DOCS-2751 reformat steps: Authenticate Using SASL and LDAP

source/core/authentication.txt

@@ -113,7 +113,8 @@ LDAP Proxy Authority Authentication
 `MongoDB Enterprise <http://www.mongodb.com/products/mongodb-enterprise>`_
 supports proxy authentication through a Lightweight Directory Access
 Protocol (LDAP) service. See
-:doc:`/tutorial/configure-ldap-sasl-authentication`.
+:doc:`/tutorial/configure-ldap-sasl-authentication-with-active-directory`
+and :doc:`/tutorial/configure-ldap-sasl-authentication-with-open-ldap`.
 
 .. include:: /includes/admonition-mongodb-enterprise-windows-ldap.rst
 

source/includes/steps-authenticate-through-ldap-active-directory.yaml

@@ -0,0 +1,5 @@
+stepnum: 1
+source:
+  file: steps-authenticate-through-ldap.yaml
+  ref: authenticate
+...

source/includes/steps-authenticate-through-ldap.yaml

@@ -0,0 +1,28 @@
+title: Authenticate the user in the ``mongo`` shell.
+stepnum: 1
+ref: authenticate
+pre: |
+  To perform the authentication in the :program:`mongo` shell, use the
+  :method:`db.auth()` method in the ``$external`` database.
+action:
+  pre: |
+    Specify the value ``"PLAIN"`` in the ``mechanism`` field, the user and
+    password in the ``user`` and ``pwd`` fields respectively, and the
+    value ``false`` in the ``digestPassword`` field. You **must** specify
+    ``false`` for ``digestPassword`` since the server must receive an
+    undigested password to forward on to ``saslauthd``, as in the
+    following example:
+  language: javascript
+  code: |
+    db.getSiblingDB("$external").auth(
+       {
+         mechanism: "PLAIN",
+         user: <username>,
+         pwd:  <cleartext password>,
+         digestPassword: false
+       }
+    )
+post:
+  The server forwards the password in plain text. In general, use only on
+  a trusted channel (VPN, SSL, trusted wired network).
+...

source/includes/steps-configure-ldap-sasl-authentication-with-active-directory.yaml

@@ -0,0 +1,73 @@
+title: Specify the mechanism.
+stepnum: 1
+ref: specify-mechanism
+action:
+  - pre: |
+      On systems that configure ``saslauthd`` with the
+      ``/etc/sysconfig/saslauthd`` file, such as Red Hat Enterprise Linux,
+      Fedora, CentOS, and Amazon Linux AMI, set the mechanism ``MECH`` to
+      ``ldap``:
+    language: javascript
+    code: |
+      MECH=ldap
+  - pre: |
+      On systems that configure ``saslauthd`` with the
+      ``/etc/default/saslauthd`` file, set the ``MECHANISMS`` option to
+      ``ldap``:
+    language: javascript
+    code: |
+      MECHANISMS="ldap"
+---
+title: Set the caching behavior.
+stepnum: 2
+ref: caching-behavior
+pre: |
+  On certain Linux distributions, ``saslauthd`` starts with the caching
+  of authentication credentials *enabled*. Until restarted or until the
+  cache expires, ``saslauthd`` will not contact the LDAP server to
+  re-authenticate users in its authentication cache. This allows
+  ``saslauthd`` to successfully authenticate users in its cache, even in
+  the LDAP server is down or if the cached users' credentials are revoked.
+action:
+  pre: |
+    To set the expiration time (in seconds) for the authentication cache, see
+    the `-t option <http://www.linuxcommand.org/man_pages/saslauthd8.html>`_ of
+    ``saslauthd``.
+---
+title: Configure ``saslauthd`` LDAP options.
+stepnum: 3
+ref: ldap-options
+pre: |
+  If the ``saslauthd.conf`` file does not exist, create it.
+  The ``saslauthd.conf`` file usually resides in the ``/etc``
+  folder. If specifying a different file path, see the
+  `-O option <http://www.linuxcommand.org/man_pages/saslauthd8.html>`_ of
+  ``saslauthd``.
+action:
+  - heading: Configure for Use with ActiveDirectory
+    pre: |
+      To use with ActiveDirectory, start ``saslauthd`` with the following
+      configuration options set in the ``saslauthd.conf`` file:
+    language: javascript
+    code: |
+      ldap_servers: <ldap uri>
+      ldap_use_sasl: yes
+      ldap_mech: DIGEST-MD5
+      ldap_auth_method: fastbind
+    post: |
+      For the ``<ldap uri>``, specify the uri of the ldap server. For
+      example, ``ldap_servers: ldaps://ad.example.net``.
+  - heading: Configure for Use with OpenLDAP
+    pre: |
+      .. include:: /includes/steps-configure-openldap.rst
+---
+title: Test the ``saslauthd`` configuration.
+stepnum: 4
+ref: 
+action:
+  pre: |
+    Use ``testsaslauthd`` utility. For example:
+  language: javascript
+  code: |
+    testsaslauthd -u testuser -p testpassword -f /var/run/saslauthd/mux
+...

