PATCH /api/atlas/v1.0/groups/{groupId}/userSecurity
Service accounts Digest auth

Edits the LDAP configuration for the specified project. To use this resource, the requesting Service Account or API Key must have the Project Owner role.

Updating this configuration triggers a rolling restart of the database.

Path parameters

  • groupId string Required

    Unique 24-hexadecimal digit string that identifies your project. Use the /groups endpoint to retrieve all projects to which the authenticated user has access.

    NOTE: Groups and projects are synonymous terms. Your group id is the same as your project id. For existing groups, your group/project id remains the same. The resource and corresponding endpoints use the term groups.

    Format should match the following pattern: ^([a-f0-9]{24})$.

Query parameters

  • envelope boolean

    Flag that indicates whether Application wraps the response in an envelope JSON object. Some API clients cannot access the HTTP response headers or status code. To remediate this, set envelope=true in the query. Endpoints that return a list of results use the results object as an envelope. Application adds the status parameter to the response body.

    Default value is false.

  • pretty boolean

    Flag that indicates whether the response body should be in the prettyprint format.

    Default value is false.

    Prettyprint
application/json

Body Required

Updates the LDAP configuration for the specified project.

  • customerX509 object

    Settings to configure TLS Certificates for database users.

    Hide customerX509 attribute Show customerX509 attribute object
    • cas string

      Concatenated list of customer certificate authority (CA) certificates needed to authenticate database users. MongoDB Cloud expects this as a PEM-formatted certificate.

  • ldap object

    Lightweight Directory Access Protocol (LDAP) over Transport Layer Security (TLS) configuration details that apply to the specified project.

    Hide ldap attributes Show ldap attributes object
    • authenticationEnabled boolean

      Flag that indicates whether users can authenticate using an Lightweight Directory Access Protocol (LDAP) host.

    • authorizationEnabled boolean

      Flag that indicates whether users can authorize access to MongoDB Cloud resources using an Lightweight Directory Access Protocol (LDAP) host.

    • authzQueryTemplate string

      Lightweight Directory Access Protocol (LDAP) query template that MongoDB Cloud runs to obtain the LDAP groups associated with the authenticated user. MongoDB Cloud uses this parameter only for user authorization. Use the {USER} placeholder in the Uniform Resource Locator (URL) to substitute the authenticated username. The query relates to the host specified with the hostname. Format this query according to RFC 4515 and RFC 4516.

      Default value is {USER}?memberOf?base.

    • bindPassword string

      Password that MongoDB Cloud uses to authenticate the bindUsername.

    • bindUsername string

      Full Distinguished Name (DN) of the Lightweight Directory Access Protocol (LDAP) user that MongoDB Cloud uses to connect to the LDAP host. LDAP distinguished names must be formatted according to RFC 2253.

      Format should match the following pattern: ^(?:(?<cn>CN=(?<name>[^,]*)),)?(?:(?<path>(?:(?:CN|OU)=[^,]+,?)+),)?(?<domain>(?:DC=[^,]+,?)+)$.

      RFC 2253
    • caCertificate string

      Certificate Authority (CA) certificate that MongoDB Cloud uses to verify the identity of the Lightweight Directory Access Protocol (LDAP) host. MongoDB Cloud allows self-signed certificates. To delete an assigned value, pass an empty string: "caCertificate": "".

    • hostname string

      Human-readable label that identifies the hostname or Internet Protocol (IP) address of the Lightweight Directory Access Protocol (LDAP) host. This host must have access to the internet or have a Virtual Private Cloud (VPC) peering connection to your cluster.

      Format should match the following pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}|([0-9a-f]{1,4}:){7}([0-9a-f]{1,4})|(([a-z0-9]+\.){1,10}[a-z]+)?$.

    • port integer(int32)

      Port to which the Lightweight Directory Access Protocol (LDAP) host listens for client connections.

      Default value is 636.

    • userToDNMapping array[object]

      User-to-Distinguished Name (DN) map that MongoDB Cloud uses to transform a Lightweight Directory Access Protocol (LDAP) username into an LDAP DN.

      User-to-Distinguished Name (DN) map that MongoDB Cloud uses to transform a Lightweight Directory Access Protocol (LDAP) username into an LDAP DN.

      Hide userToDNMapping attributes Show userToDNMapping attributes object
      • ldapQuery string

        Lightweight Directory Access Protocol (LDAP) query template that inserts the LDAP name that the regular expression matches into an LDAP query Uniform Resource Identifier (URI). The formatting for the query must conform to RFC 4515 and RFC 4516.

