Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.

Enable Kerberos Authentication for your Ops Manager Group

Overview

Ops Manager enables you to configure the Authentication Mechanisms that all clients, including the Ops Manager Agents, use to connect to your MongoDB deployments. You can enable multiple authentication mechanisms for each of your groups, but you must choose only one mechanism for the Agents.

MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an industry standard authentication protocol for large client/server systems.

Important

Setting up and configuring a Kerberos deployment is beyond the scope of this document. This tutorial assumes you have configured a Kerberos principal for each Agent and you have a valid keytab file for each Agent.

To authenticate MongoDB with Kerberos, you must:

  1. Have a properly configured Kerberos deployment,
  2. Configure Kerberos service principals for MongoDB, and
  3. Add the Kerberos user principals for the Agents.

The Kerberos Authentication section of the MongoDB Manual provides more detail about using MongoDB with Kerberos.

Considerations

Kerberos (GSSAPI) is only available on MongoDB Enterprise builds. If you have existing deployments running on a MongoDB Community build, you must upgrade them to MongoDB Enterprise before you can enable Kerberos (GSSAPI) for your Ops Manager group.

This tutorial describes how to enable Kerberos for one of your Ops Manager groups and how to configure your Ops Manager Agents to connect to your Kerberos-enabled deployment.

Note

If Ops Manager is not managing any MongoDB deployment, you can reset Authentication and SSL settings for your group.

To remove all authentication and security settings as well as the users and roles you created using Ops Manager, click Clear Settings in the Authentication & SSL Settings dialog box .

See Clear Security Settings for more information.

To unmanage MongoDB deployments, see Remove a Process from Management or Monitoring.

Procedures

These procedures describe how to configure and enable Kerberos authentication when using Automation. If Ops Manager does not manage your Monitoring or Backup agents, you must manually configure them to authenticate using Kerberos.

See Configure the Monitoring Agent for Kerberos and Configure the Backup Agent for Kerberos for instructions.

Configure an Existing Linux Deployment for Kerberos-based Authentication

If you use Ops Manager to manage existing deployments on Linux in your group, all MongoDB deployments in the group must be configured for Kerberos authentication before you can enable Kerberos authentication for your group.

1

Click Deployment, then click the Processes tab, and then the Topology view.

2

On the line listing the process, click Modify.

3

Expand the Advanced Options area.

4

Set the kerberosKeytab Startup option to point to the keytab file and click Apply.

If kerberosKeytab is not already set, use the Add Option button to add a new startup option, and select kerberosKeytab from the drop-down menu. Input the path to the keytab file as the value, and then click Apply.

When you have configured the Kerberos options for each deployment, you can proceed to enable Kerberos for your Ops Manager group.

Enable Kerberos for your Ops Manager Group

1
2

Select Kerberos.

  1. Check Kerberos (GSSAPI).

  2. Input your SASL Service Name.

    The SASL Service Name is the Kerberos Service Principal Name for mongod or mongos.

  3. Click Next.

3

Configure the LDAP Authorization Settings. (Optional)

Important

Using LDAP Authorization, MongoDB 3.4 allows authenticating users via LDAP, Kerberos, or X.509 certificates without requiring local user documents in the $external database. When such a user successfully authenticates, MongoDB performs a query against the LDAP server to retrieve all groups which that LDAP user possesses and transforms those groups into their equivalent MongoDB roles.

This feature is available only for MongoDB 3.4 or later.

If you do not use LDAP Authorization, you can click Skip.

If you use LDAP Authorization, complete the following steps.

  1. Enter values for the following fields:

    Setting Value
    Authorization Query Template Specify a template for an LDAP query URL to retrieve the list of LDAP groups for an LDAP user.
    User to Distinguished Name Mapping Specify an array of JSON documents that provide the ordered transformation(s) MongoDB performs on the authenticated MongoDB usernames. MongoDB then matches the transformed username against the LDAP DNs.
  2. Click Use LDAP Authorization.

  3. Provide the following values:

    Setting Value
    Servers Specify the hostname:port combination of one or more LDAP servers.
    Transport Security Select TLS to encrypt your LDAP queries. If you do not need to encrypt the LDAP queries, select None.
    Timeout (ms) Specify how long an authentication request should wait before timing out.
    Bind Method

    Select either Simple or SASL.

    Important

    If you choose the Simple bind method, select TLS from the Transport Security because the Simple bind method passes the password in plain text.

    SASL Mechanisms Specify which SASL authentication service MongoDB uses with the LDAP server.
    Query User Specify the LDAP Distinguished Name to which MongoDB binds when connecting to the LDAP server.
    Query Password Specify the password with which MongoDB binds when connecting to an LDAP server.
    LDAP User Cache Invalidation Interval (s) Specify how long MongoDB waits to flush the LDAP user cache. Defaults to 30 seconds.
  4. Click Next.

4

Configure SSL if desired.

  1. Toggle the Enable SSL slider to Yes.
  2. Click Next

Note

See Enable SSL for a Deployment for SSL setup instructions.

SSL is not required for use with Kerberos (GSSAPI) authentication.

5

Configure Kerberos (GSSAPI) for the Agents.

You can enable more than one authentication mechanism for your MongoDB deployment, but the Ops Manager Agents can only use one authentication mechanism. Select Kerberos (GSSAPI) to connect to your MongoDB deployment.

  1. Select Kerberos (GSSAPI) from the Agent Auth Mechanism drop-down menu.

  2. Enter Agent Credentials for the appropriate operating system:

    Tip

    Only configure the Agents you installed. For example, if you did not install the Backup Agent, do not configure the Backup agent.

    If using Linux, configure:

    Setting Value
    <Agent> Kerberos Principal The Kerberos Principal.
    <Agent> Keytab Path The path for the Agent’s Keytab.
    <Agent> LDAP Group DN

    Enter the Distinguished Name for the Agent’s LDAP Group.

    The LDAP Group DN is then created as a role in MongoDB to grant the Agent the appropriate privileges.

    Note

    You only need to provide the Agent’s LDAP Group DN if you use LDAP Authorization.

    If using Windows, configure:

    Setting Value
    <Agent> Username The Active Directory user name.
    <Agent> Password The Active Directory password.
    Domain The NetBIOS name of a domain in Active Directory Domain Services. Must be in all capital letters.
  3. Click Save.

6

Click Review & Deploy to review your changes.

7

Review and approve your changes.

Ops Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. Otherwise, click Cancel and you can make additional changes.