As per K8SPSMDB-732, TLS is now supported with LDAP authentication on Percona Operator for MongoDB 1.16.0 and above. This feature has been documented here as well. I’ve written a previous article on using LDAP authentication and authorization without TLS, so here are the instructions for adding TLS to that LDAP setup.
First, you need to create a secret that contains the SSL certificates to connect to LDAP:
```
# kubectl create secret generic ldap-secret --from-file=ca.crt=ldap-ca.pem --from-file=tls.crt=ldap-cert.pem --from-file=tls.key=ldap-key.pem
```
At the time of writing, only the CA certificate appears to be honored by the operator, so you can add just that certificate:
```
# kubectl create secret generic ldap-secret --from-file=ca.crt=ldap-ca.pem
```
Second, under the secrets section of cr.yaml, add a reference to the secret using the ldapSecret key, and apply it:
```
# cat cr-minimal.yaml
apiVersion: psmdb.percona.com/v1
kind: PerconaServerMongoDB
metadata:
  name: minimal-cluster
spec:
  crVersion: 1.16.1
  image: percona/percona-server-mongodb:7.0.8-5
  unsafeFlags:
    replsetSize: true
    mongosSize: true
  upgradeOptions:
    apply: disabled
    schedule: "0 2 * * *"
  secrets:
    users: minimal-cluster
    ldapSecret: ldap-secret
  replsets:
  - name: rs0
    size: 1
    volumeSpec:
      persistentVolumeClaim:
        resources:
          requests:
            storage: 3Gi
  sharding:
    enabled: true
    configsvrReplSet:
      size: 1
      volumeSpec:
        persistentVolumeClaim:
          resources:
            requests:
              storage: 3Gi
    mongos:
      size: 1

# kubectl apply -f cr-minimal.yaml
```
Third, enable TLS for the LDAP connection on the replica set, config server, and mongos by setting “transportSecurity: tls” in their configuration, and apply this change:
```
# cat fulldn-config.yaml
security:
  authorization: "enabled"
  ldap:
    authz:
      queryTemplate: 'DC=test,DC=com??sub?(&(objectClass=group)(member:={PROVIDED_USER}))'
    servers: "ldap.server.url"
    transportSecurity: tls
    bind:
      queryUser: "CN=Search User01,CN=Users,DC=percona,DC=local"
      queryPassword: "SearchPassword1"
setParameter:
  authenticationMechanisms: 'PLAIN,SCRAM-SHA-1,SCRAM-SHA-256'

# kubectl create secret generic minimal-cluster-rs0-mongod --from-file=mongod.conf=fulldn-config.yaml
# kubectl create secret generic minimal-cluster-cfg-mongod --from-file=mongod.conf=fulldn-config.yaml

# cat fulldn-mongos-config.yaml
security:
  ldap:
    servers: "ldap.server.url"
    transportSecurity: tls
    bind:
      queryUser: "CN=Search User01,CN=Users,DC=percona,DC=local"
      queryPassword: "SearchPassword1"
setParameter:
  authenticationMechanisms: 'PLAIN,SCRAM-SHA-1,SCRAM-SHA-256'

# kubectl create secret generic minimal-cluster-mongos --from-file=mongos.conf=fulldn-mongos-config.yaml
```
Once the pods have restarted, the logs show that the CA certificate you added is being used for LDAP authentication:
```
# kubectl logs minimal-cluster-cfg-0 -c mongod | grep openldap
+ LDAP_SSL_DIR=/etc/openldap/certs
+ '[' -f /etc/openldap/certs/ca.crt ']'
+ echo 'TLS_CACERT /etc/openldap/certs/ca.crt'

# kubectl logs minimal-cluster-rs0-0 -c mongod | grep openldap
+ LDAP_SSL_DIR=/etc/openldap/certs
+ '[' -f /etc/openldap/certs/ca.crt ']'
+ echo 'TLS_CACERT /etc/openldap/certs/ca.crt'
```
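Beyond reading the startup logs, it is worth checking the three pieces above fit together before and after applying them. The following POSIX shell script is an added example, not part of the post or of the Percona Operator: it verifies that the CR references the LDAP secret, that each mongod and mongos config sets transportSecurity: tls, and that the LDAP server's certificate actually chains to the ca.crt stored in the secret. It assumes the file names from the post, LDAPS on port 636, the placeholder hostname ldap.server.url, and that kubectl and openssl are on the path.

```shell
# Added pre-apply checks for the LDAP-over-TLS setup described in this post; not part
# of the Percona Operator or the original post. File names, the secret name and the
# LDAP host/port are assumptions; ldap.server.url is the placeholder from the post.
set -e
# 0 if a mongod/mongos config turns TLS on for the LDAP connection; with the key
# absent, the bind credentials travel to the LDAP server in plaintext.
ldap_tls_enabled() {
  grep -Eq '^[[:space:]]+transportSecurity:[[:space:]]*tls[[:space:]]*$' "$1"
}

# 0 if the CR wires the secret in under spec.secrets.ldapSecret.
cr_references_secret() {
  grep -Eq "^[[:space:]]+ldapSecret:[[:space:]]*$2[[:space:]]*$" "$1"
}

# Write the secret's ca.crt (the only key the operator honours today) to a file;
# fails when the key is missing or empty.
secret_ca_to_file() {
  kubectl get secret "$1" -o jsonpath='{.data.ca\.crt}' | base64 -d > "$2"
  [ -s "$2" ]
}

# 0 if the LDAP server's certificate verifies against that CA. Assumes LDAPS on
# port 636; a StartTLS-on-389 deployment is not covered by this check.
ldap_cert_chains_to_ca() {
  openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Usage: sh ldap-tls-check.sh cr-minimal.yaml fulldn-config.yaml \
#            fulldn-mongos-config.yaml ldap-secret ldap.server.url
main() {
  cr=$1; mongod_conf=$2; mongos_conf=$3; secret=$4; host=$5; rc=0
  cr_references_secret "$cr" "$secret" ||
    { echo "FAIL: $cr does not set secrets.ldapSecret: $secret"; rc=1; }
  for f in "$mongod_conf" "$mongos_conf"; do
    ldap_tls_enabled "$f" || { echo "FAIL: $f lacks transportSecurity: tls"; rc=1; }
  done
  ca=$(mktemp)
  if secret_ca_to_file "$secret" "$ca"; then
    ldap_cert_chains_to_ca "$host" 636 "$ca" ||
      { echo "FAIL: $host certificate does not chain to ca.crt in $secret"; rc=1; }
  else
    echo "FAIL: secret $secret has no usable ca.crt"; rc=1
  fi
  rm -f "$ca"
  return "$rc"
}
if [ "$#" -eq 5 ]; then main "$@"; fi
```

A non-zero exit from the script means at least one of the three conditions failed; the FAIL lines name which file or secret to fix.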
Voila! Now your replica sets, config servers, and mongos can authenticate to LDAP over TLS instead of sending usernames and passwords to LDAP in plaintext over an unencrypted network.