- Reference >
- MongoDB Package Components >
mongoldap
mongoldap
¶
On this page
New in version 3.4: MongoDB Enterprise
Synopsis¶
Starting in version 3.4, MongoDB Enterprise provides
mongoldap
for testing MongoDB’s LDAP configuration
options against a running LDAP server or set
of servers.
To validate the LDAP options in the configuration file, set the
mongoldap
--config
option to the configuration file’s
path.
To test the LDAP configuration options, you must specify a --user
and --password
. mongoldap
simulates authentication to a
MongoDB server running with the provided configuration options and credentials.
mongoldap
returns a report that includes the success or failure of
any step in the LDAP authentication or authorization procedure. Error messages
include information on specific errors encountered and potential advice for
resolving the error.
When configuring options related to LDAP authorization, mongoldap
executes an LDAP query
constructed using the provided configuration options and username, and returns
a list of roles on the admin
database which the user is authorized for.
You can use this information when configuring LDAP authorization roles for user access control. For example, use
mongoldap
to ensure your configuration allows privileged users to
gain the necessary roles to perform their expected tasks. Similarly, use
mongoldap
to ensure your configuration disallows non-privileged
users from gaining roles for accessing the MongoDB server, or performing
unauthorized actions.
When configuring options related to LDAP authentication, use mongoldap
to ensure that the authentication
operation works as expected.
Run mongoldap
from the system command line, not the mongo
shell.
This document provides a complete overview of all command line options for
mongoldap
.
Installation¶
The mongoldap
tool is part of the MongoDB Database Tools Extra
package, and can be installed with the MongoDB Server or as a
standalone installation.
Install with Server¶
To install mongoldap
as part of a MongoDB Enterprise Server
installation:
Follow the instructions for your platform: Install MongoDB Enterprise Server
After completing the installation,
mongoldap
and the other included tools are available in the same location as the Server.Note
For the Windows
.msi
installer wizard, the Complete installation option includesmongoldap
.
Install as Standalone¶
To install mongoldap
as a standalone installation:
Follow the download link for MongoDB Enterprise Edition: MongoDB Enterprise Download Center
Select your Platform (operating system) from the dropdown menu, then select the appropriate Package for your platform according to the following chart:
OS Package Linux tgz
packageWindows zip
packagemacOS tgz
packageOnce downloaded, unpack the archive and copy
mongoldap
to a location on your hard drive.Tip
Linux and macOS users may wish to copy
mongoldap
to a filesystem location that is defined in the$PATH
environment variable, such as/usr/bin
. Doing so allows referencingmongoldap
directly on the command line by name, without needing to specify its full path, or first navigating to its parent directory. See the installation guide for your platform for more information.
Usage¶
Note
A full description of LDAP or Active Directory is beyond the scope of this documentation.
Consider the following sample configuration file, designed to support LDAP authentication and authorization via Active Directory:
You can use mongoldap
to validate the configuration file, which
returns a report of the procedure. You must specify a username and password
for mongoldap
.
If the provided credentials are valid, and the LDAP options in the configuration files are valid, the output might be as follows:
Options¶
-
mongoldap
¶
-
--config
=<filename>
,
-f
=<filename>
¶ Specifies a configuration file for runtime configuration options. The options are equivalent to the command-line configuration options. See Configuration File Options for more information.
mongoldap uses any configuration options related to LDAP Proxy Authentication or LDAP Authorization for testing LDAP authentication or authorization.
Requires specifying
--user
. May accept--password
for testing LDAP authentication.Ensure the configuration file uses ASCII encoding. The mongoldap instance does not support configuration files with non-ASCII encoding, including UTF-8.
-
--user
=<string>
¶ Username for mongoldap to use when attempting LDAP authentication or authorization.
-
--password
=<string>
¶ Password of the
--user
for mongoldap to use when attempting LDAP authentication. Not required for LDAP authorization.
-
--ldapServers
=<host1>:<port>,<host2>:<port>,...,<hostN>:<port>
¶ New in version 3.4: Available in MongoDB Enterprise only.
