5. We need 30,000 users added to the database
Please. No.
Not like this.
-Kip
Based on a True Story
Yesterday
7. We need LDAP for <arbitrary standard>!
Actually, I can fix this.
I’ll need 80 minutes and 50’ish people in
a small auditorium.
-Kip
Find out more tonight at 11!
Yesterday - 1
8. LDAP Primer - What is LDAP?
[Figure: directory tree. Roots DC=net, DC=com, DC=org; under DC=com sits DC=example; under DC=example sit CN=Users (containing CN=kip) and OU=PLACE (containing CN=SecAdmins). The same tree is repeated on every primer slide.]
• Lightweight
• Directory
• Access
• Protocol
• (Relatively) fast lookups
• Centralized
• Integrated with Windows (Active Directory is an LDAP directory)
9. LDAP Primer - Terminology: Structure
Domain Component (DC), Organizational Unit (OU), Security Group (SG), Person (DN, UPN, SAM, etc.)

Abbrev. | Object              | Description                                                          | Example
DC      | Domain Component    | Top level of the directory tree. Each is a piece of the full domain. | DC=com
OU      | Organizational Unit | Like a folder for things. A logical structure.                       | OU=PLACE
SG      | Security Group      | A type of Group. Logical grouping of users.                          | CN=SecAdmins,OU=PLACE,DC=example,DC=com
(none)  | Person              | Lots of aliases here!                                                | CN=kip
14. LDAP Primer - Terminology: Objects
Person (DN, UPN, SAM, etc.)

Abbrev. | Attribute         | Description                   | Example
DN      | distinguishedName | The full path to your object. | CN=kip,CN=Users,DC=example,DC=com
UPN     | userPrincipalName | Username with domain          | kip@example.com
SAM     | sAMAccountName    | Just a username               | kip
CN      | cn                | Common Name                   | kip
(none)  | memberOf          | Distinguished Names of groups | CN=SecAdmins,OU=PLACE,dc=example,dc=com

The same object as an LDIF record:

dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString
20. LDAP Primer - Query Format
<Base DN>?<Attributes To Return>?<Scope>?<Filter>

Field                | Description                                                                    | Example
Base DN              | The full path to the object in the directory where the search starts.          | OU=place,DC=example,DC=com
Attributes to Return | Optional. Comma-separated list of attribute names; empty means every attribute. | userPrincipalName,cn,mail
Scope                | Depth of the search. Three options; default is sub.                            | sub
Filter               | Return only objects whose attribute values match.                              | userPrincipalName=kip@example.com

Scope options:
● base - only the base object itself
● one - the objects one level below the base, not the base itself
● sub - the base and everything below it, recursively (default)
26. LDAP Primer - Query Format: Examples
<Base DN>?<Attributes To Return>?<Scope>?<Filter>

Field      | Example
Base DN    | CN=Users,DC=example,DC=com
Attributes | cn,mail,memberOf
Scope      | sub
Filter     | userPrincipalName=kip@example.com

The query built up from those fields, then varied one field at a time:

CN=Users,DC=example,DC=com?cn,mail,memberOf?sub?userPrincipalName=kip@example.com
  All four fields given.
CN=Users,DC=example,DC=com?cn,mail,memberOf??userPrincipalName=kip@example.com
  Scope omitted; it defaults to sub.
CN=Users,DC=example,DC=com??sub?userPrincipalName=kip@example.com
  Attributes omitted (*); every attribute of the matching object is returned.
CN=Users,DC=example,DC=com??sub
  Filter omitted (*); every object under CN=Users, with every attribute.
CN=Users,DC=example,DC=com??base
  Scope base; only the CN=Users object itself.
38. AuthN vs AuthZ
AuthN - Authentication
• Who are you?
AuthZ - Authorization
• What are you allowed to do?
Why you want AuthZ!
Native LDAP Authorization In MongoDB
39. Native LDAP Authorization In MongoDB
security.ldap.userToDNMapping
● Converts the login name into a distinguishedName for searching
● Array of documents, each containing 2 fields:
○ match (a regex applied to the login name)
○ ldapQuery or substitution (a template in which {0} is the first capture group)
● [ { match: "(.+)", ldapQuery: "<base>?<attributes>?<scope>?<filter>" } ]
security.ldap.authz.queryTemplate
● Query run for authorization, with {USER} replaced by the mapped DN
● Results (group DNs) are compared by name against MongoDB roles in the admin database
40. Native LDAP Authorization In MongoDB - 5 Easy Steps
1. Client logs in with a username
2. Username is converted to a DN via userToDNMapping
3. The DN is run through the authorization query template
4. Results from the authorization query template are checked against MongoDB roles@admin
5. Access! (Or not)

Worked through for kip, against the object below:

1. kip
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
   a. {0} is the first regex capture group, here the whole login name
   b. Result: CN=kip,CN=Users,DC=example,DC=com
3. {USER}?memberOf?base
   a. {USER} is a special token for the user's DN from step 2
   b. Result: the memberOf values of that one object
4. db.getSiblingDB('admin').getRoles()
   a. Each returned group DN is matched against the role names; a role whose name is the group DN must exist in admin for it to grant anything
5. ACCESS!?

dn: CN=kip,CN=Users,DC=example,DC=com
distinguishedName: CN=kip,CN=Users,DC=example,DC=com
userPrincipalName: kip@example.com
sAMAccountName: kip
cn: kip
memberOf: CN=SecAdmins,OU=PLACE,dc=example,dc=com
memberOf: literallyAnyString
50. Native LDAP ACCESS In Excess
5 ACCESS Steps
1. Client logs in with ACCESS
2. Username is converted via ACCESS
3. Run username against ACCESS query template
4. Check results from authorization query template against MongoDB roles@ACCESS
5. Access!
1. CN=ACCESS,CN=Users,DC=example,DC=com
2. [ { match: "(.+)", ldapQuery: "dc=example,dc=com??sub?userPrincipalName={0}@example.com" } ]
   a. {0} is the first regex capture group
3. {USER}?memberOf?base
   a. {USER} is a special token for the user's DN
4. db.getSiblingDB('admin').getRoles()
5. ACCESS!
dn: CN=ACCESS,CN=Users,DC=example,DC=com
distinguishedName: CN=ACCESS,CN=Users,DC=example,DC=com
userPrincipalName: ACCESS@example.com
sAMAccountName: ACCESS
cn: ACCESS
memberOf: ACCESS
52. We'll Do It Live - Take Notes?
❏ 5m - Checking out Active Directory and Tracking Users
❏ Add a user to a group and create a group
❏ 10m - Start a MongoDB Instance!
❏ Create a new config file
❏ Start it up
❏ 5m - Create Role in mongod
❏ 5m - Example Authentication
❏ 5m - Additional Tools
❏ mongoldap
53. Maybe We Should Have Practiced... - Take Notes
❏ Users in multiple OUs
❏ Commas, in usernames
❏ Ambiguous Users
❏ Case Sensitivity
❏ “SMART QUOTES”
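The query format from the primer, the five-step authorization flow, and the gotchas in the list above, put together as one runnable simulation. This is an added example, not MongoDB's code and not the demo from the talk: it runs the slides' userToDNMapping and queryTemplate against a constructed in-memory directory (three entries: one with a comma in its RDN, two sharing a sAMAccountName) and a constructed admin role. The directory contents, the role, the rule that the match regex must cover the whole login name, the fail-closed handling of an unmatched or ambiguous user, and the optional case-insensitive DN comparison are all assumptions of the example, not documented mongod behaviour.

```python
"""Simulation of MongoDB's native LDAP authorization flow against a tiny
in-memory directory. Added example; not MongoDB's code or the talk's demo."""
import re

# Constructed sample directory (assumption): DN -> attributes, list-valued as in LDIF.
DIRECTORY = {
    "CN=kip,CN=Users,DC=example,DC=com": {
        "userPrincipalName": ["kip@example.com"], "sAMAccountName": ["kip"], "cn": ["kip"],
        "memberOf": ["CN=SecAdmins,OU=PLACE,dc=example,dc=com", "literallyAnyString"],
    },
    "CN=kip,OU=PLACE,DC=example,DC=com": {  # a second "kip" in another OU
        "userPrincipalName": ["kip2@example.com"], "sAMAccountName": ["kip"], "cn": ["kip"],
    },
    "CN=Doe\\, Jane,OU=PLACE,DC=example,DC=com": {  # comma in the RDN, escaped per RFC 4514
        "userPrincipalName": ["jane@example.com"], "sAMAccountName": ["jane"], "cn": ["Doe, Jane"],
        "memberOf": ["CN=SecAdmins,OU=PLACE,DC=example,DC=com"],
    },
}
# Constructed roles in MongoDB's admin database; a role name must equal a group DN.
ADMIN_ROLES = {"CN=SecAdmins,OU=PLACE,DC=example,DC=com": ["readWriteAnyDatabase"]}
# security.ldap.userToDNMapping and security.ldap.authz.queryTemplate from the slides.
USER_TO_DN = [{"match": "(.+)",
               "ldapQuery": "dc=example,dc=com??sub?userPrincipalName={0}@example.com"}]
QUERY_TEMPLATE = "{USER}?memberOf?base"


def norm_dn(dn):
    """Comparison key: case-insensitive, whitespace around unescaped commas ignored."""
    return ",".join(p.strip() for p in re.split(r"(?<!\\),", dn)).lower()


def escape_filter(value):
    """RFC 4515 escaping so a login name cannot add or close filter components."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def unescape_filter(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def escape_dn(value):
    """RFC 4514 escaping of an RDN value (leading/trailing space and '#' rules omitted)."""
    return re.sub(r'[,+"\\<>;]', lambda m: "\\" + m.group(), value)


def parse_query(query):
    """<base>?<attrs>?<scope>?<filter>; empty attrs = all, empty scope = sub (as the slides state)."""
    base, attrs, scope, filt = (query.split("?", 3) + ["", "", ""])[:4]
    return base, [a for a in attrs.split(",") if a], scope or "sub", filt


def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return dn == base
    parent = re.split(r"(?<!\\),", dn, 1)[1:]  # [] for a root entry
    if scope == "one":
        return parent == [base]
    return dn == base or dn.endswith("," + base)  # sub


def matches(attrs, filt):
    """Presence and equality filters only, e.g. (userPrincipalName=kip@example.com)."""
    filt = filt.strip("()")
    if not filt or filt.lower() == "objectclass=*":
        return True
    name, _, want = filt.partition("=")
    values = next((v for k, v in attrs.items() if k.lower() == name.lower()), [])
    if want == "*":
        return bool(values)
    return any(v.lower() == unescape_filter(want).lower() for v in values)


def search(query):
    """Returns [(dn, {requested attribute: values})] for one query string."""
    base, wanted, scope, filt = parse_query(query)
    wanted = [w.lower() for w in wanted]
    return [(dn, {k: v for k, v in attrs.items() if not wanted or k.lower() in wanted})
            for dn, attrs in DIRECTORY.items() if in_scope(dn, base, scope) and matches(attrs, filt)]


def map_user_to_dn(username, mapping=USER_TO_DN):
    """Step 2: the first rule whose regex matches wins; {0} is the first capture group."""
    for rule in mapping:
        m = re.fullmatch(rule["match"], username)  # assumption: regex must cover the whole name
        if not m:
            continue
        direct = "substitution" in rule
        template, esc = (rule["substitution"], escape_dn) if direct else (rule["ldapQuery"], escape_filter)
        for i, group in enumerate(m.groups()):
            template = template.replace("{%d}" % i, esc(group))
        if direct:
            return template
        hits = search(template)
        if len(hits) != 1:  # 0 = unknown user, 2+ = ambiguous user: fail closed either way
            raise LookupError("userToDNMapping found %d entries for %r" % (len(hits), username))
        return hits[0][0]
    raise LookupError("no userToDNMapping rule matched %r" % username)  # assumption: reject


def authorize(username, exact=False):
    """Steps 3-5: run the authz query for the user's DN, return the admin roles it grants.
    exact=True compares group DNs to role names byte-for-byte, which is where case bites."""
    user_dn = map_user_to_dn(username)
    query = QUERY_TEMPLATE.replace("{USER}", user_dn)
    wanted = parse_query(query)[1]
    groups = []
    for dn, found in search(query):
        # Attributes requested: their values are the group names. None requested: the DNs are.
        groups += [v for vals in found.values() for v in vals] if wanted else [dn]
    key = (lambda s: s) if exact else norm_dn
    granted = {key(g) for g in groups}
    return sorted(role for role in ADMIN_ROLES if key(role) in granted)


if __name__ == "__main__":
    for user in ("kip", "jane", "kip2"):
        print(user, "->", map_user_to_dn(user), "->", authorize(user), "exact:", authorize(user, exact=True))
```

Run it and kip only receives the SecAdmins role under the normalized comparison: his memberOf value spells dc= in lower case while the role was created with DC=, so a byte-for-byte match fails, which is the case-sensitivity gotcha in miniature. Whether a given mongod version matches role names exactly is left as the exact= knob rather than asserted; the safe practice is to create the role with the DN string exactly as the directory returns it. Mapping kip by sAMAccountName instead of userPrincipalName hits both kip entries and is rejected as ambiguous, and a login name of "*" or "a)(b" is escaped before it reaches the filter. RFC 4516 itself defaults an omitted scope to base, so spell the scope out in both templates rather than relying on any default. Everything the authz query returns is treated as a role name, so the set of roles that actually exist in admin is the real allow-list.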
54. Extra Reference Material - Open Notes Testing. Just Sayin'
● Documentation:
○ https://docs.mongodb.com/manual/core/security-ldap/
○ https://docs.mongodb.com/manual/tutorial/authenticate-nativeldap-activedirectory/
○ https://docs.mongodb.com/manual/core/security-ldap-external/
● Coursework:
○ https://university.mongodb.com/courses/M310/about