
Verify an LDAP Configuration

Requests a verification of an LDAP configuration over TLS for an Atlas project. Pass the requestId in the response object to the Verify LDAP Configuration endpoint to get the status of a verification request. Atlas retains only the most recent request for each project.

Note
  • Explaining RFC 4515 and RFC 4516 is outside the scope of the Atlas documentation. Review these RFCs or refer to your preferred LDAP documentation.
  • Groups and projects are synonymous. {GROUP-ID} and {PROJECT-ID} have the same meaning. The unique identifier for your existing projects/groups remains the same. This endpoint and corresponding endpoints use the terms groups and groupId.
  • This endpoint does not verify the ldap.userToDNMapping document array. To verify that users can authenticate with this parameter, use the mongoldap package component bundled with MongoDB Enterprise 3.6 or later with a config file that includes the same LDAP parameters that you specify for Atlas.

https://cloud.mongodb.com/api/atlas/v1.0

POST /groups/{GROUP-ID}/userSecurity/ldap/verify
Path Parameter | Type | Necessity | Description
GROUP-ID | string | Required | Unique identifier for the Atlas project associated with the LDAP over TLS configuration.

The following query parameters are optional:

Query Parameter | Type | Description | Default
pretty | boolean | Displays the response in a prettyprint format. | false
envelope | boolean | Specifies whether or not to wrap the response in an envelope. | false

The request body takes the following parameters:

Name | Type | Description
hostname | string | The hostname or IP address of the LDAP server. The server must be reachable from the internet or connected to your Atlas cluster with VPC Peering. Required.
port | integer | The port on which the LDAP server listens for client connections. Required. Default: 636.
bindUsername | string | The user DN that Atlas uses to connect to the LDAP server. Must be the full DN, such as CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com. Required.
bindPassword | string | The password used to authenticate the bindUsername. Required.
caCertificate | object | CA certificate used to verify the identity of the LDAP server. Self-signed certificates are allowed. Optional.
authzQueryTemplate | string | An LDAP query template that Atlas executes to obtain the LDAP groups to which the authenticated user belongs. Used only for user authorization. Use the {USER} placeholder in the URL to substitute the authenticated username. The query is relative to the host specified with hostname. The query must be formatted according to RFC 4515 and RFC 4516. If you do not provide a query template, Atlas attempts to use the default value: {USER}?memberOf?base. Optional.
The response contains the following fields:

Name | Type | Description
groupId | string | Identifier for the Atlas project associated with the request to verify an LDAP over TLS/SSL configuration.
links | document array | One or more links to sub-resources. The relations in the URLs are explained in the Web Linking Specification.
request | document | Contains the details of the request to verify an LDAP over TLS/SSL configuration. The bindPassword is not returned in the response.
request.bindUsername | string | The user DN that Atlas uses to connect to the LDAP server.
request.hostname | string | The hostname or IP address of the LDAP server.
request.port | integer | The port on which the LDAP server listens for client connections from Atlas.
requestId | string | The unique identifier for the request to verify the LDAP over TLS/SSL configuration.
status | string | The current status of the LDAP over TLS/SSL configuration. One of the following values: PENDING, SUCCESS, or FAIL.
validations | array | Array of validation messages related to the verification of the provided LDAP over TLS/SSL configuration details. The array contains a document for each test that Atlas runs. Atlas stops running tests after the first failure. The possible values are listed below.

Each document in the validations array takes one of the following forms:

  {
    status: "OK" || "FAIL",
    validationType: "SERVER_SPECIFIED"
  }
  {
    status: "OK" || "FAIL",
    validationType: "CONNECT"
  }
  {
    status: "OK" || "FAIL",
    validationType: "AUTHENTICATE"
  }
  {
    status: "OK" || "FAIL",
    validationType: "AUTHORIZATION_ENABLED"
  }
  {
    status: "OK" || "FAIL",
    validationType: "PARSE_AUTHZ_QUERY_TEMPLATE"
  }
  {
    status: "OK" || "FAIL",
    validationType: "QUERY_SERVER"
  }

The following example requests verification of an LDAP configuration.

  curl --include --user "{PUBLIC-KEY}:{PRIVATE-KEY}" \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --digest \
    --request POST "https://cloud.mongodb.com/api/atlas/v1.0/groups/{PROJECT-ID}/userSecurity/ldap/verify?pretty=true" \
    --data '
    {
      "hostname": "atlas-ldaps-01.ldap.myteam.com",
      "port": 636,
      "bindUsername": "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com",
      "bindPassword": "MyldapPassWord",
      "authzQueryTemplate": "{USER}?memberOfGroup?base"
    }'

The following response indicates that the request for verification for the LDAP configuration is pending.

  {
    "groupId" : "{PROJECT-ID}",
    "links" : [ {
      "href" : "https://cloud.mongodb.com/api/atlas/v1.0/groups/{PROJECT-ID}/userSecurity/ldap/verify/{REQUEST-ID}",
      "rel" : "self"
    } ],
    "request" : {
      "bindUsername" : "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com",
      "hostname" : "atlas-ldaps-01.ldap.myteam.com",
      "port" : 636
    },
    "requestId" : "{REQUEST-ID}",
    "status" : "PENDING",
    "validations" : [ ]
  }
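The following added example (not Atlas code) checks a request body locally before it is submitted, since Atlas keeps only the latest request per project, and then reads a verification response to name the first test that failed. The polling URL is taken from the response's "self" link; the sample response is constructed, and its identifiers are placeholders.

```python
# Added example, not part of the Atlas API or its documentation.
# Assumes only the request/response field names shown on this page.


def build_verify_request(hostname, bind_username, bind_password, port=636,
                         authz_query_template=None, ca_certificate=None):
    """Return the JSON body for POST .../userSecurity/ldap/verify, rejecting
    obvious mistakes before they cost a round trip."""
    if not hostname:
        raise ValueError("hostname is required")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port must be between 1 and 65535")
    if "=" not in bind_username:  # Atlas expects a full DN, not a bare account name
        raise ValueError("bindUsername must be a full DN such as CN=...,DC=...")
    body = {"hostname": hostname, "port": int(port),
            "bindUsername": bind_username, "bindPassword": bind_password}
    if authz_query_template is not None:
        if "{USER}" not in authz_query_template:
            raise ValueError("authzQueryTemplate must contain the {USER} placeholder")
        body["authzQueryTemplate"] = authz_query_template
    if ca_certificate is not None:
        body["caCertificate"] = ca_certificate
    return body


def first_failure(response):
    """Return the validationType of the first FAIL entry, or None if nothing failed.
    Atlas stops at the first failure, so this names the layer to fix:
    CONNECT points at network/TLS, AUTHENTICATE at the bind DN or password."""
    for item in response.get("validations", []):
        if item["status"] != "OK":
            return item["validationType"]
    return None


def status_url(response):
    """URL to poll for this request, read from the response's "self" link."""
    return next(link["href"] for link in response["links"] if link["rel"] == "self")


# Constructed sample response: the bind credentials were wrong, so the run
# passed SERVER_SPECIFIED and CONNECT and stopped at AUTHENTICATE.
SAMPLE_FAILED = {
    "status": "FAIL", "requestId": "REQUEST-ID-PLACEHOLDER",
    "links": [{"href": "https://cloud.mongodb.com/api/atlas/v1.0/groups/"
                       "GROUP-ID-PLACEHOLDER/userSecurity/ldap/verify/REQUEST-ID-PLACEHOLDER",
               "rel": "self"}],
    "validations": [{"status": "OK", "validationType": "SERVER_SPECIFIED"},
                    {"status": "OK", "validationType": "CONNECT"},
                    {"status": "FAIL", "validationType": "AUTHENTICATE"}],
}
```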