      • match string Required

        Regular expression that MongoDB Cloud uses to match against the provided Lightweight Directory Access Protocol (LDAP) username. Each parenthesis-enclosed section represents a regular expression capture group that the substitution or ldapQuery template uses.

      • substitution string

        Lightweight Directory Access Protocol (LDAP) Distinguished Name (DN) template that converts the LDAP username that matches regular expression in the match parameter into an LDAP Distinguished Name (DN).

Responses

  • 202 application/json

    Accepted

    Hide response attributes Show response attributes object
    • customerX509 object

      Settings to configure TLS Certificates for database users.

      Hide customerX509 attributes Show customerX509 attributes object
      • cas string

        Concatenated list of customer certificate authority (CA) certificates needed to authenticate database users. MongoDB Cloud expects this as a PEM-formatted certificate.

      • links array[object]

        List of one or more Uniform Resource Locators (URLs) that point to API sub-resources, related API resources, or both. RFC 5988 outlines these relationships.

        Web Linking Specification (RFC...
        Hide links attributes Show links attributes object
        • href string

          Uniform Resource Locator (URL) that points another API resource to which this response has some relationship. This URL often begins with https://cloud.mongodb.com/api/atlas.

        • rel string

          Uniform Resource Locator (URL) that defines the semantic relationship between this resource and another API resource. This URL often begins with https://cloud.mongodb.com/api/atlas.

    • ldap object

      Lightweight Directory Access Protocol (LDAP) over Transport Layer Security (TLS) configuration details that apply to the specified project.

      Hide ldap attributes Show ldap attributes object
      • authenticationEnabled boolean

        Flag that indicates whether users can authenticate using an Lightweight Directory Access Protocol (LDAP) host.

      • authorizationEnabled boolean

        Flag that indicates whether users can authorize access to MongoDB Cloud resources using an Lightweight Directory Access Protocol (LDAP) host.

      • authzQueryTemplate string

        Lightweight Directory Access Protocol (LDAP) query template that MongoDB Cloud runs to obtain the LDAP groups associated with the authenticated user. MongoDB Cloud uses this parameter only for user authorization. Use the {USER} placeholder in the Uniform Resource Locator (URL) to substitute the authenticated username. The query relates to the host specified with the hostname. Format this query according to RFC 4515 and RFC 4516.

        Default value is {USER}?memberOf?base.

      • bindUsername string

        Full Distinguished Name (DN) of the Lightweight Directory Access Protocol (LDAP) user that MongoDB Cloud uses to connect to the LDAP host. LDAP distinguished names must be formatted according to RFC 2253.

        Format should match the following pattern: ^(?:(?<cn>CN=(?<name>[^,]*)),)?(?:(?<path>(?:(?:CN|OU)=[^,]+,?)+),)?(?<domain>(?:DC=[^,]+,?)+)$.

        RFC 2253
      • caCertificate string

        Certificate Authority (CA) certificate that MongoDB Cloud uses to verify the identity of the Lightweight Directory Access Protocol (LDAP) host. MongoDB Cloud allows self-signed certificates. To delete an assigned value, pass an empty string: "caCertificate": "".

      • hostname string

        Human-readable label that identifies the hostname or Internet Protocol (IP) address of the Lightweight Directory Access Protocol (LDAP) host. This host must have access to the internet or have a Virtual Private Cloud (VPC) peering connection to your cluster.

        Format should match the following pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}|([0-9a-f]{1,4}:){7}([0-9a-f]{1,4})|(([a-z0-9]+\.){1,10}[a-z]+)?$.

      • links array[object]

        List of one or more Uniform Resource Locators (URLs) that point to API sub-resources, related API resources, or both. RFC 5988 outlines these relationships.

        Web Linking Specification (RFC...
        Hide links attributes Show links attributes object
        • href string

          Uniform Resource Locator (URL) that points another API resource to which this response has some relationship. This URL often begins with https://cloud.mongodb.com/api/atlas.

        • rel string

          Uniform Resource Locator (URL) that defines the semantic relationship between this resource and another API resource. This URL often begins with https://cloud.mongodb.com/api/atlas.

      • port integer(int32)

        Port to which the Lightweight Directory Access Protocol (LDAP) host listens for client connections.

        Default value is 636.

