[SERVER-6407] Authenticate users via LDAP proxy Created: 11/Jul/12  Updated: 27/Oct/15  Resolved: 01/May/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.0

Type: New Feature Priority: Major - P3
Reporter: Ian Whalen (Inactive) Assignee: Andy Schwerin
Resolution: Done Votes: 6
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-6406 Add authentication module Closed
depends on SERVER-7115 Modular Authentication support Closed
is depended on by CSHARP-747 support SASL PLAIN Closed
is depended on by DRIVERS-1887 Support SASL PLAIN authentication Closed
is depended on by SERVER-4319 MongoDB Authentication related querie... Closed
is depended on by SERVER-4321 MongoDB Logging Related Issue Closed
Related
related to SERVER-9529 Authenticate users with credentials s... Closed
related to SERVER-9530 LDAP Support for User Role Resolution Closed
is related to DOCS-1531 LDAP Authentication documentation Closed
is related to SERVER-9531 Let user configure mongo nodes to sup... Backlog
Backwards Compatibility: Fully Compatible
Participants:

Description

The user supplies to a mongo node credentials for authenticating to an LDAP directory, and the mongo node uses those credentials to authenticate itself to the directory. This proves to the mongo node that the LDAP server believes the end user's identity.



Comments
Comment by auto [ 01/May/13 ]

Author: Andy Schwerin <schwerin@10gen.com> (2013-05-01T17:54:20Z)

Message: SERVER-6407 When using PLAIN mechanism and $external database, do not digest password by default.

The only use of SASL PLAIN authentication against the $external database is for
LDAP proxy authentication, so this is the intelligent default choice in this scenario.
Branch: master
https://github.com/mongodb/mongo/commit/340ccbb1cced25e5e9e9b33ede652b728134d50b
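The flow the ticket description sketches (user hands the mongo node LDAP credentials, the node binds to the directory with them) together with the default this commit sets (PLAIN against $external sends the password undigested), as an added example that is not MongoDB's code. The directory is an in-memory stand-in, the DN template and the sample entries are constructed for illustration, and the LDAP bind is simulated by a function rather than a network call. It also shows the two checks a proxy authenticator most needs around the directory's verdict: refusing an empty password before it reaches the bind (a DN with an empty password is an RFC 4513 "unauthenticated" bind, which some directories, Active Directory by default, answer with success) and DN-escaping the user name before it is spliced into the bind DN.

```python
import hashlib
from typing import Callable, Optional, Tuple

# Constructed sample directory (DN -> password); stands in for the LDAP server.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",
}

# Assumed template mapping a MongoDB user name onto a directory entry; the real
# mapping is deployment-specific and not something this ticket defines.
DN_TEMPLATE = "uid={user},ou=people,dc=example,dc=com"


def ldap_simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against SAMPLE_DIRECTORY.

    Mimics a directory that accepts the RFC 4513 s5.1.2 'unauthenticated' bind
    (a DN with an empty password) as an anonymous bind, as Active Directory does
    by default: the bind succeeds but proves nothing about the named user.
    """
    if password == "":
        return True
    return SAMPLE_DIRECTORY.get(dn) == password


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 s2.4), so a user
    name such as 'x,ou=admins' cannot rewrite the DN the node binds with."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    out = out.replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_sasl_plain(payload: bytes) -> Tuple[str, str, str]:
    """Parse an RFC 4616 PLAIN initial response: [authzid] NUL authcid NUL passwd."""
    parts = payload.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message: expected exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid:
        raise ValueError("malformed PLAIN message: empty authcid")
    return authzid, authcid, passwd


def mongodb_cr_digest(user: str, password: str) -> str:
    """The legacy MONGODB-CR password digest: hex md5 of 'user:mongo:password'."""
    return hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()


def build_sasl_plain(user: str, password: str, db: str,
                     digest_password: Optional[bool] = None) -> bytes:
    """Client side. With digest_password unset, follow the default the commit
    chooses: PLAIN against $external carries the password as typed, because the
    directory has to check the real password; anywhere else the legacy digest
    is applied first."""
    if digest_password is None:
        digest_password = db != "$external"
    secret = mongodb_cr_digest(user, password) if digest_password else password
    return b"\x00" + user.encode("utf-8") + b"\x00" + secret.encode("utf-8")


def proxy_authenticate(payload: bytes,
                       bind: Callable[[str, str], bool] = ldap_simple_bind) -> Optional[str]:
    """Server side of proxy authentication: returns the authenticated user name
    or None. The node holds no credential of its own for the user; it forwards
    what the user supplied and trusts the directory's verdict, so the checks
    around that verdict are the whole security of the scheme:
      * an empty password is refused before it reaches the directory, otherwise
        an 'unauthenticated' bind would be mistaken for proof of identity;
      * an authzid other than the authcid is refused, since nothing here can
        authorise impersonating a second user;
      * the user name is DN-escaped before it is spliced into the bind DN.
    """
    try:
        authzid, authcid, passwd = parse_sasl_plain(payload)
    except ValueError:
        return None
    if authzid not in ("", authcid):
        return None
    if passwd == "":
        return None
    dn = DN_TEMPLATE.format(user=escape_dn_value(authcid))
    return authcid if bind(dn, passwd) else None


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(proxy_authenticate(build_sasl_plain("alice", pw, "$external")))  # alice
    # A digested password is useless to the directory: it cannot be re-verified.
    print(proxy_authenticate(build_sasl_plain("alice", pw, "$external", digest_password=True)))  # None
    # The empty-password trap: the stand-in directory alone would have said yes.
    print(proxy_authenticate(build_sasl_plain("alice", "", "$external")))  # None
```

Because PLAIN carries the user's actual password (that is the whole point of proxying it to the directory), the client-to-mongod connection and the mongod-to-LDAP connection both need TLS; the digest that protects MONGODB-CR credentials on the wire is not available here.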

Comment by Andy Schwerin [ 01/May/13 ]

Splitting this ticket in three. This ticket covers proxy authentication. SERVER-9529 covers credential information stored in an LDAP directory. SERVER-9530 covers fetching group/role membership information from an LDAP directory, so that a user's roles may be stored and managed externally to mongodb.

Comment by Kevin J. Rice [ 23/Apr/13 ]

We have a development team and an operations team. We'd like to give our operations team ("ops") read-only permissions. Ops is a VERY dynamically changing group of part-time/full-time folks who work all 3 shifts 7x24x365.25. We have SAS-70 and other security requirements that specify no shared user/password accounts, and would have to have documentation and weird organizational conniptions to allow them to all share a common login.

So, in short, this saves us all sorts of time creating/deleting user accounts or creating vast reams of paperwork explaining why we weren't spending all sorts of time creating/deleting user accounts.

Comment by Ron Cordell [ 18/Mar/13 ]

Here is the RabbitMQ LDAP plugin configuration:

[
  %% Broker: authenticate only through the LDAP backend, and offer TLS on 5671.
  %% verify_none together with fail_if_no_peer_cert=false means the listener never
  %% checks a client certificate; TLS here only encrypts the client-to-broker hop.
  {rabbit, [{auth_backends, [rabbit_auth_backend_ldap]},
            {ssl_listeners, [5671]},
            {ssl_options, [{fail_if_no_peer_cert, false},
                           {verify, verify_none}]},
            {default_vhost, <<"/">>}]},

  {rabbitmq_auth_backend_ldap,
   [ %% Bind to Active Directory as the user in UPN form (user@RHB.AD), then look
     %% up the user's DN by userPrincipalName under the domain base so the group
     %% queries below can be evaluated. use_ssl=false on port 389 means the bind,
     %% including the user's password, travels in the clear to the directory.
     {servers,               ["RHB.AD"]},
     {dn_lookup_attribute,   "userPrincipalName"},
     {dn_lookup_base,        "DC=RHB,DC=AD"},
     {user_dn_pattern,       "${username}@RHB.AD"},
     {use_ssl,               false},
     {port,                  389},
     %% network logs LDAP traffic with passwords hidden; network_unsafe would include them.
     {log,                   network},

     %% vhost access: membership of the Users group.
     {vhost_access_query,    {in_group, "CN=PERMQ_DL - Users,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}},

     %% Resource access: configure for every member of Users; read and write through
     %% per-vhost groups, selected by ${vhost} substitution into the group name.
     {resource_access_query,
      {for, [{permission, configure, {in_group, "CN=PERMQ_DL - Users,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}},
             {permission, write,
              {for, [{resource, queue,    {in_group, "CN=PERMQ_DL - ${vhost} vHost Write Permissions,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}},
                     {resource, exchange, {in_group, "CN=PERMQ_DL - ${vhost} vHost Write Permissions,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}}]}},
             {permission, read,
              {for, [{resource, exchange, {in_group, "CN=PERMQ_DL - ${vhost} vHost Read Permissions,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}},
                     {resource, queue,    {in_group, "CN=PERMQ_DL - ${vhost} vHost Read Permissions,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}}]}}
            ]}},

     %% Management UI tags (administrator, monitoring, management) from group membership.
     {tag_queries,    [{administrator, {in_group, "CN=PERMQ_DL - RabbitMQ User Access Administrator,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}},
                       {administrator, {in_group, "CN=Access Profile - SCM,OU=Access Profiles,OU=Servers,DC=RHB,DC=AD"}},
                       {monitoring,    {in_group, "CN=PERMQ_DL - RabbitMQ User Access Monitoring,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}},
                       {management,    {in_group, "CN=PERMQ_DL - RabbitMQ User Access Management,OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"}}]}
   ]
  }
]

Comment by Scott Hernandez (Inactive) [ 17/Mar/13 ]

Ron, can you share your RabbitMQ config (minus username/password of course)?

In addition, if anyone has a working LDAP config that they like for any other systems (apache http, app-servers, other dbs, cache/proxy, portals, etc) it would be good to see how people are using OUs, DNs, groups, attributes, and bind (as user, as service account, and hopefully not anon) options.

Comment by Ron Cordell [ 15/Mar/13 ]

I would like to second the encouragement. Here is how we would like to use it: we would like the current simple auth mechanism used to access a collection to be able to use the LDAP instead. Ideally we'd be able to script in some way what we're looking for: user credentials presented belong to an OU, for example (see the RabbitMQ LDAP plugin as an example). We use Active Directory to manage the various OU's and the LDAP capability should be able to talk to Active Directory. We'd like to have read only groups, read/write groups, and admin groups. The way RabbitMQ allows us to customize the LDAP lookup works well and seems like a useful pattern.
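The group-membership pattern Ron asks for here (read-only, read/write and admin groups resolved from Active Directory) and the RabbitMQ LDAP plugin configuration he posted above, as an added example that is neither RabbitMQ's nor MongoDB's code: a small evaluator for the plugin's in_group / for query shape, written as Python tuples standing in for the Erlang terms, run over a constructed directory of group memberships. The user names, the "perf" vhost and the group memberships are made up; the group DNs mirror the posted config. The evaluator's own design choices, stated as such, are that an unknown ${variable} is an error rather than an empty string and that a permission or resource with no matching branch is denied.

```python
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# A query is a nested tuple standing in for the plugin's Erlang terms:
#   ("in_group", dn_template)             true if the user is a member of that group
#   ("for", [(key, value, query), ...])   evaluate the branch whose key matches the context
#   ("constant", bool)
Query = Tuple

BASE = "OU=PERMQ,OU=PERFORMANCE,OU=Environments,OU=Servers,DC=RHB,DC=AD"
USERS_GROUP = f"CN=PERMQ_DL - Users,{BASE}"
READ_GROUP = f"CN=PERMQ_DL - ${{vhost}} vHost Read Permissions,{BASE}"
WRITE_GROUP = f"CN=PERMQ_DL - ${{vhost}} vHost Write Permissions,{BASE}"
ADMIN_GROUP = f"CN=PERMQ_DL - RabbitMQ User Access Administrator,{BASE}"
MONITOR_GROUP = f"CN=PERMQ_DL - RabbitMQ User Access Monitoring,{BASE}"


def vhost_group(vhost: str, kind: str) -> str:
    """Concrete per-vhost group name, the shape READ_GROUP/WRITE_GROUP expand to."""
    return f"CN=PERMQ_DL - {vhost} vHost {kind} Permissions,{BASE}"


# Constructed sample directory: user -> groups the user is a member of.
SAMPLE_GROUPS: Dict[str, FrozenSet[str]] = {
    "alice@RHB.AD": frozenset({USERS_GROUP, vhost_group("perf", "Read")}),
    "bob@RHB.AD": frozenset({USERS_GROUP, vhost_group("perf", "Read"),
                             vhost_group("perf", "Write"), ADMIN_GROUP}),
    "mallory@RHB.AD": frozenset(),  # authenticates fine, but is in no group
}

# Queries mirroring the posted configuration.
VHOST_ACCESS_QUERY: Query = ("in_group", USERS_GROUP)
RESOURCE_ACCESS_QUERY: Query = ("for", [
    ("permission", "configure", ("in_group", USERS_GROUP)),
    ("permission", "write", ("for", [("resource", "queue", ("in_group", WRITE_GROUP)),
                                     ("resource", "exchange", ("in_group", WRITE_GROUP))])),
    ("permission", "read", ("for", [("resource", "exchange", ("in_group", READ_GROUP)),
                                    ("resource", "queue", ("in_group", READ_GROUP))])),
])
TAG_QUERIES: List[Tuple[str, Query]] = [
    ("administrator", ("in_group", ADMIN_GROUP)),
    ("monitoring", ("in_group", MONITOR_GROUP)),
]

VAR = re.compile(r"\$\{(\w+)\}")


def substitute(template: str, ctx: Dict[str, str]) -> str:
    """Expand ${username}/${vhost}-style variables. An unknown name raises
    KeyError rather than expanding to '', so a typo cannot widen a match."""
    return VAR.sub(lambda m: ctx[m.group(1)], template)


def evaluate(query: Query, ctx: Dict[str, str], groups: FrozenSet[str]) -> bool:
    kind = query[0]
    if kind == "constant":
        return bool(query[1])
    if kind == "in_group":
        return substitute(query[1], ctx) in groups
    if kind == "for":
        for key, value, sub in query[1]:
            if ctx.get(key) == value:
                return evaluate(sub, ctx, groups)
        return False  # no branch matched: deny by default
    raise ValueError(f"unknown query kind {kind!r}")


def groups_of(user: str) -> FrozenSet[str]:
    return SAMPLE_GROUPS.get(user, frozenset())


def can_access_vhost(user: str, vhost: str) -> bool:
    return evaluate(VHOST_ACCESS_QUERY, {"username": user, "vhost": vhost}, groups_of(user))


def check_resource(user: str, vhost: str, permission: str, resource: str) -> bool:
    """Mirrors the plugin's order of checks: no vhost access, no resource access."""
    if not can_access_vhost(user, vhost):
        return False
    ctx = {"username": user, "vhost": vhost, "permission": permission, "resource": resource}
    return evaluate(RESOURCE_ACCESS_QUERY, ctx, groups_of(user))


def tags_for(user: str) -> Set[str]:
    return {tag for tag, q in TAG_QUERIES if evaluate(q, {"username": user}, groups_of(user))}


def tier(user: str, vhost: str) -> str:
    """Collapse the answers into the three tiers described in the comment above."""
    if not can_access_vhost(user, vhost):
        return "none"
    if "administrator" in tags_for(user):
        return "admin"
    if check_resource(user, vhost, "write", "queue"):
        return "read-write"
    if check_resource(user, vhost, "read", "queue"):
        return "read-only"
    return "none"


if __name__ == "__main__":
    for u in ("alice@RHB.AD", "bob@RHB.AD", "mallory@RHB.AD", "nobody@RHB.AD"):
        print(u, tier(u, "perf"))
```

The point of the ${vhost} substitution is that one query serves every vhost: a user who can read "perf" gets nothing on "staging" unless the directory also puts them in that vhost's group, and the directory, not the broker (or, in the MongoDB case, the mongo node), becomes the single place where access is granted and revoked.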

Comment by Scott Hernandez (Inactive) [ 15/Mar/13 ]

Kevin, how would you use LDAP support? How would you like it to work for your environment (and what is your env)?

Comment by Kevin J. Rice [ 15/Mar/13 ]

<mode="encouragement">We'd like this, too.</mode>

Generated at Thu Feb 08 03:11:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.