Skip to content

Setting up LDAP authentication and authorization using NativeLDAP

This document describes an example configuration of LDAP authentication and authorization using direct binding to an LDAP server (Native LDAP). We recommend testing this setup in a non-production environment first, before applying it in production.

Assumptions

  1. The setup of an LDAP server is out of scope of this document. We assume that you are familiar with the LDAP server schema.

  2. You have the LDAP server up and running and it is accessible to the servers with Percona Server for MongoDB installed.

  3. This document primarily focuses on OpenLDAP used as the LDAP server and the examples are given based on the OpenLDAP format. If you are using Active Directory, refer to the Active Directory configuration section.

  4. You must place both Percona Server for MongoDB and the LDAP servers behind the firewall as the communications between them will be in plain text.

  5. You have the sudo privilege to the server with the Percona Server for MongoDB installed.

Prerequisites

  • In this setup we use anonymous binds to the LDAP server. If your LDAP server disallows anonymous binds, create the user that Percona Server for MongoDB will use to connect to and query the LDAP server. Define this user’s credentials for the security.ldap.bind.queryUser and security.ldap.bind.queryPassword parameters in the mongod.conf configuration file.

  • In this setup, we use the following OpenLDAP groups:

    dn: cn=testusers,dc=percona,dc=com
    objectClass: groupOfNames
    cn: testusers
    member: cn=alice,dc=percona,dc=com
    
    dn: cn=otherusers,dc=percona,dc=com
    objectClass: groupOfNames
    cn: otherusers
    member: cn=bob,dc=percona,dc=com
    

Setup procedure

Configure TLS/SSL connection for Percona Server for MongoDB

By default, Percona Server for MongoDB establishes the TLS connection when binding to the LDAP server and thus, it requires access to the LDAP CA certificates. To make Percona Server for MongoDB aware of the certificates, do the following:

  1. Place the certificate in the certs directory. The path to the certs directory is:

    • On Debian / Ubuntu: /etc/ssl/certs/

    • On RHEL / CentOS: /etc/openldap/certs/

  2. Specify the path to the certificates in the ldap.conf file:

    tee -a /etc/openldap/ldap.conf <<EOF
    TLS_CACERT /etc/ssl/certs/my_CA.crt
    EOF
    

Create roles for LDAP groups in Percona Server for MongoDB

Percona Server for MongoDB authorizes users based on LDAP group membership. For every group, you must create the role in the admin database with the name that exactly matches the DN of the LDAP group.

Percona Server for MongoDB maps the user’s LDAP group to the roles and determines what role is assigned to the user. Percona Server for MongoDB then grants privileges defined by this role.

To create the roles, use the following command:

var admin = db.getSiblingDB("admin")
db.createRole(
   {
     role: "cn=testusers,dc=percona,dc=com",
     privileges: [],
     roles: [ "readWrite"]
   }
)

db.createRole(
   {
     role: "cn=otherusers,dc=percona,dc=com",
     privileges: [],
     roles: [ "read"]
   }
)

Percona Server for MongoDB configuration

Access without username transformation

This section assumes that users connect to Percona Server for MongoDB by providing their LDAP DN as the username.

  1. Edit the Percona Server for MongoDB configuration file (by default, /etc/mongod.conf) and specify the following configuration:

    security:
      authorization: "enabled"
      ldap:
        servers: "ldap.example.com"
        transportSecurity: tls
        authz:
           queryTemplate: "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={PROVIDED_USER}))"
    
    setParameter:
      authenticationMechanisms: "PLAIN"
    

    The {PROVIDED_USER} variable substitutes the provided username before authentication or username transformation takes place.

    Replace ldap.example.com with the hostname of your LDAP server. In the LDAP query template, replace the domain controllers percona and com with those relevant to your organization.

  2. Restart the mongod service:

    $ sudo systemctl restart mongod
    
  3. Test the access to Percona Server for MongoDB:

    mongo -u "cn=alice,dc=percona,dc=com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
    

Access with username transformation

If users connect to Percona Server for MongoDB with usernames that are not LDAP DN, you need to transform these usernames to be accepted by the LDAP server.

Using the --ldapUserToDNMapping configuration parameter allows you to do this. You specify the match pattern as a regexp to capture a username. Next, specify how to transform it - either to use a substitution value or to query the LDAP server for a username.

If you don’t know what the substitution or LDAP query string should be, please consult with the LDAP administrators to figure this out.

Note that you can use only the query or the substitution stage, the combination of two is not allowed.

  1. Edit the Percona Server for MongoDB configuration file (by default, /etc/mongod.conf) and specify the userToDNMapping parameter:

    security:
      authorization: "enabled"
      ldap:
        servers: "ldap.example.com"
        transportSecurity: tls
        authz:
           queryTemplate: "dc=percona,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
        userToDNMapping:
              [
                {
                  match: "([^@]+)@percona\\.com",
                  substitution: "CN={0},DC=percona,DC=com"
                }
              ]
    
    setParameter:
      authenticationMechanisms: "PLAIN"
    

    The {USER} variable substitutes the username transformed during the userToDNMapping stage.

    Modify the given example configuration to match your deployment.

  2. Restart the mongod service:

    $ sudo systemctl restart mongod
    
  3. Test the access to Percona Server for MongoDB:

    mongo -u "alice@percona.com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
    

Active Directory configuration

Microsoft Active Directory uses a different schema for user and group definition. To illustrate Percona Server for MongoDB configuration, we will use the following AD users:

dn:CN=alice,CN=Users,DC=testusers,DC=percona,DC=com
userPrincipalName: alice@testusers.percona.com
memberOf: CN=testusers,CN=Users,DC=percona,DC=com

dn:CN=bob,CN=Users,DC=otherusers,DC=percona,DC=com
userPrincipalName: bob@otherusers.percona.com
memberOf: CN=otherusers,CN=Users,DC=percona,DC=com

The following are respective AD groups:

dn:CN=testusers,CN=Users,DC=percona,DC=com
member:CN=alice,CN=Users,DC=testusers,DC=example,DC=com

dn:CN=otherusers,CN=Users,DC=percona,DC=com
member:CN=bob,CN=Users,DC=otherusers,DC=example,DC=com

Use one of the given Percona Server for MongoDB configurations for user authentication and authorization in Active Directory:

  1. Edit the mongod configuration file:

    ldap:
      servers: "ldap.example.com"
      authz:
        queryTemplate: "DC=percona,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={PROVIDED_USER}))"
    
      setParameter:
        authenticationMechanisms: "PLAIN"
    
  2. Restart the mongod service:

    $ sudo systemctl restart mongod
    
  3. Test the access to Percona Server for MongoDB:

    mongo -u "CN=alice,CN=Users,DC=testusers,DC=percona,DC=com" -p "secretpwd" --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'
    

Modify one of this example configuration to match your deployment.

Based on the material from Percona Database Performance Blog

This document is based on the following blog posts: