[SERVER-6407] Authenticate users via LDAP proxy
Created: 11/Jul/12 Updated: 27/Oct/15 Resolved: 01/May/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.5.0 |
| Type: | New Feature |
| Priority: | Major - P3 |
| Reporter: | Ian Whalen (Inactive) |
| Assignee: | Andy Schwerin |
| Resolution: | Done |
| Votes: | 6 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Participants: | |

| Description |

The user supplies to a mongo node the credentials for authenticating to an LDAP directory, and the mongo node uses those credentials to authenticate itself to the directory. A successful bind proves to the mongo node that the LDAP server believes the end user's identity.
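The proxy flow described above, as an added example that is not the ticket's or MongoDB's code: a client encodes SASL PLAIN credentials, and the node parses them and proves the user's identity by a simple bind against a stand-in directory, refusing without TLS, on an empty password (an anonymous bind proves nothing), and on an attempt to assert a different authorization identity. The base DN, the sample user and the FakeDirectory class are constructed assumptions.

```python
import hmac

BASE_DN = "ou=people,dc=example,dc=com"  # constructed for this example

def encode_plain(authcid, passwd, authzid=""):
    """Client side: SASL PLAIN initial response (RFC 4616): [authzid] NUL authcid NUL passwd."""
    if any("\0" in p for p in (authzid, authcid, passwd)):
        raise ValueError("NUL is not allowed inside a PLAIN field")
    return b"\0".join(p.encode("utf-8") for p in (authzid, authcid, passwd))

def decode_plain(msg):
    """Split a PLAIN message into (authzid, authcid, passwd); reject wrong field counts."""
    parts = msg.split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)

def escape_dn_value(value):
    """Escape characters that are special in a DN attribute value (RFC 4514),
    so a crafted user name cannot change which entry the node binds as."""
    return "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)

class FakeDirectory:
    """Stand-in for the LDAP server, backed by a constructed DN -> password table."""
    def __init__(self, entries):
        self._entries = entries
    def simple_bind(self, dn, password):
        stored = self._entries.get(dn)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def proxy_authenticate(msg, directory, tls_active):
    """Node side: prove the user's identity by binding to LDAP with the user's own
    credentials. Returns the $external user name on success, None otherwise."""
    if not tls_active:
        return None  # PLAIN carries the password in clear: insist on a TLS channel
    try:
        authzid, authcid, passwd = decode_plain(msg)
    except ValueError:
        return None
    if authzid and authzid != authcid:
        return None  # the proxy must not let a user assert someone else's identity
    if not passwd:
        return None  # empty password = anonymous LDAP bind (RFC 4513 5.1.2): proves nothing
    dn = "uid=%s,%s" % (escape_dn_value(authcid), BASE_DN)
    return authcid if directory.simple_bind(dn, passwd) else None

DIRECTORY = FakeDirectory({"uid=ops1," + BASE_DN: "s3cret"})  # constructed sample user
```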
| Comments |
| Comment by auto [ 01/May/13 ] |

Author: Andy Schwerin <schwerin@10gen.com>, 2013-05-01T17:54:20Z
Message: The only use of SASL PLAIN authentication against the $external database is for
| Comment by Andy Schwerin [ 01/May/13 ] |

Splitting this ticket in three. This ticket covers proxy authentication.

| Comment by Kevin J. Rice [ 23/Apr/13 ] |

We have a development team and an operations team. We'd like to give our operations team ("ops") read-only permissions. Ops is a VERY dynamically changing group of part-time/full-time folks who work all 3 shifts 7x24x365.25. We have SAS-70 and other security requirements that specify no shared user/password accounts, and would have to have documentation and weird organizational conniptions to allow them to all share a common login. So, in short, this saves us all sorts of time creating/deleting user accounts or creating vast reams of paperwork explaining why we weren't spending all sorts of time creating/deleting user accounts.

| Comment by Ron Cordell [ 18/Mar/13 ] |

Here is the RabbitMQ LDAP plugin configuration:

| Comment by Scott Hernandez (Inactive) [ 17/Mar/13 ] |

Ron, can you share your RabbitMQ config (minus username/password of course)? In addition, if anyone has a working LDAP config that they like for any other systems (apache http, app-servers, other dbs, cache/proxy, portals, etc.) it would be good to see how people are using OUs, DNs, groups, attributes, and bind (as user, as service account, and hopefully not anon) options.
| Comment by Ron Cordell [ 15/Mar/13 ] |

I would like to second the encouragement.

| Comment by Scott Hernandez (Inactive) [ 15/Mar/13 ] |

Kevin, how would you use LDAP support? How would you like it to work for your environment (and what is your env)?

| Comment by Kevin J. Rice [ 15/Mar/13 ] |

<mode="encouragement">We'd like this, too.</mode>