Set up User Authentication and Authorization with LDAP¶
This feature is not available for M0 (Free Tier), M2, and
M5 clusters. To learn more about which features are unavailable,
see Atlas M0 (Free Tier), M2, and M5 Limitations.
Atlas provides the ability to manage user authentication and authorization from all MongoDB clients using your own Lightweight Directory Access Protocol (LDAP ) server over TLS . A single LDAPS (LDAP over TLS ) configuration applies to all clusters in a project.
If you enable user authorization with LDAP , you can create LDAP
groups on the admin database by mapping LDAP groups to MongoDB
roles on your Atlas databases. To use LDAP groups effectively,
create additional projects within
Atlas to control access to specific deployments in your
organization, such as creating separate Atlas projects for
development and production environments. You can then map an LDAP
group to a role in the Atlas project to provide access to the
desired deployment.
When user authorization is enabled and an LDAP user does not belong to any LDAP group, Atlas does not assign any database roles to the user. When user authentication is enabled and user authorization is disabled, Atlas assigns MongoDB database roles to the LDAP user.
If you have multiple departments with their own billing needs, alert settings, and project members, create a new organization for each department.
Prerequisites¶
You must meet the following prerequisites to manage user authentication and authorization using LDAP in Atlas:
- Atlas cluster using MongoDB 3.6 or later.
- LDAP server using TLS that is accessible to Atlas clusters over the network using either VPC or VNet peering connection or the cluster nodes' public IP addresses.
- LDAP group memberships for each user are embedded as an attribute in each user's LDAP entry for user authorization only.
Recommendation¶
For your LDAPS service to access Atlas clusters, MongoDB recommends one of two configurations:
Using a VPC or VNet:
- Run your LDAP server in a VPC or VNet.
- Establish a peering connection to your Atlas project.
- Use a public FQDN that resolves to the private IP address of your LDAP server.
Using your data center:
- Run your LDAP server with a public FQDN that resolves to a public IP address.
- Configure the LDAP server to allow inbound access from the Atlas cluster nodes' public IP addresses.
Considerations¶
Usernames¶
Atlas uses the full Distinguished Name (DN) of users in your LDAP
server as the Atlas username. For example, an example LDAP user
named ralph has the following username in Atlas:
cn=ralph,cn=Users,dc=aws-atlas-ldap-01,dc=myteam,dc=com
Connection String¶
If the administrator enables user authentication or both user authentication and authorization with LDAP , database users must override the following parameters in the connection string for their clients.
authSourcemust be$externalauthenticationMechanismmust bePLAIN
The following connection string for the mongo client
authenticates an LDAP user named rob:
mongo "mongodb+srv://cluster0-tijis.mongodb.net/test?authSource=%24external" --authenticationMechanism PLAIN --username cn=rob,cn=Users,dc=atlas-ldaps-01,dc=myteam,dc=com
To copy the connection string:
- Click Connect on the Clusters page.
- Edit the string with your
User DNand password.
Use escape characters in place of special characters in MongoDB connection strings. The example above passes '%24' for the '$'.
Limitations¶
If you use LDAP to authenticate and authorize users, you cannot:
- Provide public IP addresses that refer to other internal or private IP addresses using Network Address Translation to allow Atlas traffic to your LDAP server.
- Use both LDAP and SCRAM authentication for the same database user.
Procedures¶
Configure Authentication with LDAP¶
Use the following procedure to configure user authentication with LDAP for all clusters in a project.
Log into Atlas.¶
Navigate to the Advanced page for your project.¶
- If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
- If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
- Click Advanced in the sidebar.
Toggle the button next to LDAP Authentication to On.¶
You might incur additional costs when you enable this feature. See Advanced Security.
Enter the server details and bind credentials for your LDAP server in the Configure Your LDAP Server panel.¶
Optional: Enter a certificate issued from a Certificate Authority (CA) for your LDAP server in the CA Root Certificate field.¶
You may provide a self-signed certificate.
Click Verify and Save.¶
Wait for Atlas to deploy your changes. Atlas verifies that your clusters can connect to, authenticate with, and query your LDAP server using the configuration details that you provide.
Configure Authorization¶
Use the following procedure to configure user authorization with LDAP for all clusters in a project:
- You must enable authentication with LDAP before enabling authorization.
- When you enable and configure LDAP authorization, database users who are only configured for LDAP authentication will no longer be able to access databases.
Log into Atlas.¶
Navigate to the Advanced page for your project.¶
- If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
- If it is not already displayed, select your desired project from the Projects menu in the navigation bar.
- Click Advanced in the sidebar.
Toggle the button next to LDAP Authorization to On.¶
Enter the server details and bind credentials for your LDAP server in the Configure Your LDAP Server panel.¶
Optional: Enter a query template in Query Template.¶
When a user attempts to perform an action, Atlas executes the LDAP query template to obtain the LDAP groups to which the authenticated user belongs. Atlas permits the action if the query returns at least one group that is authorized to perform the action. Atlas does not permit the action if the query returns no groups that are authorized to perform the action.
Atlas substitutes the authenticated username in the {USER}
placeholder when it runs the query. The query is relative to the host
specified in Server Hostname.
The formatting for the query must conform to RFC4515
If you do not provide a query template, Atlas applies the default
value: {USER}?memberOf?base.
Click Verify and Save.¶
Wait for Atlas to deploy your changes. Atlas verifies that your clusters can connect to, authenticate with, and query your LDAP server using the configuration details that you provide.
Tutorials for Third-Party LDAP Providers¶
Use the following tutorials to configure Atlas to authenticate and authorize users from third-party LDAP providers: