LDAP Proxy Authentication
MongoDB Enterprise supports proxying authentication requests to a Lightweight Directory Access Protocol (LDAP) service.
MongoDB 3.4 supports simple and SASL binding to LDAP servers via:
- Operating system libraries
New in version 3.4: MongoDB 3.4 supports binding to an LDAP server via operating system libraries. This allows Linux and Windows MongoDB 3.4 servers to use an LDAP server for authentication.
Linux MongoDB servers support binding to an LDAP server via the
mongos cannot successfully authenticate via saslauthd without the specified permission on the saslauthd directory and its contents.
Previous versions of MongoDB support LDAP authentication using saslauthd. This restricted LDAP authentication support to Linux MongoDB deployments only.
Previous versions of Microsoft Windows MongoDB cannot connect to LDAP servers. MongoDB 3.4 on Windows remains incompatible with
A full description of LDAP is beyond the scope of this documentation. This page assumes prior knowledge of LDAP.
This documentation only describes MongoDB LDAP authentication, and does not replace other resources on LDAP. We encourage you to thoroughly familiarize yourself with LDAP and its related subject matter before configuring LDAP authentication.
MongoDB can provide professional services for optimal configuration of LDAP authentication for your MongoDB deployment.
User management requires managing users both on the LDAP server and the MongoDB server. For each user authenticating via LDAP, MongoDB requires a user on the $external database whose name exactly matches the authentication username. Changes to a user on the LDAP server may require changes to the corresponding MongoDB
Changed in version 3.6.3: To use sessions with $external authentication users (i.e. Kerberos, LDAP, x.509 users), the usernames cannot be greater than 10k bytes.
A user authenticates as [email protected]. The MongoDB server binds to the LDAP server and authenticates the user, respecting any username transformations. On successful authentication, the MongoDB server then checks the $external database for a user [email protected] and grants the authenticated user the roles and privileges associated to that user.
To manage users on the MongoDB server, you must authenticate as an LDAP user whose corresponding MongoDB $external user has user administrative privileges on the $external database, such as those provided by
If no $external users have user administrative privileges on the $external database, you cannot perform user management for LDAP authentication. This scenario may occur if you configure users prior to enabling LDAP authentication, but do not create the appropriate user administrators.
If there are existing users not on the $external database, you must meet the following requirements for each user to ensure continued access:
- User has a corresponding user object on the LDAP server
- User exists on the $external database with equivalent roles and privileges
If you want to continue allowing access by users not on the $external database, you must configure authenticationMechanisms to include SCRAM-SHA-1. Users must then specify --authenticationMechanism SCRAM-SHA-1 when authenticating.
For replica sets, configure LDAP authentication on secondary and arbiter members first before configuring the primary. This also applies to shard replica sets, or config server replica sets. Configure one replica set member at a time to maintain a majority of members for write availability.
New in version 3.4.
The LDAP authentication via OS libraries process is summarized below:
A client authenticates to MongoDB, providing a user's credentials.
If the username requires mapping to an LDAP DN prior to binding against the LDAP server, MongoDB can apply transformations based on the configured
MongoDB binds to an LDAP server specified in security.ldap.servers using the provided username or, if a transformation was applied, the transformed username.
If a transformation requires querying the LDAP server, or if the LDAP server disallows anonymous binds, MongoDB uses the username and password specified to security.ldap.bind.queryPassword to bind to the LDAP server before attempting to authenticate the provided user credentials.
The LDAP server returns the result of the bind attempt to MongoDB. On success, MongoDB attempts to authorize the user.
The MongoDB server attempts to map the username to a user on the $external database, assigning the user any roles or privileges associated to a matching user. If MongoDB cannot find a matching user, authentication fails.
The client can perform those actions for which MongoDB granted the authenticated user roles or privileges.
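A mongod configuration that wires the steps above together, including the SCRAM-SHA-1 setting needed to keep users outside $external working; this is an added example, not a configuration taken from the MongoDB documentation. Hostnames, DNs, the mapping regex and the placeholder password are constructed; transportSecurity, bind.queryUser, userToDNMapping and setParameter.authenticationMechanisms are MongoDB settings that this page does not name in full.

```yaml
# mongod.conf for LDAP proxy authentication via OS libraries (MongoDB 3.4+ Enterprise).
# All hostnames, DNs and secrets below are constructed placeholders.
security:
  authorization: enabled
  ldap:
    # Servers MongoDB binds to, as a quote-enclosed comma-separated host:port list.
    servers: "ldap1.example.internal:636,ldap2.example.internal:636"
    # Use TLS to the LDAP server; with PLAIN the user's password is forwarded as-is,
    # so it must not cross the network in clear text.
    transportSecurity: tls
    bind:
      # Only needed when a transformation queries LDAP or the directory disallows
      # anonymous binds: a low-privilege service account able to run those queries.
      queryUser: "CN=mongodb-svc,OU=ServiceAccounts,DC=example,DC=internal"
      queryPassword: "REPLACE-WITH-SECRET"   # placeholder; on Windows, bind.useOSDefaults can replace both
    # Map the presented username to an LDAP DN before binding. The value is a JSON
    # array of match/substitution pairs; {0} is the first regex capture group.
    userToDNMapping: '[
      { match: "(.+)@EXAMPLE\\.INTERNAL", substitution: "CN={0},OU=Users,DC=example,DC=internal" }
    ]'
setParameter:
  # PLAIN is the mechanism LDAP proxy authentication uses. SCRAM-SHA-1 is kept only so
  # existing non-$external users can still log in (with --authenticationMechanism SCRAM-SHA-1);
  # drop it once every user has a matching $external user.
  authenticationMechanisms: "PLAIN,SCRAM-SHA-1"
```

After a successful bind, authorization still depends on a $external user whose name matches the authenticating username exactly (here, the full name@EXAMPLE.INTERNAL form the client presents, not the mapped DN).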
- Quote-enclosed comma-separated list of LDAP servers in
- The LDAP entity, identified by its distinguished name (DN) or SASL name, with which the MongoDB server authenticates, or binds, when connecting to an LDAP server. The user specified must have the appropriate privileges to execute queries on the LDAP server. Required: NO, unless specifying a query as part of a
- The password used to authenticate to an LDAP server when using ... Required: NO, unless specifying
- Windows MongoDB deployments can use the operating system credentials in place of ... Required: NO, unless replacing
- Clients may authenticate using a username whose format is incompatible with the format expected by the configured