LDAP Proxy Authority Authentication
MongoDB Enterprise supports proxy authentication through a Lightweight Directory Access Protocol (LDAP) service.
Considerations
MongoDB Enterprise for Windows does not include LDAP support for authentication. However, MongoDB Enterprise for Linux supports using LDAP authentication with an Active Directory server.
MongoDB does not support LDAP authentication in mixed sharded cluster deployments that contain both version 2.4 and version 2.6 shards. See Upgrade MongoDB to 2.6 for upgrade instructions.
Use secure encrypted or trusted connections between clients and the server,
as well as between saslauthd and the LDAP server. The LDAP server uses
the SASL PLAIN mechanism, sending and receiving data in plain text.
You should use only a trusted channel such as a VPN, a connection encrypted
with TLS/SSL, or a trusted wired network.
MongoDB Configuration
To configure the MongoDB server to use the LDAP authentication mechanism, use the following command line options:
--auth to enable access control, --authenticationMechanisms set to PLAIN, and --saslauthdPath parameter set to the path to the Unix-domain socket of the saslauthd instance.
Or, if using the YAML configuration file, use the following settings:
security.authorization set to enabled, setParameter.authenticationMechanisms set to PLAIN, and setParameter.saslauthdPath set to the path to the Unix-domain socket of the saslauthd instance.
LDAP User
In order to authenticate a user with the LDAP authentication mechanism,
add a corresponding user to the
$external database. You do not need to save the user’s password in
MongoDB.
The $external database is the authentication database for the LDAP user. To authenticate the LDAP
user, you must authenticate against the $external database. When
authenticating, specify PLAIN for the authentication mechanism.
LDAP authentication requires that MongoDB forward the user’s password in
plain text. As such, you must specify digestPassword set to false
during authentication.
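The steps above as mongo shell helpers. This is an added example, not code from the MongoDB documentation: the helper names, the user name `ldap.reader` and the `records` database are hypothetical, and the check through the `getParameter` command is an addition that the page does not describe.

```javascript
// Added example for the legacy mongo shell; helper names are hypothetical.
var EXTERNAL_DB = "$external"; // authentication database for LDAP users

// True when the server was started with PLAIN among authenticationMechanisms.
function plainEnabled(db) {
  var res = db.adminCommand({ getParameter: 1, authenticationMechanisms: 1 });
  var mechs = (res && res.authenticationMechanisms) || [];
  return mechs.indexOf("PLAIN") !== -1;
}

// User document for an LDAP-backed user: no pwd field, because the
// password stays in the directory and is never stored in MongoDB.
function ldapUserDoc(name, roles) {
  if (typeof name !== "string" || name.length === 0) {
    throw new Error("user name required");
  }
  if (!Array.isArray(roles)) {
    throw new Error("roles must be an array");
  }
  return { user: name, roles: roles };
}

// Credentials document for PLAIN: digestPassword false forwards the
// password undigested so saslauthd can check it against LDAP.
function ldapAuthDoc(name, password) {
  return { mechanism: "PLAIN", user: name, pwd: password, digestPassword: false };
}

// Create the user in $external, refusing if the server does not offer PLAIN.
function createLdapUser(db, name, roles) {
  if (!plainEnabled(db)) {
    throw new Error("PLAIN is not in authenticationMechanisms");
  }
  return db.getSiblingDB(EXTERNAL_DB).createUser(ldapUserDoc(name, roles));
}

// Authenticate against $external, never against the application database.
function authenticateLdapUser(db, name, password) {
  return db.getSiblingDB(EXTERNAL_DB).auth(ldapAuthDoc(name, password));
}

// Shell usage (constructed names), over a TLS/SSL connection:
//   createLdapUser(db, "ldap.reader", [{ role: "read", db: "records" }]);
//   authenticateLdapUser(db, "ldap.reader", "<password>");
```

Because `pwd` travels undigested, run the authentication call only over one of the trusted channels listed under Considerations.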
Additional Information
For information on configuring MongoDB to use LDAP and authenticating users using LDAP, see: