Configure Users and Groups with LDAP for On-Prem MongoDB Management Service
Important
There is no method to transition an existing MMS deployment with independent user management to use LDAP for user management. You will need to start with a fresh installation of the latest version of MMS.
Overview

On-Prem MongoDB Management Service can use a Lightweight Directory Access Protocol (LDAP) service to store users and manage user authentication. Users continue to log in using the standard MMS interface. After successful LDAP authentication, MMS synchronizes the firstName, lastName, and email attributes of the LDAP user record with the MMS user record. Integration requires adding the LDAP user record attribute names to the MMS configuration file.

Upon submission of login form data, MMS authenticates in two steps:

- First, MMS connects to the LDAP server with the mms.ldap.bindDn and mms.ldap.bindPassword configuration values and searches for the LDAP user record whose mms.ldap.user.searchAttribute value matches the submitted username.
- With a match, MMS authenticates the user against that LDAP user record with the password submitted on the login form, and grants MMS access only if that authentication succeeds.
Upon successful login with LDAP, the first user completes a welcome form to create the initial MMS group.
Prerequisites

- LDAP server installed, configured, and accessible to MMS.
- An LDAP group name used to populate the mms.ldap.global.role.owner configuration value, which MMS uses to match LDAP records with MMS data.
- MMS server installed and configured.

It is also possible to create LDAP groups to assign to users with read-only or other non-administrative roles, then update the global role property settings as needed. In this case, create one or more additional LDAP groups.
Considerations

For successful integration, each user record returned by the LDAP server must contain the list of LDAP groups assigned to the user.

The first user to log in with LDAP authentication must have the LDAP Owner role assigned to their account. The mms.ldap.global.role.owner property setting in the MMS configuration file must match an LDAP owner group. For example, if LDAP has an admin group for use by MMS admins, set the mms.ldap.global.role.owner property to admin in the MMS configuration file.
Procedure

To configure On-Prem MongoDB Management Service to authenticate its users with LDAP:

- Define LDAP record schema attributes and values.
- Update the LDAP server configuration values in the MMS conf-mms.properties file.
- Update the LDAP user configuration values in the MMS conf-mms.properties file.
- Update the Global Role configuration values in the MMS conf-mms.properties file.

The sections below define the configuration values to update for each step.
Configuration Files

Configuration parameters connect one or more LDAP groups to roles used in MMS, and define how MMS retrieves user data to authenticate users.

LDAP Server Configuration Parameter

Update this LDAP server property in the MMS conf-mms.properties configuration file.

Property | Value |
---|---|
mms.userSvcClass | com.xgen.svc.mms.svc.user.UserSvcLdap |
LDAP User Configuration Parameters

Update these LDAP directory schema properties in the MMS conf-mms.properties configuration file:

Property | Example | Description |
---|---|---|
mms.ldap.url | ldap://acme-dc1.acme.example.net:3890 | The URI for the LDAP server |
mms.ldap.bindDn | authUser@acme.example.net | The LDAP user used to execute searches for other users |
mms.ldap.bindPassword | <user-password> | The credentials for the search user |
mms.ldap.user.baseDn | DC\=acme,DC\=example,DC\=net | The base DN used when searching for users |
mms.ldap.user.searchAttribute | mail | The LDAP user record attribute MMS uses to search for, then authenticate, a user when that user types their username into the MMS login form. |
mms.ldap.user.firstName | givenName | The LDAP user attribute that contains the user's first name. |
mms.ldap.user.lastName | sn | The LDAP user attribute that contains the user's last name. |
mms.ldap.user.email | mail | The LDAP user attribute that contains the user's email address. |
mms.ldap.user.group | memberOf | The LDAP user attribute that contains the list of groups the user belongs to. The values can be CNs or DNs; it does not matter which, as long as they are consistent with the values given in the MMS global role configuration, explained below. |
Global Role Configuration

Global role parameters can name an LDAP group in either format: a cn (Common Name) or a dn (Distinguished Name). The format must match the format of the attribute specified by the mms.ldap.user.group configuration property defined in the table above.

Update these LDAP directory schema properties in the MMS conf-mms.properties configuration file:

Property | Example | Description |
---|---|---|
mms.ldap.global.role.readOnly | CN\=MMS-ReadOnly,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net | The LDAP group name for users assigned the global read-only role in MMS. This role can only view data in MMS. |
mms.ldap.global.role.userAdmin | CN\=MMS-UserAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net | The LDAP group name for users assigned the global user administrative role in MMS. This role can manage users' group memberships and update the billing email address. |
mms.ldap.global.role.monitoringAdmin | CN\=MMS-MonitoringAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net | The LDAP group name for users assigned the global monitoring administrative role in MMS. This role can view hosts, charts, and other data, as well as monitor hosts, manage monitoring settings, download the Monitoring Agent, and perform other tasks. |
mms.ldap.global.role.backupAdmin | CN\=MMS-BackupAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net | The LDAP group name for users assigned the global backup administrative role in MMS. This role can view backup status and snapshot lists, modify backup settings, start/stop/terminate backups, request restores, view/edit host passwords, and perform other tasks. |
mms.ldap.global.role.owner | CN\=MMSGlobalOwner,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net | The LDAP group name for users assigned the global owner role in MMS. This role can perform all administrative tasks in MMS. |
mms.ldap.group.separator | ; | Each of the global role values may also take a delimited list of groups; for example: The default delimiter for MMS 1.5 is |
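The two-step login described in the Overview and the group-to-role mapping configured in the tables above, as an added example that is not MMS code: the search-then-bind flow is re-implemented in plain Python against an in-memory directory so it runs without an LDAP server. The conf-mms.properties fragment, the directory entries (the authUser service account, Ada, Bob), and every helper name (parse_properties, escape_filter_value, search, bind, global_roles, ldap_login) are constructed for this example and are not part of the product. It goes slightly beyond the page in two places a practitioner would check: the submitted username is escaped per RFC 4515 before it is placed in the search filter, and an empty password is refused before the second bind.

```python
# Added example (not MMS code): the page's two-step LDAP login and global-role
# mapping re-implemented in plain Python against an in-memory directory, so it
# runs without an LDAP server.  The properties fragment, the directory entries
# (authUser, Ada, Bob) and every helper name below are constructed here.
import hmac
import re

# Constructed conf-mms.properties fragment; '=' inside DN values is written
# '\=' as in the page's examples (Java .properties escaping).
CONF_MMS_PROPERTIES = r"""
mms.ldap.bindDn=authUser@acme.example.net
mms.ldap.bindPassword=<user-password>
mms.ldap.user.baseDn=DC\=acme,DC\=example,DC\=net
mms.ldap.user.searchAttribute=mail
mms.ldap.user.firstName=givenName
mms.ldap.user.lastName=sn
mms.ldap.user.email=mail
mms.ldap.user.group=memberOf
mms.ldap.group.separator=;
mms.ldap.global.role.owner=CN\=MMSGlobalOwner,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
mms.ldap.global.role.readOnly=CN\=MMS-ReadOnly,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net;CN\=MMS-Auditors,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
"""

GROUPS = "OU=MMS,OU=acme Groups,DC=acme,DC=example,DC=net"
# Constructed in-memory directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "CN=authUser,OU=Service Accounts,DC=acme,DC=example,DC=net": {
        "userPrincipalName": ["authUser@acme.example.net"], "userPassword": ["<user-password>"]},
    "CN=Ada Lovelace,OU=Users,DC=acme,DC=example,DC=net": {
        "mail": ["ada@acme.example.net"], "givenName": ["Ada"], "sn": ["Lovelace"],
        "userPassword": ["ada-pass"], "memberOf": ["CN=MMSGlobalOwner," + GROUPS]},
    "CN=Bob Builder,OU=Users,DC=acme,DC=example,DC=net": {
        "mail": ["bob@acme.example.net"], "givenName": ["Bob"], "sn": ["Builder"],
        "userPassword": ["bob-pass"], "memberOf": ["CN=MMS-Auditors," + GROUPS]},
}


def parse_properties(text):
    """Minimal .properties reader: key up to the first unescaped '=' or ':';
    backslash escapes such as '\\=' are removed from keys and values."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        props[re.sub(r"\\(.)", r"\1", m.group(1))] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props


def escape_filter_value(value):
    """RFC 4515 escaping so a username such as '*' or 'x)(mail=*' cannot
    change the shape of the filter built from mms.ldap.user.searchAttribute."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _pattern_to_regex(pattern):
    # Interpret a filter value as a server does: bare '*' is a wildcard,
    # '\xx' is a literal character.
    out = []
    for piece in re.split(r"(\*|\\[0-9a-fA-F]{2})", pattern):
        if piece == "*":
            out.append(".*")
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", piece):
            out.append(re.escape(chr(int(piece[1:], 16))))
        else:
            out.append(re.escape(piece))
    return re.compile("".join(out), re.IGNORECASE)


def search(directory, base_dn, filt):
    """Evaluate one '(attr=value)' filter under base_dn -> [(dn, entry), ...]."""
    attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    rx = _pattern_to_regex(pattern)
    return [(dn, e) for dn, e in directory.items()
            if dn.lower().endswith(base_dn.lower())
            and any(rx.fullmatch(v) for v in e.get(attr, []))]


def bind(directory, name, password):
    """Simple bind by DN or userPrincipalName.  An empty password is refused
    first: on a real server an empty password is an unauthenticated bind
    (RFC 4513) that succeeds, which would let anyone through step 2."""
    if not password:
        return False
    for dn, entry in directory.items():
        if name.lower() in (n.lower() for n in [dn] + entry.get("userPrincipalName", [])):
            return hmac.compare_digest(entry["userPassword"][0], password)
    return False


def global_roles(props, member_of):
    """Split every mms.ldap.global.role.* value on mms.ldap.group.separator
    and return the roles whose group list intersects the user's groups."""
    sep = props.get("mms.ldap.group.separator", ";")
    mine = {g.strip().lower() for g in member_of}     # DNs compare case-insensitively
    prefix = "mms.ldap.global.role."
    return sorted(key[len(prefix):] for key, value in props.items()
                  if key.startswith(prefix)
                  and any(g.strip().lower() in mine for g in value.split(sep)))


def ldap_login(props, username, password, directory=DIRECTORY):
    """The page's two steps; returns the synchronized MMS profile or None."""
    # Step 1: bind as mms.ldap.bindDn and search baseDn for the single record
    # whose searchAttribute equals the (escaped) submitted username.
    if not bind(directory, props["mms.ldap.bindDn"], props["mms.ldap.bindPassword"]):
        return None
    filt = f"({props['mms.ldap.user.searchAttribute']}={escape_filter_value(username)})"
    hits = search(directory, props["mms.ldap.user.baseDn"], filt)
    if len(hits) != 1:                  # no match or ambiguous match: fail closed
        return None
    dn, entry = hits[0]
    # Step 2: authenticate as that record with the login-form password.
    if not bind(directory, dn, password):
        return None

    def attr(key):
        return entry.get(props[key], [""])[0]
    return {"firstName": attr("mms.ldap.user.firstName"),
            "lastName": attr("mms.ldap.user.lastName"),
            "email": attr("mms.ldap.user.email"),
            "globalRoles": global_roles(props, entry.get(props["mms.ldap.user.group"], []))}


PROPS = parse_properties(CONF_MMS_PROPERTIES)
```

Calling ldap_login(PROPS, "ada@acme.example.net", "ada-pass") returns Ada's profile with globalRoles ["owner"]; Bob, who is only in the second group of the readOnly list, gets ["readOnly"]. A username of "*" is sent as "\2a" and matches nothing, whereas the unescaped filter "(mail=*)" would match every user under the base DN, which is the difference the escaping exists to enforce.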