LDAP Proxy Authority Authentication
MongoDB Enterprise supports proxy authentication through a Lightweight Directory Access Protocol (LDAP) service.
Considerations
MongoDB Enterprise for Windows does not include LDAP support for authentication. However, MongoDB Enterprise for Linux supports using LDAP authentication with an ActiveDirectory server.
MongoDB does not support LDAP authentication in mixed sharded cluster deployments that contain both version 2.4 and version 2.6 shards. See Upgrade MongoDB to 2.6 for upgrade instructions.
Use secure encrypted or trusted connections between clients and the server, as well as between saslauthd and the LDAP server. The LDAP server uses the SASL PLAIN mechanism, sending and receiving data in plain text. You should use only a trusted channel such as a VPN, a connection encrypted with TLS/SSL, or a trusted wired network.
MongoDB Configuration
To configure the MongoDB server to use the LDAP authentication mechanism, use the following command-line options:
- --auth to enable access control,
- --authenticationMechanisms set to PLAIN, and
- --saslauthdPath parameter set to the path to the Unix-domain Socket of the saslauthd instance.
Or, if using the YAML configuration file, use the following settings:
- security.authorization set to enabled,
- setParameter.authenticationMechanisms set to PLAIN, and
- setParameter.saslauthdPath set to the path to the Unix-domain Socket of the saslauthd instance.
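The following is an added example, not part of the MongoDB documentation: a small Python check that reads a YAML configuration file and reports which of the three settings above are missing, and whether PLAIN is enabled without enforced TLS/SSL. The sample configuration and socket path are constructed, and the TLS check assumes the net.ssl.mode setting, which this page does not name.

```python
# Constructed sample config (the socket path is illustrative).
SAMPLE_CONFIG = """\
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: PLAIN
  saslauthdPath: /var/run/saslauthd/mux
net:
  ssl:
    mode: disabled
"""

def flatten(text):
    """Flatten the nested-mapping subset of YAML that mongod uses into dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) for each open parent mapping
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indent
        if value.strip():
            path = ".".join([k for _, k in stack] + [key])
            flat[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return flat

def audit(text):
    """Return findings for the LDAP proxy settings; an empty list means none."""
    cfg, findings = flatten(text), []
    if cfg.get("security.authorization") != "enabled":
        findings.append("security.authorization is not 'enabled'")
    raw_mechs = cfg.get("setParameter.authenticationMechanisms", "")
    mechs = [m.strip() for m in raw_mechs.split(",")]
    if "PLAIN" not in mechs:
        findings.append("setParameter.authenticationMechanisms lacks PLAIN")
    if "setParameter.saslauthdPath" not in cfg:
        findings.append("setParameter.saslauthdPath is not set")
    # Assumption: TLS is configured through net.ssl.mode (not named on this page).
    if "PLAIN" in mechs and cfg.get("net.ssl.mode") != "requireSSL":
        findings.append("PLAIN without net.ssl.mode=requireSSL: passwords "
                        "are sent in plain text unless the network is trusted")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```

A finding about net.ssl.mode is a prompt to confirm that some other trusted channel, such as a VPN, protects the connection.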
LDAP User
In order to authenticate a user with the LDAP authentication mechanism, add a corresponding user to the $external database. You do not need to save the user’s password in MongoDB.
The $external database is the authentication database for the LDAP user. To authenticate the LDAP user, you must authenticate against the $external database. When authenticating, specify PLAIN for the authentication mechanism.
LDAP authentication requires that MongoDB forward the user’s password in plain text. As such, you must specify digestPassword set to false during authentication.
Additional Information
For information on configuring MongoDB to use LDAP and authenticating users using LDAP, see: