How to Configure LDAP Authentication for MongoDB

MongoDB
July 5, 2017 | Updated: April 30, 2019
#Customer Stories

This is a guest post from Tom Spitzer, Vice President, Engineering of EC Wise, Inc. To expand on the MongoDB LDAP documentation, the objective of this post is to elaborate on configuring LDAP authentication for MongoDB. We will use the Mini-Clinic application presented at MongoDB World ‘17 as the illustrative example.

Mini-Clinic Windows Active Directory (AD) Users and Groups

We start by creating AD users and groups for Mini-Clinic.

The SYSInternals ADExplorer tool is a useful utility enabling one to view these objects in AD. This seems to work from Windows accounts that should not have privileges on the AD database, so be careful in how you use it!

User objects

dn: CN=scott,CN=Users,DC=ecwise,DC=local
memberof: CN=Mongo Scheduler,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
dn: CN=page,CN=Users,DC=ecwise,DC=local
memberof: CN=Mongo Practitioner,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
dn: CN=parker,CN=Users,DC=ecwise,DC=local
memberof: CN=Mongo Pharmacist,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
dn: CN=Adam,CN=Users,DC=ecwise,DC=local
memberof: CN=Mongo Auditor,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
dn: CN=Duke,CN=Users,DC=ecwise,DC=local
memberof: CN=Mongo DBA,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local

Group objects

dc: CN=Mongo Scheduler,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=scott,CN=Users,DC=ecwise,DC=local
dc: CN=Mongo Practitioner,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=page,CN=Users,DC=ecwise,DC=local
dc: CN=Mongo Pharmacist,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=parker,CN=Users,DC=ecwise,DC=local
dc: CN=Mongo Auditor,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=Adam,CN=Users,DC=ecwise,DC=local
dc: CN=Mongo DBA,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local
member: CN=Duke,CN=Users,DC=ecwise,DC=local

Procedure

Configure TLS/SSL for the server running MongoDB

By default, the mongod process connects to AD via TLS/SSL. You can configure ldap.transportSecurity in the MongoDB configuration file to none to disable TLS/SSL.

ldap:
transportSecurity: none

This is not recommended for production, but it can be useful for debugging when running into configuration issues.

Ensure AD server is enabled with TLS/SSL

Use ldp.exe (part of the Windows Server Remote Server Admin toolkit) to verify if AD server is actively listening for SSL. Refer to this article on LDAP over SSL verification for in-depth guidance. For example:

server: cdcorpwindc01.ecwise.local
port: 636
SSL: true

If the response includes "Host supports SSL......Established connection", then the AD server is responding to requests coming in over SSL.

Configure LDAPS (LDAP over SSL)

Export the Root CA certificates from the AD server.

  1. Click Start, Administrative Tools, Certification Authority
  2. Right-click on your CA, and select Properties
  3. In the CA Properties window, click on View Certificate
  4. In the Certificate window, click the Details tab and click Copy to File
  5. In the Certificate Export Wizard window, click Next
  6. Select Base-64 encoded X.509 (.CER), and click Next
  7. Enter the export name (e.g., c:\corpRootCa.cer), and click Next 8 Click Finish
  8. Copy certificate to the Linux server (assuming that MongoDB is running on a Linux server), for example, to /etc/openldap/certs

Note: step 6 is very important. If the certificate is not encoded with Base-64, it won't work for LDAPS. Edit /etc/openldap/ldap.conf, add a line.

TLS_CACERT /etc/openldap/certs/ecwise-root.cer

ecwise-root.cer is stored in /resource of the repo.

Specifying the TLS_CACERTDIR line is not essential here; TLS_CACERT takes the priority.

Use ldapsearch from the Linux MongoDB server to verify that LDAPS is working

ldapsearch -x -H ldaps://cdcorpwindc01.ecwise.local -b "DC=ecwise,DC=local" -D "CN=TM-EM, OU=Accounts,OU=Chengdu,OU=EC Wise Users,DC=ecwise,DC=local" -W

-b starting point to search
-D specifies the DC with which to authenticate to the server

Create User Administrative Role

MongoDB grants privileges to AD groups instead of AD users! We create MongoDB roles corresponding to AD groups, and add AD users into the AD groups. When the AD user logs into MongoDB they will be granted the role to which their AD group is assigned. Disable LDAP authentication, and execute the scripts below, which are in /init-script/create-user-administrative-role.js on the MongoDB server.

mongo create-user-administrative-role.js

var admin = db.getSiblingDB("admin")
admin.createRole(
    {
        role: "CN=Mongo DBA,OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local",
        privileges: [],
        roles: [ "userAdminAnyDatabase" ]
    }
)

Edit the MongoDB configuration file

The configuration should look like

security:
  authorization: "enabled"
  ldap:
  servers: "cdcorpwindc01.ecwise.local"
  userToDNMapping:
  '[
    {
     match: "(.+)",
     ldapQuery: "CN=Users,dc=ecwise,dc=local??sub?(sAMAccountName={0})"
     }
   ]'
  authz:
    queryTemplate: "OU=Groups,OU=EC Wise Users,DC=ecwise,DC=local??sub?(&(objectClass=group)(member={user_DN}))"
    bind:
      queryUser: "duke"
      queryPassword: "ecwise@123"
      setParameter:
      authenticationMechanisms: 'PLAIN'
DN=Distinguished name, see the <a href="https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx" target="_blank">Active Directory reference</a> for an explanation. (Of course, you will substitute your OU and DC designators for our EC Wise designators.)

Configure LDAP query template for authorization

Use queryTemplate to identify which groups the user belongs to. The queryTemplate pattern is:

(AD groups DN to search)??sub?(query condition)

So in our configuration, it means search all DNs under "OU=EC Wise Users,dc=ecwise,dc=local" and its property objectClass equals “group” and member equals the user’s DN.

** Transform incoming usernames for authentication via AD**

Usually, the user DN is not something a user enters directly. So userToDNMapping helps transform the username to a full LDAP DN, which the system will use as the user’s logical identifier.

The ldapQuery pattern is:

(AD users DN to search)??sub?(match condition)

So in our configuration, we are trying to find the user where property sAMAccountName equals user name under "CN=User,dc=ecwise,dc=local".

Configure query credentials

MongoDB requires credentials for performing a query on your Windows AD server. We’ll set up a single use account with this permission. To do so, we configure queryUser and queryPassword in the bind section to specify the user who has permission to perform query.

Create roles and users for Mini-clinic

Execute the script(init_script/init_ldap_role_user.js) in the repo with DBA user to create roles and users for Mini-clinic. 'mongo -u duke -p --authenticationMechanism PLAIN --authenticationDatabase $external init_ldap_role_user.js'

Hopefully this article has helped you to better understand how Windows Directory and LDAP can be configured with MongoDB

Download the MongoDB Security Architecture to learn more about the security capabilities of MongoDB

About the Author: Tom is a software industry and IT services veteran, having been the lead technologist at both consulting and software development companies for over twenty-five years. As part of the EC Wise senior team, he leads the company’s secure development and secure database implementation practices, which have built products and services for leading business services providers, casinos and other security sensitive industries. Over the years, Tom has made presentations at many technical conferences and written for a variety of industry publications. Prior to joining EC Wise in 1999, Tom was CTO at a venture backed Silicon Valley e-commerce startup.

← Previous

Looking at MongoDB for Content Management

We went to see our good friends Nuxeo and ask them what’s the best way to manage content at enterprise scale. They told us about how customers use MongoDB and their content services platform to deliver business applications with high scalability. Let’s hear about Thierry Delprat, Nuxeo CTO. Please tell us a bit about Nuxeo. What does your company offer its customers? Nuxeo provides purpose built digital content applications focused on business outcomes. Created on the industries most modern content services platform, leveraging the latest innovation in Machine Learning and Artificial Intelligence to deliver unparalleled insight across the content spread throughout the enterprise. How would you describe your specific use case for MongoDB? Nuxeo uses MongoDB because it is the best storage option for scalability and speed and it allows developers to build content intensive applications that have: Complex data structures A requirement for massive scalability The need for rapid retrieval for content A requirement for heavy write access Nuxeo provides the infrastructure and the tools for efficiently addressing these requirements. Did you start with MongoDB or migrate from a different database? Initially Nuxeo only provided a SQL binding. However, we started seeing the limitations of the SQL model: Difficulty to scale to very large volume Performance issues when having a lot of Write operations Complex architecture to be able to leverage Read replicas These were the main reasons for us to start the work on a MongoDB Connector and indeed leveraging MongoDB allows us to: Improve the performance and scalability of the application Simplify the deployment architecture since we no longer need complex SQL replicas and distributed caching More details can be found here: http://slides.com/thierrydelprat/mongodb-impact Can you describe your application architecture and design approach? Nuxeo is a software platform that was designed to be very modular and pluggable. This architecture allows us to choose what storage backend can be used. We use this pluggable mechanism to leverage MongoDB for scalable meta-data storage, Search or Blob storage. How has MongoDB Atlas allowed you to scale your app as well as the business? When deploying our application on AWS, MongoDB Atlas allows us to use MongoDB as a service. Nuxeo can then focus on delivering the Content Services Platform and let MongoDB provide the data safety and SLA required. What programming languages are you using to build your app? The server side is mainly built using Java but some extensions can be contributed using JavaScript. The client side use HTML5 / JS (Web Components & Polymer) What are your thoughts about the current database trend of moving to the cloud? Looks like all our customers are indeed moving to the Cloud, both private and public. In making this move, it is essential for the database also to be hosted in the Cloud. This is one of the reasons why we use MongoDB Atlas to delivery content applications at scale. Using MongoDB allowed us to simplify our deployment architecture, and to offer to our customer a big improvement in terms of scalability. We’re now exploring MongoDB Atlas for new ways for our customers to deliver their ECM applications.