      • userToDNMapping array[object]

        User-to-Distinguished Name (DN) map that MongoDB Cloud uses to transform a Lightweight Directory Access Protocol (LDAP) username into an LDAP DN.

        User-to-Distinguished Name (DN) map that MongoDB Cloud uses to transform a Lightweight Directory Access Protocol (LDAP) username into an LDAP DN.

        Hide userToDNMapping attributes Show userToDNMapping attributes object
        • ldapQuery string

          Lightweight Directory Access Protocol (LDAP) query template that inserts the LDAP name that the regular expression matches into an LDAP query Uniform Resource Identifier (URI). The formatting for the query must conform to RFC 4515 and RFC 4516.

        • match string Required

          Regular expression that MongoDB Cloud uses to match against the provided Lightweight Directory Access Protocol (LDAP) username. Each parenthesis-enclosed section represents a regular expression capture group that the substitution or ldapQuery template uses.

        • substitution string

          Lightweight Directory Access Protocol (LDAP) Distinguished Name (DN) template that converts the LDAP username that matches regular expression in the match parameter into an LDAP Distinguished Name (DN).

    • links array[object]

      List of one or more Uniform Resource Locators (URLs) that point to API sub-resources, related API resources, or both. RFC 5988 outlines these relationships.

      Web Linking Specification (RFC...
      Hide links attributes Show links attributes object
      • href string

        Uniform Resource Locator (URL) that points another API resource to which this response has some relationship. This URL often begins with https://cloud.mongodb.com/api/atlas.

      • rel string

        Uniform Resource Locator (URL) that defines the semantic relationship between this resource and another API resource. This URL often begins with https://cloud.mongodb.com/api/atlas.
  • 400 application/json

    Bad Request.

    Hide response attributes Show response attributes object
    • badRequestDetail object

      Bad request detail.

      Hide badRequestDetail attribute Show badRequestDetail attribute object
      • fields array[object]

        Describes all violations in a client request.

        Hide fields attributes Show fields attributes object
        • description string Required

          A description of why the request element is bad.

        • field string Required

          A path that leads to a field in the request body.

    • detail string

      Describes the specific conditions or reasons that cause each type of error.

    • error integer(int32) Required

      HTTP status code returned with this error.

      External documentation
    • errorCode string Required

      Application error code returned with this error.

    • parameters array[object]

      Parameters used to give more information about the error.

    • reason string

      Application error message returned with this error.
  • 401 application/json

    Unauthorized.

    Hide response attributes Show response attributes object
    • badRequestDetail object

      Bad request detail.

      Hide badRequestDetail attribute Show badRequestDetail attribute object
      • fields array[object]

        Describes all violations in a client request.

        Hide fields attributes Show fields attributes object
        • description string Required

          A description of why the request element is bad.

        • field string Required

          A path that leads to a field in the request body.

    • detail string

      Describes the specific conditions or reasons that cause each type of error.

    • error integer(int32) Required

      HTTP status code returned with this error.

      External documentation
    • errorCode string Required

      Application error code returned with this error.

    • parameters array[object]

      Parameters used to give more information about the error.

    • reason string

      Application error message returned with this error.
  • 403 application/json

    Forbidden.

    Hide response attributes Show response attributes object
    • badRequestDetail object

      Bad request detail.

      Hide badRequestDetail attribute Show badRequestDetail attribute object
      • fields array[object]

        Describes all violations in a client request.

        Hide fields attributes Show fields attributes object
        • description string Required

          A description of why the request element is bad.

        • field string Required

          A path that leads to a field in the request body.

    • detail string

      Describes the specific conditions or reasons that cause each type of error.

    • error integer(int32) Required

      HTTP status code returned with this error.

      External documentation
    • errorCode string Required

      Application error code returned with this error.

    • parameters array[object]

      Parameters used to give more information about the error.

    • reason string

      Application error message returned with this error.
  • 404 application/json

    Not Found.

    Hide response attributes Show response attributes object
    • badRequestDetail object

      Bad request detail.

      Hide badRequestDetail attribute Show badRequestDetail attribute object
      • fields array[object]

        Describes all violations in a client request.

        Hide fields attributes Show fields attributes object
        • description string Required

          A description of why the request element is bad.

        • field string Required

          A path that leads to a field in the request body.

    • detail string

      Describes the specific conditions or reasons that cause each type of error.

    • error integer(int32) Required

      HTTP status code returned with this error.

