How to enable LDAP authentication

LDAP (Lightweight Directory Access Protocol) enables centralized authentication for MongoDB Replica Sets and Sharded Clusters, reducing the overhead of managing local credentials and access policies.

This guide goes over the steps to integrate LDAP as an authentication method with the MongoDB K8s charm, all within the Juju ecosystem.

Prerequisites

You’ll need:

Deploy an LDAP server

In this guide, we use self-signed certificates provided by the self-signed-certificates operator.

This is not recommended for a production environment.

Check the collection of Charmhub operators that implement the tls-certificate interface.

Deploy the GLAuth charm:

juju add-model glauth
juju deploy self-signed-certificates
juju deploy postgresql-k8s --channel 14/stable --trust
juju deploy glauth-k8s --channel edge --trust

Integrate (formerly known as “relate”) glauth-k8s with both self-signed-certificates and postgresql-k8s:

juju integrate glauth-k8s self-signed-certificates
juju integrate glauth-k8s postgresql-k8s

Deploy the GLAuth-utils charm in order to manage LDAP users:

juju deploy glauth-utils --channel edge --trust

Integrate the two applications:

juju integrate glauth-k8s glauth-utils

You will then have to create users and groups using glauth-utils.

Configure roles

With the MongoDB LDAP integration, you must define roles whose names are exactly the Distinguished Name (DN) of a group in the LDAP directory.

For example, if you have a group named ou=superheroes,ou=users,dc=glauth,dc=com, create a role such as:

db.createRole({role: 'ou=superheroes,ou=users,dc=glauth,dc=com', privileges: [], roles: [{'db': 'superdb', 'role': 'readWrite'}]})

Note: the GLAuth service returns all groups as members of the Organizational Unit (OU) users, so you must include ou=users in the DN of your group when creating the role.

At this stage, you can fine-tune the parameters MongoDB uses for the LDAP lookup with two config options.

For a MongoDB replica set:

juju config mongodb-k8s ldap-query-template="" ldap-user-to-dn-mapping=""

For a MongoDB sharded cluster:

juju config <config-server-name> ldap-query-template="" ldap-user-to-dn-mapping=""

  • ldap-query-template is the query template used to look up the groups of a user.
  • ldap-user-to-dn-mapping is used to map usernames to the LDAP Distinguished Names of the users.

Those two configuration parameters are explained in detail in the Percona Server for MongoDB documentation, and in the description of the two config options.

Example

John Doe is a member of the group ou=superheroes,ou=users,dc=glauth,dc=com.

To allow the user cn=johndoe,ou=superheroes,ou=users,dc=glauth,dc=com to authenticate using the username johndoe@superheroes, one could configure the following mapping:

For a MongoDB replica set:

juju config mongodb-k8s ldap-query-template="dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))" ldap-user-to-dn-mapping='[{"match": "([^@]+)@([^@]+)", "substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'

For a MongoDB sharded cluster:

juju config <config-server-name> ldap-query-template="dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))" ldap-user-to-dn-mapping='[{"match": "([^@]+)@([^@]+)", "substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
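The two config options above are easier to reason about when you can see the transformation they describe. The following Python script is an added example, not part of this guide or of the charm's code: it applies the ldap-user-to-dn-mapping rule to a username, fills {USER} in the ldap-query-template, and checks which MongoDB roles a group DN returned by the search would grant. The sample mapping, template and role name are the ones used in this guide; two details are the example's own assumptions rather than documented charm or MongoDB behaviour: a rule must match the whole username, and the mapped DN is escaped per RFC 4515 before it is placed in the search filter.

```python
import json
import re

# Constructed sample values, in the same shape as the juju config values
# shown in this guide; they are not read from a live charm.
USER_TO_DN_MAPPING = json.loads(
    '[{"match": "([^@]+)@([^@]+)", '
    '"substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
)
QUERY_TEMPLATE = "dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))"
# Role names created with db.createRole(); they must equal the group DN exactly.
DEFINED_ROLES = ["ou=superheroes,ou=users,dc=glauth,dc=com"]

# Characters with special meaning in an RFC 4515 search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def map_user_to_dn(username, mapping=USER_TO_DN_MAPPING):
    """Apply the first rule of the ldap-user-to-dn-mapping list whose regex matches.

    Capture groups of 'match' fill {0}, {1}, ... in 'substitution'.  This
    example requires the regex to match the whole username (an assumption of
    the example) and returns None when no rule matches, so a caller can reject
    the login instead of falling back to the raw username.
    """
    for rule in mapping:
        m = re.fullmatch(rule["match"], username)
        if m is None:
            continue
        return re.sub(r"\{(\d+)\}", lambda ref: m.group(int(ref.group(1)) + 1),
                      rule["substitution"])
    return None


def escape_filter_value(value):
    """Escape a value before embedding it in an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_query(user_dn, template=QUERY_TEMPLATE):
    """Fill {USER} in the ldap-query-template with the mapped DN.

    The template is the relative LDAP URL form base?attrs?scope?filter
    (RFC 4516); the parts are returned so the caller can run the search.
    Escaping the DN here is the example's own defensive step.
    """
    base, _attrs, scope, search_filter = template.split("?", 3)
    search_filter = search_filter.replace("{USER}", escape_filter_value(user_dn))
    return {"base": base, "scope": scope or "base", "filter": search_filter}


def roles_for_groups(group_dns, defined_roles=DEFINED_ROLES):
    """Return the MongoDB roles a user gets from the group DNs the query returned.

    The match is an exact string comparison of role name and group DN, which
    is why a GLAuth group must be named with ou=users in the role.
    """
    returned = set(group_dns)
    return [role for role in defined_roles if role in returned]


if __name__ == "__main__":
    dn = map_user_to_dn("johndoe@superheroes")
    print("DN:", dn)
    print("query:", render_query(dn))
    print("roles:", roles_for_groups(["ou=superheroes,ou=users,dc=glauth,dc=com"]))
```

Running the script shows johndoe@superheroes mapped to cn=johndoe,ou=superheroes,ou=users,dc=glauth,dc=com, the filter that lookup produces, and that a role named without ou=users would never match the group DN GLAuth returns. The escaping step matters because the username is attacker-controlled input that ends up inside an LDAP filter.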

Enable LDAP

To enable LDAP authentication on MongoDB, integrate the MongoDB K8s charm with the GLAuth charm.

If you are using the mongos router, also integrate it with the GLAuth charm in the same way as the MongoDB K8s application shown below:

For a MongoDB replica set:

juju integrate mongodb-k8s:ldap glauth-k8s:ldap
juju integrate mongodb-k8s:ldap-certificate-transfer glauth-k8s:send-ca-cert

For a MongoDB sharded cluster:

juju integrate <config-server-name>:ldap glauth-k8s:ldap
juju integrate <config-server-name>:ldap-certificate-transfer glauth-k8s:send-ca-cert

When everything is stabilised, you will be able to log in using your username johndoe@superheroes and your LDAP password. You will inherit the permissions granted by the roles corresponding to your LDAP groups.

Disable LDAP

You can disable LDAP by removing the following relations:

If you are using the mongos router, also remove the relations with the GLAuth charm in the same way as the MongoDB K8s application shown below:

For a MongoDB replica set:

juju remove-relation mongodb-k8s:ldap-certificate-transfer glauth-k8s:send-ca-cert
juju remove-relation mongodb-k8s:ldap glauth-k8s:ldap

For a MongoDB sharded cluster:

juju remove-relation <config-server-name>:ldap-certificate-transfer glauth-k8s:send-ca-cert
juju remove-relation <config-server-name>:ldap glauth-k8s:ldap