Authentication & Authorization Questions

Darshan Shah

Aug 2, 2016, 3:35:28 PM
to mongodb-user
Hi,

If setting up a sharded cluster (where each shard is a 3-node replica set) using WiredTiger & MongoDB Enterprise, we can use LDAP for Authentication & Authorization.
In this context, here are my questions:
  1. How do we handle "batch ids" or ids used by programs that do not exist in LDAP?
  2. Is it possible to disable internal authentication overhead between the mongod, mongos & config servers when using LDAP for the?
Thanks.

Chris Cunningham

Aug 12, 2016, 7:14:20 AM
to mongodb-user

Hi Darshan,

I will try to answer your question:

Is it possible to disable internal authentication overhead between the mongod, mongos & config servers when using LDAP for the?

The internal authentication between components and LDAP Authentication have different purposes. Internal authentication between the members of a sharded cluster or replica set is to verify their membership in the cluster. This is to ensure that the instance that is configured is the instance they are actually communicating with. There are two ways you can achieve this: using key files or using x.509. When you enable internal authentication, it also enables role-based access control. Although you can configure the cluster so that users authenticate for access control using proxy authentication requests to LDAP, this differs from internal authentication.

Please be aware that LDAP Authentication is part of MongoDB Enterprise, which is a commercially supported product. If you have a commercial subscription, I would suggest opening a case in the Commercial Support MongoDB ticket. Alternatively, if you are evaluating MongoDB Enterprise, feel free to send me a private message and I can request a MongoDB Account Executive to reach out to you.

You may also find the following links helpful:

Regards,

Chris
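
The two layers described in the reply above, shown as an added configuration sketch (not part of the original thread and not MongoDB's own sample): a mongod.conf for one shard member that keeps key-file internal authentication while user logins are proxied to LDAP. It assumes MongoDB Enterprise with saslauthd already configured against the directory; every path and the replica set name are placeholders.

```yaml
# mongod.conf for one member of a shard replica set (constructed example)

replication:
  replSetName: shard0rs            # placeholder replica set name
sharding:
  clusterRole: shardsvr

security:
  # Layer 1: internal (membership) authentication between mongod, mongos
  # and config servers. Every member must hold the same key file.
  keyFile: /etc/mongodb/cluster.key   # placeholder path; restrict to the mongod user (chmod 400)
  clusterAuthMode: keyFile
  # Enabling internal authentication turns on role-based access control;
  # stated explicitly here so the intent is visible in review.
  authorization: enabled

setParameter:
  # Layer 2: user authentication. PLAIN hands the credentials to saslauthd,
  # which proxies the bind to LDAP. SCRAM-SHA-1 stays in the list because
  # key-file membership authentication and users defined inside MongoDB
  # itself rely on it.
  authenticationMechanisms: PLAIN,SCRAM-SHA-1
  saslauthdPath: /var/run/saslauthd/mux   # placeholder socket path

# x.509 alternative for layer 1 (replace keyFile/clusterAuthMode above).
# Option names are the net.ssl settings of the 3.2-era releases.
# net:
#   ssl:
#     mode: requireSSL
#     PEMKeyFile: /etc/mongodb/server.pem     # placeholder
#     clusterFile: /etc/mongodb/member.pem    # placeholder member certificate
#     CAFile: /etc/mongodb/ca.pem             # placeholder
# security:
#   clusterAuthMode: x509
```

Because PLAIN sends the password unprotected at the SASL layer, client connections that use it should run over TLS.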

