Save One LDAP Configuration

On this page

  • Syntax
  • Request Path Parameters
  • Request Query Parameters
  • Request Body Parameters
  • Response Elements
  • Example Request
  • Example Response
  • Response Header
  • Response Body

Saves an LDAP configuration for an Atlas project. This endpoint doesn't verify connectivity using the provided LDAP over TLS configuration details. To verify a configuration before saving it, use the Verify LDAP Configuration endpoint.

Note
  • Explaining RFC 4515 and RFC 4516 falls outside the scope of the Atlas documentation. Review those RFCs or your preferred LDAP documentation.
  • Groups and projects are synonymous: {GROUP-ID} is the same as your project ID. The unique identifier for your existing projects/groups remains the same. This endpoint and corresponding endpoints use the terms groups and groupId.

Syntax

Base URL: https://cloud.mongodb.com/api/atlas/v1.0

PATCH /groups/{GROUP-ID}/userSecurity

Request Path Parameters

GROUP-ID (string, required): Unique identifier for the Atlas project associated with the LDAP over TLS configuration.

Request Query Parameters

This endpoint might use any of the HTTP request query parameters available to all Atlas API resources. All of these are optional.

pretty (boolean, optional, default false): Flag indicating whether the response body should be in prettyprint format.

envelope (boolean, optional, default false): Flag indicating whether Atlas should wrap the response in a JSON envelope. Some API clients cannot access the HTTP response headers or status code; for those clients, set envelope=true in the query. For endpoints that return one result, the enveloped response body includes:
  • status: HTTP response code
  • envelope: Expected response body
Request Body Parameters

ldap (document, required): Specifies an LDAP configuration for an Atlas project.

ldap.authenticationEnabled (boolean, required): Specifies whether user authentication with LDAP is enabled.

ldap.authorizationEnabled (boolean, optional): Specifies whether user authorization with LDAP is enabled. You cannot enable user authorization with LDAP without first enabling user authentication with LDAP.

ldap.hostname (string, required): The hostname or IP address of the LDAP server. The server must be visible to the internet or connected to your Atlas cluster with VPC Peering.

ldap.port (integer, required, default 636): The port on which the LDAP server listens for client connections.

ldap.bindUsername (string, required): The user DN that Atlas uses to connect to the LDAP server. Must be the full DN, such as CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com.

ldap.userToDNMapping (document array): Maps an LDAP username for authentication to an LDAP Distinguished Name (DN). Each document contains a match regular expression and either a substitution or an ldapQuery template used to transform the LDAP username extracted by the regular expression. Atlas steps through the documents in the array in the given order, checking the authentication username against each match filter. When a match is found, Atlas applies that document's transformation and uses the output to authenticate the user; it does not check the remaining documents in the array. See security.ldap.userToDNMapping for more information.

  The following example provides a match regular expression that matches all users and substitutes the username into the {0} argument of the substitution template to create an LDAP DN.

    "userToDNMapping": [
      {
        "match": "(.*)",
        "substitution": "CN={0},CN=Users,DC=my-atlas-ldap-server,DC=myteam,DC=com"
      }
    ]

ldap.userToDNMapping[i].match (string): A regular expression to match against a provided LDAP username. Each parenthesis-enclosed section represents a regular expression capture group used by the substitution or ldapQuery template.

ldap.userToDNMapping[i].substitution (string): An LDAP Distinguished Name (DN) formatting template that converts the LDAP name matched by the match regular expression into an LDAP Distinguished Name. Each bracket-enclosed numeric value is replaced by the corresponding regular expression capture group extracted from the LDAP username that matched the match regular expression.

  Example:

    "substitution":"CN={0},CN=Users,DC=my-atlas-ldap-server,DC=myteam,DC=com"

  Each document in the ldap.userToDNMapping array must contain either a substitution or an ldapQuery field, but not both.

ldap.userToDNMapping[i].ldapQuery (string): An LDAP query formatting template that inserts the LDAP name matched by the match regular expression into an LDAP query URI as specified by RFC 4515 and RFC 4516. Each bracket-enclosed numeric value is replaced by the corresponding regular expression capture group extracted from the LDAP username that matched the match regular expression.

  Example:

    "ou=engineering,dc=example, dc=com??one?(user={0})"

  Each document in the ldap.userToDNMapping array must contain either a substitution or an ldapQuery field, but not both.

bindPassword (string, required): The password used to authenticate the bindUsername.

caCertificate (object, optional): CA certificate used to verify the identity of the LDAP server. Self-signed certificates are allowed.

  Tip: Pass an empty string to delete a previously assigned value:

    "caCertificate": ""

authzQueryTemplate (string, optional): An LDAP query template that Atlas executes to obtain the LDAP groups to which the authenticated user belongs. Used only for user authorization. Use the {USER} placeholder in the URL to substitute the authenticated username. The query is relative to the host specified with hostname. The formatting for the query must conform to RFC 4515 and RFC 4516. If you do not provide a query template, Atlas attempts to use the default value: {USER}?memberOf?base.

  Tip: Pass an empty string to delete a previously assigned value:

    "authzQueryTemplate": ""
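The first-match walk over userToDNMapping described above, as an added example in Python (not Atlas code; the function name resolve_user_to_dn and the two-document SAMPLE_MAPPING are constructed here). It anchors the regex to the whole username, which is an assumption of this example, and returns either the substituted DN or the filled-in ldapQuery.

```python
import re

# Constructed sample mapping (not from the page) with two documents: a strict
# match that builds a DN for plain usernames, then a catch-all that falls back
# to an ldapQuery search. Atlas stops at the first document whose match succeeds.
SAMPLE_MAPPING = [
    {"match": "([A-Za-z0-9._-]+)",
     "substitution": "CN={0},CN=Users,DC=my-atlas-ldap-server,DC=myteam,DC=com"},
    {"match": "(.*)",
     "ldapQuery": "ou=engineering,dc=example,dc=com??one?(user={0})"},
]

def resolve_user_to_dn(username, mapping):
    """Apply a userToDNMapping array to an authentication username.

    Walks the array in order; the first document whose match regex matches wins,
    and {0}, {1}, ... in its substitution or ldapQuery template are replaced by
    that regex's capture groups (the page's "{0}" receives what "(.*)" captured).
    Returns ("dn", text) for a substitution, ("query", text) for an ldapQuery, or
    None when no document matches. The match is anchored to the whole username
    here (an assumption of this example, and the stricter reading for review).
    """
    for i, doc in enumerate(mapping):
        has_sub, has_query = "substitution" in doc, "ldapQuery" in doc
        if has_sub == has_query:  # page: exactly one of the two, never both or neither
            raise ValueError(f"userToDNMapping[{i}] needs exactly one of substitution/ldapQuery")
        m = re.fullmatch(doc["match"], username)
        if m is None:
            continue  # not this document; try the next one in order
        kind, template = ("dn", doc["substitution"]) if has_sub else ("query", doc["ldapQuery"])
        # {n} is capture group n+1; the captured text is inserted verbatim, so the
        # match regex is what bounds which characters can reach the DN or query.
        text = re.sub(r"\{(\d+)\}", lambda g: m.group(int(g.group(1)) + 1), template)
        return kind, text
    return None

if __name__ == "__main__":
    for user in ("alice", "alice@myteam.com", "first last"):
        print(user, "->", resolve_user_to_dn(user, SAMPLE_MAPPING))
```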
Response Elements

ldap (document): Specifies the LDAP over TLS/SSL configuration details for an Atlas group.

ldap.authenticationEnabled (boolean): Specifies whether user authentication with LDAP is enabled.

ldap.authorizationEnabled (boolean): Specifies whether user authorization with LDAP is enabled. You cannot enable user authorization with LDAP without first enabling user authentication with LDAP.

ldap.hostname (string): The hostname or IP address of the LDAP server. The server must be visible to the internet or connected to your Atlas cluster with VPC Peering.

ldap.port (integer): The port on which the LDAP server listens for client connections.

ldap.bindUsername (string): The user DN that Atlas uses to connect to the LDAP server. Must be the full DN, such as CN=BindUser,CN=Users,DC=myldapserver,DC=mycompany,DC=com.

ldap.userToDNMapping (document array): The user to Distinguished Name (DN) mapping used to transform an LDAP username into an LDAP Distinguished Name.

ldap.userToDNMapping[i].match (string): The regular expression used to match against the provided LDAP username. Each parenthesis-enclosed section represents a regular expression capture group used by the substitution or ldapQuery template.

ldap.userToDNMapping[i].substitution (string): The LDAP Distinguished Name (DN) formatting template that converts the LDAP username matched by the match regular expression into an LDAP Distinguished Name.

ldap.userToDNMapping[i].ldapQuery (string): The LDAP query formatting template that inserts the LDAP username matched by the match regular expression into an LDAP query URI as specified by RFC 4515 and RFC 4516.

caCertificate (object): CA certificate used to verify the identity of the LDAP server. Self-signed certificates are allowed.

authzQueryTemplate (string): The LDAP query template that Atlas executes to obtain the LDAP groups to which the authenticated user belongs. Used only for user authorization. Use the {USER} placeholder in the URL to substitute the authenticated username. The query is relative to the host specified with hostname. The formatting for the query must conform to RFC 4515 and RFC 4516. If you do not provide a query template, Atlas attempts to use the default value: {USER}?memberOf?base.

Example Request

The following example saves an LDAP configuration.

  curl --include --user "{PUBLIC-KEY}:{PRIVATE-KEY}" \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --digest \
    --request PATCH "https://cloud.mongodb.com/api/atlas/v1.0/groups/{GROUP-ID}/userSecurity?pretty=true" \
    --data '
    {
      "ldap": {
        "authenticationEnabled": true,
        "authorizationEnabled": true,
        "hostname": "atlas-ldaps-01.ldap.myteam.com",
        "port": 636,
        "bindUsername": "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com",
        "bindPassword": "MyldapPassWord",
        "authzQueryTemplate": "{USER}?memberOf?base",
        "userToDNMapping": [ {
          "match": "(.*)",
          "substitution": "CN={0},CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com"
        } ]
      }
    }'
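The same PATCH from Python with a preflight check of the body against the constraints documented on this page (authorization requires authentication, required fields, exactly one template per mapping document, the {USER} placeholder). This is an added example, not Atlas code: validate_ldap_body, save_ldap_config and SAMPLE_BODY are names chosen here, and the Digest authentication uses the standard library's urllib handler rather than curl.

```python
import json
import urllib.request

ATLAS_BASE = "https://cloud.mongodb.com/api/atlas/v1.0"
REQUIRED = ("authenticationEnabled", "hostname", "port", "bindUsername", "bindPassword")

def validate_ldap_body(body):
    """Return the documented constraints that the PATCH body violates ([] when it is ready)."""
    ldap = body.get("ldap")
    if not isinstance(ldap, dict):
        return ["ldap document is required"]
    problems = [f"ldap.{k} is required" for k in REQUIRED if k not in ldap]
    if ldap.get("authorizationEnabled") and not ldap.get("authenticationEnabled"):
        problems.append("authorizationEnabled requires authenticationEnabled")
    for i, doc in enumerate(ldap.get("userToDNMapping", [])):
        if "match" not in doc:
            problems.append(f"userToDNMapping[{i}] lacks match")
        if ("substitution" in doc) == ("ldapQuery" in doc):
            problems.append(f"userToDNMapping[{i}] needs exactly one of substitution/ldapQuery")
    # "" is the documented way to clear a value; a non-empty template needs {USER}.
    tmpl = ldap.get("authzQueryTemplate", "")
    if tmpl and "{USER}" not in tmpl:
        problems.append("authzQueryTemplate should contain the {USER} placeholder")
    return problems

def save_ldap_config(group_id, public_key, private_key, body):
    """PATCH /groups/{GROUP-ID}/userSecurity with HTTP Digest auth, like the curl above.
    Needs real API keys and network access, so it is not exercised offline."""
    problems = validate_ldap_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"{ATLAS_BASE}/groups/{group_id}/userSecurity"
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, url, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(pw_mgr))
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PATCH",
                                 headers={"Accept": "application/json", "Content-Type": "application/json"})
    with opener.open(req) as resp:
        return json.load(resp)

# Constructed body mirroring the page's example request (placeholder password, not a real one).
SAMPLE_BODY = {"ldap": {
    "authenticationEnabled": True, "authorizationEnabled": True,
    "hostname": "atlas-ldaps-01.ldap.myteam.com", "port": 636,
    "bindUsername": "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com",
    "bindPassword": "<BIND-PASSWORD>", "authzQueryTemplate": "{USER}?memberOf?base",
    "userToDNMapping": [{"match": "(.*)",
                         "substitution": "CN={0},CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com"}]}}
```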

Example Response

Response Header

The following example shows the headers and JSON document returned after successfully saving an LDAP over TLS configuration. Because the example request passes --include and --digest, curl prints the initial 401 Digest challenge followed by the 200 OK response:

  HTTP/1.1 401 Unauthorized
  Content-Type: application/json;charset=ISO-8859-1
  Date: {dateInUnixFormat}
  WWW-Authenticate: Digest realm="MMS Public API", domain="", nonce="{nonce}", algorithm=MD5, op="auth", stale=false
  Content-Length: {requestLengthInBytes}
  Connection: keep-alive

  HTTP/1.1 200 OK
  Vary: Accept-Encoding
  Content-Type: application/json
  Strict-Transport-Security: max-age=300
  Date: {dateInUnixFormat}
  Connection: keep-alive
  Content-Length: {requestLengthInBytes}

Response Body

  {
    "ldap" : {
      "authenticationEnabled" : true,
      "authorizationEnabled" : true,
      "authzQueryTemplate" : "{USER}?memberOf?base",
      "bindUsername" : "CN=Administrator,CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com",
      "hostname" : "atlas-ldaps-01.ldap.myteam.com",
      "port" : 636,
      "userToDNMapping" : [ {
        "match" : "(.*)",
        "substitution" : "CN={0},CN=Users,DC=atlas-ldaps-01,DC=myteam,DC=com"
      } ]
    }
  }