mongodb
diff --git a/‎source/includes/fact-example-secret-prefix-cluster-file.rst
Lines changed: 3 additions & 3 deletions b/‎source/includes/fact-example-secret-prefix-cluster-file.rst
Lines changed: 3 additions & 3 deletions
diff --git a/‎source/includes/list-tables/ldap-settings.rst
Lines changed: 104 additions & 0 deletions b/‎source/includes/list-tables/ldap-settings.rst
Lines changed: 104 additions & 0 deletions
diff --git a/‎source/includes/options-k8s-shared.yaml
Lines changed: 1 addition & 1 deletion b/‎source/includes/options-k8s-shared.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎source/includes/steps-add-database-user-ldap.yaml
Lines changed: 196 additions & 0 deletions b/‎source/includes/steps-add-database-user-ldap.yaml
Lines changed: 196 additions & 0 deletions
diff --git a/‎source/includes/steps-add-database-user-secret-scram.yaml
Lines changed: 0 additions & 4 deletions b/‎source/includes/steps-add-database-user-secret-scram.yaml
Lines changed: 0 additions & 4 deletions
diff --git a/‎source/includes/steps-add-database-user.yaml
Lines changed: 9 additions & 11 deletions b/‎source/includes/steps-add-database-user.yaml
Lines changed: 9 additions & 11 deletions
@@ -1,7 +1,7 @@
 .. example::
 
-   If you call your deployment ``my-replica-set`` and you set the 
+   If you call your deployment ``my-deployment`` and you set the 
    prefix to ``mdb``, you must name the |tls| secret for the
-   client |tls| communications ``mdb-my-replica-set-cert``. Also, 
+   client |tls| communications ``mdb-my-deployment-cert``. Also, 
    you must name the |tls| secret for internal cluster authentication 
-   (if enabled) ``mdb-my-replica-set-clusterfile``.
+   (if enabled) ``mdb-my-deployment-clusterfile``.
@@ -0,0 +1,104 @@
+.. list-table::
+   :widths: 45 10 20 25
+   :header-rows: 1
+
+   * - Key
+     - Type and necessity
+     - Description
+     - Example
+
+   * - | ``spec.security``
+       | :setting:`.authentication.enabled<spec.security.authentication.enabled>`
+     - | boolean,
+       | required
+     - Set to ``true`` to enable LDAP authentication.
+     - ``true``
+
+   * - | ``spec.security``
+       | :setting:`.authentication.ldap.bindQueryUser<spec.security.authentication.ldap.bindQueryUser>`
+     - | string,
+       | required
+     - Specify the LDAP Distinguished Name to which MongoDB binds when
+       connecting to the LDAP server.
+     - ``cn=admin,dc=example,dc=org``
+
+   * - | ``spec.security``
+       | :setting:`.authentication.ldap.bindQueryPasswordSecretRef<spec.security.authentication.ldap.bindQueryPasswordSecretRef.name>`
+     - | string,
+       | required
+     - Specify the name of the |k8s-secret| that contains the
+       LDAP Bind Distinguished Name's password with which MongoDB binds
+       when connecting to an LDAP server.
+     - ``<secret-name>``
+
+   * - | ``spec.security``
+       | :setting:`.authentication.ldap.caConfigMapRef.name<spec.security.authentication.ldap.caConfigMapRef.name>`
+     - | string,
+       | optional
+     - Add the |k8s-configmap|\'s name that stores the custom |certauth|
+       that you used to sign your deployment's |tls| certificates.
+     - ``<configmap-name>``
+
+   * - | ``spec.security``
+       | :setting:`.authentication.ldap.caConfigMapRef.key<spec.security.authentication.ldap.caConfigMapRef.key>`
+     - | string,
+       | optional
+     - Add the field name that stores the |certauth| which validates the
+       LDAP server's |tls| certificate.
+     - ``<configmap-key>``
+
+   * - | ``spec.security``
+       | :setting:`.authentication.ldap.servers<spec.security.authentication.ldap.servers>`
+     - | array of strings,
+       | required
+     - Specify the list of ``hostname:port`` combinations of one or more
+       LDAP servers. For each server, use a separate line.
+     - ``<example.com:636>``
+
+   * - | ``spec.security``
+       | :setting:`.authentication.ldap.transportSecurity<spec.security.authentication.ldap.transportSecurity>`
+     - | string,
+       | optional
+     - Set to ``tls`` to use LDAPS (LDAP over |tls|). Leave blank if your
+       LDAP server doesn't accept TLS.
+     - ``tls``
+
+   * - | ``spec.security``
+       | :setting:`.authentication.ldap.userToDNMapping<spec.security.authentication.ldap.userToDNMapping>`
+     - | string,
+       | required
+     - Specify the mapping that maps the username provided to
+       :binary:`~bin.mongod` or :binary:`~bin.mongos` for authentication
+       to an LDAP Distinguished Name (DN).
+
+       To learn more, see :manual:`security.ldap.userToDNMapping
+       </reference/configuration-options/#security.ldap.userToDNMapping>`
+       and :manual:`LDAP Query Templates
+       </core/security-ldap-external/#ldap-query-template>` in the
+       MongoDB Server documentation.
+     - ``<match: "(.+)",substitution: "uid={0},ou=groups,dc=example,dc=org">``
+
+   * - | ``spec.security``
+       | :setting:`.authentication.modes<spec.security.authentication.modes>`
+     - | string,
+       | required
+     - Set to ``LDAP`` to enable authentication through LDAP.
+     - ``LDAP``
+
+   * - | ``spec.security``
+       | :setting:`.certsSecretPrefix<spec.security.certsSecretPrefix>`
+     - | string,
+       | optional
+     - Add the ``<prefix>`` of the secret name that contains your
+       MongoDB deployment's |tls| certificates.
+
+       .. include:: /includes/fact-example-secret-prefix-cluster-file.rst
+     - ``devDb``
+
+   * - | ``spec.security``
+       | :setting:`.tls.ca<spec.security.tls.ca>`
+     - | string,
+       | optional
+     - Add the |k8s-configmap|\'s name that stores the custom |certauth|
+       that you used to sign your deployment's |tls| certificates.
+     - ``<custom-ca>``
@@ -1001,7 +1001,7 @@ type: string
 directive: setting
 description: |
 
