How to enable LDAP authentication
LDAP (Lightweight Directory Access Protocol) enables centralized authentication for MongoDB Replica Sets and Sharded Clusters, reducing the overhead of managing local credentials and access policies.
This guide goes over the steps to integrate LDAP as an authentication method with the MongoDB charm, all within the Juju ecosystem.
Prerequisites
You’ll need:
- A machine Juju controller with a Charmed MongoDB deployment
- A Kubernetes Juju controller
Deploy an LDAP server in a K8s environment
In this guide, we use self-signed certificates provided by the self-signed-certificates operator. This is not recommended for a production environment.
Check the collection of Charmhub operators that implement the tls-certificate interface.
Switch to the Kubernetes controller:
juju switch <k8s_controller>
Deploy the GLAuth charm:
juju add-model glauth
juju deploy self-signed-certificates
juju deploy postgresql-k8s --channel 14/stable --trust
juju deploy glauth-k8s --channel edge --trust
Integrate (formerly known as “relate”) glauth-k8s with both self-signed-certificates and postgresql-k8s:
juju integrate glauth-k8s self-signed-certificates
juju integrate glauth-k8s postgresql-k8s
Deploy the GLAuth-utils charm in order to manage LDAP users:
juju deploy glauth-utils --channel edge --trust
Integrate the two applications:
juju integrate glauth-k8s glauth-utils
You will then have to create users and groups using glauth-utils.
Expose cross-controller URLs
Enable the required MicroK8s plugin:
IPADDR=$(ip -4 -j route get 2.2.2.2 | jq -r '.[] | .prefsrc')
sudo microk8s enable metallb $IPADDR-$IPADDR
Deploy the Traefik charm in order to expose endpoints from the K8s cluster:
juju deploy traefik-k8s --trust
Integrate the two applications:
juju integrate traefik-k8s glauth-k8s:ingress
Expose cross-model relations
To offer the GLAuth interfaces, run:
juju offer glauth-k8s:ldap ldap
juju offer glauth-k8s:send-ca-cert send-ca-cert
Consume offers
Switch to the VM controller:
juju switch <lxd_controller>:<my-model>
Consume the LDAP offers:
juju consume <k8s_controller>:admin/glauth.ldap
juju consume <k8s_controller>:admin/glauth.send-ca-cert
Configure roles
With the MongoDB LDAP integration, you must define roles whose names are the exact Distinguished Name (DN) of a group in the LDAP directory.
For example, if you have a group named ou=superheroes,ou=users,dc=glauth,dc=com, create a role such as:
db.createRole({role: 'ou=superheroes,ou=users,dc=glauth,dc=com', privileges: [], roles: [{'db': 'superdb', 'role': 'readWrite'}]})
Disclaimer: the GLAuth service returns all groups as members of the Organizational Unit (OU) users, so you must include ou=users in the DN of your group when creating your role.
At this stage, you can fine-tune the parameters MongoDB uses for LDAP lookups with two config options:
For a MongoDB replica set:
juju config mongodb ldap-query-template="" ldap-user-to-dn-mapping=""
For a MongoDB sharded cluster:
juju config <config-server-name> ldap-query-template="" ldap-user-to-dn-mapping=""
- ldap-query-template is the LDAP query template used to look up the groups of a user
- ldap-user-to-dn-mapping maps usernames to the LDAP Distinguished Names of the users
Those two configuration parameters are explained in detail in the Percona Server for MongoDB documentation, and in the description of the two config options.
Example
John Doe is a member of the group ou=superheroes,ou=users,dc=glauth,dc=com.
To allow the user cn=johndoe,ou=superheroes,ou=users,dc=glauth,dc=com to authenticate using the username johndoe@superheroes, one could configure the following mapping:
For a MongoDB replica set:
juju config mongodb ldap-query-template="dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))" ldap-user-to-dn-mapping='[{"match": "([^@]+)@([^@]+)", "substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
For a MongoDB sharded cluster:
juju config <config-server-name> ldap-query-template="dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))" ldap-user-to-dn-mapping='[{"match": "([^@]+)@([^@]+)", "substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
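To show how the role definition from “Configure roles” and the two config options above fit together at login time, here is an added example in Python; it is not code from the Charmed MongoDB project. It takes the guide’s own ldap-user-to-dn-mapping and ldap-query-template values, applies the mapping to a username, fills {USER} into the query template, runs the resulting filter against a small constructed in-memory directory (not a real GLAuth instance), and resolves the group DNs to a constructed role table whose keys are the exact group DNs, as the guide requires. The filter evaluator only understands the (&(attr=value)...) shape the guide’s template uses, and the RFC 4515 escaping of the substituted DN is this example’s own defensive choice, not a statement about what the server does; the no-match behaviour (returning None) is likewise the example’s choice, with the server’s own behaviour documented in the Percona Server for MongoDB documentation.

```python
# Added example, not part of the Charmed MongoDB project: a model of how the
# guide's two LDAP config options compose. The mapping and template are the
# guide's values; the directory and role table below are constructed.
import json
import re

LDAP_USER_TO_DN_MAPPING = (
    '[{"match": "([^@]+)@([^@]+)", '
    '"substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
)
LDAP_QUERY_TEMPLATE = (
    "dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))"
)

# Constructed directory: GLAuth places groups under ou=users, as the guide notes.
DIRECTORY = [
    {"dn": "ou=superheroes,ou=users,dc=glauth,dc=com",
     "objectClass": ["posixGroup"],
     "uniqueMember": ["cn=johndoe,ou=superheroes,ou=users,dc=glauth,dc=com"]},
    {"dn": "ou=sidekicks,ou=users,dc=glauth,dc=com",
     "objectClass": ["posixGroup"],
     "uniqueMember": ["cn=robin,ou=sidekicks,ou=users,dc=glauth,dc=com"]},
    {"dn": "cn=johndoe,ou=superheroes,ou=users,dc=glauth,dc=com",
     "objectClass": ["posixAccount"], "uniqueMember": []},
]

# Constructed role table: the key must be the group's exact DN (compare the
# db.createRole call in this guide); a group with no entry grants nothing.
ROLES = {
    "ou=superheroes,ou=users,dc=glauth,dc=com": [{"db": "superdb", "role": "readWrite"}],
}

# RFC 4515 escaping for values placed inside a search filter (this example's
# own choice, so the rendered filter stays well-formed for any username).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def map_user_to_dn(username: str, mapping_json: str = LDAP_USER_TO_DN_MAPPING):
    """Apply the first rule whose `match` regex matches the whole username.
    `{0}` is the first capture group, as in the guide's example. Returning
    None when nothing matches is this example's choice (assumption)."""
    for rule in json.loads(mapping_json):
        m = re.fullmatch(rule["match"], username)
        if m:
            return rule["substitution"].format(*m.groups())
    return None


def render_query(user_dn: str, template: str = LDAP_QUERY_TEMPLATE) -> dict:
    """Split the `base?attributes?scope?filter` template and fill in {USER}."""
    base, attrs, scope, filt = template.split("?", 3)
    return {
        "base": base,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",  # RFC 4516 default when the field is empty
        "filter": filt.replace("{USER}", escape_filter_value(user_dn)),
    }


_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def matches_and_filter(filt: str, entry: dict) -> bool:
    """Evaluate a filter of the shape (&(attr=value)...) against one entry;
    only this shape is modelled, which is all the guide's template uses."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only (&(a=b)(c=d)...) filters are modelled here")
    return all(_unescape(value) in entry.get(attr, [])
               for attr, value in _ASSERTION.findall(filt[2:-1]))


def groups_for(username: str) -> list:
    """Username -> user DN (mapping) -> group DNs (template + directory)."""
    user_dn = map_user_to_dn(username)
    if user_dn is None:
        return []
    query = render_query(user_dn)
    return [e["dn"] for e in DIRECTORY
            if e["dn"].endswith(query["base"])  # crude stand-in for scope=sub
            and matches_and_filter(query["filter"], e)]


def roles_for(username: str) -> list:
    """Privileges inherited through the roles named after the user's groups."""
    granted = []
    for group_dn in groups_for(username):
        granted.extend(ROLES.get(group_dn, []))
    return granted


if __name__ == "__main__":
    for name in ("johndoe@superheroes", "robin@sidekicks", "nobody"):
        print(name, "->", map_user_to_dn(name), "->", roles_for(name))
```

Running the block prints the chain for three constructed usernames: johndoe@superheroes resolves to the superheroes group and inherits readWrite on superdb; robin@sidekicks resolves to a group for which no role exists and so inherits nothing; nobody has no @ and does not match the mapping at all. The second case is the one to check for when a newly integrated user can log in but sees no permissions: the role name must match the group DN character for character, ou=users included.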
Enable LDAP
To enable LDAP authentication on MongoDB, integrate the MongoDB charm with the GLAuth charm.
If you are using the mongos router, also integrate it with the GLAuth charm in the same way as the MongoDB application shown below:
For a MongoDB replica set:
juju integrate mongodb:ldap ldap:ldap
juju integrate mongodb:ldap-certificate-transfer send-ca-cert:send-ca-cert
For a MongoDB sharded cluster:
juju integrate <config-server-name>:ldap ldap:ldap
juju integrate <config-server-name>:ldap-certificate-transfer send-ca-cert:send-ca-cert
Once everything has stabilised, you will be able to log in with the username johndoe@superheroes and your LDAP password, and you will inherit the permissions granted by the roles that correspond to your LDAP groups.
Disable LDAP
You can disable LDAP by removing the relations with GLAuth.
If you are using the mongos router, also remove its relations with the GLAuth charm in the same way as for the MongoDB application shown below:
For a MongoDB replica set:
juju remove-relation mongodb:ldap-certificate-transfer send-ca-cert:send-ca-cert
juju remove-relation mongodb:ldap ldap:ldap
For a MongoDB sharded cluster:
juju remove-relation <config-server-name>:ldap-certificate-transfer send-ca-cert:send-ca-cert
juju remove-relation <config-server-name>:ldap ldap:ldap