Ops Manager enables you to configure the Authentication Mechanisms that all clients, including the Ops Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your projects, but you must choose only one mechanism for the Agents.
MongoDB Enterprise supports proxying authentication requests to a Lightweight Directory Access Protocol (LDAP) service.
LDAP is only available on MongoDB Enterprise builds. If
you have existing deployments running on a MongoDB Community
build, you must upgrade them to MongoDB Enterprise before you can enable
LDAP for your Ops Manager project.
MongoDB Enterprise supports simple and SASL binding to Lightweight
Directory Access Protocol (LDAP) servers via
saslauthd and operating system
MongoDB Enterprise for Linux can bind to an LDAP server either via
saslauthdor, starting in MongoDB 3.4, through the operating system libraries.
Starting in MongoDB version 3.4, MongoDB Enterprise for Windows can bind to an LDAP server through the operating system libraries.
This procedure describes how to configure and enable LDAP authentication when using Automation. If Ops Manager doesn't manage Monitoring or Backup, you must manually configure them to use LDAP. To configure LDAP, see Configure MongoDB Agent for LDAP
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
If it is not already displayed, click Deployment in the sidebar.
Click the Security tab.
Click the Settings tab.
Perform one of the following actions:
If this is your first time configuring TLS, authentication, or authorization settings for this project, click Get Started.
If you have already configured TLS authentication, or authorization settings for this project, click Edit.
MongoDB Deployment Transport Layer Security (TLS)
Toggle this slider to ON.
TLS CA File Path
The TLS Certificate Authority file is a
Type the file path to the TLS Certificate Authority file on every host running a MongoDB process:
This enables the
Click Validate to test that each host in your deployment has a TLS Certificate Authority at the paths you specified.
Client Certificate Mode
Select if client applications or MongoDB Agents must present a TLS certificate when connecting to a TLS-enabled MongoDB deployments. Each MongoDB deployment checks for certificates from these client hosts when they try to connect. If you choose to require the client TLS certificates, make sure they are valid.
Accepted values are:
Recommend Using TLS (Transport Layer Security)/SSL (Secure Sockets Layer) with LDAP (Lightweight Directory Access Protocol)
By default, LDAP traffic is sent as plain text. This means that credentials (username and password) are exposed to basic network threats like sniffers and replay. Use LDAPS (LDAP over TLS/SSL) to encrypt authentication. Many modern directory services, such as Active Directory, require encrypted connections.
In the MongoDB Agent Connections to Deployment section, select LDAP.
Select the appropriate type of LDAP authentication.
If you are using LDAP authorization, you must select Native LDAP Authentication.
If you are not using LDAP authorization, you must add users to the
$externaldatabase in your MongoDB deployment. For an example, see LDAP Authentication.
Starting with MongoDB 3.4, you can
authenticate users using LDAP, Kerberos, or X.509 certificates
without requiring local user documents in the
database as long as you enable LDAP authorization first. When such a user successfully
authenticates, MongoDB performs a query against the LDAP server to
retrieve all groups which that LDAP user possesses and transforms those
groups into their equivalent MongoDB roles.
Skip this step if you selected Saslauthd in the previous step.
If you selected Native LDAP Authentication, complete the following steps:
Provide the following values:SettingValueServer URLSpecify the
hostname:portcombination of one or more LDAP servers.Transport SecuritySelect
TLSto encrypt your LDAP queries. If you do not need to encrypt the LDAP queries, select
None.Timeout (ms)Specify how long an authentication request should wait before timing out.Bind Method
If you choose the
Simplebind method, select
TLSfrom the Transport Security because the
Simplebind method passes the password in plain text.SASL MechanismsSpecify which SASL authentication service MongoDB uses with the LDAP server.Query User (LDAP Bind DN)Specify the LDAP Distinguished Name to which MongoDB binds when connecting to the LDAP server.Query Password (LDAP Bind DN)Specify the password with which MongoDB binds when connecting to an LDAP server.LDAP User Cache Invalidation Interval (s)Specify how long MongoDB waits to flush the LDAP user cache. Defaults to
30seconds.User to Distinguished Name MappingSpecify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.Validate LDAP Server Config
ONto validate the LDAP server configuration or
OFFto skip validation.
ONand the configuration is invalid, the MongoDB deployment will not start.
In the LDAP Authorization section, enter values for the following fields:SettingValueLDAP AuthorizationToggle to ON to enable LDAP authorization.Authorization Query TemplateSpecify a template for an LDAP query URL to retrieve a list of LDAP groups for an LDAP user.User to Distinguished Name MappingSpecify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.
Ops Manager limits Agents to using one mechanism per deployment.
Select the LDAP option from the Agent Auth Mechanism section.
Provide credentials for the MongoDB Agent:SettingValueMongoDB Agent UsernameEnter the LDAP username.MongoDB Agent PasswordEnter the password for Agent's LDAP Username.MongoDB Agent LDAP Group DNIf you enabled LDAP Authorization, enter the DN of the group of which the MongoDB Agent user is a member.
After enabling LDAP Authorization, you need to create custom MongoDB roles for each LDAP Group you specified for LDAP Authorization.