-  Name of the user the that {+mdbagent+}s use to interact with your
+  Name of the user that the {+mdbagent+}s use to interact with your
   MongoDB deployment. The username is mapped to an LDAP Distinguished
   Name (DN) according to
   :setting:`spec.security.authentication.ldap.userToDNMapping`. The
 
@@ -0,0 +1,196 @@
+---
+ref: configure-kubectl-user
+stepnum: 1
+inherit:
+  file: steps-configure-kubectl-namespace.yaml
+  ref: configure-kubectl-namespace
+---
+title: "Copy the following example |k8s-crd|."
+level: 4
+stepnum: 2
+ref: copy-k8s-user-crd
+content: |
+
+  .. literalinclude:: /reference/k8s/example-ldap-user.yaml
+     :language: yaml
+
+---
+title: "Open your preferred text editor and paste the example |k8s-crd| into a new text file."
+stepnum: 3
+level: 4
+ref: paste-k8s-crd
+---
+title: "Change the lines for the following parameters, as needed."
+level: 4
+stepnum: 4
+ref: change-k8s-user-crd
+content: |
+
+  Use the following table to guide you through changing the relevant
+  lines in the|k8s-crd|. For a full list of LDAP user settings, see
+  :ref:`security settings <security-settings>` in the |k8s-op-short|
+  MongoDB resource specification.
+
+  .. list-table::
+     :widths: 20 10 50 20
+     :header-rows: 1
+
+     * - Key
+       - Type
+       - Description
+       - Example
+
+     * - ``metadata.name``
+       - string
+       - The name of the resource for the MongoDB database user.
+
+         .. include:: /includes/fact-resource-name-char-limit.rst
+       
+       - ``ldap-user-1``
+
+     * - ``spec.db``
+       - string
+       - The name of the MongoDB database where users will be added. This
+         value must be ``$external``.
+       - ``$external``
+
+     * - ``spec.mongodbResourceRef.name``
+       - string
+       - The name of the :ref:`MongoDB resource <k8s-deploy-mdb-resources>`
+         to which this user is associated.
+       - ``my-resource``
+
+     * - ``spec.opsManager.configMapRef.name``
+       - string
+       - The name of the project containing the MongoDB database
+         where the user will be added. The
+         :setting:`spec.cloudManager.configMapRef.name` setting is an
+         alias for this setting and can be used in its place.
+       - ``my-project``
+
+     * - ``spec.roles.db``
+       - string
+       - The database the :ref:`role <roles>` can act on.
+       - ``admin``
+
+     * - ``spec.roles.name``
+       - string
+       - The name of the :ref:`role <roles>` to grant the database user.
+         The role name can be any :ref:`built-in MongoDB role <built-in-roles>`
+         or :opsmgr:`custom role </tutorial/manage-mongodb-roles>` that
+         exists in |com|.
+       - ``readWriteAnyDatabase``
+
+     * - ``spec.username``
+       - string
+       - The authenticated username that is mapped to an LDAP Distinguished
+         Name (DN) according to
+         :setting:`spec.security.authentication.ldap.userToDNMapping`.
+         The DN must already exist in your LDAP deployment.
+         This username must comply with the `RFC 2253 <https://tools.ietf.org/html/rfc2253>`__
+         LDAPv3 Distinguished Name standard. :setting:`transformed <security.ldap.userToDNMapping>`
+       
+         To learn more, see
+         :manual:`LDAP Query Templates
