diff --git a/source/includes/admonition-mongodb-enterprise-windows-ldap.rst b/source/includes/admonition-mongodb-enterprise-windows-ldap.rst deleted file mode 100644 index 531aaf93f68..00000000000 --- a/source/includes/admonition-mongodb-enterprise-windows-ldap.rst +++ /dev/null @@ -1,2 +0,0 @@ -MongoDB Enterprise for Windows does **not** include LDAP support for -authentication. diff --git a/source/includes/admonition-saslauthd-ldap-considerations.rst b/source/includes/admonition-saslauthd-ldap-considerations.rst new file mode 100644 index 00000000000..1b53593cb6c --- /dev/null +++ b/source/includes/admonition-saslauthd-ldap-considerations.rst @@ -0,0 +1,14 @@ +MongoDB Enterprise for Windows does **not** include LDAP support for +authentication. + +MongoDB does **not** support LDAP authentication in mixed sharded +cluster deployments that contain both version 2.4 and version 2.6 +shards. See :doc:`/release-notes/2.6-upgrade` for upgrade instructions. + +.. _ldap-password-in-plaintext: + +Use secure encrypted or trusted connections between clients and the server, +as well as between ``saslauthd`` and the LDAP server. The LDAP server uses +the ``SASL PLAIN`` mechanism, sending and receiving data in **plain text**. +You should use only a trusted channel such as a VPN, a connection encrypted +with SSL, or a trusted wired network. diff --git a/source/includes/steps-configure-ldap-mongodb.yaml b/source/includes/steps-configure-ldap-mongodb.yaml index 867fe8a2ef3..0be90c0f9fc 100644 --- a/source/includes/steps-configure-ldap-mongodb.yaml +++ b/source/includes/steps-configure-ldap-mongodb.yaml @@ -40,6 +40,9 @@ pre: | :doc:`--setParameter ` or the :doc:`configuration file `. Specify additional configurations as appropriate for your configuration. + + If you use the :setting:`~security.authorization` option to enforce + authentication, you will need privileges to create a user. action: - heading: Use specific ``saslauthd`` socket path. pre: | 
diff --git a/source/includes/steps-configure-ldap-saslauthd.yaml b/source/includes/steps-configure-ldap-saslauthd-activedir.yaml similarity index 59% rename from source/includes/steps-configure-ldap-saslauthd.yaml rename to source/includes/steps-configure-ldap-saslauthd-activedir.yaml index ad6798c5f6e..b47c3ec12dd 100644 --- a/source/includes/steps-configure-ldap-saslauthd.yaml +++ b/source/includes/steps-configure-ldap-saslauthd-activedir.yaml @@ -34,7 +34,7 @@ action: the `-t option `_ of ``saslauthd``. --- -title: Configure with LDAP Options. +title: Configure LDAP Options with ActiveDirectory. stepnum: 3 ref: ldap-options pre: | @@ -44,7 +44,6 @@ pre: | `-O option `_ of ``saslauthd``. action: - - heading: Configure for Use with ActiveDirectory pre: | To use with ActiveDirectory, start ``saslauthd`` with the following configuration options set in the ``saslauthd.conf`` file: 
@@ -57,44 +56,6 @@ action: post: | For the ````, specify the uri of the ldap server. For example, ``ldap_servers: ldaps://ad.example.net``. - - heading: Configure for Use with OpenLDAP - pre: | - To connect to an OpenLDAP server, update the ``saslauthd.conf`` - file with the following configuration options: - language: none - code: | - ldap_servers: - ldap_search_base: - ldap_filter: - post: | - The ``ldap_servers`` specifies the uri of the LDAP server used - for authentication. In general, for OpenLDAP installed on the - local machine, you can specify the value ``ldap://localhost:389`` - or if using LDAP over SSL, you can specify the value - ``ldaps://localhost:636``. - - The ``ldap_search_base`` specifies distinguished name to which - the search is relative. The search includes the base or objects - below. - - The ``ldap_filter`` specifies the search filter. - - The values for these configuration options should correspond to the - values specific for your test. For example, to filter on email, specify - ``ldap_filter: (mail=%n)`` instead. - - heading: Example - pre: | - A sample ``saslauthd.conf`` file for OpenLDAP includes the following content: - language: none - code: | - ldap_servers: ldaps://ad.example.net - ldap_search_base: ou=Users,dc=example,dc=com - ldap_filter: (uid=%u) - post: | - To use this sample OpenLDAP configuration, create users with a ``uid`` - attribute (login name) and place under the ``Users`` organizational - unit (``ou``) under the domain components (``dc``) ``example`` and - ``com``. For more information on ``saslauthd`` configuration, see ``_. diff --git a/source/includes/steps-configure-ldap-saslauthd-openldap.yaml b/source/includes/steps-configure-ldap-saslauthd-openldap.yaml new file mode 100644 index 00000000000..eff2a38663b --- /dev/null +++ b/source/includes/steps-configure-ldap-saslauthd-openldap.yaml 
@@ -0,0 +1,66 @@ +stepnum: 1 +source: + ref: specify-mechanism + file: steps-configure-ldap-saslauthd-activedir.yaml +--- +stepnum: 2 +source: + ref: caching-behavior + file: steps-configure-ldap-saslauthd-activedir.yaml +--- +title: Configure LDAP Options with OpenLDAP. +stepnum: 3 +ref: ldap-options +pre: | + If the ``saslauthd.conf`` file does not exist, create it. + The ``saslauthd.conf`` file usually resides in the ``/etc`` + folder. If specifying a different file path, see the + `-O option `_ of + ``saslauthd``. +action: + - pre: | + To connect to an OpenLDAP server, update the ``saslauthd.conf`` + file with the following configuration options: + language: none + code: | + ldap_servers: + ldap_search_base: + ldap_filter: + post: | + The ``ldap_servers`` specifies the uri of the LDAP server used + for authentication. In general, for OpenLDAP installed on the + local machine, you can specify the value ``ldap://localhost:389`` + or if using LDAP over SSL, you can specify the value + ``ldaps://localhost:636``. + + The ``ldap_search_base`` specifies distinguished name to which + the search is relative. The search includes the base or objects + below. + + The ``ldap_filter`` specifies the search filter. + + The values for these configuration options should correspond to the + values specific for your test. For example, to filter on email, specify + ``ldap_filter: (mail=%n)`` instead. + - heading: OpenLDAP Example + pre: | + A sample ``saslauthd.conf`` file for OpenLDAP includes the following content: + language: none + code: | + ldap_servers: ldaps://ad.example.net + ldap_search_base: ou=Users,dc=example,dc=com + ldap_filter: (uid=%u) + post: | + To use this sample OpenLDAP configuration, create users with a ``uid`` + attribute (login name) and place under the ``Users`` organizational + unit (``ou``) under the domain components (``dc``) ``example`` and + ``com``. + + For more information on ``saslauthd`` configuration, see + ``_. 
+--- +stepnum: 4 +source: + ref: test-saslauthd-conf + file: steps-configure-ldap-saslauthd-activedir.yaml +... diff --git a/source/includes/toc-security-tutorials-access-control.yaml b/source/includes/toc-security-tutorials-access-control.yaml index 3203cc334b4..004ac0674e4 100644 --- a/source/includes/toc-security-tutorials-access-control.yaml +++ b/source/includes/toc-security-tutorials-access-control.yaml @@ -17,9 +17,13 @@ file: /tutorial/configure-x509 description: | Use x.509 for client authentication and internal member authentication. --- -file: /tutorial/configure-ldap-sasl-authentication +file: /tutorial/configure-ldap-sasl-activedirectory description: | - Describes the process for authentication with SASL/LDAP. + Describes the process for authentication using SASL/LDAP with ActiveDirectory. +--- +file: /tutorial/configure-ldap-sasl-openldap +description: | + Describes the process for authentication using SASL/LDAP with OpenLDAP. --- file: /tutorial/control-access-to-mongodb-with-kerberos-authentication description: | diff --git a/source/tutorial/configure-ldap-sasl-activedirectory.txt b/source/tutorial/configure-ldap-sasl-activedirectory.txt new file mode 100644 index 00000000000..9175d19ae2a --- /dev/null +++ b/source/tutorial/configure-ldap-sasl-activedirectory.txt 
@@ -0,0 +1,28 @@ +===================================================== +Authenticate Using SASL and LDAP with ActiveDirectory +===================================================== + +.. default-domain:: mongodb + +MongoDB Enterprise provides support for proxy authentication of users. +This allows administrators to configure a MongoDB cluster to +authenticate users by proxying authentication requests to a specified +Lightweight Directory Access Protocol (LDAP) service. + +Considerations +-------------- + +.. include:: /includes/admonition-saslauthd-ldap-considerations.rst + +Configure ``saslauthd`` +----------------------- + +LDAP support for user authentication requires proper configuration of +the ``saslauthd`` daemon process as well as the MongoDB server. + +.. include:: /includes/steps/configure-ldap-saslauthd-activedir.rst + +Configure MongoDB +----------------- + +.. include:: /includes/steps/configure-ldap-mongodb.rst diff --git a/source/tutorial/configure-ldap-sasl-authentication.txt b/source/tutorial/configure-ldap-sasl-authentication.txt deleted file mode 100644 index 1196ef652fe..00000000000 --- a/source/tutorial/configure-ldap-sasl-authentication.txt +++ /dev/null 
@@ -1,40 +0,0 @@ -================================ -Authenticate Using SASL and LDAP -================================ - -.. default-domain:: mongodb - -MongoDB Enterprise provides support for proxy authentication of users. -This allows administrators to configure a MongoDB cluster to -authenticate users by proxying authentication requests to a specified -Lightweight Directory Access Protocol (LDAP) service. - -.. include:: /includes/admonition-mongodb-enterprise-windows-ldap.rst - -MongoDB does **not** support LDAP authentication in mixed sharded -cluster deployments that contain both version 2.4 and version 2.6 -shards. See :doc:`/release-notes/2.6-upgrade` for upgrade instructions. - -.. _ldap-password-in-plaintext: - -Considerations --------------- - -Because the transmission of the username and password from the client -to the MongoDB server, from the MongoDB server to ``saslauthd``, and -from ``saslauthd`` to the LDAP server uses ``SASL PLAIN`` mechanism, -i.e. in **plain text**, you should, in general, use only on a trusted -channel (VPN, SSL, trusted wired network). - -Configure ``saslauthd`` ------------------------ - -LDAP support for user authentication requires proper configuration of -the ``saslauthd`` daemon process as well as the MongoDB server. - -.. include:: /includes/steps/configure-ldap-saslauthd.rst - -Configure MongoDB ------------------ - -.. include:: /includes/steps/configure-ldap-mongodb.rst diff --git a/source/tutorial/configure-ldap-sasl-openldap.txt b/source/tutorial/configure-ldap-sasl-openldap.txt new file mode 100644 index 00000000000..d282a5851d5 --- /dev/null +++ b/source/tutorial/configure-ldap-sasl-openldap.txt 
@@ -0,0 +1,28 @@ +============================================== +Authenticate Using SASL and LDAP with OpenLDAP +============================================== + +.. default-domain:: mongodb + +MongoDB Enterprise provides support for proxy authentication of users. +This allows administrators to configure a MongoDB cluster to +authenticate users by proxying authentication requests to a specified +Lightweight Directory Access Protocol (LDAP) service. + +Considerations +-------------- + +.. include:: /includes/admonition-saslauthd-ldap-considerations.rst + +Configure ``saslauthd`` +----------------------- + +LDAP support for user authentication requires proper configuration of +the ``saslauthd`` daemon process as well as the MongoDB server. + +.. include:: /includes/steps/configure-ldap-saslauthd-openldap.rst + +Configure MongoDB +----------------- + +.. include:: /includes/steps/configure-ldap-mongodb.rst
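Review bot: the rewritten plaintext warning in source/includes/admonition-saslauthd-ldap-considerations.rst misattributes the mechanism: "The LDAP server uses the ``SASL PLAIN`` mechanism" is not what the deleted paragraph said, which was that the username and password travel in plain text on every hop (client to MongoDB, MongoDB to ``saslauthd``, ``saslauthd`` to the LDAP server). PLAIN is the SASL mechanism the MongoDB client speaks; the LDAP server only sees the bind that ``saslauthd`` performs. Suggest restoring the three-hop wording, e.g. "The client sends credentials to MongoDB with the ``SASL PLAIN`` mechanism, and MongoDB forwards them in plain text to ``saslauthd`` and on to the LDAP server", so the reader understands that every hop, not only the ``saslauthd``-to-LDAP leg, needs an encrypted or trusted channel. Separately, the ``.. _ldap-password-in-plaintext:`` label now sits in an include that both new tutorials pull in, so Sphinx will report a duplicate label and any ``:ref:`` to it becomes ambiguous; define the label in the tutorial page(s) rather than in the shared include.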
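Review bot: the sentence added to source/includes/steps-configure-ldap-mongodb.yaml ("If you use the :setting:`~security.authorization` option to enforce authentication, you will need privileges to create a user") is imprecise on two counts: ``security.authorization`` enables role-based access control (authorization, not authentication), and it does not say which privileges are needed or how to obtain them. Suggest: "If ``security.authorization`` is enabled, connect as a user with privileges to create users (for example, a user granted the ``userAdminAnyDatabase`` role) before adding the LDAP-authenticated user."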
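Review bot: in the ``@@ -44,7 +44,6 @@`` hunk of source/includes/steps-configure-ldap-saslauthd-activedir.yaml, deleting the ``- heading: Configure for Use with ActiveDirectory`` line also deletes the sequence marker, leaving ``pre: |`` under ``action:`` with no leading ``- ``. ``action`` is a list of items everywhere else (``- heading: Use specific ``saslauthd`` socket path.`` in steps-configure-ldap-mongodb.yaml, and the new OpenLDAP file correctly writes ``- pre: |``), so this hunk either produces invalid YAML or silently turns ``action`` into a mapping that the steps renderer will not handle. Change the context line to ``- pre: |`` to match the OpenLDAP file.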
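Review bot: the ``@@ -57,44 +56,6 @@`` hunk of source/includes/steps-configure-ldap-saslauthd-activedir.yaml removes the "For more information on ``saslauthd`` configuration, see ..." sentence along with the OpenLDAP block, so the ActiveDirectory page no longer links to the ``saslauthd`` LDAP documentation while the OpenLDAP page does. Keep that sentence in the ``post:`` block that remains in the ActiveDirectory step. Also, the surviving context line reads "For the ````, specify the uri of the ldap server" with an empty literal; confirm the placeholder is actually present in the source, and write "URI" and "LDAP" in capitals as elsewhere in the file.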
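Review bot: in the new source/includes/steps-configure-ldap-saslauthd-openldap.yaml the OpenLDAP example sets ``ldap_servers: ldaps://ad.example.net``, the ActiveDirectory host name, immediately after the text recommends ``ldaps://localhost:636`` for a local OpenLDAP instance; use an OpenLDAP-appropriate value such as ``ldaps://localhost:636`` so the example matches its explanation. The two filter examples also use different substitution tokens, ``(uid=%u)`` and ``(mail=%n)``; state what each expands to or use one token consistently, otherwise the reader cannot tell which to choose. Minor wording in the same block: "specifies distinguished name" should read "specifies the distinguished name", "values specific for your test" should read "values specific to your deployment", and "uri" should be "URI".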
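Review bot: this patch deletes source/tutorial/configure-ldap-sasl-authentication.txt and source/includes/admonition-mongodb-enterprise-windows-ldap.rst but adds no redirect and the TOC change in toc-security-tutorials-access-control.yaml simply replaces the old entry. Any external link or ``:doc:`` reference to ``/tutorial/configure-ldap-sasl-authentication`` will now 404 or fail the build, and any other page still including the deleted admonition will break. Add a redirect from the old tutorial path (to the ActiveDirectory page, or to a short page linking both new tutorials) and grep the tree for both removed paths before merging.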
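Review bot: the two new tutorial pages, source/tutorial/configure-ldap-sasl-activedirectory.txt and source/tutorial/configure-ldap-sasl-openldap.txt, carry an identical introductory paragraph ("MongoDB Enterprise provides support for proxy authentication of users. ...") and identical "Configure ``saslauthd``" and "Configure MongoDB" boilerplate; move the shared prose into an include under source/includes/ so the two pages cannot drift apart, leaving only the title and the directory-specific steps include in each page.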