The LDAP server against which the mongoldap authenticates users or determines what actions a user is authorized to perform on a given database. If the LDAP server specified has any replicated instances, you may specify the host and port of each replicated server in a comma-delimited list.
If your LDAP infrastructure partitions the LDAP directory over multiple LDAP servers, specify one LDAP server or any of its replicated instances to
--ldapServers
. MongoDB supports following LDAP referrals as defined in RFC 4511 4.1.10. Do not use--ldapServers
for listing every LDAP server in your infrastructure.This setting can be configured on a running mongoldap using
setParameter
.If unset, mongoldap cannot use LDAP authentication or authorization.
-
--ldapQueryUser
=<string>
¶ New in version 3.4: Available in MongoDB Enterprise only.
The identity with which mongoldap binds as, when connecting to or performing queries on an LDAP server.
Only required if any of the following are true:
- Using LDAP authorization.
- Using an LDAP query for
username transformation
. - The LDAP server disallows anonymous binds
You must use
--ldapQueryUser
with--ldapQueryPassword
.If unset, mongoldap will not attempt to bind to the LDAP server.
This setting can be configured on a running mongoldap using
setParameter
.Note
Windows MongoDB deployments can use
--ldapBindWithOSDefaults
instead of--ldapQueryUser
and--ldapQueryPassword
. You cannot specify both--ldapQueryUser
and--ldapBindWithOSDefaults
at the same time.
-
--ldapQueryPassword
=<string>
¶ New in version 3.4: Available in MongoDB Enterprise only.
The password used to bind to an LDAP server when using
--ldapQueryUser
. You must use--ldapQueryPassword
with--ldapQueryUser
.If unset, mongoldap will not attempt to bind to the LDAP server.
This setting can be configured on a running mongoldap using
setParameter
.Note
Windows MongoDB deployments can use
--ldapBindWithOSDefaults
instead of--ldapQueryPassword
and--ldapQueryPassword
. You cannot specify both--ldapQueryPassword
and--ldapBindWithOSDefaults
at the same time.
-
--ldapBindWithOSDefaults
=<bool>
¶ Default: false
New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
Allows mongoldap to authenticate, or bind, using your Windows login credentials when connecting to the LDAP server.
Only required if:
- Using LDAP authorization.
- Using an LDAP query for
username transformation
. - The LDAP server disallows anonymous binds
Use
--ldapBindWithOSDefaults
to replace--ldapQueryUser
and--ldapQueryPassword
.
-
--ldapBindMethod
=<string>
¶ Default: simple
New in version 3.4: Available in MongoDB Enterprise only.
The method mongoldap uses to authenticate to an LDAP server. Use with
--ldapQueryUser
and--ldapQueryPassword
to connect to the LDAP server.--ldapBindMethod
supports the following values:Value Description simple
mongoldap uses simple authentication. sasl
mongoldap uses SASL protocol for authentication. If you specify
sasl
, you can configure the available SASL mechanisms using--ldapBindSaslMechanisms
. mongoldap defaults to usingDIGEST-MD5
mechanism.
-
--ldapBindSaslMechanisms
=<string>
¶ Default: DIGEST-MD5
New in version 3.4: Available in MongoDB Enterprise only.
A comma-separated list of SASL mechanisms mongoldap can use when authenticating to the LDAP server. The mongoldap and the LDAP server must agree on at least one mechanism. The mongoldap dynamically loads any SASL mechanism libraries installed on the host machine at runtime.
Install and configure the appropriate libraries for the selected SASL mechanism(s) on both the mongoldap host and the remote LDAP server host. Your operating system may include certain SASL libraries by default. Defer to the documentation associated with each SASL mechanism for guidance on installation and configuration.
If using the
GSSAPI
SASL mechanism for use with Kerberos Authentication, verify the following for the mongoldap host machine:Linux
- The
KRB5_CLIENT_KTNAME
environment variable resolves to the name of the client Linux Keytab Files for the host machine. For more on Kerberos environment variables, please defer to the Kerberos documentation. - The client keytab includes a User Principal for the mongoldap to use when connecting to the LDAP server and execute LDAP queries.