+         </core/security-ldap-external/#ldap-query-template>` in the
+         MongoDB Manual.
+       - ``uid=mdb0,dc=example,dc=org``
+
+
+---
+title: "Add any additional roles for the user to the |k8s-crd|."
+level: 4
+stepnum: 5
+ref: add-additional-roles-k8s-user
+content: |
+  You may grant additional roles to this user using the format defined
+  in the following example:
+
+  .. code-block:: yaml
+     :copyable: false
+
+     ---
+     apiVersion: mongodb.com/v1
+     kind: MongoDBUser
+     metadata:
+       name: ldap-user-1
+     spec:
+       username: "uid=mdb0,dc=example,dc=org"
+       db: "$external"
+       mongodbResourceRef:
+         name: ldap-replica-set
+       roles:
+       - db: "admin"
+         name: "clusterAdmin"
+       - db: "admin"
+         name: "readWriteAnyDatabase"
+       - db: "admin"
+         name: "dbAdminAnyDatabase"
+
+     ...
+
+---
+title: "Create the user."
+level: 4
+stepnum: 6
+ref: create-k8s-user
+content: |
+
+  Invoke the following |k8s| command to create your database user:
+
+  .. code-block:: sh
+
+     kubectl apply -f <database-user-conf>.yaml
+
+  The following examples illustrate the connection string formats that you
+  can use when enabling authentication with LDAP in |k8s-op-short| MongoDB
+  deployments. These examples use the ``mongodb`` namespace and a replica
+  set deployment named ``replica-set-ldap``. The examples are similar for
+  sharded clusters.
+
+  - ``connectionString.standard``::manual:`Standard connection string
+    </reference/connection-string#std-label-connections-standard-connection-string-format>`
+    that can connect you to the database as this database user.
+
+    .. code-block:: sh
+
+       mongodb://replica-set-ldap-0-0-svc.mongodb.svc.cluster.local/?connectTimeoutMS=20000&replicaSet=replica-set-ldap&serverSelectionTimeoutMS=20000&ssl=true&authSource=$external
+
+  - ``connectionString.standardSrv``: :manual:`DNS seed list connection string
+    </reference/connection-string/#dns-seed-list-connection-format>` that
+    can connect you to the database as this database user.
+
+    .. code-block:: sh
+
+       mongodb+srv://replica-set-ldap-svc.mongodb.svc.cluster.local/?connectTimeoutMS=20000&replicaSet=replica-set-ldap&serverSelectionTimeoutMS=20000&ssl=true&authSource=$external
+
+  Using the previously-shown formats, you can connect to the MongoDB
+  database with the MongoDB Shell (``mongosh``), as in the following
+  example:
+
+  .. code-block:: sh
+
+     mongosh <connection-string> \
+       --host <my-replica-set>/web1.example.com \
+       --port 30907 \
+       --authenticationMechanism PLAIN \
+       --username cn=rob,cn=Users,dc=ldaps-01,dc=myteam,dc=com
+
+  You can use these credentials to
+  :ref:`connect to a MongoDB Database Resource from Inside Kubernetes <connect-from-inside-k8s>`.
+
+---
+title: "View the newly created user in |com|."
+level: 4
+stepnum: 7
+ref: view-k8s-user
+content: |
+
+  You can view the newly-created user in |com|:
+
+  1. From the Project's :guilabel:`Deployment` view, click
+     the :guilabel:`Security` tab.
+
+  #. Click the :guilabel:`MongoDB Users` nested tab.
+
+...
@@ -16,16 +16,12 @@ content: |
   .. literalinclude:: /reference/k8s/example-scram-user-secret.yaml
      :language: yaml
      :linenos:
-     :lines: 1-10,14
-     :emphasize-lines: 5, 9
 
