This version of the documentation is archived and no longer supported.

LDAP Proxy Authority Authentication

MongoDB Enterprise supports proxy authentication through a Lightweight Directory Access Protocol (LDAP) service.


MongoDB Enterprise for Windows does not include LDAP support for authentication. However, MongoDB Enterprise for Linux supports using LDAP authentication with an Active Directory server.

MongoDB does not support LDAP authentication in mixed sharded cluster deployments that contain both version 2.4 and version 2.6 shards. See Upgrade MongoDB to 2.6 for upgrade instructions.

Use secure encrypted or trusted connections between clients and the server, as well as between saslauthd and the LDAP server. The LDAP server uses the SASL PLAIN mechanism, sending and receiving data in plain text. You should use only a trusted channel such as a VPN, a connection encrypted with TLS/SSL, or a trusted wired network.

MongoDB Configuration

To configure the MongoDB server to use the LDAP authentication mechanism, use the following command line options:

  • --auth to enable access control,
  • --setParameter with the authenticationMechanisms parameter set to PLAIN, and
  • --setParameter with the saslauthdPath parameter set to the path to the Unix-domain socket of the saslauthd instance.

Or, if using the YAML configuration file, use the following settings:
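
As an added example (not the original documentation's own block), the fragment below expresses the three options listed above in a 2.6-era YAML configuration file, and also requires SSL as one way to provide the encrypted client channel that the PLAIN mechanism needs. The socket path and certificate path are assumed placeholders; substitute the values for your own saslauthd instance and server certificate.

```yaml
# Added example: mongod configuration for LDAP proxy authentication via saslauthd.
# All paths are placeholders (assumptions), not values from the original page.

security:
  authorization: enabled                  # equivalent of --auth

setParameter:
  authenticationMechanisms: PLAIN         # clients forward the LDAP password in clear text
  saslauthdPath: /var/run/saslauthd/mux   # Unix-domain socket of the saslauthd instance (assumed path)

# PLAIN does not protect the password in transit, so the client-to-server
# channel must be trusted. Requiring SSL is one of the options the page names
# (the others being a VPN or a trusted wired network).
net:
  ssl:
    mode: requireSSL                      # reject unencrypted client connections
    PEMKeyFile: /etc/ssl/mongodb.pem      # server certificate and key (placeholder path)
```

This covers only the link between clients and mongod; the connection between saslauthd and the LDAP server is configured in saslauthd itself and needs the same protection.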


In order to authenticate a user with the LDAP authentication mechanism, add a corresponding user to the $external database. You do not need to save the user’s password in MongoDB.

The $external database is the authentication database for the LDAP user. To authenticate the LDAP user, you must authenticate against the $external database. When authenticating, specify PLAIN for the authentication mechanism.

LDAP authentication requires that MongoDB forward the user’s password in plain text. As such, you must specify digestPassword set to false during authentication.