Speaker: Kip Iwakiri, Technical Services Engineer, MongoDB

1. User Authorization
Without You
Integrating MongoDB and LDAP

2. Kip Iwakiri
Technical Services Engineer, MongoDB
Table Tennis Matches on Demand

3. Agenda
Disclaimer: Subject to change

4. We need 30,000 users added to the database
Based on a True Story
Yesterday

5. We need 30,000 users added to the database
Please. No.
Not like this.
-Kip
Based on a True Story
Yesterday

6. We need LDAP for <arbitrary standard>!
Find out more tonight at 11!
Yesterday - 1

7. We need LDAP for <arbitrary standard>!
Actually, I can fix this.
I’ll need 80 minutes and 50’ish people in
a small auditorium.
-Kip
Find out more tonight at 11!
Yesterday - 1

8. LDAP PrimerWhat is LDAP?
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins
• Lightweight
• Directory
• Access
• Protocol
• (Relatively) Fast Lookups
• Centralized
• Integrated with Windows

9. LDAP Primer
Domain Component (DC)
Organizational Unit (OU)
Security Group (SG)
Person (DN, UPN, SAM, etc)
Terminology - Structure
Abbrev. Object Description Example
DC Domain Component
Top level of directory tree. Each is a piece
of the full domain.
DC=com
OU Organizational Unit Like a folder for things. A logical structure. OU=PLACE
SG Security Group A type of Group. Logical grouping of users. CN=SecAdmins,OU=PLACE,DC=example,DC=com
---- Person Lots of aliases here! CN=kip
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

10. LDAP Primer
Domain Component (DC)
Organizational Unit (OU)
Security Group (SG)
Person (DN, UPN, SAM, etc)
Terminology - Structure
Abbrev. Object Description Example
DC Domain Component
Top level of directory tree. Each is a piece
of the full domain.
DC=com
OU Organizational Unit Like a folder for things. A logical structure. OU=PLACE
SG Security Group A type of Group. Logical grouping of users. CN=SecAdmins,OU=PLACE,DC=example,DC=com
---- Person Lots of aliases here! CN=kip
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

11. LDAP Primer
Domain Component (DC)
Organizational Unit (OU)
Security Group (SG)
Person (DN, UPN, SAM, etc)
Terminology - Structure
Abbrev. Object Description Example
DC Domain Component
Top level of directory tree. Each is a piece
of the full domain.
DC=com
OU Organizational Unit Like a folder for things. A logical structure. OU=PLACE
SG Security Group A type of Group. Logical grouping of users. CN=SecAdmins,OU=PLACE,DC=example,DC=com
---- Person Lots of aliases here! CN=kip
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

12. LDAP Primer
Domain Component (DC)
Organizational Unit (OU)
Security Group (SG)
Person (DN, UPN, SAM, etc)
Terminology - Structure
Abbrev. Object Description Example
DC Domain Component
Top level of directory tree. Each is a piece
of the full domain.
DC=com
OU Organizational Unit Like a folder for things. A logical structure. OU=PLACE
SG Security Group A type of Group. Logical grouping of users. CN=SecAdmins,OU=PLACE,DC=example,DC=com
---- Person Lots of aliases here! CN=kip
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

13. LDAP Primer
Domain Component (DC)
Organizational Unit (OU)
Security Group (SG)
Person (DN, UPN, SAM, etc)
Terminology - Structure
Abbrev. Object Description Example
DC Domain Component
Top level of directory tree. Each is a piece
of the full domain.
DC=com
OU Organizational Unit Like a folder for things. A logical structure. OU=PLACE
SG Security Group A type of Group. Logical grouping of users. CN=SecAdmins,OU=PLACE,DC=example,DC=com
Human Person Lots of aliases here! CN=kip
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

14. LDAP Primer
Person (DN, UPN, SAM, etc)
Terminology - Objects
Abbrev. Attribute Description Example
DN distinguishedName The full path to your object. CN=kip,CN=Users,DC=example,DC=com
UPN userPrincipalName Username with domain kip@example.com
SAM sAMAccountName Just a Username kip
CN cn Common Name kip
---- memberOf Distinguished Names of groups CN=SecAdmins,OU=PLACE,dc=example,dc=com
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