source/includes/toc-security-tutorials-access-control.yaml

@@ -17,9 +17,13 @@ file: /tutorial/configure-x509
 description: |
   Use x.509 for client authentication and internal member authentication.
 ---
-file: /tutorial/configure-ldap-sasl-authentication
+file: /tutorial/configure-ldap-sasl-authentication-with-active-directory
 description: |
-  Describes for MongoDB Enterprise the process to authenticate with SASL/LDAP.
+  Describes authentication with SASL/LDAP and ActiveDirectory.
+---
+file: /tutorial/configure-ldap-sasl-authentication-with-open-ldap
+description: |
+  Describes authentication with SASL/LDAP and OpenLDAP.
 ---
 file: /tutorial/control-access-to-mongodb-with-kerberos-authentication
 description: |

source/release-notes/2.6.txt

@@ -337,7 +337,8 @@ MongoDB Enterprise provides support for proxy authentication of users.
 This allows administrators to configure a MongoDB cluster to
 authenticate users via Linux PAM or by proxying authentication requests
 to a specified Lightweight Directory Access Protocol (LDAP) service.
-See :doc:`/tutorial/configure-ldap-sasl-authentication`.
+See :doc:`/tutorial/configure-ldap-sasl-authentication-with-active-directory`
+and :doc:`/tutorial/configure-ldap-sasl-authentication-with-open-ldap`.
 
 .. include:: /includes/admonition-mongodb-enterprise-windows-ldap.rst
 

source/tutorial/add-user-to-database.txt

@@ -43,10 +43,10 @@ You can create a user without assigning roles, choosing instead to assign the
 roles later. To do so, create the user with an empty
 :data:`~admin.system.users.roles` array.
 
-.. [#external-auth-mechanisms] :doc:`Kerberos
-   </tutorial/control-access-to-mongodb-with-kerberos-authentication>`,
-   :doc:`LDAP </tutorial/configure-ldap-sasl-authentication>`, and
-   x.509 certificates provide external authentication mechanisms.
+.. [#external-auth-mechanisms] :doc:`/tutorial/control-access-to-mongodb-with-kerberos-authentication`,
+   :doc:`/tutorial/configure-ldap-sasl-authentication-with-active-directory`,
+   :doc:`/tutorial/configure-ldap-sasl-authentication-with-open-ldap`,
+   and x.509 certificates provide external authentication mechanisms.
 
 .. _add-user-prereq:
 

source/tutorial/configure-ldap-sasl-authentication-with-active-directory.txt

@@ -0,0 +1,109 @@
+=====================================================
+Authenticate Using SASL and LDAP with ActiveDirectory
+=====================================================
+
+.. default-domain:: mongodb
+
+Overview
+--------
+
+MongoDB Enterprise provides support for proxy authentication of users.
+This allows administrators to configure a MongoDB cluster to authenticate
+users via Linux PAM or by proxying authentication requests to a specified
+Lightweight Directory Access Protocol (LDAP) service.
+
+MongoDB does **not** support LDAP authentication in mixed sharded cluster
+deployments that contain both version 2.4 and version 2.6 shards. See
+:doc:`/release-notes/2.6-upgrade` for upgrade instructions.
+
+.. include:: /includes/admonition-mongodb-enterprise-windows-ldap.rst
+
+Considerations
+--------------
+
+Because the transmission of the username and password from the client to
+the MongoDB server, from the MongoDB server to ``saslauthd``, and from
+``saslauthd`` to the LDAP server uses ``SASL PLAIN`` mechanism, i.e. in
+**plain text**, you should, in general, use only on a trusted channel
+(VPN, SSL, trusted wired network).
+
+Procedures
+----------
+
+To use LDAP with ActiveDirectory, configure the ``saslauthd`` daemon
+process and the MongoDB server, as described here.
+
+Configure ``saslauthd`` to use ActiveDirectory as the Authentication Mechanism
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/steps/ldap-sasl-authentication-with-active-directory.rst
+
+Configure MongoDB Server to use ``saslauthd`` for Authentication
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To configure the MongoDB server to use ``saslauthd`` set the following
+options. Use either the :doc:`configuration file
+</reference/configuration-options>` or the command line:
+
+- :setting:`auth`. This option enables authentication and authorization.
+  Either set :setting:`auth` to ``true`` in the configuration file or
+  enable :option:`--auth` on the command-line.
+
+- :parameter:`authenticationMechanisms`. Set this parameter to ``PLAIN``.
+
+  - If using the configuration file, set the following:
+
+    .. code-block:: sh
+
+       setParameter=authenticationMechanisms=PLAIN
+
+  - If using the command line, use :doc:`--setParameter
+    </reference/parameters>` to set the following:
+
+    .. code-block:: sh
+
+       --setParameter authenticationMechanisms=PLAIN
+
+- :parameter:`saslauthdPath`. Set this parameter to the path of the
+  Unix-domain Socket of the ``saslauthd`` instance.
+
+  For example, to set this option in the configuration file for a system
+  that uses ``/etc/sysconfig/saslauthd``, set the following:
+
+  .. code-block:: sh
+
+     setParameter=saslauthdPath=/etc/sysconfig/saslauthd/mux
+
+  To use the default Unix-domain socket path, set
+  :parameter:`saslauthdPath` to the empty string ``""``.
+
+The following example sets the parameters using a :doc:`configuration file
+</reference/configuration-options>`:
+
+.. code-block:: sh
+
+   auth=true
+   setParameter=authenticationMechanisms=PLAIN
+   setParameter=saslauthdPath=/<path>/saslauthd/mux
+
+Add a User for Authentication
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add the user to the ``$external`` database in MongoDB. To specify the
+user's privileges, assign :doc:`roles </core/authorization>` to the user.
+For example, the following adds a user with read-only access to the
+records database:
+
+.. code-block:: sh
+
+   db.getSiblingDB("$external").createUser(
+       {
+           user : <username>,
+           roles: [ { role: "read", db: "records" } ]
+       }
+   )
+
+Authenticate a Client
+~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/steps/authenticate-through-ldap-active-directory.rst