This version of the documentation is archived and no longer supported. It will be removed on EOL_DATE. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure Automation Agent for LDAP

If your MongoDB deployment enforces access control, the Automation Agent must authenticate to MongoDB as a user with the proper access. If you use Automation, Ops Manager takes care of this for you.

MongoDB Enterprise supports simple and SASL binding to LDAP servers via saslauthd and operating system libraries:

  • MongoDB Enterprise for Linux can bind to an LDAP server either via saslauthd or via operating system libraries.
  • MongoDB Enterprise for Windows can bind to an LDAP server via the operating system libraries.

The Automation Agent supports authenticating to MongoDB instances using LDAP.

If your MongoDB deployment uses LDAP to authenticate users, create a user in the $external database with the appropriate roles in MongoDB so that the Automation Agent can authenticate.

Note

Ops Manager can manage agent authentication for you if you use Automation to manage the agents. With Automation, Ops Manager creates the users for each agent and configures the agent appropriately. To learn more about authentication, see Enable LDAP Authentication for your Ops Manager Project.

Prerequisites

Configure LDAP Authentication per Agent

You must configure LDAP authentication separately for each agent. For configuration instructions for the Backup Agent, see Configure Automation Agent for LDAP.

You can configure LDAP authentication when adding a host or by editing an existing host. See Enable LDAP Authentication for your Ops Manager Project for instructions.

Configure Deployments to Use Authentication

MongoDB agents interact with the MongoDB databases in your deployment as a MongoDB user would. Each agent must be authenticated and then granted privileges according to its role in your deployment. As a result, you must configure your MongoDB deployment and your agents to support authentication.

You can specify the deployment’s authentication mechanisms when adding the deployment, or you can edit the settings for an existing deployment. At minimum, the deployment must enable the authentication mechanism you want the agents to use.

Adding an agent as a MongoDB user requires configuring an authentication mechanism. Agents can use any supported authentication mechanism, but all agents must use the same mechanism.

Create User in MongoDB

To automate MongoDB instances that use LDAP authentication, add a user that possesses the required roles to the $external database in MongoDB. The $external database allows mongod to consult an external source, such as an LDAP server, to authenticate.

Use the following commands to create the users from a mongo shell connected to your MongoDB deployment:

   // Create the Automation Agent's user in $external. No password is set here:
   // mongod consults the LDAP server to verify the credentials.
   db.getSiblingDB("$external").createUser(
     {
       user : "<username>",  // the agent's LDAP user name
       roles : [
         { role : "clusterAdmin", db : "admin" },
         { role : "readWriteAnyDatabase", db : "admin" },
         { role : "userAdminAnyDatabase", db : "admin" },
         { role : "dbAdminAnyDatabase", db : "admin" },
         { role : "backup", db : "admin" },
         { role : "restore", db : "admin" }
       ]
     }
   )

To learn more about the required access, see Required Access for Automation Agent.
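
After creating the user, you can check that it holds exactly the roles listed in the createUser command above. The following is an added example, not part of the Ops Manager documentation: the function name auditAgentUser, the user name automation-agent and both sample documents are constructed for illustration, and the input is assumed to have the shape returned by db.getSiblingDB("$external").getUser("<username>").

```javascript
// Roles taken from the createUser command on this page; all are granted on "admin".
const REQUIRED_ROLES = [
  "clusterAdmin", "readWriteAnyDatabase", "userAdminAnyDatabase",
  "dbAdminAnyDatabase", "backup", "restore",
].map((role) => ({ role, db: "admin" }));

// A role only counts when both its name and the database it is granted on match.
const roleKey = (r) => `${r.role}@${r.db}`;

// userDoc: what db.getSiblingDB("$external").getUser("<username>") returns,
// or null when no such user exists.
function auditAgentUser(userDoc) {
  const required = REQUIRED_ROLES.map(roleKey);
  if (!userDoc) {
    return { ok: false, reason: "user not found", missing: required, extra: [] };
  }
  if (userDoc.db !== "$external") {
    // A user defined outside $external is not authenticated through LDAP.
    return { ok: false, reason: "user is not in $external", missing: required, extra: [] };
  }
  const granted = new Set((userDoc.roles || []).map(roleKey));
  const missing = required.filter((k) => !granted.has(k));
  const extra = [...granted].filter((k) => !required.includes(k));
  return {
    ok: missing.length === 0,
    reason: missing.length ? "required roles missing" : "all required roles present",
    missing,
    extra, // grants beyond this page's list; review them against least privilege
  };
}

// Constructed sample documents (not from a real deployment).
const completeUser = {
  user: "automation-agent", db: "$external",
  roles: REQUIRED_ROLES.map((r) => ({ ...r })),
};
const driftedUser = {
  user: "automation-agent", db: "$external",
  roles: [
    { role: "clusterAdmin", db: "admin" },
    { role: "backup", db: "$external" }, // right role name, wrong database
    { role: "root", db: "admin" },       // broader than this page requires
  ],
};

console.log(auditAgentUser(completeUser));
console.log(auditAgentUser(driftedUser));
```

The role list here mirrors this page only; if Required Access for Automation Agent lists different roles for your version, change REQUIRED_ROLES to match.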