15. LDAP Primer
Person (DN, UPN, SAM, etc)
Terminology - Objects
Abbrev. Attribute Description Example
DN distinguishedName The full path to your object. CN=kip,CN=Users,DC=example,DC=com
UPN userPrincipalName Username with domain kip@example.com
SAM sAMAccountName Just a Username kip
CN cn Common Name kip
---- memberOf Distinguished Names of groups CN=SecAdmins,OU=PLACE,dc=example,dc=com
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

16. LDAP Primer
Person (DN, UPN, SAM, etc)
Terminology - Objects
Abbrev. Attribute Description Example
DN distinguishedName The full path to your object. CN=kip,CN=Users,DC=example,DC=com
UPN userPrincipalName Username with domain kip@example.com
SAM sAMAccountName Just a Username kip
CN cn Common Name kip
---- memberOf Distinguished Names of groups CN=SecAdmins,OU=PLACE,dc=example,dc=com
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

17. LDAP Primer
Person (DN, UPN, SAM, etc)
Terminology - Objects
Abbrev. Attribute Description Example
DN distinguishedName The full path to your object. CN=kip,CN=Users,DC=example,DC=com
UPN userPrincipalName Username with domain kip@example.com
SAM sAMAccountName Just a Username kip
CN cn Common Name kip
---- memberOf Distinguished Names of groups CN=SecAdmins,OU=PLACE,dc=example,dc=com
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

18. LDAP Primer
Person (DN, UPN, SAM, etc)
Terminology - Objects
Abbrev. Attribute Description Example
DN distinguishedName The full path to your object. CN=kip,CN=Users,DC=example,DC=com
UPN userPrincipalName Username with domain kip@example.com
SAM sAMAccountName Just a Username kip
CN cn Common Name kip
---- memberOf Distinguished Names of groups CN=SecAdmins,OU=PLACE,dc=example,dc=com
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

19. LDAP Primer
Person (DN, UPN, SAM, etc)
Terminology - Objects
Abbrev. Attribute Description Example
DN distinguishedName The full path to your object. CN=kip,CN=Users,DC=example,DC=com
UPN userPrincipalName Username with domain kip@example.com
SAM sAMAccountName Just a Username kip
CN cn Common Name kip
---- memberOf Distinguished Names of groups CN=SecAdmins,OU=PLACE,dc=example,dc=com
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

20. LDAP PrimerQuery Format
Attribute Description Example
Base DN
This is the full path to the object in the
directory where you will start the search
OU=place,DC=example,DC=com
Attributes to
Return
Optional field. Comma separated list of
values.
userPrincipalName,cn,mail
Scope
Depth of the search. Three options.
Default is sub.
● base - Only the base!
● one - One below, no base
● sub - Recursive lookup (Default)
Filter
Return specific objects based on attribute
values.
userPrincipalName=kip@example.com
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

21. LDAP PrimerQuery Format
Attribute Description Example
Base DN
This is the full path to the object in the
directory where you will start the search
OU=place,DC=example,DC=com
Attributes to
Return
Optional field. Comma separated list of
values.
userPrincipalName,cn,mail
Scope
Depth of the search. Three options.
Default is sub.
● base - Only the base!
● one - One below, no base
● sub - Recursive lookup (Default)
Filter
Return specific objects based on attribute
values.
userPrincipalName=kip@example.com
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

22. LDAP PrimerQuery Format
Attribute Description Example
Base DN
This is the full path to the object in the
directory where you will start the search
OU=place,DC=example,DC=com
Attributes to
Return
Optional field. Comma separated list of
values.
userPrincipalName,cn,mail
Scope
Depth of the search. Three options.
Default is sub.
● base - Only the base!
● one - One below, no base
● sub - Recursive lookup (Default)
Filter
Return specific objects based on attribute
values.
userPrincipalName=kip@example.com
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