- The
Windows
- If connecting to an Active Directory server, the Windows
Kerberos configuration automatically generates a
Ticket-Granting-Ticket
when the user logs onto the system. Set
--ldapBindWithOSDefaults
totrue
to allow mongoldap to use the generated credentials when connecting to the Active Directory server and execute queries.
Set
--ldapBindMethod
tosasl
to use this option.Note
For a complete list of SASL mechanisms see the IANA listing. Defer to the documentation for your LDAP or Active Directory service for identifying the SASL mechanisms compatible with the service.
MongoDB is not a source of SASL mechanism libraries, nor is the MongoDB documentation a definitive source for installing or configuring any given SASL mechanism. For documentation and support, defer to the SASL mechanism library vendor or owner.
For more information on SASL, defer to the following resources:
- For Linux, please see the Cyrus SASL documentation.
- For Windows, please see the Windows SASL documentation.
-
--ldapTransportSecurity
=<string>
¶ Default: tls
New in version 3.4: Available in MongoDB Enterprise only.
By default, mongoldap creates a TLS/SSL secured connection to the LDAP server.
For Linux deployments, you must configure the appropriate TLS Options in
/etc/openldap/ldap.conf
file. Your operating system’s package manager creates this file as part of the MongoDB Enterprise installation, via thelibldap
dependency. See the documentation forTLS Options
in the ldap.conf OpenLDAP documentation for more complete instructions.For Windows deployment, you must add the LDAP server CA certificates to the Windows certificate management tool. The exact name and functionality of the tool may vary depending on operating system version. Please see the documentation for your version of Windows for more information on certificate management.
Set
--ldapTransportSecurity
tonone
to disable TLS/SSL between mongoldap and the LDAP server.Warning
Setting
--ldapTransportSecurity
tonone
transmits plaintext information and possibly credentials between mongoldap and the LDAP server.
-
--ldapTimeoutMS
=<long>
¶ Default: 10000
New in version 3.4: Available in MongoDB Enterprise only.
The amount of time in milliseconds mongoldap should wait for an LDAP server to respond to a request.
Increasing the value of
--ldapTimeoutMS
may prevent connection failure between the MongoDB server and the LDAP server, if the source of the failure is a connection timeout. Decreasing the value of--ldapTimeoutMS
reduces the time MongoDB waits for a response from the LDAP server.This setting can be configured on a running mongoldap using
setParameter
.
-
--ldapUserToDNMapping
=<string>
¶ New in version 3.4: Available in MongoDB Enterprise only.
Maps the username provided to mongoldap for authentication to a LDAP Distinguished Name (DN). You may need to use
--ldapUserToDNMapping
to transform a username into an LDAP DN in the following scenarios:- Performing LDAP authentication with simple LDAP binding, where users authenticate to MongoDB with usernames that are not full LDAP DNs.
- Using an
LDAP authorization query template
that requires a DN. - Transforming the usernames of clients authenticating to Mongo DB using different authentication mechanisms (e.g. x.509, kerberos) to a full LDAP DN for authorization.
--ldapUserToDNMapping
expects a quote-enclosed JSON-string representing an ordered array of documents. Each document contains a regular expressionmatch
and either asubstitution
orldapQuery
template used for transforming the incoming username.Each document in the array has the following form:
Field Description Example match
An ECMAScript-formatted regular expression (regex) to match against a provided username. Each parenthesis-enclosed section represents a regex capture group used by substitution
orldapQuery
."(.+)ENGINEERING"
"(.+)DBA"
substitution
An LDAP distinguished name (DN) formatting template that converts the authentication name matched by the
match
regex into a LDAP DN. Each curly bracket-enclosed numeric value is replaced by the corresponding regex capture group extracted from the authentication username via thematch
regex.The result of the substitution must be an RFC4514 escaped string.
