• Configure MongoDB and MongoDB Atlas with LDAP authorization
• Test your user's access with mongoldap and other native tools
• Craft LDAP queries to optimize your LDAP accesses
• Adjust query templates and user-to-distinguished-name mappings to account for disparate LDAP trees
• Avoid common configuration mistakes
3. Agenda
Section One: LDAP Primer
  LDAP general overview. What do all these things mean?
Section Two: MongoDB LDAP Configuration
  How to configure MongoDB to run with LDAP
Section Three: MongoDB Atlas and LDAPS
  Configuring MongoDB Atlas to work with Secure LDAP
Section Four: Gotcha's, Wrap up and Q&A
  Things to know, what we've learned, and what you wish we'd covered
5. LDAP Primer - What is LDAP
Lightweight Directory Access Protocol (LDAP, geddit?)
• It's a protocol for managing and querying entities in a specific tree structure
• You may know it by its server implementations, Active Directory or OpenLDAP
• Used very heavily in MS Windows network management, but also seen throughout the Linux world
6. LDAP Primer - Why is it useful?
• Centralised service, good for RBAC with many consuming systems
• Fast!
• Well supported with many good server options (AD, OpenLDAP, OpenDJ,
RHDS)
• Highly structured but extensible
• Vendor neutral and industry standard - based on a subset of the X.500 standard
7. LDAP Primer - What does it look like?
(Diagram: the sample directory tree used throughout the deck)
dc=local
  dc=mongodb
    dc=ldap
      ou=groups
        cn=admins
        cn=users
      ou=users
        uid=jim
        uid=ronan
9. LDAP Primer - Domain Components
(Diagram highlights the three dc= nodes at the top of the tree)
Domain Components: dc=ldap,dc=mongodb,dc=local
Domain: ldap.mongodb.local
11. LDAP Primer - Objects
(Diagram highlights every node beneath dc=ldap,dc=mongodb,dc=local: each one is an object)
12. LDAP Primer - Organizational Units
(Diagram highlights the Organizational Units ou=groups and ou=users)
13. LDAP Primer - Leaf Objects
(Diagram highlights the leaves: user objects uid=jim and uid=ronan, group objects cn=admins and cn=users)
14. LDAP Primer - Distinguished Name
(Diagram traces the path from uid=ronan up to dc=local)
DN: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local
16. LDAP Primer - What does it look like?
• The Directory is a hierarchical tree
• Objects in the tree consist of:
• A Distinguished Name
• Defined by the object's location / path in the directory
• A set of Attributes and associated Values
• One or more '<attribute> = <value>' pairs
• A set of Object Classes
• Defines the role of the object in the directory
17. Terminology
How many of these attributes do I have to remember?
Abbreviation  Full Name            Description  Example
DN            Distinguished Name
dc            Domain Component
ou            Organizational Unit
cn            Common Name
uid           User ID
(Description and Example columns are left blank here and filled in on the Recap slide)
18. LDAP Primer – 1. Distinguished Name
• The Distinguished Name (DN) is not related to Aristocracy, Breeding
or Nobility.
• It is a compound of a number of objects that together Distinguish that
entity from all others in the directory
• The DN is defined by the full path from that object to the root of the
tree
• It is, by definition, unique.
DN: uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local
19. LDAP Primer – 2. Domain Components
• A Domain Component (dc) is a component part of the domain name
at the top level of the tree
DN: dc=ldap,dc=mongodb,dc=local
20. LDAP Primer – 3. Organisational Units
• An Organisational Unit (ou) is a directory object into which you can place things like groups, users, computers, etc.
• Similar in concept to a folder in a file system.
• Typically found between the DCs and leaf objects in a DN
ou=users
DN: uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local
21. LDAP Primer – 4. Common Name
• cn is the Common Name for an object
• A friendly name, used all over the place:
• Not necessarily (and often not) unique
• The attribute is also used for lots of other things like cn=users to
identify a group
cn=jim
22. LDAP Primer – 5. UID
• uid is the User Identifier or User ID
• Just a name, or other identifier for a user
• Typically unique in the tree
• In Active Directory, UPN (User Principal Name) is often used instead
and is defined using an email address format (name@domain)
uid=jim
upn=jim@mongodb.com
23. LDAP Primer – ** Side Note **
• Windows vs Linux
• Due to the popularity of LDAP with Windows networking, many Windows-only attributes and objects exist within Active Directory (AD) which may not exist in OpenLDAP or other server implementations
• Examples include
• UPN (User Principal Name)
• SAM (sAMAccountName)
24. Terminology – Recap
Abbreviation  Full Name            Description                                        Example
DN            Distinguished Name   The unique entity description                      DN: uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local
dc            Domain Component     The parts of the domain of the DN                  dc=ldap,dc=mongodb,dc=local
ou            Organizational Unit  A 'folder' that contains entities                  ou=users
cn            Common Name          Basic name, not guaranteed unique                  cn=jim
uid           User ID              A more formal name, typically unique in the tree   uid=ronan
25. LDAP Primer – Group Membership
• Group membership in LDAP is kinda difficult...
• Why? Because LDAP only provides unidirectional mappings.
26. LDAP Primer – Unidirectional What?
• You can provide a DN (e.g. for the user 'ronan') as the value for an
attribute (e.g. the 'member' attribute) in another object (say the group
'admins')
• But that user object doesn't know it's "in" that group.
• In OpenLDAP you can use the MemberOf overlay to achieve this
reverse lookup (AD on Windows does this automatically)
• The overlay provides a (set of) calculated 'memberOf' attribute(s), the values of which are the DNs of the group(s) to which the object belongs
27. LDAP Primer – Queries
There are four parts to any LDAP query, delimited by ?'s:
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
1. The Base Distinguished Name you want to target (perhaps a top level DC, a user or an OU)
   • ou=users,dc=ldap,dc=mongodb,dc=local
2. The Attributes you want to return, specified as a comma separated list
   • cn,sn,uid,...
3. The Scope, which is one of three options
   • base (only the base) | one (one below, not base) | sub (recursive lookup - Default)
4. A Filter which limits the search to specific objects
   • uid=jim
32. LDAP Primer – Queries By Example
Sub-tree example:
1. Begin the search at dc=ldap,dc=mongodb,dc=local
2. Return just the cn attribute
3. Perform a sub-tree search (default)
4. Only return results for objects which match uid=jim
dc=ldap,dc=mongodb,dc=local?cn??uid=jim
33. LDAP Primer – Queries By Example
A more efficient example:
1. Begin at ou=users,dc=ldap,dc=mongodb,dc=local
2. Return just the cn attribute
3. Perform a search one level below the base dn
4. Only return results for objects which match uid=jim
ou=users,dc=ldap,dc=mongodb,dc=local?cn?one?uid=jim
34. LDAP Primer – Queries By Example
Base search example:
1. Begin at uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local
2. Return all the attributes
3. Perform a single-node base search (fast!)
4. Do not filter results
uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local??base?
35. LDAP Primer – Queries By Example
Membership example:
1. Begin at uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local
2. Return the (derived) memberOf attribute(s)
3. Perform a single-node base search
4. Do not filter results
uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local?memberOf?base?
36. LDAP Primer – Queries
• ldapsearch : command line tool to query an LDAP server
• Unfortunately it doesn't natively support LDAP URI format
• But we can use it to express an equivalent query
37. LDAP Primer – Queries
The following query:
<Base DN>?<Attributes To Return>?<Scope>?<Filter>
can be expressed as follows:
ldapsearch -b <Base DN> -s <Scope> <Filter> <Attributes>
(The diagram numbers the parts 1 to 4 in both forms: 1 Base DN becomes -b, 2 Attributes become the trailing attribute list, 3 Scope becomes -s, 4 Filter becomes the filter argument)
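The mapping from the four ?-delimited parts to ldapsearch arguments is easy to get wrong by hand, so here is an added example (not code from the deck or from MongoDB) that parses a query template, applies the defaults the deck states (all attributes when the list is empty, scope sub when omitted, no filter) and renders the equivalent ldapsearch argument list. The {USER} placeholder it substitutes is the one MongoDB's security.ldap.authz.queryTemplate replaces with the authenticated user's DN; the sample DNs are the deck's own examples from slides 32 to 35.

```python
"""Parse '<Base DN>?<Attributes>?<Scope>?<Filter>' and render ldapsearch argv.

Added example, not from the deck.  Defaults follow slide 30 (scope 'sub'
when empty) and slide 34 (empty attribute list = return everything).
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

SCOPES = ("base", "one", "sub")


@dataclass
class LdapQuery:
    base_dn: str
    attributes: List[str] = field(default_factory=list)  # empty list = all attributes
    scope: str = "sub"
    search_filter: Optional[str] = None  # None = no filter


def parse_query(template: str, user_dn: Optional[str] = None) -> LdapQuery:
    """Split the template on '?', filling in defaults for absent parts.

    If user_dn is given, MongoDB's {USER} placeholder is replaced first, which
    is what mongod does with its queryTemplate before sending the search.
    """
    if user_dn is not None:
        template = template.replace("{USER}", user_dn)
    parts = template.split("?")
    if len(parts) > 4:
        raise ValueError("more than four '?'-delimited parts: %r" % template)
    parts = parts + [""] * (4 - len(parts))  # trailing parts may be omitted
    base, attrs, scope, filt = parts
    if not base:
        raise ValueError("base DN is required")
    scope = scope.lower() or "sub"
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s, got %r" % (SCOPES, scope))
    return LdapQuery(
        base_dn=base,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope,
        search_filter=filt or None,
    )


def to_ldapsearch(q: LdapQuery) -> List[str]:
    """argv for 'ldapsearch -b <base> -s <scope> [<filter>] [<attr> ...]'."""
    argv = ["ldapsearch", "-b", q.base_dn, "-s", q.scope]
    if q.search_filter is not None:
        f = q.search_filter
        argv.append(f if f.startswith("(") else "(%s)" % f)  # RFC 4515 filter syntax
    argv.extend(q.attributes)
    return argv


def to_ldapsearch_cmdline(q: LdapQuery) -> str:
    """Shell-quoted one-liner, safe to paste even if the DN contains spaces."""
    return " ".join(shlex.quote(a) for a in to_ldapsearch(q))


if __name__ == "__main__":
    jim = "uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local"
    for t in ("dc=ldap,dc=mongodb,dc=local?cn??uid=jim",
              "ou=users,dc=ldap,dc=mongodb,dc=local?cn?one?uid=jim",
              "uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local??base?",
              "{USER}?memberOf?base?"):
        print(t, "->", to_ldapsearch_cmdline(parse_query(t, user_dn=jim)))
```

Running the script prints the ldapsearch equivalent of each slide's query, which is a convenient way to try a queryTemplate against the directory before putting it in a MongoDB configuration.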
39. MongoDB LDAP Support
• LDAP support is a MongoDB Enterprise feature
• MongoDB 2.6 introduced LDAP Authentication (via saslauthd)
• Linux only
• MongoDB 3.4 introduced:
• Authentication via System/OS libraries on both Linux & Windows
• LDAP Authorization
• Enabled through the operational tooling or through config options.
40. MongoDB LDAP Support
5 Easy Steps
1. Client logs in with Username
2. Username is (optionally) converted into a DN via userToDNMapping
3. The DN is run against the authorization queryTemplate
4. Check results of this authorization query against the roles defined in
MongoDB (roles@admin)
5. Access! (Or not)
43. MongoDB LDAP Support
(Diagram: the login flow, built up across slides 43 to 45)
user: jim
pass: ???
    | userToDNMapping
User DN: uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local
    | queryTemplate
Group DN: cn=users,ou=groups,dc=ldap,dc=mongodb,dc=local
    | roles@admin
Role: readAnyDatabase@admin
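The five steps and the diagram above, simulated offline as an added example (not code from the deck or from MongoDB). The directory entries, mapping rules and role definitions are constructed sample data built on the deck's tree; the rule format (a JSON array of match regex plus substitution, with {0}, {1}, ... standing for capture groups) follows MongoDB's security.ldap.userToDNMapping, and the query uses MongoDB's {USER} placeholder. Full-string regex matching, "first matching rule wins" and "fail when no rule matches" are this example's choices; the password check of step 1 is not simulated.

```python
"""Username -> DN -> group DNs -> MongoDB roles, the deck's five steps offline.

Added example with constructed data; not the deck's or MongoDB's code.
"""
import json
import re
from typing import Dict, List

# Constructed directory: DN -> attributes.  memberOf is what the OpenLDAP
# memberOf overlay (slide 26) would compute for the deck's sample tree.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=jim,ou=users,dc=ldap,dc=mongodb,dc=local": {
        "uid": ["jim"], "cn": ["jim"],
        "memberOf": ["cn=users,ou=groups,dc=ldap,dc=mongodb,dc=local"],
    },
    "uid=ronan,ou=users,dc=ldap,dc=mongodb,dc=local": {
        "uid": ["ronan"], "cn": ["ronan"],
        "memberOf": ["cn=admins,ou=groups,dc=ldap,dc=mongodb,dc=local",
                     "cn=users,ou=groups,dc=ldap,dc=mongodb,dc=local"],
    },
}

# userToDNMapping as it would be written in mongod.conf: a JSON array string.
USER_TO_DN_MAPPING = json.dumps([
    # UPN-style logins (name@domain, slide 22) map to uid=name
    {"match": "([^@]+)@mongodb\\.com",
     "substitution": "uid={0},ou=users,dc=ldap,dc=mongodb,dc=local"},
    # plain usernames; the character class deliberately excludes ',' and '='
    {"match": "([A-Za-z0-9._-]+)",
     "substitution": "uid={0},ou=users,dc=ldap,dc=mongodb,dc=local"},
])

QUERY_TEMPLATE = "{USER}?memberOf?base?"  # the membership query of slide 35

# Roles created in MongoDB's admin database: the role name is the group DN.
MONGODB_ROLES: Dict[str, List[str]] = {
    "cn=users,ou=groups,dc=ldap,dc=mongodb,dc=local": ["readAnyDatabase@admin"],
    "cn=admins,ou=groups,dc=ldap,dc=mongodb,dc=local": ["root@admin"],
}


def user_to_dn(username: str, mapping_json: str) -> str:
    """Step 2: apply the first rule whose regex matches the whole username."""
    for rule in json.loads(mapping_json):
        m = re.fullmatch(rule["match"], username)
        if m is None:
            continue
        dn = rule["substitution"]
        for i, group in enumerate(m.groups()):
            dn = dn.replace("{%d}" % i, group)
        return dn
    raise PermissionError("no userToDNMapping rule matches %r" % username)


def run_query_template(template: str, user_dn: str) -> List[str]:
    """Step 3: substitute {USER}, then answer the base-scope search offline."""
    base, attrs, scope, _filter = template.replace("{USER}", user_dn).split("?")
    if scope != "base":
        raise NotImplementedError("this offline directory only answers base searches")
    entry = DIRECTORY.get(base)
    if entry is None:
        return []  # unknown DN: the real server would return no entries
    values: List[str] = []
    for attr in attrs.split(","):
        values.extend(entry.get(attr, []))
    return values


def authorize(username: str) -> List[str]:
    """Steps 2 to 5: the sorted MongoDB roles the user ends up with, or a PermissionError."""
    user_dn = user_to_dn(username, USER_TO_DN_MAPPING)
    group_dns = run_query_template(QUERY_TEMPLATE, user_dn)
    roles = {r for g in group_dns for r in MONGODB_ROLES.get(g, [])}
    if not roles:
        raise PermissionError("%s is in no group that maps to a MongoDB role" % user_dn)
    return sorted(roles)


if __name__ == "__main__":
    for name in ("jim", "ronan@mongodb.com", "bob"):
        try:
            print(name, "->", authorize(name))
        except PermissionError as exc:
            print(name, "-> access denied:", exc)
```

The second mapping rule is deliberately strict: a username such as jim,ou=admins matches no rule and is rejected, instead of being pasted into a DN where the comma would start a new RDN (see the Gotcha's slide).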
55. Let's Do It Live
Take Notes?
❏ Start a MongoDB Instance!
❏ Create a new config file
❏ Start it up
❏ Create Role in mongod
❏ Example Authentication
56. Verifying MongoDB LDAP Configuration
• You can verify the MongoDB LDAP configuration using mongoldap
mongoldap -f <cfg file> --user <username>
• <cfg file>: MongoDB configuration file
• <username>: user to authenticate and/or acquire roles for
• Can also use the --debug command line option to help resolve problems
58. MongoDB Atlas
• Although MongoDB Atlas takes a lot of pressure off operations, you
still get the control you need to manage users effectively and
securely
• MongoDB Atlas supports LDAP Authentication & Authorization
• Supports only Secure LDAP (LDAPS) connection protocol
59. What is LDAPS?
• LDAPS is the Secure LDAP protocol, aka LDAP over TLS/SSL
• Distinct from StartTLS over LDAP
• Default LDAPS port: 636
60. MongoDB Atlas
• Assuming we have an LDAPS server available…
• What does this look like in practice?
61. MongoDB Atlas - Here's one I prepared earlier...
(Screenshot: an Atlas project already connected to an LDAPS server)
62. MongoDB Atlas - Authentication
(Screenshot: the Atlas LDAP authentication settings, with fields for the LDAPS server and the LDAPS port)
64. MongoDB Atlas
• Now we have connected to our LDAPS server…
• How do we define roles in MongoDB based on the groups in our
LDAPS server?
65. MongoDB Atlas - User Management
(Screenshot: the Atlas user management form, with three steps)
1. Select LDAP GROUP
2. Provide the DN for the group in question
3. Define Privileges
66. MongoDB Atlas - User Management
(Screenshot: correctly configured LDAP Groups in MongoDB Atlas)
68. Gotcha's
• Users in multiple OUs / Ambiguous Users
• Case Sensitivity
• Commas in usernames
• Punctuation: Smart Quotes (“ and ”), hyphens vs dashes, etc
69. Advanced Topics
• ldapUserCacheInvalidationInterval: Interval at which the $external user cache is flushed; 30 seconds default
• If you want to continue allowing access by users not on the $external database, ensure the authenticationMechanisms parameter includes SCRAM-SHA-1 and/or SCRAM-SHA-256 as appropriate.
• The following authentication mechanisms are compatible with MongoDB LDAP authorization: LDAP Proxy Authentication, Kerberos Authentication, x.509
70. Advanced Topics
• For replica sets, configure LDAP authorization on the secondary members first
before configuring the primary.
• In sharded clusters, you must configure LDAP authorization on the config servers
for cluster-level users. You can optionally configure LDAP authorization on each
shard for shard-local users.
71. Advanced Topics
• security.ldap.bind.method: set to SASL to enable SASL authentication
(default simple)
• security.ldap.bind.saslMechanisms: Defines SASL mechanisms
(default DIGEST-MD5)
• security.ldap.bind.useOSDefaults: Use Windows OS credentials in
place of queryUser & queryPassword
72. Reference Material
MongoDB Documentation:
• https://docs.mongodb.com/manual/core/security-ldap/
• https://docs.mongodb.com/manual/tutorial/authenticate-nativeldap-activedirectory/
• https://docs.mongodb.com/manual/core/security-ldap-external/
Atlas Documentation:
• https://docs.atlas.mongodb.com/security-ldaps/
MongoDB University:
• https://university.mongodb.com/courses/M310/about
Worked Example on Github:
• https://github.com/rbohan/MongoLDAP