Save an LDAP Configuration

Saves an LDAP configuration for an Atlas group. This endpoint does not verify connectivity using the provided LDAP over SSL configuration details. To verify a configuration before saving it, use the /api/atlas/v1.0/groups/{GROUP-ID}/userSecurity/ldap/verify endpoint.

Note

An explanation of RFC 4515 and RFC 4516 is out of scope for the MongoDB documentation. Please review the RFCs or refer to your preferred LDAP documentation.

Note

Groups and projects are synonymous terms. Your {GROUP-ID} is the same as your project id. For existing groups, your group/project id remains the same. This page uses the more familiar term group. The endpoints are as stated on the page.

Base URL: https://cloud.mongodb.com/api/atlas/v1.0

Syntax

PATCH /groups/{GROUP-ID}/userSecurity

Request Path Parameters

Parameter Required/Optional Description
GROUP-ID Required Identifier for the Atlas group associated with the LDAP over SSL configuration.

Request Query Parameters

This endpoint may use any of the HTTP request query parameters available to all Atlas API resources. These are all optional.

Name Type Description Default
pageNum integer Page number (1-based). 1
itemsPerPage integer Maximum number of items to return, up to a maximum of 100. 100
pretty boolean Display response in a prettyprint format. false

Request Body Parameters

Name Type Description
ldap document Specifies an LDAP configuration for an Atlas group. Required.
ldap.authenticationEnabled boolean Specifies whether user authentication with LDAP is enabled. Required.
ldap.authorizationEnabled boolean Specifies whether user authorization with LDAP is enabled. You cannot enable user authorization with LDAP without first enabling user authentication with LDAP. Optional.
ldap.hostname string The hostname or IP address of the LDAP server. The server must be visible to the internet or connected to your Atlas cluster with VPC Peering. Required.
ldap.port integer The port to which the LDAP server listens for client connections. Required. Default: 636.
ldap.bindUsername string The user DN that Atlas uses to connect to the LDAP server. Must be the full DN, such as CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com. Required.
ldap.userToDNMapping document array

Maps an LDAP username for authentication to an LDAP Distinguished Name (DN). Each document contains a match regular expression and either a substitution or ldapQuery template used to transform the LDAP username extracted from the regular expression. Atlas steps through each document in the array in the given order, checking the authentication username against the match filter. If a match is found, Atlas applies the transformation and uses the output to authenticate the user. Atlas does not check the remaining documents in the array. See security.ldap.userToDNMapping for more information.

The following example provides a match regular expression that matches all users and substitutes the username into the {0} argument of the substitution template to create an LDAP DN.

"userToDNMapping": [
  {
   "match":"(.*)",
   "substitution":"CN={0},CN=Users,DC=my-atlas-ldap-server,DC=myteam,DC=com"
  }
]
ldap.userToDNMapping[i].match string A regular expression to match against a provided LDAP username. Each parenthesis-enclosed section represents a regular expression capture group used by the substitution or ldapQuery template.
ldap.userToDNMapping[i].substitution string

An LDAP Distinguished Name (DN) formatting template that converts the LDAP name matched by the match regular expression into an LDAP Distinguished Name. Each bracket-enclosed numeric value is replaced by the corresponding regular expression capture group extracted from the LDAP username that matched the match regular expression.

Example:

"substitution":"CN={0},CN=Users,DC=my-atlas-ldap-server,DC=myteam,DC=com"

Each document in the ldap.userToDNMapping array must contain either a substitution or ldapQuery field, but not both.

ldap.userToDNMapping[i].ldapQuery string

An LDAP query formatting template that inserts the LDAP name matched by the match regular expression into an LDAP query URI as specified by RFC 4515 and RFC 4516. Each numeric value is replaced by the corresponding regular expression capture group extracted from the LDAP username that matched the match regular expression.

Example:

"ou=engineering,dc=example,dc=com??one?(user={0})"

Each document in the ldap.userToDNMapping array must contain either a substitution or ldapQuery field, but not both.

ldap.bindPassword string The password used to authenticate the bindUsername. Required.
ldap.caCertificate object CA certificate used to verify the identity of the LDAP server. Self-signed certificates are allowed. Optional.
ldap.authzQueryTemplate string An LDAP query template that Atlas executes to obtain the LDAP groups to which the authenticated user belongs. Used only for user authorization. Use the {USER} placeholder in the URL to substitute the authenticated username. The query is relative to the host specified with hostname. The formatting for the query must conform to RFC 4515 and RFC 4516. If you do not provide a query template, Atlas attempts to use the default value: {USER}?memberOf?base. Optional.
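The following is an added example, not code from the page or from Atlas, that models how the userToDNMapping and authzQueryTemplate fields described above are applied: documents are tried in order, the first match wins, each {n} is replaced by capture group n, and each document must carry exactly one of substitution or ldapQuery. The sample mapping and usernames are constructed; the example assumes the match regex must cover the whole username and inserts captured text literally, so the match pattern is also where you constrain what a username may contain.

```python
import re

# Constructed sample in the shape of the request body's ldap.userToDNMapping
# array. Values are illustrative, not a real directory.
USER_TO_DN_MAPPING = [
    # Usernames that arrive as e-mail addresses are resolved by LDAP query.
    {"match": r"([a-z0-9.]+)@example\.com",
     "ldapQuery": "ou=engineering,dc=example,dc=com??one?(mail={0}@example.com)"},
    # Everything else is turned directly into a DN by the substitution template.
    {"match": r"([a-z0-9.]+)",
     "substitution": "CN={0},CN=Users,DC=my-atlas-ldap-server,DC=myteam,DC=com"},
]


def validate_mapping(mapping):
    """Reject documents that have both or neither of substitution/ldapQuery,
    and surface malformed match regexes at configuration time, not at login."""
    for i, doc in enumerate(mapping):
        if ("substitution" in doc) == ("ldapQuery" in doc):
            raise ValueError(
                f"userToDNMapping[{i}] needs exactly one of substitution or ldapQuery")
        re.compile(doc["match"])


def fill_template(template, groups):
    """Replace each {n} with capture group n; {0} is the first group, as on the page."""
    return re.sub(r"\{(\d+)\}", lambda m: groups[int(m.group(1))] or "", template)


def resolve_user(mapping, username):
    """Return ("dn", value) or ("query", value) from the first matching document.
    Returns None when no document matches, i.e. the login cannot be mapped."""
    for doc in mapping:
        # Assumption: the whole username must match (fullmatch, not search).
        m = re.fullmatch(doc["match"], username)
        if not m:
            continue
        if "substitution" in doc:
            return ("dn", fill_template(doc["substitution"], m.groups()))
        return ("query", fill_template(doc["ldapQuery"], m.groups()))
    return None


def authz_query(template, resolved_user):
    """Render authzQueryTemplate by substituting the {USER} placeholder."""
    return template.replace("{USER}", resolved_user)


if __name__ == "__main__":
    validate_mapping(USER_TO_DN_MAPPING)
    kind, value = resolve_user(USER_TO_DN_MAPPING, "bob")
    print(kind, value)
    print(authz_query("{USER}?memberOf?base", value))
```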

Response Elements

Name Type Description
ldap document Specifies the LDAP over SSL configuration details for an Atlas group.
ldap.authenticationEnabled boolean Specifies whether user authentication with LDAP is enabled.
ldap.authorizationEnabled boolean Specifies whether user authorization with LDAP is enabled. You cannot enable user authorization with LDAP without first enabling user authentication with LDAP.
ldap.hostname string The hostname or IP address of the LDAP server. The server must be visible to the internet or connected to your Atlas cluster with VPC Peering.
ldap.port integer The port to which the LDAP server listens for client connections.
ldap.bindUsername string The user DN that Atlas uses to connect to the LDAP server. Must be the full DN, such as CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com.
ldap.userToDNMapping document array The user to Distinguished Name (DN) mapping used to transform an LDAP username into an LDAP Distinguished Name.
ldap.userToDNMapping[i].match string The regular expression used to match against the provided LDAP username. Each parenthesis-enclosed section represents a regular expression capture group used by the substitution or ldapQuery template.
ldap.userToDNMapping[i].substitution string The LDAP Distinguished Name (DN) formatting template that converts the LDAP username matched by the match regular expression into an LDAP Distinguished Name.
ldap.userToDNMapping[i].ldapQuery string The LDAP query formatting template that inserts the LDAP username matched by the match regular expression into an LDAP query URI as specified by RFC 4515 and RFC 4516.
ldap.caCertificate object CA certificate used to verify the identity of the LDAP server. Self-signed certificates are allowed.
ldap.authzQueryTemplate string The LDAP query template that Atlas executes to obtain the LDAP groups to which the authenticated user belongs. Used only for user authorization. Use the {USER} placeholder in the URL to substitute the authenticated username. The query is relative to the host specified with hostname. The formatting for the query must conform to RFC 4515 and RFC 4516. If you do not provide a query template, Atlas attempts to use the default value: {USER}?memberOf?base.

Example Request

The following example saves an LDAP configuration.

curl -X PATCH -i -u "fred@example.com:457026b5-07a6-40a9-9706-ae0b374e775g" \
   -H "Content-Type: application/json" --digest "https://cloud.mongodb.com/api/atlas/v1.0/groups/6b8df67087d9d615da86401c/userSecurity?pretty=true" --data '
   {
     "ldap": {
       "authenticationEnabled": true,
       "authorizationEnabled": true,
       "hostname": "atlas-ldaps-01.ldap.myteam.com",
       "port": 636,
       "bindUsername": "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com",
       "bindPassword": "MyldapPassWord",
       "authzQueryTemplate": "{USER}?memberOf?base",
       "userToDNMapping": [ {
         "match": "(.*)",
         "substitution": "CN={0},CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com"
       } ]
     }
   }'

Example Response

The following example shows a JSON document returned after successfully saving an LDAP over SSL configuration:

{
  "ldap" : {
    "authenticationEnabled" : true,
    "authorizationEnabled" : true,
    "authzQueryTemplate" : "{USER}?memberOf?base",
    "bindUsername" : "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com",
    "hostname" : "atlas-ldaps-01.ldap.myteam.com",
    "port" : 636,
    "userToDNMapping" : [ {
      "match" : "(.*)",
      "substitution" : "CN={0},CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com"
    } ]
  }
}