diff --git a/config/redirects b/config/redirects index 0794caeb3df..c9f079850bf 100644 --- a/config/redirects +++ b/config/redirects @@ -1879,6 +1879,14 @@ raw: /manual/core/wildcard -> ${base}/manual/core/index-wildcard/ [v5.0-*]: /${version}/reference/read-concern-majority/#disable-read-concern-majority -> ${base}/${version}/reference/read-concern-majority/#primary-secondary-arbiter-replica-sets + +# +# Redirects for 5.1 and greater (if pages are removed in 5.0 that used to exist in earlier versions) +# + +[v5.0-*]: /${version}/core/core/authentication-mechanisms -> ${base}/${version}/core/authentication + + # # Upgrade / Downgrade redirects # diff --git a/source/core/authentication-mechanisms-enterprise.txt b/source/core/authentication-mechanisms-enterprise.txt deleted file mode 100644 index d4f02d35bc5..00000000000 --- a/source/core/authentication-mechanisms-enterprise.txt +++ /dev/null 
@@ -1,89 +0,0 @@ -==================================== -Enterprise Authentication Mechanisms -==================================== - -.. default-domain:: mongodb - -.. contents:: On this page - :local: - :backlinks: none - :depth: 1 - :class: singlecol - -In addition to the authentication mechanisms offered in MongoDB -Community, MongoDB Enterprise provides integration with the following -external authentication mechanisms. - -.. _security-auth-kerberos: - -Kerberos Authentication ------------------------ - -`MongoDB Enterprise `_ -supports authentication using a Kerberos service. Kerberos is an industry -standard authentication protocol for large client/server systems. - -To use MongoDB with Kerberos, you must have a properly configured -Kerberos deployment, configured :ref:`Kerberos service principals -` for MongoDB, and added :ref:`Kerberos -user principal ` to MongoDB. - -For more information on Kerberos and MongoDB, see: - -- :doc:`/core/kerberos`, - -- :doc:`/tutorial/control-access-to-mongodb-with-kerberos-authentication` and - -- :doc:`/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication`. - -.. _security-auth-ldap: - -LDAP Proxy Authentication -------------------------- - - -`MongoDB Enterprise -`_ supports -proxy authentication through a Lightweight Directory Access Protocol -(LDAP) service. - -.. versionchanged:: 3.4 - - MongoDB 3.4 supports using operating system libraries instead of the - `saslauthd `_ - daemon, allowing MongoDB 3.4 servers running on Linux and Microsoft Windows - to connect to LDAP servers. Linux MongoDB deployments continue to support - ``saslauthd``. - -Previous versions of MongoDB support authentication against an LDAP server -using simple and SASL binding via ``saslauthd``. This restricted LDAP -authentication support to only Linux MongoDB deployments. - -See :doc:`/core/security-ldap` for more information. - -LDAP Authorization -~~~~~~~~~~~~~~~~~~ - -.. 
versionadded:: 3.4 - -MongoDB Enterprise supports querying an LDAP server for the LDAP groups the -authenticated user is a member of. MongoDB maps the Distinguished Names (DN) -of each returned group to :ref:`roles ` on the ``admin`` database. -MongoDB authorizes the user based on the mapped roles and their associated -privileges. See :ref:`LDAP Authorization ` for more -information. - -.. seealso:: - - - :doc:`/core/security-ldap` - - :doc:`/tutorial/configure-ldap-sasl-openldap` - - :doc:`/tutorial/configure-ldap-sasl-activedirectory` - -.. toctree:: - :titlesonly: - :hidden: - - /core/kerberos - /core/security-ldap - /core/security-ldap-external - diff --git a/source/core/authentication-mechanisms.txt b/source/core/authentication-mechanisms.txt deleted file mode 100644 index 88166e441cf..00000000000 --- a/source/core/authentication-mechanisms.txt +++ /dev/null 
@@ -1,65 +0,0 @@ -.. _security-authentication-mechanisms: - -========================= -Authentication Mechanisms -========================= - -.. default-domain:: mongodb - -.. contents:: On this page - :local: - :backlinks: none - :depth: 1 - :class: singlecol - - -MongoDB supports the following authentication mechanisms: - -- :doc:`SCRAM Authentication ` (*Default*) - -- :doc:`x.509 Certificate Authentication `. - -In addition, MongoDB Enterprise provides integration with a number of -external authentication mechanisms, including Kerberos and LDAP. See -:doc:`/core/authentication-mechanisms-enterprise` for the additional -authentication mechanisms supported by MongoDB Enterprise. - -.. _authentication-mechanism-default: - -SCRAM Authentication --------------------- - -Salted Challenge Response Authentication Mechanism (SCRAM) is the -default authentication mechanism for MongoDB. - -For more information on SCRAM and MongoDB, see: - -- :doc:`SCRAM Authentication ` -- :ref:`scram-client-authentication` - -.. _authentication-mechanism-x509: - -x.509 Certificate Authentication --------------------------------- - -MongoDB supports x.509 certificate authentication for client -authentication and internal authentication of the members of replica -sets and sharded clusters. x.509 certificate authentication requires a -secure :doc:`TLS/SSL connection `. - -To use MongoDB with x.509, you must use valid certificates generated and -signed by a certificate authority. The client x.509 certificates -must meet the :ref:`client certificate requirements -`. - -For more information on x.509 and MongoDB, see: - -- :doc:`x.509 Certificate Authentication ` -- :ref:`x509-client-authentication` - -.. toctree:: - :titlesonly: - :hidden: - - /core/security-scram - /core/security-x.509 diff --git a/source/core/authentication.txt b/source/core/authentication.txt index 10f882b8f12..d4230bc36ab 100644 --- a/source/core/authentication.txt +++ b/source/core/authentication.txt 
@@ -34,22 +34,90 @@ To get started using access control, follow these tutorials: - :ref:`authentication-auth-as-user` .. _available-authentication-mechanisms: +.. _security-authentication-mechanisms: Authentication Mechanisms ------------------------- -MongoDB Community supports a number of :ref:`authentication mechanisms -` that clients can use to verify -their identity: +.. _authentication-mechanism-default: -- :ref:`authentication-scram` (*Default*) -- :ref:`x.509 Certificate Authentication `. +SCRAM Authentication +~~~~~~~~~~~~~~~~~~~~ -In addition to the preceding mechanisms, MongoDB Atlas and MongoDB -Enterprise support the following mechanisms: +:doc:`Salted Challenge Response Authentication Mechanism (SCRAM) +` is the default authentication mechanism for +MongoDB. -- :ref:`LDAP proxy authentication `, and -- :ref:`Kerberos authentication `. +For more information on SCRAM and MongoDB, see: + +- :doc:`SCRAM Authentication ` +- :ref:`scram-client-authentication` + +.. _authentication-mechanism-x509: + +x.509 Certificate Authentication +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +MongoDB supports :doc:`x.509 certificate authentication +` for client authentication and internal +authentication of the members of replica sets and sharded clusters. +x.509 certificate authentication requires a secure :doc:`TLS/SSL +connection `. + +To use MongoDB with x.509, you must use valid certificates generated and +signed by a certificate authority. The client x.509 certificates +must meet the :ref:`client certificate requirements +`. + +For more information on x.509 and MongoDB, see: + +- :doc:`x.509 Certificate Authentication ` +- :ref:`x509-client-authentication` + +.. _security-auth-kerberos: + +Kerberos Authentication +~~~~~~~~~~~~~~~~~~~~~~~ + +`MongoDB Enterprise +`_ +and `MongoDB Atlas +`__ support +:doc:`Kerberos Authentication `. 
Kerberos is an industry +standard authentication protocol for large client/server systems that +provides authentication using short-lived tokens that are called +tickets. + +To use MongoDB with Kerberos, you must have a properly configured +Kerberos deployment, configured :ref:`Kerberos service principals +` for MongoDB, and a :ref:`Kerberos user +principal ` added to MongoDB. + +For more information on Kerberos and MongoDB, see: + +- :doc:`Kerberos Authentication ` +- :doc:`/tutorial/control-access-to-mongodb-with-kerberos-authentication` +- :doc:`/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication` + +.. _security-auth-ldap: + +LDAP Proxy Authentication +~~~~~~~~~~~~~~~~~~~~~~~~~ + +`MongoDB Enterprise +`_ +and `MongoDB Atlas +`__ support +:doc:`LDAP Proxy Authentication ` proxy +authentication through a Lightweight Directory Access Protocol (LDAP) +service. + +For more information on Kerberos and MongoDB, see: + +- :doc:`LDAP Proxy Authentication ` +- :doc:`/tutorial/configure-ldap-sasl-activedirectory` +- :doc:`/tutorial/configure-ldap-sasl-openldap` +- :doc:`/tutorial/authenticate-nativeldap-activedirectory` These mechanisms allow MongoDB to integrate into your existing authentication system. @@ -68,8 +136,10 @@ for more information. :titlesonly: :hidden: - /core/security-users - /core/authentication-mechanisms - /core/authentication-mechanisms-enterprise + /core/security-scram + /core/security-x.509 + /core/kerberos + /core/security-ldap /core/security-internal-authentication /core/localhost-exception + /core/security-users diff --git a/source/core/authorization.txt b/source/core/authorization.txt index 45ad2fbe4e4..9e3d13d2f4a 100644 --- a/source/core/authorization.txt +++ b/source/core/authorization.txt 
@@ -103,6 +103,16 @@ If these built-in-roles cannot provide the desired set of privileges, MongoDB provides methods to create and modify :doc:`user-defined roles `. +LDAP Authorization +------------------ + +MongoDB Enterprise supports querying an LDAP server for the LDAP groups the +authenticated user is a member of. MongoDB maps the Distinguished Names (DN) +of each returned group to :ref:`roles ` on the ``admin`` database. +MongoDB authorizes the user based on the mapped roles and their associated +privileges. See :ref:`LDAP Authorization ` for more +information. + .. toctree:: :titlesonly: :hidden: @@ -112,3 +122,4 @@ MongoDB provides methods to create and modify :doc:`user-defined roles /tutorial/manage-users-and-roles /tutorial/change-own-password-and-custom-data /core/collection-level-access-control + /core/security-ldap-external
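Review bot: In the config/redirects hunk, the source path of the new rule, "/${version}/core/core/authentication-mechanisms", repeats "core/", so it will not match the page removed from source/core/authentication-mechanisms.txt. It should most likely read "/${version}/core/authentication-mechanisms". The target also has no trailing slash, unlike the "index-wildcard/" rule just above it. The comment block says "5.1 and greater" while the rule is scoped "[v5.0-*]"; please make the comment and the version range agree.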
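Review bot: source/core/authentication-mechanisms-enterprise.txt is deleted, but the config/redirects hunk adds a rule only for authentication-mechanisms, so existing links to the enterprise page will have no redirect. Suggest adding a matching "[v5.0-*]" rule that sends "/${version}/core/authentication-mechanisms-enterprise" to the authentication page. The deleted page's "versionchanged:: 3.4" paragraph about operating system libraries versus saslauthd is not carried into the new LDAP section either; confirm that /core/security-ldap still covers it.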
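Review bot: In the source/core/authentication.txt hunk, the new "LDAP Proxy Authentication" section introduces its link list with "For more information on Kerberos and MongoDB, see:", copied from the Kerberos section above; it should say LDAP. The sentence before it reads "support :doc:`LDAP Proxy Authentication ` proxy authentication through a Lightweight Directory Access Protocol (LDAP) service", which repeats "proxy authentication"; drop the second occurrence. The unchanged line "These mechanisms allow MongoDB to integrate into your existing authentication system." now follows the LDAP link list directly, so it is no longer clear which mechanisms it refers to.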
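Review bot: In the source/core/authorization.txt hunk, the new "LDAP Authorization" section names only MongoDB Enterprise, while the LDAP Proxy Authentication text added to authentication.txt in this same patch names both MongoDB Enterprise and MongoDB Atlas. Please confirm which products support LDAP authorization and make the two sections consistent. Because this paragraph describes LDAP group DNs being mapped to roles on the "admin" database, readers would also benefit from a sentence pointing to where that mapping is configured, rather than relying only on the closing "See ... for more information" link.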