Configure Backup Agent for LDAP Authentication

If your MongoDB deployment enforces access control, the Backup Agent must authenticate to MongoDB as a user with the proper access. If you use Automation, Cloud Manager takes care of this for you.

MongoDB Enterprise supports simple and SASL binding to Lightweight Directory Access Protocol (LDAP) servers via saslauthd and operating system libraries:

  • MongoDB Enterprise for Linux can bind to an LDAP server either via saslauthd or, starting in MongoDB 3.4, via operating system libraries.
  • Starting in MongoDB 3.4, MongoDB Enterprise for Windows can bind to an LDAP server via operating system libraries.

The Backup Agent supports authenticating to MongoDB instances using LDAP.

If your MongoDB deployment uses LDAP to authenticate users, authenticate the Backup Agent by creating a user in the $external database with the appropriate roles in MongoDB.

Note

Cloud Manager can manage agent authentication for you if you are using Automation to manage the agents. With Automation, Cloud Manager creates the user for each agent and configures the agent appropriately. See Enable LDAP Authentication for your Cloud Manager Group for more information.

Considerations

You must configure LDAP authentication separately for each agent. See Configure Monitoring Agent for LDAP for configuration instructions for the Monitoring Agent.

You can configure LDAP authentication when activating backup or by editing an existing host’s configuration. See Enable LDAP Authentication for your Cloud Manager Group for instructions.

Procedures

Create User in MongoDB

To back up MongoDB 2.6+ instances that use LDAP authentication, add a user that possesses the required roles to the $external database in MongoDB. The $external database allows mongod to consult an external source, such as an LDAP server, to authenticate the user.

Use the following commands to create the users from a mongo shell connected to your MongoDB deployment:

MongoDB 3.0 or later

// The user lives in $external (no pwd field): the LDAP server verifies the credentials.
// The built-in backup role on admin grants everything the Backup Agent needs.
db.getSiblingDB("$external").createUser(
  {
    user: "<username>",
    roles: [ { role: "backup", db: "admin" } ]
  }
)

MongoDB 2.6

// MongoDB 2.6 has no backup role, so the equivalent access is granted explicitly.
db.getSiblingDB("$external").createUser(
  {
    user: "<username>",
    roles: [
      "clusterAdmin",
      "readAnyDatabase",
      "userAdminAnyDatabase",
      { role: "readWrite", db: "admin" },
      { role: "readWrite", db: "local" }
    ]
  }
)

See Required Access for Backup Agent for more information on the required access.
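The following is an added example, not code from the Cloud Manager documentation or from MongoDB itself. It shows how an operator can build the createUser() argument for the agent user from the server version (the 3.0+ and 2.6 role sets above) and then audit the document that db.getSiblingDB("$external").getUser("<username>") returns: the user must live in $external, must hold every required role, must carry no MongoDB password, and should not hold superuser-class roles the agent does not need. The function names, the sample user documents and the interpretation of the page's string-form 2.6 roles as admin-database roles (those built-in roles exist only in admin) are assumptions made for this example; it runs offline in Node and does not talk to a server.

```javascript
// Added example (not MongoDB's or Cloud Manager's code): build and audit the
// $external user the Backup Agent authenticates as. Pure functions, so it runs
// without a mongod; "userDoc" mirrors the shape of getUser() output
// ({ user, db, roles: [{ role, db }] }).

// Role sets taken from the createUser() commands on this page.
const BACKUP_ROLES_3_0 = [{ role: "backup", db: "admin" }];

// The page lists the first three as bare strings; they are assumed here to be
// admin-database roles, since those built-in roles are defined only in admin.
const BACKUP_ROLES_2_6 = [
  { role: "clusterAdmin", db: "admin" },
  { role: "readAnyDatabase", db: "admin" },
  { role: "userAdminAnyDatabase", db: "admin" },
  { role: "readWrite", db: "admin" },
  { role: "readWrite", db: "local" },
];

// Roles an agent never needs; flag them so the audit enforces least privilege.
const OVERBROAD_ROLES = new Set(["root", "__system"]);

// Parse "3.4.2" -> [3, 4, 2]. Only major.minor matter for the 3.0 threshold.
function parseVersion(version) {
  const parts = String(version).split(".").map((p) => parseInt(p, 10));
  if (parts.length < 2 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable MongoDB version: ${version}`);
  }
  return parts;
}

function isAtLeast(version, major, minor) {
  const [M, m] = parseVersion(version);
  return M > major || (M === major && m >= minor);
}

function requiredRoles(serverVersion) {
  return isAtLeast(serverVersion, 3, 0) ? BACKUP_ROLES_3_0 : BACKUP_ROLES_2_6;
}

// Return the argument to pass to db.getSiblingDB("$external").createUser().
// Deliberately no "pwd": an LDAP-backed user in $external has no MongoDB
// password; the directory server verifies the credentials.
function buildBackupUserSpec(username, serverVersion) {
  if (typeof username !== "string" || username.length === 0) {
    throw new Error("username must be a non-empty string");
  }
  return {
    user: username,
    roles: requiredRoles(serverVersion).map((r) => ({ ...r })),
  };
}

// Audit a getUser()-style document. Returns a list of problems; empty means
// the user is correctly set up for the Backup Agent on that server version.
function checkBackupUser(userDoc, serverVersion) {
  const problems = [];
  if (userDoc.db !== "$external") {
    problems.push(`user is defined in "${userDoc.db}", not in $external`);
  }
  if ("pwd" in userDoc) {
    problems.push("user carries a MongoDB password; LDAP users must not");
  }
  const held = (userDoc.roles || []).map((r) => `${r.role}@${r.db}`);
  const heldSet = new Set(held);
  for (const r of requiredRoles(serverVersion)) {
    if (!heldSet.has(`${r.role}@${r.db}`)) {
      problems.push(`missing required role ${r.role} on ${r.db}`);
    }
  }
  for (const r of userDoc.roles || []) {
    if (OVERBROAD_ROLES.has(r.role)) {
      problems.push(`role ${r.role} on ${r.db} exceeds what the agent needs`);
    }
  }
  return problems;
}

// Constructed sample: what a correctly created 3.x agent user looks like.
const SAMPLE_GOOD_USER = {
  user: "backup-agent",
  db: "$external",
  roles: [{ role: "backup", db: "admin" }],
};

module.exports = { buildBackupUserSpec, checkBackupUser, SAMPLE_GOOD_USER };
```

In a mongo shell the audit would be run as checkBackupUser(db.getSiblingDB("$external").getUser("<username>"), db.version()) after pasting the functions in; the 3.0 threshold is the only version logic, so a 3.4 or 3.6 server is handled the same way as 3.0.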

Host Settings

MongoDB agents interact with the MongoDB databases in your deployment as a MongoDB user would. Each agent must authenticate and then be granted the privileges its role in your deployment requires. As a result, you must configure both your MongoDB deployment and your agents to support authentication.

You can specify the deployment’s authentication mechanisms when adding the deployment, or you can edit the settings for an existing deployment. At minimum, the deployment must enable the Kerberos authentication mechanism you want the agents to use.

Adding an agent as a MongoDB user requires configuring an authentication mechanism. Agents can use any supported authentication mechanism, but all agents must use the same mechanism.

For the purposes of this tutorial, you must ensure your:

  • Deployment supports Kerberos authentication and
  • Agents use Kerberos authentication.

See Enable Kerberos Authentication for your Cloud Manager Group for how to enable Kerberos authentication.