Setting up LDAP authentication and authorization using NativeLDAP¶
This document describes an example configuration of LDAP authentication and authorization using direct binding to an LDAP server (Native LDAP). We recommend testing this setup in a non-production environment first, before applying it in production.
Assumptions¶
The setup of an LDAP server is out of scope of this document. We assume that you are familiar with the LDAP server schema.
You have the LDAP server up and running and it is accessible to the servers with Percona Server for MongoDB installed.
This document primarily focuses on OpenLDAP used as the LDAP server and the examples are given based on the OpenLDAP format. If you are using Active Directory, refer to the Active Directory configuration section.
You must place both Percona Server for MongoDB and the LDAP servers behind the firewall as the communications between them will be in plain text.
You have the
sudo
privilege to the server with the Percona Server for MongoDB installed.
Prerequisites¶
In this setup we use anonymous binds to the LDAP server. If your LDAP server disallows anonymous binds, create the user that Percona Server for MongoDB will use to connect to and query the LDAP server. Define this user’s credentials for the
security.ldap.bind.queryUser
andsecurity.ldap.bind.queryPassword
parameters in themongod.conf
configuration file.In this setup, we use the following OpenLDAP groups:
dn: cn=testusers,dc=percona,dc=com objectClass: groupOfNames cn: testusers member: cn=alice,dc=percona,dc=com dn: cn=otherusers,dc=percona,dc=com objectClass: groupOfNames cn: otherusers member: cn=bob,dc=percona,dc=com
Setup procedure¶
Configure TLS/SSL connection for Percona Server for MongoDB¶
By default, Percona Server for MongoDB establishes the TLS connection when binding to the LDAP server and thus, it requires access to the LDAP CA certificates. To make Percona Server for MongoDB aware of the certificates, do the following:
Place the certificate in the
certs
directory. The path to thecerts
directory is:On Debian / Ubuntu:
/etc/ssl/certs/
On RHEL / CentOS:
/etc/openldap/certs/
Specify the path to the certificates in the
ldap.conf
file:tee -a /etc/openldap/ldap.conf <<EOF TLS_CACERT /etc/ssl/certs/my_CA.crt EOF
tee -a /etc/openldap/ldap.conf <<EOF TLS_CACERT /etc/openldap/certs/my_CA.crt EOF
Create roles for LDAP groups in Percona Server for MongoDB¶
Percona Server for MongoDB authorizes users based on LDAP group membership. For every group, you must create the role in the admin
database with the name that exactly matches the DN of the LDAP group.
Percona Server for MongoDB maps the user’s LDAP group to the roles and determines what role is assigned to the user. Percona Server for MongoDB then grants privileges defined by this role.
To create the roles, use the following command:
var admin = db.getSiblingDB("admin")
db.createRole(
{
role: "cn=testusers,dc=percona,dc=com",
privileges: [],
roles: [ "readWrite"]
}
)
db.createRole(
{
role: "cn=otherusers,dc=percona,dc=com",
privileges: [],
roles: [ "read"]
}
)
Percona Server for MongoDB configuration¶
Access without username transformation¶
This section assumes that users connect to Percona Server for MongoDB by providing their LDAP DN as the username.
Edit the Percona Server for MongoDB configuration file (by default,
/etc/mongod.conf
) and specify the following configuration:security: authorization: "enabled" ldap: servers: "ldap.example.com" transportSecurity: tls authz: queryTemplate: "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={PROVIDED_USER}))" setParameter: authenticationMechanisms: "PLAIN"
The {PROVIDED_USER} variable substitutes the provided username before authentication or username transformation takes place.
Replace
ldap.example.com
with the hostname of your LDAP server. In the LDAP query template, replace the domain controllerspercona
andcom
with those relevant to your organization.Restart the
mongod
service:$ sudo systemctl restart mongod
Test the access to Percona Server for MongoDB:
mongo -u "cn=alice,dc=percona,dc=com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
Access with username transformation¶
If users connect to Percona Server for MongoDB with usernames that are not LDAP DN, you need to transform these usernames to be accepted by the LDAP server.
Using the --ldapUserToDNMapping
configuration parameter allows you to do this. You specify the match pattern as a regexp to capture a username. Next, specify how to transform it - either to use a substitution value or to query the LDAP server for a username.
If you don’t know what the substitution or LDAP query string should be, please consult with the LDAP administrators to figure this out.
