[DOCS-2445] Provide sample LDAP, MongoDB user/role mapping sync script Created: 19/Aug/13  Updated: 02/Feb/15  Resolved: 23/Sep/14

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: None
Fix Version/s: mongodb-2.6

Type: Task Priority: Major - P3
Reporter: Rob Young (Inactive) Assignee: David Hows
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File david-ldap.ldif, PNG File ldap users.png
Issue Links:
Depends
depends on RUBY-614 Implement SASL PLAIN Authentication S... Closed
Gantt Dependency
has to be done after DRIVERS-103 Manipulate user objects exclusively v... Closed
has to be done after RUBY-530 Implement GSSAPI (Kerberos) Authentic... Closed
Related
related to SERVER-9530 LDAP Support for User Role Resolution Closed
related to SERVER-12303 Group, Role-based Authentication/Auth... Closed

Description

MongoDB 2.6 will integrate LDAP authentication, allowing users to authenticate in MongoDB through a call to LDAP. MongoDB 2.6, however, will not automate syncing of MongoDB user and role mappings between MongoDB and LDAP; customers will still have to manually update user credentials within MongoDB.

To simplify this, MongoDB will provide a sample script that will allow users to sync changes made to LDAP user and role mappings with their corresponding definitions in MongoDB. The script will be provided to work with a simple LDAP hierarchy that defines a MongoDB group and underlying users:

LDAP Organization - acme
LDAP MongoDB Group - MongoDB_dbAdminAnyDatabase
LDAP MongoDB User - Bob Jones

Users can then customize to meet their specific LDAP structures or requirements.

Functional requirements and proposed test plan are here:

https://docs.google.com/a/10gen.com/document/d/1s64LFwniLKMUlL_xs2Z1xOvIfVVD7fYEaYyPwaz_h8Y/edit?usp=sharing



Comments
Comment by Rob Young (Inactive) [ 22/Nov/13 ]

david.hows, barrie Can you guys please coordinate on the required driver changes?

Comment by David Hows [ 22/Oct/13 ]

Attached is an example of the hierarchy within LDAP that we suggest for making the synchronisation script.

Comment by Rob Young (Inactive) [ 17/Oct/13 ]

The functional requirement is still open for discussion, but I think we need to make these assumptions:

  • MongoDB roles (default or user-defined) must exist for the MongoDB instances using LDAP for authentication. The script we provide will sync LDAP user/group or role mappings with MongoDB user/role mappings, but will not create new MongoDB roles or update MongoDB role level privilege mappings. To do this, we would need to provide and maintain a defined LDAP schema for MongoDB, which is out of scope.
  • We need to brainstorm on if/how the script will add new MongoDB user/role mappings when needed. As you note, this requires more MongoDB user specific data from LDAP and adds complexity to the script implementation.

I will set up a call to discuss.
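Added example, not the script this ticket proposes nor any MongoDB-provided code: a Ruby sketch (the Ruby driver dependencies listed above suggest that language) of the planning step such a sync script needs, following the ticket's hierarchy and the two assumptions in this comment. The group names, user names, the `MongoDB_` group-name prefix convention, and the in-memory stand-ins for the LDAP directory and the MongoDB user/role state are all constructed; a real script would read group membership over an LDAP bind and apply the plan with `grantRolesToUser` / `revokeRolesFromUser`.

```ruby
# Constructed convention: an LDAP group "MongoDB_<role>" maps to MongoDB role <role>.
LDAP_GROUP_PREFIX = 'MongoDB_'

# Constructed LDAP snapshot modelled on the ticket's o=acme hierarchy
# (group cn => member uids). "Finance" is not a MongoDB group and is ignored.
LDAP_GROUPS = {
  'MongoDB_dbAdminAnyDatabase' => ['bob.jones'],
  'MongoDB_readAnyDatabase'    => ['bob.jones', 'alice.smith'],
  'MongoDB_auditReader'        => ['carol.lee'],   # role not defined in MongoDB
  'Finance'                    => ['bob.jones']
}

# Constructed MongoDB state: roles that exist, and current user => roles.
MONGO_ROLES = %w[dbAdminAnyDatabase readAnyDatabase readWriteAnyDatabase]
MONGO_USERS = {
  'bob.jones'   => ['dbAdminAnyDatabase', 'readWriteAnyDatabase'],
  'alice.smith' => []
}

# Desired role set per user, derived only from prefixed groups.
def desired_roles(ldap_groups, prefix = LDAP_GROUP_PREFIX)
  desired = Hash.new { |h, k| h[k] = [] }
  ldap_groups.each do |cn, members|
    next unless cn.start_with?(prefix)
    role = cn.delete_prefix(prefix)
    members.each { |m| desired[m] << role }
  end
  desired
end

# Plan grants and revokes. Roles unknown to MongoDB are reported, never created
# (assumption 1); users absent from MongoDB are reported, not created (assumption 2).
# Revoking roles no longer backed by an LDAP group keeps privileges least-privilege.
def plan_sync(ldap_groups, mongo_roles, mongo_users)
  plan = { grant: {}, revoke: {}, unknown_roles: [], missing_users: [] }
  desired = desired_roles(ldap_groups)
  desired.each do |user, roles|
    plan[:unknown_roles] |= (roles - mongo_roles)
    wanted = roles & mongo_roles
    next plan[:missing_users] << user unless mongo_users.key?(user)
    add = wanted - mongo_users[user]
    plan[:grant][user] = add.sort unless add.empty?
  end
  mongo_users.each do |user, current|
    drop = current - (desired.fetch(user, []) & mongo_roles)
    plan[:revoke][user] = drop.sort unless drop.empty?
  end
  plan
end

puts plan_sync(LDAP_GROUPS, MONGO_ROLES, MONGO_USERS).inspect if $PROGRAM_NAME == __FILE__
```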

Generated at Thu Feb 08 07:43:28 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.