   or you can choose to use a Base64-encoded password:
 
   .. literalinclude:: /reference/k8s/example-scram-user-secret.yaml
      :language: yaml
      :linenos:
-     :lines: 1-7,11-14
-     :emphasize-lines: 5, 9
 
   .. note::
 
 
@@ -5,30 +5,29 @@ inherit:
   file: steps-configure-kubectl-namespace.yaml
   ref: configure-kubectl-namespace
 ---
-title: "Copy the following example |k8s-configmap|."
+title: "Copy the following example |k8s-crd|."
 level: 4
 stepnum: 2
-ref: copy-k8s-user-configmap
+ref: copy-k8s-user-crd
 content: |
 
   .. literalinclude:: /reference/k8s/example-x509-user.yaml
      :language: yaml
-     :emphasize-lines: 5,7-8,11-13
 
 ---
-title: "Open your preferred text editor and paste the example ConfigMap into a new text file."
+title: "Open your preferred text editor and paste the example |k8s-crd| into a new text file."
 stepnum: 3
 level: 4
-ref: paste-k8s-configmap
+ref: paste-k8s-crd
 ---
-title: "Change the five highlighted lines."
+title: "Change the lines for the following parameters, as needed."
 level: 4
 stepnum: 4
-ref: change-k8s-user-configmap
+ref: change-k8s-user-crd
 content: |
 
-  Use the following table to guide you through changing the highlighted
-  lines in the ConfigMap:
+  Use the following table to guide you through changing the relevant
+  lines in the |k8s-crd|:
 
   .. list-table::
    :widths: 20 20 40 20
@@ -97,7 +96,7 @@ content: |
        in |com|.
      - ``readWriteAnyDatabase``
 ---
-title: "Add any additional roles for the user to the ConfigMap."
+title: "Add any additional roles for the user to the |k8s-crd|."
 level: 4
 stepnum: 5
 ref: add-additional-roles-k8s-user
@@ -107,7 +106,6 @@ content: |
 
   .. code-block:: yaml
      :copyable: false
-     :emphasize-lines: 10-14
 
      ---
      apiVersion: mongodb.com/v1