- Security Features and Setup >
- Set up User Authentication and Authorization with LDAP
Set up User Authentication and Authorization with LDAP¶
On this page
Feature unavailable in Free and Shared-Tier Clusters
This feature is not available for M0 (Free Tier), M2, and
M5 clusters. To learn more about which features are unavailable,
see Atlas M0 (Free Tier), M2, and M5 Limitations.
Overview¶
Atlas provides the ability to manage user authentication and authorization from all Mongo clients using your own Lightweight Directory Access Protocol (LDAP) server over TLS/SSL. A single LDAPS (LDAP over TLS/SSL) configuration applies to all clusters in a project.
If you enable user authorization with LDAP, you can create LDAP groups on the
admin database by mapping LDAP groups to MongoDB roles on your Atlas
databases. To use LDAP groups effectively, create additional projects within Atlas to control access to specific
deployments in your organization, such as creating separate Atlas
projects for development and production environments. You can then map an
LDAP group to a role in the Atlas project to provide access to the
desired deployment.
Note
When user authorization is enabled and an LDAP user does not belong to any LDAP group, Atlas does not assign any database roles to the user. When user authentication is enabled and user authorization is disabled, Atlas assigns MongoDB database roles to the LDAP user.
If you have multiple departments with their own billing needs, alert settings, and project members, create a new organization for each department.
Prerequisites¶
You must meet the following prerequisites to manage user authentication and authorization using LDAP in Atlas:
- Atlas cluster using MongoDB 3.4+
- LDAP server using TLS/SSL that is accessible to Atlas from the Internet or VPC (AWS only)
- (user authorization only) LDAP group memberships for each user are embedded as an attribute in each user’s LDAP entry
- VPC where the LDAP server runs
Note
MongoDB recommends running your server in a VPC and establishing a peering connection to your Atlas project. Alternatively, run your LDAPS server in your data center where it is accessible from the Internet.
Considerations¶
Usernames¶
Atlas uses the full Distinguished Name (DN) of users in your LDAP server
as the Atlas username. For example, an example LDAP user named ralph
has the following username in Atlas:
cn=ralph,cn=Users,dc=aws-atlas-ldap-01,dc=myteam,dc=com
Connection String¶
If the administrator enables user authentication or both user authentication and authorization with LDAP, database users must override the following parameters in the connection string for their clients.
authSourcemust be$externalauthenticationMechanismmust bePLAIN
The following connection string for the mongo client authenticates
an LDAP user named rob:
mongo "mongodb+srv://cluster0-tijis.mongodb.net/test?authSource=%24external" --authenticationMechanism PLAIN --username cn=rob,cn=Users,dc=atlas-ldaps-01,dc=myteam,dc=com
You can copy the connection string by clicking Connect on the
Clusters page. Edit the string with your User DN and password.
Note
Use escape characters in place of special characters in MongoDB connection strings. The example above passes ‘%24’ for the ‘$’.
Limitatons¶
Using LDAP for user authentication and authorization has the following limitations:
- Cannot establish a peering connection between a Virtual Private Cloud (VPC) and clusters running on Azure Virtual Networks and Google Cloud Platform (GCP) Virtual Private Clouds.
- Cannot provide public NAT addresses to whitelist Atlas traffic to your LDAP server.
- Cannot use both LDAP and SCRAM authentication for the same MongoDB user
Procedures¶
Configure Authentication with LDAP¶
Use the following procedure to configure user authentication with LDAP for all clusters in a project.
Log into Atlas.¶
Toggle the button next to LDAP Authentication to On.¶
Enter the server details and bind credentials for your LDAP server in the Configure Your LDAP Server panel.¶
Optional: Enter a certificate issued from a Certificate Authority (CA) for your LDAP server in the CA Root Certificate field.¶
You may provide a self-signed certificate.
Click Verify and Save.¶
Wait for Atlas to deploy your changes. Atlas verifies that your clusters can connect to, authenticate with, and query your LDAP server using the configuration details that you provide.
Configure Authorization¶
Use the following procedure to configure user authorization with LDAP for all clusters in a project.
Note
You must enable authentication with LDAP before enabling authorization.
Important
When the administrator configures LDAP authorization, previous database users configured for LDAP authentication only can no longer access databases.
Log into Atlas.¶
Select a project from Context.¶
In the Security section of the left navigation, click Advanced.¶
Toggle the button next to LDAP Authorization to On.¶
Enter the server details and bind credentials for your LDAP server in the Configure Your LDAP Server panel.¶
Optional: Enter a query template in Query Template.¶
Atlas executes the LDAP query template
to obtain the LDAP groups to which the authenticated user belongs.
Use the {USER} placeholder in the URL to substitute the authenticated
username. The query is relative to the host specified in Server Hostname.
The formatting for the query must conform to RFC4515
and RFC 4516.
If you do not provide a query template, Atlas applies the default
value: {USER}?memberOf?base.
Click Verify and Save.¶
Wait for Atlas to deploy your changes. Atlas verifies that your clusters can connect to, authenticate with, and query your LDAP server using the configuration details that you provide.