      External documentation
    • errorCode string Required

      Application error code returned with this error.

    • parameters array[object]

      Parameters used to give more information about the error.

    • reason string

      Application error message returned with this error.
  • 500 application/json

    Internal Server Error.

    Hide response attributes Show response attributes object
    • badRequestDetail object

      Bad request detail.

      Hide badRequestDetail attribute Show badRequestDetail attribute object
      • fields array[object]

        Describes all violations in a client request.

        Hide fields attributes Show fields attributes object
        • description string Required

          A description of why the request element is bad.

        • field string Required

          A path that leads to a field in the request body.

    • detail string

      Describes the specific conditions or reasons that cause each type of error.

    • error integer(int32) Required

      HTTP status code returned with this error.

      External documentation
    • errorCode string Required

      Application error code returned with this error.

    • parameters array[object]

      Parameters used to give more information about the error.

    • reason string

      Application error message returned with this error.
PATCH /api/atlas/v1.0/groups/{groupId}/userSecurity 
curl \
 --request PATCH 'https://cloud.mongodb.com/api/atlas/v1.0/groups/32b6e34b3d91647abb20e7b8/userSecurity' \
 --header "Authorization: Bearer $ACCESS_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{"customerX509":{"cas":"string"},"ldap":{"authenticationEnabled":true,"authorizationEnabled":true,"authzQueryTemplate":"{USER}?memberOf?base","bindPassword":"string","bindUsername":"CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com","caCertificate":"string","hostname":"string","port":636,"userToDNMapping":[{"ldapQuery":"string","match":"(.*)","substitution":"CN={0},CN=Users,DC=my-atlas-ldap-server,DC=example,DC=com"}]}}'
Request examples 
{
  "customerX509": {
    "cas": "string"
  },
  "ldap": {
    "authenticationEnabled": true,
    "authorizationEnabled": true,
    "authzQueryTemplate": "{USER}?memberOf?base",
    "bindPassword": "string",
    "bindUsername": "CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com",
    "caCertificate": "string",
    "hostname": "string",
    "port": 636,
    "userToDNMapping": [
      {
        "ldapQuery": "string",
        "match": "(.*)",
        "substitution": "CN={0},CN=Users,DC=my-atlas-ldap-server,DC=example,DC=com"
      }
    ]
  }
}
Response examples (202) 
{
  "customerX509": {
    "cas": "string",
    "links": [
      {
        "href": "https://cloud.mongodb.com/api/atlas",
        "rel": "self"
      }
    ]
  },
  "ldap": {
    "authenticationEnabled": true,
    "authorizationEnabled": true,
    "authzQueryTemplate": "{USER}?memberOf?base",
    "bindUsername": "CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com",
    "caCertificate": "string",
    "hostname": "string",
    "links": [
      {
        "href": "https://cloud.mongodb.com/api/atlas",
        "rel": "self"
      }
    ],
    "port": 636,
    "userToDNMapping": [
      {
        "ldapQuery": "string",
        "match": "(.*)",
        "substitution": "CN={0},CN=Users,DC=my-atlas-ldap-server,DC=example,DC=com"
      }
    ]
  },
  "links": [
    {
      "href": "https://cloud.mongodb.com/api/atlas",
      "rel": "self"
    }
  ]
}
Response examples (400) 
{
  "error": 400,
  "detail": "(This is just an example, the exception may not be related to this endpoint) No provider AWS exists.",
  "reason": "Bad Request",
  "errorCode": "VALIDATION_ERROR"
}
Response examples (401) 
{
  "error": 401,
  "detail": "(This is just an example, the exception may not be related to this endpoint)",
  "reason": "Unauthorized",
  "errorCode": "NOT_ORG_GROUP_CREATOR"
}
Response examples (403) 
{
  "error": 403,
  "detail": "(This is just an example, the exception may not be related to this endpoint)",
  "reason": "Forbidden",
  "errorCode": "CANNOT_CHANGE_GROUP_NAME"
}
Response examples (404) 
{
  "error": 404,
  "detail": "(This is just an example, the exception may not be related to this endpoint) Cannot find resource AWS",
  "reason": "Not Found",
  "errorCode": "RESOURCE_NOT_FOUND"
}
Response examples (500) 
{
  "error": 500,
  "detail": "(This is just an example, the exception may not be related to this endpoint)",
  "reason": "Internal Server Error",
  "errorCode": "UNEXPECTED_ERROR"
}