Note that you can use only the query
or the substitution
stage, the combination of two is not allowed.
Edit the Percona Server for MongoDB configuration file (by default,
/etc/mongod.conf
) and specify theuserToDNMapping
parameter:security: authorization: "enabled" ldap: servers: "ldap.example.com" transportSecurity: tls authz: queryTemplate: "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))" userToDNMapping: [ { match: "([^@]+)@percona\\.com", substitution: "CN={0},DC=percona,DC=com" } ] setParameter: authenticationMechanisms: "PLAIN"
The {USER} variable substitutes the username transformed during the userToDNMapping stage.
Modify the given example configuration to match your deployment.
Restart the
mongod
service:$ sudo systemctl restart mongod
Test the access to Percona Server for MongoDB:
mongo -u "alice@percona.com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
Edit the Percona Server for MongoDB configuration file (by default,
/etc/mongod.conf
) and specifyuserToDNMapping
parameter:security: authorization: "enabled" ldap: servers: "ldap.example.com" transportSecurity: tls authz: queryTemplate: "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))" userToDNMapping: [ { match: "([^@]+)@percona\\.com", ldapQuery: "dc=percona,dc=com??sub?(&(objectClass=organizationalPerson)(cn={0}))" } ] setParameter: authenticationMechanisms: "PLAIN"
The {USER} variable substitutes the username transformed during the userToDNMapping stage.
Modify the given example configuration to match your deployment, For example, replace
ldap.example.com
with the hostname of your LDAP server. Replace the domain controllers (DC)percona
andcom
with those relevant to your organization. Depending on your LDAP schema, further modifications of the LDAP query may be required.Restart the
mongod
service:$ sudo systemctl restart mongod
Test the access to Percona Server for MongoDB:
mongo -u "alice" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
Active Directory configuration¶
Microsoft Active Directory uses a different schema for user and group definition. To illustrate Percona Server for MongoDB configuration, we will use the following AD users:
dn:CN=alice,CN=Users,DC=testusers,DC=percona,DC=com
userPrincipalName: alice@testusers.percona.com
memberOf: CN=testusers,CN=Users,DC=percona,DC=com
dn:CN=bob,CN=Users,DC=otherusers,DC=percona,DC=com
userPrincipalName: bob@otherusers.percona.com
memberOf: CN=otherusers,CN=Users,DC=percona,DC=com
The following are respective AD groups:
dn:CN=testusers,CN=Users,DC=percona,DC=com
member:CN=alice,CN=Users,DC=testusers,DC=example,DC=com
dn:CN=otherusers,CN=Users,DC=percona,DC=com
member:CN=bob,CN=Users,DC=otherusers,DC=example,DC=com
Use one of the given Percona Server for MongoDB configurations for user authentication and authorization in Active Directory:
Edit the
mongod
configuration file:ldap: servers: "ldap.example.com" authz: queryTemplate: "DC=percona,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={PROVIDED_USER}))" setParameter: authenticationMechanisms: "PLAIN"
Restart the
mongod
service:$ sudo systemctl restart mongod
Test the access to Percona Server for MongoDB:
mongo -u "CN=alice,CN=Users,DC=testusers,DC=percona,DC=com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
Edit the
mongod
configuration file:ldap: servers: "ldap.example.com" authz: queryTemplate: "DC=percona,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))" userToDNMapping: [ { match: "([^@]+)@([^\\.]+)\\.percona\\.com", substitution: "CN={0},CN=Users,DC={1},DC=percona,DC=com" } ] setParameter: authenticationMechanisms: "PLAIN"
Restart the
mongod
service:$ sudo systemctl restart mongod
Test the access to Percona Server for MongoDB:
mongo -u "alice@percona.com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
Edit the
mongod
configuration file:ldap: servers: "ldap.example.com" authz: queryTemplate: "DC=percona,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))" userToDNMapping: [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?(&(objectClass=organizationalPerson)(userPrincipalName={0}))" } ] setParameter: authenticationMechanisms: "PLAIN"
Restart the
mongod
service:$ sudo systemctl restart mongod
Test the access to Percona Server for MongoDB:
mongo -u "alice" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
Modify one of this example configuration to match your deployment.
Based on the material from Percona Database Performance Blog
This document is based on the following blog posts:
Percona Server for MongoDB LDAP Enhancements: User-to-DN Mapping by Igor Solodovnikov
Authenticate Percona Server for MongoDB Users via Native LDAP by Ivan Groenewold