23. LDAP PrimerQuery Format
Attribute Description Example
Base DN
This is the full path to the object in the
directory where you will start the search
OU=place,DC=example,DC=com
Attributes to
Return
Optional field. Comma separated list of
values.
userPrincipalName,cn,mail
Scope
Depth of the search. Three options.
Default is sub.
● base - Only the base!
● one - One below, no base
● sub - Recursive lookup (Default)
Filter
Return specific objects based on attribute
values.
userPrincipalName=kip@example.com
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

24. LDAP PrimerQuery Format
Attribute Description Example
Base DN
This is the full path to the object in the
directory where you will start the search
OU=place,DC=example,DC=com
Attributes to
Return
Optional field. Comma separated list of
values.
userPrincipalName,cn,mail
Scope
Depth of the search. Three options.
Default is sub.
● base - Only the base!
● one - One below, no base
● sub - Recursive lookup (Default)
Filter
Return specific objects based on attribute
values.
userPrincipalName=kip@example.com
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

25. LDAP PrimerQuestions?
Attribute Description Example
Base DN
This is the full path to the object in the
directory where you will start the search
OU=place,DC=example,DC=com
Attributes to
Return
Optional field. Comma separated list of
values.
userPrincipalName,cn,mail
Scope
Depth of the search. Three options.
Default is sub.
● base - Only the base!
● one - One below, no base
● sub - Recursive lookup (Default)
Filter
Return specific objects based on attribute
values.
userPrincipalName=kip@example.com
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

26. LDAP PrimerQuery Format - Examples
Field Example
Base DN
Attributes
Scope
Filter
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

27. LDAP PrimerQuery Format - Examples
Field Example
Base DN
Attributes
Scope
Filter
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

28. LDAP PrimerQuery Format - Examples
Field Example
Base DN CN=Users,DC=example,DC=com
Attributes
Scope
Filter
CN=Users,DC=example,DC=com?<Attributes To Return>?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

29. LDAP PrimerQuery Format - Examples
Field Example
Base DN CN=Users,DC=example,DC=com
Attributes cn,mail,memberOf
Scope
Filter
CN=Users,DC=example,DC=com?cn,mail,memberOf?<Scope>?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

30. LDAP PrimerQuery Format - Examples
Field Example
Base DN CN=Users,DC=example,DC=com
Attributes cn,mail,memberOf
Scope sub
Filter
CN=Users,DC=example,DC=com?cn,mail,memberOf?sub?<Filter>
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

31. LDAP PrimerQuery Format - Examples
Field Example
Base DN CN=Users,DC=example,DC=com
Attributes cn,mail,memberOf
Scope sub
Filter userPrincipalName=kip@example.com
CN=Users,DC=example,DC=com?cn,mail,memberOf?sub?userPrincipalName=kip@example.com
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

32. LDAP PrimerQuery Format - Examples
Field Example
Base DN CN=Users,DC=example,DC=com
Attributes cn,mail,memberOf
Scope sub
Filter userPrincipalName=kip@example.com
CN=Users,DC=example,DC=com?cn,mail,memberOf??userPrincipalName=kip@example.com
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

33. LDAP PrimerQuery Format - Examples
Field Example
Base DN CN=Users,DC=example,DC=com
Attributes *
Scope sub
Filter userPrincipalName=kip@example.com
CN=Users,DC=example,DC=com??sub?userPrincipalName=kip@example.com
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

34. LDAP PrimerQuery Format - Examples
Field Example
Base DN CN=Users,DC=example,DC=com
Attributes *
Scope sub
Filter *
CN=Users,DC=example,DC=com??sub
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

35. LDAP PrimerQuery Format - Examples
Field Example
Base DN CN=Users,DC=example,DC=com
Attributes *
Scope base
Filter *
CN=Users,DC=example,DC=com??base
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

36. LDAP PrimerQuestions?
DC=net DC=com DC=org
DC=example
CN=UsersOU=PLACE
CN=kipCN=SecAdmins

37. LDAP PrimerQuestions?

38. AuthN vs AuthZ
AuthN - Authentication
• Who are you?
AuthZ - Authorization
• What are you allowed to do?
Why you want AuthZ!
Native LDAP AuthorizationIn MongoDB

39. Native LDAP AuthorizationIn MongoDB
security.ldap.userToDNMapping
● Converts login into a distinguishedName for searching
● Array of documents containing 2 fields
○ match
○ ldapQuery || substitution
● [ { match: "(.+)", ldapQuery: "<base>?<attributes>?<scope>?<filter>" } ]
security.ldap.authz.queryTemplate
● Query to run for authorization
● Results compared against MongoDB roles @admin

40. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

41. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. kip
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

42. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. kip
2. [ { match: "(.+)", ldapQuery: "<base>?<attributes>?<scope>?<filter>" } ]
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

43. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. kip
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
a. {0} is regex capture group 0
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

44. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. CN=kip,CN=Users,DC=example,DC=com
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
a. {0} is regex capture group 0
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

45. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. CN=kip,CN=Users,DC=example,DC=com
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
a. {0} is regex capture group 0
3. <base>?<attributes>?<scope>?<filter>
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

46. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. CN=kip,CN=Users,DC=example,DC=com
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
a. {0} is regex capture group 0
3. {USER}?memberOf?base
a. {USER} is a special token for the username dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

47. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. CN=kip,CN=Users,DC=example,DC=com
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
a. {0} is regex capture group 0
3. {USER}?memberOf?base
a. {USER} is a special token for the username dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

48. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. CN=kip,CN=Users,DC=example,DC=com
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
a. {0} is regex capture group 0
3. {USER}?memberOf?base
a. {USER} is a special token for the username
4. db.getSiblingDatabase(‘admin’).getRoles()
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

49. Native LDAP AuthorizationIn MongoDB
5 Easy Steps
1. Client logs in with Username
2. Username is converted via userToDNMapping
3. Run username against authorization query template
4. Check results from authorization query template against MongoDB roles@admin
5. Access! (Or not)
1. CN=kip,CN=Users,DC=example,DC=com
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
a. {0} is regex capture group 0
3. {USER}?memberOf?base
a. {USER} is a special token for the username
4. db.getSiblingDatabase(‘admin’).getRoles()
5. ACCESS!?
dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString

50. Native LDAP ACCESSIn Excess
5 ACCESS Steps
1. Client logs in with ACCESS
2. Username is converted via ACCESS
3. Run username against ACCESS query template
4. Check results from authorization query template against MongoDB roles@ACCESS
5. Access!
1. CN=ACCESS,CN=Users,DC=example,DC=com
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
a. {0} is regex capture group 0
3. {USER}?memberOf?base
a. {USER} is a special token for the username
4. db.getSiblingDatabase(‘admin’).getRoles()
5. ACCESS!
dn: CN=ACCESS,CN=Users,DC=example,DC=com
distinguishedName:
CN=ACCESS,CN=Users,DC=example,DC=com
userPrincipalName: ACCESS@example.com
sAMAccountName: ACCESS
cn: ACCESS
memberOf: ACCESS

51. Quick Questions!Or not

52. We’ll Do It LiveTake Notes?
❏ 5m - Checking out Active Directory and Tracking Users
❏ Add a user to a group and create a group
❏ 10m - Start a MongoDB Instance!
❏ Create a new config file
❏ Start it up
❏ 5m - Create Role in mongod
❏ 5m - Example Authentication
❏ 5m - Additional Tools
❏ mongoldap

53. Maybe We Should Have Practiced...Take Notes
❏ Users in multiple OUs
❏ Commas, in usernames
❏ Ambiguous Users
❏ Case Sensitivity
❏ “SMART QUOTES”

54. Extra Reference MaterialOpen Notes Testing. Just Sayin’
● Documentation:
○ https://docs.mongodb.com/manual/core/security-ldap/
○ https://docs.mongodb.com/manual/tutorial/authenticate-nativeldap-activedirectory/
○ https://docs.mongodb.com/manual/core/security-ldap-external/
● Coursework:
○ https://university.mongodb.com/courses/M310/about

55. Q/AQuestions? Answers? Challenges?

56. Q/A
Please. No.
Not like this.
-Kip
Bring your A-game
Questions? Answers? Challenges?