User administration without you - integrating LDAP

User Administration
(Without You)
Integrating LDAP with MongoDB
v 20181108

JIM BLACKHURST
Principal Solutions Architect
(London)
RONAN BOHAN
Senior Solutions Architect
(Dublin/London)

Agenda
Section
One
Section
Three
LDAP Primer
LDAP general overview, What do all these
things mean?
MongoDB Atlas and LDAPS
Configuring MongoDB Atlas to work with
Secure LDAP
Section
Two
Section
Four
MongoDB LDAP Configuration
How to configure MongoDB to run with
LDAP
Gotcha’s, Wrap up and Q&A
Things to know, What we’ve learned, and
what you wish we’d covered

LDAP Primer - What is LDAP
Lightweight Directory Access Protocol
(LDAP, geddit?)
• It’s a protocol for managing and querying entities in a specific tree structure
• You may know it by its server implementations, Active Directory or OpenLDAP
• Used very heavily in MS Windows network management, but also seen
throughout Linux world too
Section
One

LDAP Primer - Why is it useful?
• Centralised service, good for RBAC with many consuming systems
• Fast!
• Well supported with many good server options (AD, OpenLDAP, OpenDJ,
RHDS)
• Highly structured but extensible
• Vendor neutral and industry standard - based on a subset of the X.500 standard
Section
One

LDAP Primer - What does it look like?
Section
One
dc=mongodb
ou=groups
cn=admins cn=users
ou=users
uid=jim uid=ronan
dc=ldap
dc=local

LDAP Primer - Domain Components
Section
One
dc=mongodb
ou=groups
cn=admins cn=users
ou=users
uid=jim uid=ronan
dc=ldap
dc=local
Domain: ldap.mongodb.localDomain Components

LDAP Primer - Domain Components
Section
One
ou=groups
cn=admins cn=users
ou=users
uid=jim uid=ronan
dc=ldap,dc=mongodb,dc=local Domain: ldap.mongodb.local

LDAP Primer - Objects
Section
One
ou=groups
cn=admins cn=users
ou=users
uid=jim uid=ronan
Objects
dc=ldap,dc=mongodb,dc=local

LDAP Primer - Organizational Units
Section
One
ou=groups
cn=admins cn=users
ou=users
uid=jim uid=ronan
Organizational
Units

LDAP Primer - Leaf Objects
Section
One
ou=groups
cn=admins cn=users
ou=users
uid=jim uid=ronan
user objects group objects

LDAP Primer - Distinguished Name
Section
One
ou=groups
cn=admins cn=users
ou=users
uid=jim uid=ronan
DN: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local

LDAP Primer - Demo - Directory Studio
Section
One

LDAP Primer - What does it look like?
• The Directory is a hierarchical tree
• Objects in the tree consist of:
• A Distinguished Name
• Defined by the object's location / path in the directory
• A set of Attributes and associated Values
• One or more '<attribute> = <value>' pairs
• A set of Object Classes
• Defines the role of the object in the directory
Section
One

Terminology
How many of these attributes do I have to remember?
Abbreviation Full Name Description Example
DN Distinguished Name
dc Domain Component
ou Organizational Unit
cn Common Name
uid User ID
Section
One

LDAP Primer – 1. Distinguished Name
• The Distinguished Name (DN) is not related to Aristocracy, Breeding
or Nobility.
• It is a compound of a number of objects that together Distinguish that
entity from all others in the directory
• The DN is defined by the full path from that object to the root of the
tree
• It is by definition, unique.
DN: uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local
Section
One

LDAP Primer – 2. Domain Components
• A Domain Component (dc) is a component part of the domain name
at the top level of the tree
DN: dc=ldap,dc=mongodb,dc=local
Section
One

• An Organisational Unit (ou) is a directory object into which you can
place things like groups, users, computers, etc..
• Similar in concept to a folder in a file system.
• Typically found between the DCs and leaf objects in a DN
ou=users
DN: uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local
Section
One
LDAP Primer – 3. Organisational Units

LDAP Primer – 4. Common Name
• cn is the Common Name for an object
• A friendly name, used all over the place:
• Not necessarily (and often not) unique
• The attribute is also used for lots of other things like cn=users to
identify a group
cn=jim
Section
One

LDAP Primer – 5. UID
• uid is the User Identifier or User ID
• Just a name, or other identifier for a user
• Typically unique in the tree
• In Active Directory, UPN (User Principal Name) is often used instead
and is defined using an email address format (name@domain)
uid=jim
Section
One
upn=jim@mongodb.com

LDAP Primer – ** Side Note **
• Windows Vs Linux
• Due to the popularity of LDAP with Windows networking, many Windows only
attributes and objects exist within Active Directory (AD), which may not exist in
OpenLDAP or other server implementations
• Examples Include
• UPN (User Principal Name)
• SAM (sAMAccountName)
Section
One

