Configure User Authentication and Authorization with Azure AD Domain Services¶
This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations.
This guide shows you how to enable Atlas to authenticate and authorize database users (not Atlas users) from Azure AD Domain Services, a third-party LDAP provider.
You can enable LDAP authentication only or you can enable both LDAP authentication and authorization:
- If you enable LDAP authentication only, you add individual users to Atlas and assign database access privileges to each user you add.
- If you enable LDAP authentication and authorization, you add user groups to Atlas and assign database access privileges to each group. Users inherit the database access privileges from the LDAP group they belong to.
Atlas supports authenticating and authorizing database users from Azure AD Domain Services.
Limitations¶
- You must deploy M10 or larger Atlas clusters to enable LDAP integration. LDAP integration is an Atlas Enterprise feature.
- Atlas does not support single sign-on integration for database users. To learn about single sign-on integration for the Atlas administrative web interface, see Configure Federated Authentication.
Prerequisites¶
To integrate Azure AD Domain Services LDAP with Atlas, you must have:
- An Azure subscription. To obtain a subscription, visit the Microsoft Azure portal.
- Contributor privileges or greater for your Azure subscription to create the resources the LDAP integration requires.
- An Azure AD tenant associated with your subscription. For information about setting up an Azure AD tenant, see the Azure AD Documentation.
- Global Administrator privileges in your Azure AD tenant to enable Azure AD Domain Services.
- A custom, routable domain name.
Procedures¶
Configure Azure AD Domain Services for Your Domain¶
Configure Azure AD Domain Services for your domain.¶
To configure Azure AD Domain Services, follow the Create an advanced managed domain tutorial in the Azure Documentation using the Custom domain names DNS name option.
When you configure your managed domain, make sure that you note the value you enter in the DNS domain name field. This value is your <managed-domain>. You must provide it in several places in this tutorial.
Example: aadds.example.com
Obtain an SSL certificate for secure LDAP.¶
Azure AD Domain Services uses SSL certificates to secure LDAP. Your certificate must adhere to the requirements outlined in the Azure Documentation.
To obtain a certificate, either:
- Get one from the public or enterprise certificate authority (CA) your organization uses.
  - You must obtain a wildcard certificate to ensure secure LDAP works properly with Azure AD Domain Services. The certificate's subject name must be a wildcard that matches the <managed-domain> you used when you configured Azure AD Domain Services.
Example
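Before uploading a certificate to Azure AD Domain Services, it is worth checking that its DNS names actually satisfy the wildcard requirement and cover the secure LDAP hostname that Atlas will connect to. The following check is an added example, not code from the Atlas or Azure documentation. It assumes the managed domain from the example above (aadds.example.com) and a hypothetical secure LDAP hostname `ldaps.aadds.example.com`; the subject alternative names are constructed inline for the demonstration. The matching rules are the ones TLS clients apply (RFC 6125): a wildcard is honoured only as the whole leftmost label, it matches exactly one label, and it never matches the bare managed domain itself.

```python
"""Check that an LDAPS certificate's DNS names satisfy the Azure AD Domain
Services wildcard requirement and cover the LDAPS host Atlas connects to.

Added example; not part of the Atlas or Azure documentation. The managed
domain and LDAPS hostname below are assumptions for illustration.
"""

from typing import Iterable, List

MANAGED_DOMAIN = "aadds.example.com"          # the <managed-domain> from the tutorial
LDAPS_HOST = "ldaps.aadds.example.com"        # hypothetical secure LDAP hostname


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot denotes an absolute name."""
    return name.strip().rstrip(".").lower()


def dns_name_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers host.

    Applies the RFC 6125 rules a TLS client uses: '*' is accepted only as the
    entire leftmost label, it matches exactly one label, and wildcards with
    fewer than two fixed labels to the right (e.g. '*.com') are refused.
    """
    pattern, host = _normalize(pattern), _normalize(host)
    if not pattern or not host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Reject partial wildcards ('ld*.example.com') and wildcards in other labels.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # A wildcard matches exactly one label, so label counts must be equal.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def check_ldaps_cert_names(san_dns_names: Iterable[str], managed_domain: str,
                           ldaps_host: str) -> List[str]:
    """Return a list of problems; an empty list means the names are acceptable."""
    names = [_normalize(n) for n in san_dns_names]
    managed_domain = _normalize(managed_domain)
    ldaps_host = _normalize(ldaps_host)
    problems: List[str] = []

    # Azure AD DS expects a wildcard for the managed domain, e.g. *.aadds.example.com
    expected_wildcard = f"*.{managed_domain}"
    if expected_wildcard not in names:
        problems.append(f"certificate does not carry the wildcard name {expected_wildcard}")

    # The LDAPS endpoint must live under the managed domain for the wildcard to apply.
    if not ldaps_host.endswith("." + managed_domain):
        problems.append(f"LDAPS host {ldaps_host} is not under the managed domain {managed_domain}")

    # Finally, confirm that at least one certificate name actually covers the host.
    if not any(dns_name_matches(n, ldaps_host) for n in names):
        problems.append(f"no certificate name covers the LDAPS host {ldaps_host}")
    return problems


if __name__ == "__main__":
    # Constructed SAN lists standing in for what you would read from a real certificate.
    good_sans = ["*.aadds.example.com"]
    bad_sans = ["aadds.example.com"]  # bare domain only: not a wildcard certificate
    for sans in (good_sans, bad_sans):
        issues = check_ldaps_cert_names(sans, MANAGED_DOMAIN, LDAPS_HOST)
        print(sans, "->", "OK" if not issues else "; ".join(issues))
```

To feed a real certificate into the check, read its names with `openssl x509 -noout -ext subjectAltName -in cert.pem` (and `-subject` for the common name) and pass them as the `san_dns_names` list. A certificate issued for the bare managed domain fails twice, once for the missing wildcard and once because it does not cover the LDAPS host, which is exactly the configuration the requirement above is meant to rule out.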