July 5, 2017
Next →

Retrieval Augmented Generation for Claim Processing: Combining MongoDB Atlas Vector Search and Large Language Models

Following up on our previous blog, AI, Vectors, and the Future of Claims Processing: Why Insurance Needs to Understand The Power of Vector Databases , we’ll pick up the conversation right where we left it. We discussed extensively how Atlas Vector Search can benefit the claim process in insurance and briefly covered Retrieval Augmented Generation (RAG) and Large Language Models (LLMs). MongoDB.local NYC Join us in person on May 2, 2024 for our keynote address, announcements, and technical sessions to help you build and deploy mission-critical applications at scale. Use Code Web50 for 50% off your ticket! Learn More One of the biggest challenges for claim adjusters is pulling and aggregating information from disparate systems and diverse data formats. PDFs of policy guidelines might be stored in a content-sharing platform, customer information locked in a legacy CRM, and claim-related pictures and voice reports in yet another tool. All of this data is not just fragmented across siloed sources and hard to find but also in formats that have been historically nearly impossible to index with traditional methods. Over the years, insurance companies have accumulated terabytes of unstructured data in their data stores but have failed to capitalize on the possibility of accessing and leveraging it to uncover business insights, deliver better customer experiences, and streamline operations. Some of our customers even admit they’re not fully aware of all the data in their archives. There’s a tremendous opportunity to leverage this unstructured data to benefit the insurer and its customers. Our image search post covered part of the solution to these challenges, opening the door to working more easily with unstructured data. RAG takes it a step further, integrating Atlas Vector Search and LLMs, thus allowing insurers to go beyond the limitations of baseline foundational models, making them context-aware by feeding them proprietary data. Figure 1 shows how the interaction works in practice: through a chat prompt, we can ask questions to the system, and the LLM returns answers to the user and shows what references it used to retrieve the information contained in the response. Great! We’ve got a nice UI, but how can we build an RAG application? Let’s open the hood and see what’s in it! Figure 1: UI of the claim adjuster RAG-powered chatbot Architecture and flow Before we start building our application, we need to ensure that our data is easily accessible and in one secure place. Operational Data Layers (ODLs) are the recommended pattern for wrangling data to create single views. This post walks the reader through the process of modernizing insurance data models with Relational Migrator, helping insurers migrate off legacy systems to create ODLs. Once the data is organized in our MongoDB collections and ready to be consumed, we can start architecting our solution. Building upon the schema developed in the image search post , we augment our documents by adding a few fields that will allow adjusters to ask more complex questions about the data and solve harder business challenges, such as resolving a claim in a fraction of the time with increased accuracy. Figure 2 shows the resulting document with two highlighted fields, “claimDescription” and its vector representation, “claimDescriptionEmbedding” . We can now create a Vector Search index on this array, a key step to facilitate retrieving the information fed to the LLM. Figure 2: document schema of the claim collection, the highlighted fields are used to retrieve the data that will be passed as context to the LLM Having prepared our data, building the RAG interaction is straightforward; refer to this GitHub repository for the implementation details. Here, we’ll just discuss the high-level architecture and the data flow, as shown in Figure 3 below: The user enters the prompt, a question in natural language. The prompt is vectorized and sent to Atlas Vector Search; similar documents are retrieved. The prompt and the retrieved documents are passed to the LLM as context. The LLM produces an answer to the user (in natural language), considering the context and the prompt. Figure 3: RAG architecture and interaction flow It is important to note how the semantics of the question are preserved throughout the different steps. The reference to “adverse weather” related accidents in the prompt is captured and passed to Atlas Vector Search, which surfaces claim documents whose claim description relates to similar concepts (e.g., rain) without needing to mention them explicitly. Finally, the LLM consumes the relevant documents to produce a context-aware question referencing rain, hail, and fire, as we’d expect based on the user's initial question. So what? To sum it all up, what’s the benefit of combining Atlas Vector Search and LLMs in a Claim Processing RAG application? Speed and accuracy: Having the data centrally organized and ready to be consumed by LLMs, adjusters can find all the necessary information in a fraction of the time. Flexibility: LLMs can answer a wide spectrum of questions, meaning applications require less upfront system design. There is no need to build custom APIs for each piece of information you’re trying to retrieve; just ask the LLM to do it for you. Natural interaction: Applications can be interrogated in plain English without programming skills or system training. Data accessibility: Insurers can finally leverage and explore unstructured data that was previously hard to access. Not just claim processing The same data model and architecture can serve additional personas and use cases within the organization: Customer Service: Operators can quickly pull customer data and answer complex questions without navigating different systems. For example, “Summarize this customer's past interactions,” “What coverages does this customer have?” or “What coverages can I recommend to this customer?” Customer self-service: Simplify your members’ experience by enabling them to ask questions themselves. For example, “My apartment is flooded. Am I covered?” or “How long do windshield repairs take on average?” Underwriting: Underwriters can quickly aggregate and summarize information, providing quotes in a fraction of the time. For example, “Summarize this customer claim history.” “I Am renewing a customer policy. What are the customer's current coverages? Pull everything related to the policy entity/customer. I need to get baseline info. Find relevant underwriting guidelines.” If you would like to discover more about Converged AI and Application Data Stores with MongoDB, take a look at the following resources: RAG for claim processing GitHub repository From Relational Databases to AI: An Insurance Data Modernization Journey Modernize your insurance data models with MongoDB and Relational Migrator

April 18, 2024