Terminology – Recap
Abbreviation Full Name Description Example
DN Distinguished Name The unique entity description DN: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local
dc Domain Component The parts of the domain of the DN dc=ldap,dc=mongodb,dc=local
ou Organizational Unit a ‘folder’ that contains entities ou=users
cn Common Name basic name, not guaranteed unique cn=jim
uid User ID
a more formal name, typically unique
in the tree
uid=ronan
Section
One

LDAP Primer – Group Membership
• Group membership in LDAP is kinda difficult...
• Why? Because LDAP only provides unidirectional mappings.
Section
One

LDAP Primer – Unidirectional What?
• You can provide a DN (e.g. for the user 'ronan') as the value for an
attribute (e.g. the 'member' attribute) in another object (say the group
'admins')
• But that user object doesn't know it's "in" that group.
• In OpenLDAP you can use the MemberOf overlay to achieve this
reverse lookup (AD on Windows does this automatically)
• The overlay provides a (set of) calculated 'memberOf' attribute(s), the values of
which are the DN's of the group(s) to which the object belongs
Section
One

LDAP Primer – Queries
There are four parts to any LDAP query, delimited by ?'s
Section
One
<Base DN>?<Attributes To Return>?<Scope>?<Filter>

1. The Base Distinguished Name you want to target (perhaps a top level DC, a
user or an OU)
• ou=users,dc=ldap,dc=mongodb,dc=local
Section
One

2. The Attributes you want to return, specified as a comma separated list
• cn,sn,uid,...
Section
One

3. The Scope which is one of three options
• base (only the base) | one (one below, not base) | sub (recursive lookup - Default)
Section
One

4. A Filter which limits the search to specific objects
• uid=jim
Section
One

LDAP Primer – Queries By Example
Sub-tree example:
1. Begin the search at dc=ldap,dc=mongodb,dc=local
2. Return just the cn attribute
3. Perform a sub-tree search (default)
4. Only return results for objects which match uid=jim
Section
One
dc=ldap,dc=mongodb,dc=local?cn??uid=jim

A more efficient example:
1. Begin at ou=users,dc=ldap,dc=mongodb,dc=local
2. Return just the cn attribute
3. Perform a search one level below the base dn
4. Only return results for objects which match uid=jim
Section
One
ou=users,dc=ldap,dc=mongodb,dc=local?cn?one?uid=jim

Base search example:
1. Begin at
uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local
2. Return all the attributes
3. Perform a single-node base search (fast!)
4. Do not filter results
Section
One
uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local??base?

Membership example:
1. Begin at
2. Return the (derived) memberOf attribute(s)
3. Perform a single-node base search
4. Do not filter results
Section
One
uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local?memberOf?base?

• ldapsearch : command line tool to query an LDAP server
• Unfortunately it doesn't natively support LDAP URI format
• But we can use it to express an equivalent query
Section
One

The following query:
Can be expressed as follows:
Section
One
ldapsearch -b <Base DN> -s <Scope> <Filter> <Attributes>
1 23 4
1 2 3 4

MongoDB
Configuration
Section
Two

MongoDB LDAP Support
• LDAP support is a MongoDB Enterprise feature
• MongoDB 2.6 introduced LDAP Authentication (via saslauthd)
• Linux only
• MongoDB 3.4 introduced:
• Authentication via System/OS libraries on both Linux & Windows
• LDAP Authorization
• Enabled through the operational tooling or through config options.
Section
two

5 Easy Steps
1. Client logs in with Username
2. Username is (optionally) converted into a DN via userToDNMapping
3. The DN is run against the authorization queryTemplate
4. Check results of this authorization query against the roles defined in
MongoDB (roles@admin)
5. Access! (Or not)
Section
two

Section
two
user: jim
pass: ???
User DN:
userToDNMapping

Section
two
user: jim
pass: ???
User DN:
Group DN:
cn=users,ou=groups,dc=ldap,dc=mongodb,dc=local
userToDNMapping
queryTemplate

Section
two
user: jim
pass: ???
User DN:
Group DN:
cn=users,ou=groups,dc=ldap,dc=mongodb,dc=local
userToDNMapping
queryTemplate
Role:
readAnyDatabase@admin
roles@admin

LDAP Authentication
security.ldap.userToDNMapping
● Optional
● Converts the supplied user credentials into a DN
● Array of JSON documents containing 2 fields:
○ match
○ substitution || ldapQuery
Section
two

LDAP Authentication
LDAP Substitution example:
userToDNMapping: [
{
match: "(.+)",
substitution: "uid={0},ou=users,dc=ldap,dc=mongodb,dc=local"
}
]
Section
two

LDAP Authentication
LDAP Substitution example:
userToDNMapping: [
{
match: "(.+)",
substitution: "uid={0},ou=users,dc=ldap,dc=mongodb,dc=local"
}
]
e.g. ronan => DN: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local
Section
two

LDAP Authentication
LDAP Query example:
userToDNMapping: [
{
match: "(.+)",
ldapQuery: "dc=ldap,dc=mongodb,dc=local??sub?(uid={0})"
}
]
Section
two

