How to enable LDAP authentication¶
LDAP (Lightweight Directory Access Protocol) enables centralized authentication for MongoDB Replica Sets and Sharded Clusters, reducing the overhead of managing local credentials and access policies.
This guide goes over the steps to integrate LDAP as an authentication method with the MongoDB charm within the Juju ecosystem.
Caution
In this guide, we use self-signed certificates provided by the self-signed-certificates operator. This is not recommended for a production environment: the LDAPS connection from MongoDB to GLAuth carries each user's password in a simple bind, so it should be protected by a certificate issued by a CA your deployment already trusts. Check the collection of Charmhub operators that implement the tls-certificate interface.
Prerequisites¶
For Charmed MongoDB on machines (VM), you’ll need:
Charmed MongoDB - Revision 213 or higher
(Optional) Charmed Mongos - Revision 42 or higher
A Kubernetes Juju controller (to host the LDAP server, see below)
For Charmed MongoDB K8s, you’ll need:
Charmed MongoDB K8s - Revision 64 or higher
(Optional) Charmed Mongos - Revision 31 or higher
Deploy an LDAP server on Kubernetes¶
With MongoDB for machines, you’ll need a separate Juju controller with a K8s model in order to deploy the glauth-k8s
charm. We’ll then create a cross-controller relation to the MongoDB VM model.
juju switch <k8s-controller-name>
juju add-model <k8s-model-name>
With MongoDB for Kubernetes, you can simply deploy GLAuth alongside MongoDB without a separate Juju model.
Deploy glauth-k8s, self-signed-certificates, and postgresql-k8s:
juju deploy glauth-k8s --channel edge --trust --config ldaps_enabled=true
juju deploy self-signed-certificates
juju deploy postgresql-k8s --channel 14/stable --trust
Integrate glauth-k8s with self-signed-certificates and postgresql-k8s:
juju integrate glauth-k8s self-signed-certificates
juju integrate glauth-k8s postgresql-k8s
Deploy the glauth-utils charm to manage LDAP users, and integrate it with the GLAuth application:
juju deploy glauth-utils --channel edge --trust
juju integrate glauth-k8s glauth-utils
Users and groups can now be created using glauth-utils.
Create a cross-model relation (VM only)¶
Expose cross-controller URLs
Enable the MetalLB MicroK8s add-on, using the host's primary outbound IP as a one-address pool:
IPADDR=$(ip -4 -j route get 2.2.2.2 | jq -r '.[] | .prefsrc')
sudo microk8s enable metallb $IPADDR-$IPADDR
Deploy the Traefik charm in order to expose endpoints from the K8s cluster:
juju deploy traefik-k8s --trust
Integrate the two applications:
juju integrate traefik-k8s glauth-k8s:ldaps-ingress
Expose cross-model relations
To offer the GLAuth interfaces, run:
juju offer glauth-k8s:ldap ldap
juju offer glauth-k8s:send-ca-cert send-ca-cert
Consume offers
Switch to the VM controller:
juju switch <lxd_controller>:<my-model>
Consume the LDAP offers:
juju consume <k8s_controller>:admin/<k8s-model-name>.ldap
juju consume <k8s_controller>:admin/<k8s-model-name>.send-ca-cert
This step is not needed with MongoDB K8s. Proceed to the next section: Configure roles.
Configure roles¶
With the MongoDB LDAP integration, you must define roles whose names are the exact Distinguished Name (DN) of a group in the LDAP directory.
For example, if you have a group named ou=superheroes,ou=users,dc=glauth,dc=com
, create a role such as:
db.createRole({role: 'ou=superheroes,ou=users,dc=glauth,dc=com',
privileges: [],
roles: [{'db': 'superdb', 'role': 'readWrite'}]
})
Disclaimer
The GLAuth service returns all groups as members of the Organizational Unit (OU) users, meaning you must add ou=users in the DN of your group when creating your role.
At this stage, you can fine-tune how MongoDB maps usernames to the directory using two config options:
For a MongoDB replica set:
juju config mongodb ldap-query-template="<your-config>" ldap-user-to-dn-mapping="<your-config>"
For a MongoDB sharded cluster:
juju config <config-server-name> ldap-query-template="<your-config>" ldap-user-to-dn-mapping="<your-config>"
ldap-query-template: query template used to get the groups of a user
ldap-user-to-dn-mapping: maps usernames to LDAP Distinguished Names for the users
These two configuration parameters are explained in detail in the Percona Server for MongoDB documentation, and in their descriptions accessible via the Juju CLI.
Example
John Doe is a member of the group ou=superheroes,ou=users,dc=glauth,dc=com.
To allow the user cn=johndoe,ou=superheroes,ou=users,dc=glauth,dc=com to authenticate using the username johndoe@superheroes, one could configure the following mapping:
For a MongoDB replica set (VM):
juju config mongodb ldap-query-template="dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))" ldap-user-to-dn-mapping='[{"match": "([^@]+)@([^@]+)", "substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
For a MongoDB K8s replica set:
juju config mongodb-k8s ldap-query-template="dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))" ldap-user-to-dn-mapping='[{"match": "([^@]+)@([^@]+)", "substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
For a MongoDB sharded cluster (VM or K8s), configure the config server application:
juju config <config-server-name> ldap-query-template="dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))" ldap-user-to-dn-mapping='[{"match": "([^@]+)@([^@]+)", "substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
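To see what these two options actually do to a login name, here is an added Python walk-through. It is not code from the MongoDB charm, GLAuth, or MongoDB itself, and it contacts no server: it applies the page's ldap-user-to-dn-mapping and ldap-query-template to johndoe@superheroes, then resolves the resulting DN to roles defined with db.createRole() as in the Configure roles section, using constructed stand-ins for the directory contents. Two behaviours are assumptions, not taken from the page: that the match regex must cover the whole username, and that captured groups are escaped per RFC 4514 before being placed into the DN. Whether the server does either is something to verify in the MongoDB/Percona documentation, which is why the example also shows what an unescaped mapping produces for a hostile login name such as johndoe,ou=admins@superheroes, and a stricter mapping (STRICT_MAPPING, an assumption, not on the page) that rejects such names outright.

```python
"""Trace a MongoDB LDAP login name through ldap-user-to-dn-mapping and
ldap-query-template, then on to MongoDB roles.

Added example for this guide; not part of the MongoDB charm, GLAuth, or
MongoDB. It never talks to a server. Assumptions (not from the page): the
match regex must cover the whole username (re.fullmatch), captured groups
are escaped per RFC 4514 before being placed in a DN, and the group list
and role table below are constructed stand-ins for what GLAuth and
db.createRole() would hold.
"""
import json
import re

# The two values the page configures, parsed as Juju receives them.
LDAP_USER_TO_DN_MAPPING = json.loads(
    '[{"match": "([^@]+)@([^@]+)", '
    '"substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com"}]'
)
LDAP_QUERY_TEMPLATE = (
    "dc=glauth,dc=com??sub?(&(objectClass=posixGroup)(uniqueMember={USER}))"
)

# Tighter alternative (assumption, not from the page): only DN-safe
# characters are accepted, so a login name cannot smuggle extra RDNs.
STRICT_MAPPING = [{
    "match": r"([A-Za-z0-9._-]+)@([A-Za-z0-9._-]+)",
    "substitution": "cn={0},ou={1},ou=users,dc=glauth,dc=com",
}]

# Characters RFC 4514 requires escaping inside an attribute value.
_DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Backslash-escape a value so it cannot start a new RDN."""
    out = "".join("\\" + c if c in _DN_SPECIALS else c for c in value)
    if out[:1] in ("#", " "):        # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):            # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def username_to_dn(username, rules=LDAP_USER_TO_DN_MAPPING, escape=True):
    """Apply the first matching rule; None means no rule matched."""
    for rule in rules:
        m = re.fullmatch(rule["match"], username)  # whole-name match (assumption)
        if m:
            groups = [escape_dn_value(g) if escape else g for g in m.groups()]
            return rule["substitution"].format(*groups)
    return None


def group_query(user_dn, template=LDAP_QUERY_TEMPLATE):
    """Fill {USER} and split the RFC 4516 form base?attrs?scope?filter."""
    url = template.replace("{USER}", user_dn)
    base, attrs, scope, flt = url.split("?", 3)
    return {"base": base, "attributes": attrs, "scope": scope, "filter": flt}


# Constructed stand-in for db.createRole(): role name == exact group DN.
MONGODB_ROLES = {
    "ou=superheroes,ou=users,dc=glauth,dc=com": [{"db": "superdb", "role": "readWrite"}],
}

# Constructed stand-in for the uniqueMember search results GLAuth would return.
LDAP_GROUPS_BY_MEMBER = {
    "cn=johndoe,ou=superheroes,ou=users,dc=glauth,dc=com": [
        "ou=superheroes,ou=users,dc=glauth,dc=com",
    ],
}


def effective_roles(username, rules=LDAP_USER_TO_DN_MAPPING):
    """Roles a login name ends up with: name -> DN -> groups -> exact role match."""
    dn = username_to_dn(username, rules)
    if dn is None:
        return []
    roles = []
    for group_dn in LDAP_GROUPS_BY_MEMBER.get(dn, []):
        roles.extend(MONGODB_ROLES.get(group_dn, []))  # byte-exact DN comparison
    return roles


if __name__ == "__main__":
    dn = username_to_dn("johndoe@superheroes")
    print(dn)
    print(group_query(dn)["filter"])
    hostile = "johndoe,ou=admins@superheroes"
    print(username_to_dn(hostile, escape=False))    # an extra RDN slips in
    print(username_to_dn(hostile))                  # escaped: still one cn value
    print(username_to_dn(hostile, STRICT_MAPPING))  # None: rejected outright
    print(effective_roles("johndoe@superheroes"))
```

Two points the walk-through makes concrete: the role name must equal the group DN byte for byte as the server returns it (the Disclaimer about ou=users is one instance of that), and the second capture group of the page's regex decides which ou= the DN lands in, so restrict the characters a login name may contain. The same substitution concern applies to {USER} inside the query filter, where RFC 4515 escaping of the characters *, (, ) and \ is the relevant rule; the example does not implement that part.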
Enable LDAP¶
To enable LDAP authentication on MongoDB, integrate the MongoDB charm with the GLAuth charm. On machines, the targets are the ldap and send-ca-cert offers consumed above; on Kubernetes, integrate directly with glauth-k8s in the same model. The ldap relation carries the LDAP endpoint and bind settings, and the ldap-certificate-transfer relation delivers the GLAuth CA certificate so that MongoDB can verify the LDAPS endpoint it authenticates users against.
For a MongoDB replica set:
juju integrate mongodb:ldap ldap:ldap
juju integrate mongodb:ldap-certificate-transfer send-ca-cert:send-ca-cert
For a MongoDB sharded cluster:
juju integrate <config-server-name>:ldap ldap:ldap
juju integrate <config-server-name>:ldap-certificate-transfer send-ca-cert:send-ca-cert
If you are using the mongos router, integrate it with the GLAuth charm in the same way as the MongoDB application. The mongos charm supports LDAP starting from revision 42.
For a MongoDB replica set:
juju integrate mongodb-k8s:ldap glauth-k8s:ldap
juju integrate mongodb-k8s:ldap-certificate-transfer glauth-k8s:send-ca-cert
For a MongoDB sharded cluster:
juju integrate <config-server-name>:ldap glauth-k8s:ldap
juju integrate <config-server-name>:ldap-certificate-transfer glauth-k8s:send-ca-cert
If you are using the mongos router, integrate it with the GLAuth charm in the same way as the MongoDB application. The mongos charm supports LDAP starting from revision 31.
When everything has stabilised, you will be able to log in using your username johndoe@superheroes and your LDAP password. You inherit the permissions granted by the roles whose names match your LDAP group DNs. As in any MongoDB LDAP deployment, such users authenticate against the $external database with the PLAIN mechanism (for example, --authenticationDatabase '$external' --authenticationMechanism PLAIN with mongosh); PLAIN hands the password to the server, so always connect over TLS.
Disable LDAP¶
You can disable LDAP by removing the relations with GLAuth.
If you are using the mongos router, remove the relations in the same way as the MongoDB application shown below.
For a MongoDB replica set:
juju remove-relation mongodb:ldap-certificate-transfer send-ca-cert:send-ca-cert
juju remove-relation mongodb:ldap ldap:ldap
For a MongoDB sharded cluster:
juju remove-relation <config-server-name>:ldap-certificate-transfer send-ca-cert:send-ca-cert
juju remove-relation <config-server-name>:ldap ldap:ldap
If you are using the mongos router, remove the relations in the same way as the MongoDB application shown below.
For a MongoDB replica set:
juju remove-relation mongodb-k8s:ldap-certificate-transfer glauth-k8s:send-ca-cert
juju remove-relation mongodb-k8s:ldap glauth-k8s:ldap
For a MongoDB sharded cluster:
juju remove-relation <config-server-name>:ldap-certificate-transfer glauth-k8s:send-ca-cert
juju remove-relation <config-server-name>:ldap glauth-k8s:ldap