1. Place the certificate in the certs directory. The path to the certs directory is:

      • On Debian / Ubuntu: /etc/ssl/certs/

      • On RHEL / CentOS: /etc/openldap/certs/

    2. Specify the path to the certificates in the ldap.conf file:

      On Debian / Ubuntu:

      tee -a /etc/openldap/ldap.conf <<EOF
      TLS_CACERT /etc/ssl/certs/my_CA.crt
      EOF

      On RHEL / CentOS:

      tee -a /etc/openldap/ldap.conf <<EOF
      TLS_CACERT /etc/openldap/certs/my_CA.crt
      EOF
      

    Create roles for LDAP groups in Percona Server for MongoDB¶

    Percona Server for MongoDB authorizes users based on LDAP group membership. For every group, you must create a role in the admin database whose name exactly matches the DN of the LDAP group.

    Percona Server for MongoDB maps the user's LDAP groups to these roles to determine which roles the user holds, and then grants the privileges defined by those roles.

    To create the roles, use the following command:

    // Roles live in the admin database; the role name must exactly match the group DN.
    var admin = db.getSiblingDB("admin")

    admin.createRole(
       {
         role: "cn=testusers,dc=percona,dc=com",
         privileges: [],
         roles: [ "readWrite" ]
       }
    )
    
    admin.createRole(
       {
         role: "cn=otherusers,dc=percona,dc=com",
         privileges: [],
         roles: [ "read" ]
       }
    )
    

    Percona Server for MongoDB configuration¶

    Access without username transformation¶

    This section assumes that users connect to Percona Server for MongoDB by providing their LDAP DN as the username.

    1. Edit the Percona Server for MongoDB configuration file (by default, /etc/mongod.conf) and specify the following configuration:

      security:
        authorization: "enabled"
        ldap:
          servers: "ldap.example.com"
          transportSecurity: tls
          authz:
             queryTemplate: "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={PROVIDED_USER}))"
      
      setParameter:
        authenticationMechanisms: "PLAIN"
      

      The {PROVIDED_USER} variable is replaced with the username exactly as the client provided it, before authentication and before any username transformation takes place.

      Replace ldap.example.com with the hostname of your LDAP server. In the LDAP query template, replace the domain components (DC) percona and com with those relevant to your organization.

    2. Restart the mongod service:

      $ sudo systemctl restart mongod
      
    3. Test the access to Percona Server for MongoDB:

      $ mongo -u "cn=alice,dc=percona,dc=com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
      

    Access with username transformation¶

    If users connect to Percona Server for MongoDB with usernames that are not LDAP DNs, you need to transform these usernames into a form the LDAP server accepts.

    The userToDNMapping configuration parameter (--ldapUserToDNMapping on the command line) allows you to do this. You specify a match pattern as a regular expression that captures parts of the username. Next, you specify how to transform it: either with a substitution value or by querying the LDAP server for the user's DN.

    If you don't know what the substitution or LDAP query string should be, please consult your LDAP administrators to figure this out.

    Note that each mapping entry can use only the substitution or the ldapQuery stage; combining the two in one entry is not allowed.

    Access with username transformation using a substitution value:

    1. Edit the Percona Server for MongoDB configuration file (by default, /etc/mongod.conf) and specify the userToDNMapping parameter:

      security:
        authorization: "enabled"
        ldap:
          servers: "ldap.example.com"
          transportSecurity: tls
          authz:
             queryTemplate: "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
          userToDNMapping: >-
                [
                  {
                    match: "([^@]+)@percona\\.com",
                    substitution: "CN={0},DC=percona,DC=com"
                  }
                ]
      
      setParameter:
        authenticationMechanisms: "PLAIN"
      

      The {USER} variable is replaced with the username after it has been transformed during the userToDNMapping stage.

      Modify the given example configuration to match your deployment.

    2. Restart the mongod service:

      $ sudo systemctl restart mongod
      
    3. Test the access to Percona Server for MongoDB:

      $ mongo -u "alice@percona.com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
      
    Access with username transformation using an LDAP query:

    1. Edit the Percona Server for MongoDB configuration file (by default, /etc/mongod.conf) and specify the userToDNMapping parameter:

      security:
        authorization: "enabled"
        ldap:
          servers: "ldap.example.com"
          transportSecurity: tls
          authz:
             queryTemplate: "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
          userToDNMapping: >-
                [
                  {
                    match: "([^@]+)@percona\\.com",
                    ldapQuery: "dc=percona,dc=com??sub?(&(objectClass=organizationalPerson)(cn={0}))"
                  }
                ]
      
      setParameter:
        authenticationMechanisms: "PLAIN"
      

      The {USER} variable is replaced with the username after it has been transformed during the userToDNMapping stage.

      Modify the given example configuration to match your deployment. For example, replace ldap.example.com with the hostname of your LDAP server. Replace the domain components (DC) percona and com with those relevant to your organization. Depending on your LDAP schema, further modifications of the LDAP query may be required.

    2. Restart the mongod service:

      $ sudo systemctl restart mongod
      
    3. Test the access to Percona Server for MongoDB:

      $ mongo -u "alice" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
      

    Active Directory configuration¶

    Microsoft Active Directory uses a different schema for user and group definition. To illustrate Percona Server for MongoDB configuration, we will use the following AD users:

    dn: CN=alice,CN=Users,DC=testusers,DC=percona,DC=com
    userPrincipalName: alice@testusers.percona.com
    memberOf: CN=testusers,CN=Users,DC=percona,DC=com
    
    dn: CN=bob,CN=Users,DC=otherusers,DC=percona,DC=com
    userPrincipalName: bob@otherusers.percona.com
    memberOf: CN=otherusers,CN=Users,DC=percona,DC=com
    

    The following are the respective AD groups:

    dn: CN=testusers,CN=Users,DC=percona,DC=com
    member: CN=alice,CN=Users,DC=testusers,DC=example,DC=com
    
    dn: CN=otherusers,CN=Users,DC=percona,DC=com
    member: CN=bob,CN=Users,DC=otherusers,DC=example,DC=com
    

    Use one of the given Percona Server for MongoDB configurations for user authentication and authorization in Active Directory. The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) in the query templates makes Active Directory resolve nested group membership, so a user also receives the roles of groups that contain one of their groups.

    Access without username transformation:

    1. Edit the /etc/mongod.conf configuration file:

      security:
        authorization: "enabled"
        ldap:
          servers: "ldap.example.com"
          authz:
            queryTemplate: "DC=percona,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={PROVIDED_USER}))"
      
      setParameter:
        authenticationMechanisms: "PLAIN"
      
    2. Restart the mongod service:

      $ sudo systemctl restart mongod
      
    3. Test the access to Percona Server for MongoDB:

      $ mongo -u "CN=alice,CN=Users,DC=testusers,DC=percona,DC=com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
      
    Access with username transformation using a substitution value:

    1. Edit the /etc/mongod.conf configuration file:

      security:
        authorization: "enabled"
        ldap:
          servers: "ldap.example.com"
          authz:
            queryTemplate: "DC=percona,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
          userToDNMapping: >-
                [
                  {
                    match: "([^@]+)@([^\\.]+)\\.percona\\.com",
                    substitution: "CN={0},CN=Users,DC={1},DC=percona,DC=com"
                  }
                ]
      
      setParameter:
        authenticationMechanisms: "PLAIN"
      
    2. Restart the mongod service:

      $ sudo systemctl restart mongod
      
    3. Test the access to Percona Server for MongoDB:

      $ mongo -u "alice@testusers.percona.com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
      
    Access with username transformation using an LDAP query:

    1. Edit the /etc/mongod.conf configuration file:

      security:
        authorization: "enabled"
        ldap:
          servers: "ldap.example.com"
          authz:
            queryTemplate: "DC=percona,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
          userToDNMapping: >-
                [
                  {
                    match: "(.+)",
                    ldapQuery: "dc=example,dc=com??sub?(&(objectClass=organizationalPerson)(userPrincipalName={0}))"
                  }
                ]
      
      setParameter:
        authenticationMechanisms: "PLAIN"
      
    2. Restart the mongod service:

      $ sudo systemctl restart mongod
      
    3. Test the access to Percona Server for MongoDB:

      $ mongo -u "alice@testusers.percona.com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
      

    Modify the chosen example configuration to match your deployment.
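    As an added example (not code from the Percona documentation), the following JavaScript models the two stages described in the configuration sections above for both the OpenLDAP and the Active Directory mappings: the userToDNMapping step (match regex, then substitution or ldapQuery, with {0} and {1} capture groups) and the authz queryTemplate with its {USER} and {PROVIDED_USER} placeholders. It assumes that the match regex must match the whole username, adds its own RFC 4515 / RFC 4514 escaping of the captured name, and does not simulate the LDAP round trip itself.

```javascript
// Added example, not from the Percona docs. Models userToDNMapping and the
// authz queryTemplate; a full-string "match" is this model's assumption.
// RFC 4515 escaping for a value placed in an LDAP search filter, so a name
// such as "a*)(cn=*" cannot widen the group or user lookup (example's own check).
function escapeFilterValue(value) {
  return value.replace(/[\\*()\0]/g, (c) => "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}
// RFC 4514 escaping for a value placed in a DN (the substitution case).
function escapeDnValue(value) {
  return value.replace(/([\\,+"<>;=#])/g, "\\$1").replace(/^ | $/g, "\\ ");
}
// Apply the first mapping entry whose regex matches. Returns { dn } for a
// substitution, { query } for an ldapQuery, or null when nothing matches.
function userToDN(username, mappings) {
  for (const m of mappings) {
    const groups = new RegExp("^(?:" + m.match + ")$").exec(username);
    if (!groups) continue;
    // {0}, {1}, ... are the capture groups, escaped for the target context.
    const fill = (tpl, esc) =>
      tpl.replace(/\{(\d+)\}/g, (_, i) => esc(groups[Number(i) + 1] || ""));
    if (m.substitution !== undefined) return { dn: fill(m.substitution, escapeDnValue) };
    if (m.ldapQuery !== undefined) return { query: fill(m.ldapQuery, escapeFilterValue) };
  }
  return null;
}

// Expand the authz queryTemplate: {PROVIDED_USER} is the name the client
// sent, {USER} the name after the userToDNMapping stage.
function expandQueryTemplate(template, providedUser, mappedUser) {
  return template
    .replace("{PROVIDED_USER}", () => escapeFilterValue(providedUser))
    .replace("{USER}", () => escapeFilterValue(mappedUser));
}

// The page's mapping variants, copied into JS object literals.
const OPENLDAP_SUBST = [{ match: "([^@]+)@percona\\.com",
  substitution: "CN={0},DC=percona,DC=com" }];
const AD_SUBST = [{ match: "([^@]+)@([^\\.]+)\\.percona\\.com",
  substitution: "CN={0},CN=Users,DC={1},DC=percona,DC=com" }];
const AD_QUERY = [{ match: "(.+)",
  ldapQuery: "dc=example,dc=com??sub?(&(objectClass=organizationalPerson)(userPrincipalName={0}))" }];
const GROUP_TEMPLATE = "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))";

// One login through both stages; returns the group filter the server would send,
// or null when the mapping fails or still needs an LDAP round trip (ldapQuery case).
function groupQueryFor(username, mappings) {
  const mapped = userToDN(username, mappings);
  if (!mapped || !mapped.dn) return null;
  return expandQueryTemplate(GROUP_TEMPLATE, username, mapped.dn);
}
```

    Note that alice@percona.com does not match the Active Directory substitution pattern, which expects the sub-domain captured as {1}; the test login for that configuration must therefore use the full userPrincipalName.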

    This document is based on the following posts from Percona Database Performance Blog:

    • Percona Server for MongoDB LDAP Enhancements: User-to-DN Mapping by Igor Solodovnikov
    • Authenticate Percona Server for MongoDB Users via Native LDAP by Ivan Groenewold

    Last update: December 8, 2022
    Created: December 8, 2022
    Percona LLC and/or its affiliates, © 2023