"cn={0},ou=engineering, dc=example,dc=com"
ldapQuery
A LDAP query formatting template that inserts the authentication name matched by the match
regex into an LDAP query URI encoded respecting RFC4515 and RFC4516. Each curly bracket-enclosed numeric value is replaced by the corresponding regex capture group extracted from the authentication username via thematch
expression. mongoldap executes the query against the LDAP server to retrieve the LDAP DN for the authenticated user. mongoldap requires exactly one returned result for the transformation to be successful, or mongoldap skips this transformation."ou=engineering,dc=example, dc=com??one?(user={0})"
Note
An explanation of RFC4514, RFC4515, RFC4516, or LDAP queries is out of scope for the MongoDB Documentation. Please review the RFC directly or use your preferred LDAP resource.
For each document in the array, you must use either
substitution
orldapQuery
. You cannot specify both in the same document.When performing authentication or authorization, mongoldap steps through each document in the array in the given order, checking the authentication username against the
match
filter. If a match is found, mongoldap applies the transformation and uses the output for authenticating the user. mongoldap does not check the remaining documents in the array.If the given document does not match the provided authentication name, mongoldap continues through the list of documents to find additional matches. If no matches are found in any document, or the transformation the document describes fails, mongoldap returns an error.
Starting in MongoDB 4.4, mongoldap also returns an error if one of the transformations cannot be evaluated due to networking or authentication failures to the LDAP server. mongoldap rejects the connection request and does not check the remaining documents in the array.
Example
The following shows two transformation documents. The first document matches against any string ending in
@ENGINEERING
, placing anything preceeding the suffix into a regex capture group. The second document matches against any string ending in@DBA
, placing anything preceeding the suffix into a regex capture group.Important
You must pass the array to
--ldapUserToDNMapping
as a string.A user with username
alice@ENGINEERING.EXAMPLE.COM
matches the first document. The regex capture group{0}
corresponds to the stringalice
. The resulting output is the DN"cn=alice,ou=engineering,dc=example,dc=com"
.A user with username
bob@DBA.EXAMPLE.COM
matches the second document. The regex capture group{0}
corresponds to the stringbob
. The resulting output is the LDAP query"ou=dba,dc=example,dc=com??one?(user=bob)"
. mongoldap executes this query against the LDAP server, returning the result"cn=bob,ou=dba,dc=example,dc=com"
.If
--ldapUserToDNMapping
is unset, mongoldap applies no transformations to the username when attempting to authenticate or authorize a user against the LDAP server.This setting can be configured on a running mongoldap using the
setParameter
database command.
-
--ldapAuthzQueryTemplate
=<string>
¶ New in version 3.4: Available in MongoDB Enterprise only.
A relative LDAP query URL formatted conforming to RFC4515 and RFC4516 that mongoldap executes to obtain the LDAP groups to which the authenticated user belongs to. The query is relative to the host or hosts specified in
--ldapServers
.In the URL, you can use the following substituion tokens:
Substitution Token Description {USER}
Substitutes the authenticated username, or the transformed
username if ausername mapping
is specified.{PROVIDED_USER}
Substitutes the supplied username, i.e. before either authentication or
LDAP transformation
.New in version 4.2.
When constructing the query URL, ensure that the order of LDAP parameters respects RFC4516:
If your query includes an attribute, mongoldap assumes that the query retrieves a the DNs which this entity is member of.
If your query does not include an attribute, mongoldap assumes the query retrieves all entities which the user is member of.
For each LDAP DN returned by the query, mongoldap assigns the authorized user a corresponding role on the
admin
database. If a role on the on theadmin
database exactly matches the DN, mongoldap grants the user the roles and privileges assigned to that role. See thedb.createRole()
method for more information on creating roles.Example
This LDAP query returns any groups listed in the LDAP user object’s
memberOf
attribute.Your LDAP configuration may not include the
memberOf
attribute as part of the user schema, may possess a different attribute for reporting group membership, or may not track group membership through attributes. Configure your query with respect to your own unique LDAP configuration.If unset, mongoldap cannot authorize users using LDAP.
This setting can be configured on a running mongoldap using the
setParameter
database command.