Problem:

The client requires Active Directory/LDAP integration for MongoDB user management comparable to what the Enterprise edition of MongoDB provides: users authenticate against the directory, and user creation, deletion and permission assignment are driven from it rather than maintained by hand in MongoDB.

Solution:

Two approaches were evaluated against these requirements.

Resolution 1. Utilize Percona Server for MongoDB with LDAP Support:

  • Use Percona Server for MongoDB, whose free distribution includes LDAP authentication and LDAP authorization.
  • A proof of concept (POC) was built with Docker, Percona Server for MongoDB 7.0 and OpenLDAP.
  • mongod is configured to accept LDAP credentials (the PLAIN mechanism against the $external database, over TLS to the directory) while SCRAM stays enabled for local administrative accounts.
  • MongoDB roles are granted automatically from LDAP group membership: mongod queries the directory for the user's groups and maps each group DN to a role of the same name in the admin database.
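The configuration and checks for a setup like the POC above, as an added example that is not part of the original write-up and not Percona's own code. The LDAP host, base DN, bind account, group DNs, the admin URI and the RUN_POC switch are assumptions; the mongod.conf keys are the standard security.ldap settings that Percona Server for MongoDB shares with MongoDB Enterprise.

```shell
#!/usr/bin/env bash
# Added example for the Percona Server for MongoDB + OpenLDAP POC; not code from
# the original write-up or from Percona. Every hostname, DN, account and URI
# below is an assumption and must be replaced for a real environment.
set -eu

LDAP_HOST="${LDAP_HOST:-openldap.example.org}"                       # assumed; reached over TLS
BASE_DN="${BASE_DN:-dc=example,dc=org}"                               # assumed
BIND_DN="${BIND_DN:-cn=mongodb-bind,ou=services,dc=example,dc=org}"  # assumed read-only service account
BIND_PW="${BIND_PW:-REPLACE_ME}"                                      # supply via the environment, never commit
MONGOD_CONF="${MONGOD_CONF:-./mongod.conf}"
MONGO_ADMIN_URI="${MONGO_ADMIN_URI:-mongodb://admin:REPLACE_ME@mongo:27017/admin}"  # assumed SCRAM admin
MONGO_URI="${MONGO_URI:-mongodb://mongo:27017/}"

# 1. mongod.conf: LDAP users log in with PLAIN against $external, the login name is
#    resolved to a DN, and the DN is used to look up the user's groups.
render_mongod_conf() {
  cat <<EOF
security:
  authorization: enabled
  ldap:
    servers: "${LDAP_HOST}"
    transportSecurity: tls            # never "none": PLAIN forwards the user's password to the directory
    bind:
      method: simple
      queryUser: "${BIND_DN}"
      queryPassword: "${BIND_PW}"     # keep this file mode 0600
    # login name "alice" -> the entry with uid=alice under the base DN
    userToDNMapping: '[{ match: "(.+)", ldapQuery: "${BASE_DN}??sub?(uid={0})" }]'
    authz:
      # {USER} is the DN found above; every matching group DN is returned as a MongoDB role name
      queryTemplate: "${BASE_DN}??sub?(&(objectClass=groupOfNames)(member={USER}))"
setParameter:
  authenticationMechanisms: PLAIN,SCRAM-SHA-256   # keep SCRAM for the local break-glass admin
EOF
}

# 2. mongod grants a user every admin-database role whose *name* equals one of the
#    group DNs returned by queryTemplate, so one role is created per LDAP group and
#    named exactly by the group's DN; the group members need no MongoDB user document.
ldap_group_role_js() {  # usage: ldap_group_role_js GROUP_DN MONGO_ROLE...
  group_dn="$1"; shift
  roles=""
  for r in "$@"; do
    roles="${roles:+$roles, }\"$r\""
  done
  printf 'db.getSiblingDB("admin").createRole({ role: "%s", privileges: [], roles: [%s] })\n' "$group_dn" "$roles"
}

# 3. End-to-end check: connectionStatus reports the roles mongod actually derived from
#    the group query. Re-run it after changing group membership, because mongod caches
#    LDAP authorization results for a while.
check_ldap_login() {  # usage: check_ldap_login USER PASSWORD
  mongosh "$MONGO_URI" --authenticationDatabase '$external' --authenticationMechanism PLAIN \
    -u "$1" -p "$2" --quiet --eval 'db.runCommand({ connectionStatus: 1 }).authInfo'
}

# Side effects only when explicitly requested (RUN_POC=1 in a POC environment).
if [ "${RUN_POC:-0}" = 1 ]; then
  render_mongod_conf > "$MONGOD_CONF"
  chmod 600 "$MONGOD_CONF"   # the bind password is inside
  echo "wrote $MONGOD_CONF; restart mongod with it before creating roles"
  mongosh "$MONGO_ADMIN_URI" --quiet \
    --eval "$(ldap_group_role_js "cn=dbadmins,ou=groups,${BASE_DN}" readWriteAnyDatabase clusterMonitor)"
  mongosh "$MONGO_ADMIN_URI" --quiet \
    --eval "$(ldap_group_role_js "cn=readers,ou=groups,${BASE_DN}" readAnyDatabase)"
  check_ldap_login "${LDAP_TEST_USER:-alice}" "${LDAP_TEST_PW:-REPLACE_ME}"
fi
```

Before touching mongod, validate the two filters with ldapsearch using the same bind account (for example `ldapsearch -H ldaps://openldap.example.org -D "$BIND_DN" -W -b "$BASE_DN" "(uid=alice)"`), since a template that returns nothing shows up in MongoDB only as a generic authentication failure. The PLAIN mechanism also means the user's password travels to mongod, so client connections need TLS on the mongod side as well as on the LDAP side.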

Result:

  • Users authenticate to MongoDB with their LDAP credentials; no MongoDB password and no per-user MongoDB user document is needed for them.
  • Permissions follow LDAP group membership: a role named after each group DN has to exist once in MongoDB's admin database, after which adding or removing a user from the group changes their MongoDB access with no MongoDB-side configuration.
  • Percona Server for MongoDB is a drop-in replacement for MongoDB Community Edition that covers the LDAP features otherwise reserved for MongoDB Enterprise, so the change amounts to swapping binaries and adding the LDAP section to mongod.conf.

Pros:

  • Percona Server for MongoDB includes LDAP authentication and authorization that mirror the MongoDB Enterprise features, without an Enterprise licence.
  • Minimal customization: a configuration change plus one admin-database role per LDAP group.

Cons:

  • Running a different distribution of MongoDB (the same major version, but not the upstream build) may introduce compatibility or certification issues with tooling and existing support contracts.
  • No support from official MongoDB channels; support comes from Percona or the community.
  • Existing MongoDB Community deployments must be switched to the Percona Server for MongoDB binaries. The data files are compatible at the same major version, but the swap still has to be planned, tested and rolled through every replica set member.
  • The LDAP bind credentials live in mongod.conf and the PLAIN mechanism forwards user passwords, so TLS on both the client-to-mongod and mongod-to-LDAP connections, a read-only bind account and restrictive permissions on the configuration file are mandatory, not optional hardening.

Resolution 2. Proxy Server Solution:

Place a proxy in front of mongod that intercepts the MongoDB wire protocol and performs LDAP authentication itself, using a tool such as mongoproxy.

Pros:

  • Works against an unmodified MongoDB server, since the proxy speaks the MongoDB wire protocol.

Cons:

  • Significant engineering effort required to build and operate the proxy.
  • Potential for future compatibility issues as the wire protocol and drivers evolve.
  • mongoproxy lacks maintenance and updates.
  • The proxy sits in the data path of every client request and becomes a security-critical component that must be maintained alongside the server.
  • No POC was conducted; not recommended for use.

Conclusion:

Implementing LDAP integration via Percona Server for MongoDB meets the client's requirements with centralized authentication and group-driven authorization, and it simplifies administration. The proxy alternative entails far higher engineering effort and ongoing compatibility risk, which makes the Percona approach the recommended choice.