The MongoDB folks have some really good documentation on installing With a working MongoDB Enterprise installation, I was able to start configuring LDAP\/Active Directory authentication. MongoDB docs discuss using groups only to delegate roles, so I created two objects in Active Directory:<\/p>\n\n\n\n This directory has an existing service account used for generic binds. I’m going to re-use this account:\u00a0 The first step is to grant my group limited access to the instance. I’ve also decided to create a local With our permissions delegated, we now need to update our We’ll continue to the end of the file. I do not have MongoDB documentation has additional configuration options for With the configuraiton file update, I restarted the mongod service and confirmed that it was running with the following syntax:<\/p>\n\n\n\n Finally, in Aria Operations I was able to configure the adapter instance to use this LDAP credential. For the adapter name, I entered the short host name of the monitored server, and for the host attribute I used the fully qualified domain name. When creating the credential, I entered my user distinguished name, as well as selected ‘LDAP SASL’ for the type of authentication. I’ve included a screenshot below for reference:<\/p>\n\n\n\n With these properties configured, I was able to create the configuration of the adapter instance.<\/p>\n\n\n\n After a few minutes, the dashboards begin populating with the Hopefully this post helps with configuration of MongoDB Enterprise LDAP authentication. <\/p>\n\n\n\n Previous MongoDB posts:<\/strong><\/p>\n\n\n\n I had a recent need to dig into MongoDB monitoring with Aria Operations. In those posts, I used a preconfigured Bitnami MongoDB virtual appliance. This virtual appliance used MongoDB Community Edition. As a follow-up, I was looking into if it … Continue reading mongodb-enterprise<\/code> available here: https:\/\/www.mongodb.com\/docs\/manual\/tutorial\/install-mongodb-enterprise-on-ubuntu\/#std-label-install-mdb-enterprise-ubuntu<\/a>. I choose the Ubuntu version of this document as I already had Ubuntu template VMs available in my lab. The installation went very smooth, I’ll include the commands I ran below as a quick reference. I had already su -<\/code> and was running as root, so I didn’t require he sudo<\/code> from the above example.<\/p>\n\n\n\napt-get install gnupg curl\n# no change, these packages already in image\n\ncurl -fsSL https:\/\/pgp.mongodb.com\/server-7.0.asc | \\\n gpg -o \/usr\/share\/keyrings\/mongodb-server-7.0.gpg \\\n --dearmor\n\necho \"deb [ arch=amd64,arm64 signed-by=\/usr\/share\/keyrings\/mongodb-server-7.0.gpg ] http:\/\/repo.mongodb.com\/apt\/ubuntu focal\/mongodb-enterprise\/7.0 multiverse\" | tee \/etc\/apt\/sources.list.d\/mongodb-enterprise-7.0.list\n\napt-get update\n\napt-get install -y mongodb-enterprise\n\nps --no-headers -o comm 1\n# returns systemd\n\nsudo systemctl start mongod<\/code><\/pre>\n\n\n\nGroup: CN=LAB MongoDB Ent Monitoring,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org\nUser: CN=svc-mgdbeops,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org<\/code><\/pre>\n\n\n\nCN=svc-ldapbind,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org<\/code>. In the real world the MongoDB admins would likely have their own service account for this purpose, or perhaps create a unique account per environment.<\/p>\n\n\n\nroot<\/code> user to use for administration, if needed. We’ll do all this using the mongosh<\/code> command directly on the appliance.<\/p>\n\n\n\nmongosh # no credentials were required\n\nvar admin = db.getSiblingDB(\"admin\")\n\n# create a root user to have, just in case\nadmin.createUser(\n {\n user: \"root\", \n pwd: \"VMware1!\", \n roles:[\"root\"]\n })\n# returns: { ok: 1 }\n\n# give our AD service account limited access\nadmin.createRole(\n {\n role: \"CN=LAB MongoDB Ent Monitoring,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org\",\n roles: [ { role: \"clusterMonitor\", db: \"admin\" } ]\n }\n)\n# returns: { ok: 1 }<\/code><\/pre>\n\n\n\n\/etc\/mongod.conf<\/code> to make it aware of our directory. We’ll make to edits to this default file. First, in the network interfaces<\/code> section, we’ll change the entry that binds to localhost only to allow binding to all IPs. I left the previous configuration as a comment, so I could revert back easily if needed. The change looks like this in my config:<\/p>\n\n\n\n# network interfaces\nnet:\n port: 27017\n bindIpAll: true\n #bindIp: 127.0.0.1 <\/code><\/pre>\n\n\n\nsecurity:<\/code> or setParameter:<\/code> sections, so I will create them:<\/p>\n\n\n\nsecurity:\n authorization: \"enabled\"\n ldap:\n servers: \"core-control-21.lab.enterpriseadmins.org:389\"\n bind:\n queryUser: \"CN=svc-ldapbind,OU=LAB Service Accounts,DC=lab,DC=enterpriseadmins,DC=org\"\n queryPassword: \"VMware1!\"\n transportSecurity: \"none\"\n authz:\n queryTemplate: \"{USER}?memberOf?base\"\n validateLDAPServerConfig: true\nsetParameter:\n authenticationMechanisms: \"PLAIN\"<\/code><\/pre>\n\n\n\nuserToDNMapping<\/code>, but I’m not using those and opting instead to just pass the distinguished name as the user name.<\/p>\n\n\n\nsudo systemctl restart mongod.service\nsudo systemctl status mongod.service<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/enterpriseadmins.org\/blog\/wp-content\/uploads\/2024\/08\/image.png\")
<\/a><\/figure>\n\n\n\n![\"\"](\"https:\/\/enterpriseadmins.org\/blog\/wp-content\/uploads\/2024\/08\/image-1.png\")
<\/a><\/figure>\n\n\n\nmongod<\/code> information. <\/p>\n\n\n\n\n