LDAP Authentication
LDAP Query example:
userToDNMapping: [
{
match: "(.+)",
}
]
e.g. ronan => LDAP Query: dc=ldap,dc=mongodb,dc=local??sub?(uid=ronan)
Section
two

LDAP Authentication
LDAP Query example:
userToDNMapping: [
{
match: "(.+)",
}
]
e.g. ronan => LDAP Query: dc=ldap,dc=mongodb,dc=local??sub?(uid=ronan)
=> DN: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local
Section
two

LDAP Authorization
security.ldap.authz.queryTemplate
● LDAP query to run for authorization
● Results compared against MongoDB roles @admin
Section
two

LDAP Authorization
LDAP AuthZ query example:
queryTemplate: "{USER}?memberOf?base"
e.g. DN: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local
=> LDAP Query: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local?memberOf?base?
Section
two

LDAP Authorization
LDAP AuthZ query example:
queryTemplate: "{USER}?memberOf?base"
e.g. DN: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local
=> LDAP Query: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local?memberOf?base?
=> memberOf: cn=admins,ou=groups,dc=ldap,dc=mongodb,dc=local
memberOf: cn=users,ou=groups,dc=ldap,dc=mongodb,dc=local
Section
two

Let's Do It Live
Take Notes?
❏ Start a MongoDB Instance!
❏ Create a new config file
❏ Start it up
❏ Create Role in mongod
❏ Example Authentication
Section
two

Verifying MongoDB LDAP Configuration
• You can verify the MongoDB LDAP configuration using mongoldap
• <cfg file>: MongoDB configuration file
• <username>: user to authenticate and/or acquire roles for
• Can also use the --debug command line option to help resolve
problems
Section
two
mongoldap -f <cfg file> --user <username>

MongoDB Atlas
• Although MongoDB Atlas takes a lot of pressure off operations, you
still get the control you need to manage users effectively and
securely
• MongoDB Atlas supports LDAP Authentication & Authorization
• Supports only Secure LDAP (LDAPS) connection protocol
Section
three

What is LDAPS?
• LDAPS is the Secure LDAP protocol, aka LDAP over TLS/SSL
• Distinct from StartTLS over LDAP
• Default LDAPS port: 636
Section
three

MongoDB Atlas
• Assuming we have an LDAPS server available…
• What does this look like in practice?
Section
three

Here's one I prepared
earlier...
MongoDB Atlas
Section
three

MongoDB Atlas - Authentication
LDAPS port
LDAPS server
Section
three

MongoDB Atlas - Authorization
Section
three

MongoDB Atlas
• Now we have connected to our LDAPS server…
• How do we define roles in MongoDB based on the groups in our
LDAPS server?
Section
three

MongoDB Atlas - User Management
Select LDAP GROUP
Provide DN for the
group in question
Define Privileges
Section
three

MongoDB Atlas - User Management
Correctly configured LDAP Groups in
MongoDB Atlas
Section
three

Gotcha's
Users in multiple OUs / Ambiguous Users
Case Sensitivity
Commas in usernames
Punctuation: Smart Quotes (“ and ”), hyphens vs dashes, etc
Section
four

Advanced Topics
• ldapUserCacheInvalidationInterval: Interval by which the $external
cache is flushed; 30 seconds default
• If you want to continue allowing access by users not on the $external database,
ensure the authenticationMechanisms parameter includes SCRAM-SHA-1
and/or SCRAM-SHA-256 as appropriate.
• The following authentication mechanisms are compatible with MongoDB LDAP
authorization: LDAP Proxy Authentication, Kerberos Authentication, x.509
Section
four

Advanced Topics
• For replica sets, configure LDAP authorization on the secondary members first
before configuring the primary.
• In sharded clusters, you must configure LDAP authorization on the config servers
for cluster-level users. You can optionally configure LDAP authorization on each
shard for shard-local users.
Section
four

Advanced Topics
• security.ldap.bind.method: set to SASL to enable SASL authentication
(default simple)
• security.ldap.bind.saslMechanisms: Defines SASL mechanisms
(default DIGEST-MD5)
• security.ldap.bind.useOSDefaults: Use Windows OS credentials in
place of queryUser & queryPassword
Section
four

Reference Material
MongoDB Documentation:
• https://docs.mongodb.com/manual/core/security-ldap/
• https://docs.mongodb.com/manual/tutorial/authenticate-nativeldap-activedirectory/
• https://docs.mongodb.com/manual/core/security-ldap-external/
Atlas Documentation:
• https://docs.atlas.mongodb.com/security-ldaps/
MongoDB University:
• https://university.mongodb.com/courses/M310/about
Worked Example on Github:
• https://github.com/rbohan/MongoLDAP
Section
four

User administration without you - integrating LDAP

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to User administration without you - integrating LDAP

Similar to User administration without you - integrating LDAP (20)

More from MongoDB

More from MongoDB (20)

Recently uploaded

Recently uploaded (20)

User administration without you - integrating LDAP