This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Configure Users and Groups with LDAP for On-Prem MongoDB Management Service

Important

There is no method to transition an existing MMS deployment with independent user management to use LDAP for user management. You will need to start with a fresh installation of the latest version of MMS.

Overview

On-Prem MongoDB Management Service can use a Lightweight Directory Access Protocol (LDAP) service to store users and manage user authentication. Users continue to log in using the standard MMS interface. After successful LDAP authentication, MMS synchronizes the firstName, lastName, and email attributes of an LDAP user record with the user's MMS user record. Integration requires adding the LDAP attribute names and group values described below to the MMS configuration file.

Upon submission of login form data, MMS authenticates in two steps:

  1. First, MMS binds to the LDAP server with the mms.ldap.bindDn and mms.ldap.bindPassword credentials and searches under mms.ldap.user.baseDn for a user record whose mms.ldap.user.searchAttribute value matches the username entered on the login form.
  2. With a match, MMS authenticates that user against the LDAP server with the password entered on the login form. The bind credentials are used only to locate the record; it is the user's own password that is verified.

Upon successful login with LDAP, the first user completes a welcome form to create the initial MMS group.

Prerequisites

  • LDAP server installed, configured, and accessible to MMS.
  • An LDAP group (identified by cn or dn) whose value is placed in the mms.ldap.global.role.owner configuration property; MMS matches it against the group list in each LDAP user record to grant the owner role.
  • MMS server installed and configured.

You can also create LDAP groups for users who need read-only or other non-administrative roles and set the corresponding global role properties. In this case, create one or more additional LDAP groups.

Considerations

For successful integration, each user record returned by the LDAP server must contain the list of LDAP groups assigned to the user, in the attribute named by mms.ldap.user.group (for example memberOf).

The first user to log in with LDAP authentication must have the LDAP Owner role assigned to their account. The mms.ldap.global.role.owner property setting in the MMS configuration file must match an LDAP owner group.

For example, if LDAP has an admin group for use by MMS admins, set the mms.ldap.global.role.owner property to admin in the MMS configuration file.

Procedure

To configure On-Prem MongoDB Management Service to authenticate its users with LDAP:

  1. Define LDAP record schema attributes and values.
  2. Update the LDAP server configuration values in the MMS conf-mms.properties file.
  3. Update the LDAP user configuration values in the MMS conf-mms.properties file.
  4. Update the Global Role configuration values in the MMS conf-mms.properties file.

The sections below define configuration values to update for each step.

Configuration Files

Configuration parameters connect one or more LDAP groups to roles used in MMS, as well as retrieve user data to authenticate users.

LDAP Server Configuration Parameter

Set this property in the MMS conf-mms.properties configuration file to switch MMS from its built-in user management to the LDAP user service:

Property: mms.userSvcClass
Value: com.xgen.svc.mms.svc.user.UserSvcLdap

LDAP User Configuration Parameters

Update these LDAP directory schema properties in the MMS conf-mms.properties configuration file. The backslash before each = in the example values is the .properties file escape for the equals sign and is not part of the LDAP value itself.

mms.ldap.url
  Example: ldap://acme-dc1.acme.example.net:3890
  The URI for the LDAP server.

mms.ldap.bindDn
  Example: authUser@acme.example.net
  The LDAP user used to execute searches for other users.

mms.ldap.bindPassword
  Example: <user-password>
  The credentials for the search user.

mms.ldap.user.baseDn
  Example: DC\=acme,DC\=example,DC\=net
  The base dn used for searching for users.

mms.ldap.user.searchAttribute
  Example: mail
  The LDAP user record attribute MMS uses to look up, then authenticate, a user when the user types their username into the MMS login form.

mms.ldap.user.firstName
  Example: givenName
  The LDAP user attribute that contains the user's first name.

mms.ldap.user.lastName
  Example: sn
  The LDAP user attribute that contains the user's last name.

mms.ldap.user.email
  Example: mail
  The LDAP user attribute that contains the user's email address.

mms.ldap.user.group
  Example: memberOf
  The LDAP user attribute that contains the list of groups the user belongs to. The values can be CNs or DNs; it doesn't matter which, as long as they are consistent with those provided in the MMS global role configuration, explained below.

Two operational cautions: mms.ldap.bindPassword is stored in cleartext in conf-mms.properties, so restrict the file's permissions to the account MMS runs as and give the bind account only the read access it needs to search the user base DN. An ldap:// URL carries the bind password and every user's login password over the network in the clear; prefer ldaps:// where your directory and MMS version support it.

Global Role Configuration

A global role value identifies an LDAP group either by its cn (Common Name) or by its dn (Distinguished Name). Whichever form you use, it must be the same form that the attribute named by mms.ldap.user.group (in the table above) returns for the user's groups; otherwise no membership will ever match.

Update these LDAP directory schema properties in the MMS conf-mms.properties configuration file:

mms.ldap.global.role.readOnly
  Example: CN\=MMS-ReadOnly,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
  The LDAP group for users assigned the global read-only role in MMS. This role can only view data in MMS.

mms.ldap.global.role.userAdmin
  Example: CN\=MMS-UserAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
  The LDAP group for users assigned the global user administrative role in MMS. This role can manage users' group memberships and update the billing email address.

mms.ldap.global.role.monitoringAdmin
  Example: CN\=MMS-MonitoringAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
  The LDAP group for users assigned the global monitoring administrative role in MMS. This role can view hosts, charts, and other data, as well as monitor hosts, manage monitoring settings, download the Monitoring Agent, and perform other monitoring tasks.

mms.ldap.global.role.backupAdmin
  Example: CN\=MMS-BackupAdmin,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
  The LDAP group for users assigned the global backup administrative role in MMS. This role can view backup status and snapshot lists, modify backup settings, start/stop/terminate backups, request restores, view/edit host passwords, and perform other backup tasks.

mms.ldap.global.role.owner
  Example: CN\=MMSGlobalOwner,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
  The LDAP group for users assigned the global owner role in MMS. This role can perform all administrative tasks in MMS.

mms.ldap.group.separator
  Example: ;
  The delimiter MMS uses to split a global role value into a list of groups.

Each of the global role values may also take a delimited list of groups; for example "dbas,sysadmins" when the delimiter is ,. If any group value itself contains the delimiter, as every DN written with commas does, set mms.ldap.group.separator to a character sequence that cannot appear in a group value, e.g. ;. Otherwise MMS parses "CN\=foo,DC\=bar" as two groups, CN\=foo and DC\=bar, rather than as a single group, and no user's membership will match the role.

The default delimiter for MMS 1.5 is ;;.
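The following is an added example, written for this page and not MMS source code, that models the two-step login flow described in the Overview and the group-separator pitfall described above. It parses a constructed conf-mms.properties fragment (handling the \= escape), looks a user up with the bind account, binds as the matched user, and maps the user's groups to MMS global roles. The directory, the accounts, and the passwords are all constructed for the offline model; the property names are the documented ones, and the "userPassword" check stands in for a real directory's bind.

```python
"""Model of the MMS LDAP login flow and global-role mapping (added example, not MMS code)."""
import re

# Constructed conf-mms.properties fragment. Backslashes before '=' are .properties
# escapes, not part of the LDAP DN; ';;' is the separator because DNs contain commas.
CONF_MMS_PROPERTIES = r"""
mms.userSvcClass=com.xgen.svc.mms.svc.user.UserSvcLdap
mms.ldap.url=ldap://acme-dc1.acme.example.net:3890
mms.ldap.bindDn=authUser@acme.example.net
mms.ldap.bindPassword=search-account-secret
mms.ldap.user.baseDn=DC\=acme,DC\=example,DC\=net
mms.ldap.user.searchAttribute=mail
mms.ldap.user.firstName=givenName
mms.ldap.user.lastName=sn
mms.ldap.user.email=mail
mms.ldap.user.group=memberOf
mms.ldap.group.separator=;;
mms.ldap.global.role.owner=CN\=MMSGlobalOwner,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
mms.ldap.global.role.readOnly=CN\=MMS-ReadOnly,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net;;CN\=Auditors,OU\=MMS,OU\=acme Groups,DC\=acme,DC\=example,DC\=net
"""

GROUPS_OU = "OU=MMS,OU=acme Groups,DC=acme,DC=example,DC=net"

# Constructed directory: DN (or UPN for the bind account) -> attributes. The
# 'userPassword' field only exists so this offline model can simulate a bind.
DIRECTORY = {
    "authUser@acme.example.net": {"userPassword": "search-account-secret"},
    "CN=Alice Admin,OU=Users,DC=acme,DC=example,DC=net": {
        "mail": "alice@acme.example.net", "givenName": "Alice", "sn": "Admin",
        "memberOf": ["CN=MMSGlobalOwner," + GROUPS_OU], "userPassword": "alice-pw"},
    "CN=Bob Reader,OU=Users,DC=acme,DC=example,DC=net": {
        "mail": "bob@acme.example.net", "givenName": "Bob", "sn": "Reader",
        "memberOf": ["CN=Auditors," + GROUPS_OU], "userPassword": "bob-pw"},
}


def parse_properties(text):
    """Minimal Java .properties reader: the key ends at the first unescaped '=',
    and '\\=' in key or value unescapes to a literal '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^((?:\\.|[^=\\])+)=(.*)$", line)
        if m:
            key = m.group(1).strip().replace("\\=", "=")
            props[key] = m.group(2).strip().replace("\\=", "=")
    return props


def role_groups(props, separator=None):
    """Map each mms.ldap.global.role.<role> to its group list, split on the configured
    mms.ldap.group.separator (or an override, to demonstrate the comma pitfall)."""
    sep = separator or props.get("mms.ldap.group.separator", ";;")
    return {key.rsplit(".", 1)[1]: [g.strip() for g in value.split(sep) if g.strip()]
            for key, value in props.items() if key.startswith("mms.ldap.global.role.")}


def ldap_bind(directory, dn, password):
    """Simple bind. An empty password is refused before it reaches the server: RFC 4513
    treats a DN with an empty password as an unauthenticated bind, which servers may
    answer with success, so a client that forwards it would log anyone in."""
    if not password:
        return False
    entry = directory.get(dn)
    return entry is not None and entry.get("userPassword") == password


def ldap_search(directory, base_dn, attribute, value):
    """Return (dn, entry) pairs under base_dn whose attribute equals value."""
    suffix = "," + base_dn.lower()
    return [(dn, e) for dn, e in directory.items()
            if dn.lower().endswith(suffix) and str(e.get(attribute, "")).lower() == value.lower()]


def mms_login(props, directory, username, password):
    """Two-step flow from the Overview. Returns (user_record, roles) or None on failure."""
    # Step 1: bind as the search account and find the record by the search attribute.
    if not ldap_bind(directory, props["mms.ldap.bindDn"], props["mms.ldap.bindPassword"]):
        raise RuntimeError("search account bind failed; check bindDn/bindPassword")
    matches = ldap_search(directory, props["mms.ldap.user.baseDn"],
                          props["mms.ldap.user.searchAttribute"], username)
    if len(matches) != 1:
        return None  # unknown or ambiguous username: never bind on a non-unique match
    dn, entry = matches[0]
    # Step 2: authenticate by binding as the matched record with the login-form password.
    if not ldap_bind(directory, dn, password):
        return None
    user = {f: entry.get(props["mms.ldap.user." + f]) for f in ("firstName", "lastName", "email")}
    groups = set(entry.get(props["mms.ldap.user.group"], []))
    roles = sorted(role for role, gs in role_groups(props).items() if groups & set(gs))
    return user, roles


PROPS = parse_properties(CONF_MMS_PROPERTIES)

if __name__ == "__main__":
    print(mms_login(PROPS, DIRECTORY, "alice@acme.example.net", "alice-pw"))  # owner
    print(mms_login(PROPS, DIRECTORY, "bob@acme.example.net", "bob-pw"))      # readOnly
    print(mms_login(PROPS, DIRECTORY, "alice@acme.example.net", ""))          # None
    # With ',' as the separator a DN-valued group is shattered into RDNs and matches nothing:
    print(role_groups(PROPS, separator=",")["owner"])
```

Running role_groups with separator="," shows the failure mode the text warns about: the owner DN splits into six fragments, none of which equals any memberOf value, so even Alice would log in with no MMS role at all.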