Monitoring MongoDB Enterprise using LDAP Authentication

I had a recent need to dig into MongoDB monitoring with Aria Operations. In those posts, I used a preconfigured Bitnami MongoDB virtual appliance. This virtual appliance used MongoDB Community Edition. As a follow-up, I was looking into if it were possible to use an active directory user for monitoring instead of the local user from the previous post.

Looking into this question, I learned that it is possible… but there are a few requirements. This post will explain how to configure MongoDB to use an active directory user account for authentication, specifically for the Aria Operations management pack.

MongoDB has a community edition, which was installed in my previous appliance. If we look at the ‘ldap’ configuration options documented here: https://www.mongodb.com/docs/manual/reference/configuration-options/, we’ll notice that those settings say “Available in MongoDB Enterprise only.”

The MongoDB folks have some really good documentation on installing mongodb-enterprise available here: https://www.mongodb.com/docs/manual/tutorial/install-mongodb-enterprise-on-ubuntu/#std-label-install-mdb-enterprise-ubuntu. I choose the Ubuntu version of this document as I already had Ubuntu template VMs available in my lab. The installation went very smooth, I’ll include the commands I ran below as a quick reference. I had already su - and was running as root, so I didn’t require he sudo from the above example.

apt-get install gnupg curl
# no change, these packages already in image

curl -fsSL https://pgp.mongodb.com/server-7.0.asc | \
   gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg \
   --dearmor

echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] http://repo.mongodb.com/apt/ubuntu focal/mongodb-enterprise/7.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-enterprise-7.0.list

apt-get update

apt-get install -y mongodb-enterprise

ps --no-headers -o comm 1
# returns systemd

sudo systemctl start mongod

With a working MongoDB Enterprise installation, I was able to start configuring LDAP/Active Directory authentication. MongoDB docs discuss using groups only to delegate roles, so I created two objects in Active Directory:

Group: CN=LAB MongoDB Ent Monitoring,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org
User: CN=svc-mgdbeops,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org

This directory has an existing service account used for generic binds. I’m going to re-use this account: CN=svc-ldapbind,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org. In the real world the MongoDB admins would likely have their own service account for this purpose, or perhaps create a unique account per environment.

The first step is to grant my group limited access to the instance. I’ve also decided to create a local root user to use for administration, if needed. We’ll do all this using the mongosh command directly on the appliance.

mongosh # no credentials were required

var admin = db.getSiblingDB("admin")

# create a root user to have, just in case
admin.createUser(
   {
       user: "root", 
       pwd: "VMware1!", 
       roles:["root"]
   })
# returns: { ok: 1 }

# give our AD service account limited access
admin.createRole(
    {
        role: "CN=LAB MongoDB Ent Monitoring,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org",
        roles: [ { role: "clusterMonitor", db: "admin" } ]
    }
)
# returns: { ok: 1 }

With our permissions delegated, we now need to update our /etc/mongod.conf to make it aware of our directory. We’ll make to edits to this default file. First, in the network interfaces section, we’ll change the entry that binds to localhost only to allow binding to all IPs. I left the previous configuration as a comment, so I could revert back easily if needed. The change looks like this in my config:

# network interfaces
net:
  port: 27017
  bindIpAll: true
  #bindIp: 127.0.0.1 

We’ll continue to the end of the file. I do not have security: or setParameter: sections, so I will create them:

security:
   authorization: "enabled"
   ldap:
      servers: "core-control-21.lab.enterpriseadmins.org:389"
      bind:
         queryUser: "CN=svc-ldapbind,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org"
         queryPassword: "VMware1!"
      transportSecurity: "none"
      authz:
         queryTemplate: "{USER}?memberOf?base"
      validateLDAPServerConfig: true
setParameter:
   authenticationMechanisms: "PLAIN"

MongoDB documentation has additional configuration options for userToDNMapping, but I’m not using those and opting instead to just pass the distinguished name as the user name.

With the configuraiton file update, I restarted the mongod service and confirmed that it was running with the following syntax:

sudo systemctl restart mongod.service
sudo systemctl status mongod.service

Finally, in Aria Operations I was able to configure the adapter instance to use this LDAP credential. For the adapter name, I entered the short host name of the monitored server, and for the host attribute I used the fully qualified domain name. When creating the credential, I entered my user distinguished name, as well as selected ‘LDAP SASL’ for the type of authentication. I’ve included a screenshot below for reference:

With these properties configured, I was able to create the configuration of the adapter instance.

After a few minutes, the dashboards begin populating with the mongod information.

Hopefully this post helps with configuration of MongoDB Enterprise LDAP authentication.

Previous MongoDB posts:

This entry was posted in Lab Infrastructure, Virtualization. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Notify me of followup comments via e-mail. You can also subscribe without commenting.