mongodb/debian/mongoldap.1

.TH mongoldap 1
.SH MONGOLDAP
\fIMongoDB Enterprise\f1
.SH SYNOPSIS
.PP
MongoDB Enterprise provides
\fBmongoldap\f1\f1 for testing MongoDB\(aqs LDAP \fBconfiguration
options\f1 against a running LDAP server or set
of servers.
.PP
To validate the LDAP options in the configuration file, set the
\fBmongoldap\f1\f1 \fB\-\-config\f1\f1 option to the configuration file\(aqs
path.
.PP
To test the LDAP configuration options, you must specify a \fB\-\-user\f1\f1
and \fB\-\-password\f1\&. \fBmongoldap\f1\f1 simulates authentication to a
MongoDB server running with the provided configuration options and credentials.
.PP
\fBmongoldap\f1\f1 returns a report that includes the success or failure of
any step in the LDAP authentication or authorization procedure. Error messages
include information on specific errors encountered and potential advice for
resolving the error.
.PP
When configuring options related to \fBLDAP authorization\f1, \fBmongoldap\f1\f1 executes an LDAP query
constructed using the provided configuration options and username, and returns
a list of roles on the \fBadmin\f1 database which the user is authorized for.
.PP
You can use this information when configuring \fBLDAP authorization roles\f1 for user access control. For example, use
\fBmongoldap\f1\f1 to ensure your configuration allows privileged users to
gain the necessary roles to perform their expected tasks. Similarly, use
\fBmongoldap\f1\f1 to ensure your configuration disallows non\-privileged
users from gaining roles for accessing the MongoDB server, or performing
unauthorized actions.
.PP
When configuring options related to \fBLDAP authentication\f1, use \fBmongoldap\f1\f1 to ensure that the authentication
operation works as expected.
.PP
Run \fBmongoldap\f1\f1 from the system command line, not in the
\fBmongosh\f1\f1\&.
.PP
This document provides a complete overview of all command line options for
\fBmongoldap\f1\f1\&.
.SH INSTALLATION
.PP
The \fBmongoldap\f1\f1 tool is part of the \fIMongoDB Database Tools Extra\f1
package, and can be \fBinstalled with the MongoDB Server\f1 or as a
\fBstandalone installation\f1\&.
.SS INSTALL WITH SERVER
.PP
To install \fBmongoldap\f1\f1 as part of a MongoDB Enterprise Server
installation:
.RS
.IP \(bu 2
Follow the instructions for your platform:
\fBInstall MongoDB Enterprise Server\f1
.IP \(bu 2
After completing the installation, \fBmongoldap\f1\f1 and the other
included tools are available in the same location as the Server.
.IP
For the Windows \fB\&.msi\f1 installer wizard, the
Complete installation option includes \fBmongoldap\f1\f1\&.
.RE
.SS INSTALL AS STANDALONE
.PP
To install \fBmongoldap\f1\f1 as a standalone installation:
.RS
.IP \(bu 2
Follow the download link for MongoDB Enterprise Edition:
MongoDB Enterprise Download Center (https://www.mongodb.com/try/download/enterprise?tck=docs_server)
.IP \(bu 2
Select your Platform (operating system) from the dropdown
menu, then select the appropriate Package for your
platform according to the following chart:
.RS
.IP \(bu 4
.RS
.IP \(bu 6
OS
.IP \(bu 6
Package
.RE
.IP \(bu 4
.RS
.IP \(bu 6
Linux
.IP \(bu 6
\fBtgz\f1 package
.RE
.IP \(bu 4
.RS
.IP \(bu 6
Windows
.IP \(bu 6
\fBzip\f1 package
.RE
.IP \(bu 4
.RS
.IP \(bu 6
macOS
.IP \(bu 6
\fBtgz\f1 package
.RE
.RE
.IP \(bu 2
Once downloaded, unpack the archive and copy \fBmongoldap\f1\f1 to a
location on your hard drive.
.IP
Linux and macOS users may wish to copy \fBmongoldap\f1\f1 to a filesystem
location that is defined in the \fB$PATH\f1 environment variable, such
as \fB/usr/bin\f1\&. Doing so allows referencing \fBmongoldap\f1\f1 directly
on the command line by name, without needing to specify its full
path, or first navigating to its parent directory. See the
\fBinstallation guide\f1 for your platform
for more information.
.RE
.SH USAGE
.PP
A full description of LDAP or Active Directory is beyond the scope of
this documentation.
.PP
Consider the following sample configuration file, designed to support
LDAP authentication and authorization via Active Directory:
.PP
.EX
  security:
     authorization: "enabled"
     ldap:
        servers: "activedirectory.example.net"
        bind:
           queryUser: "mongodbadmin@dba.example.com"
           queryPassword: "secret123"
        userToDNMapping:
           \(aq[
              {
                 match : "(.+)",
                 ldapQuery: "DC=example,DC=com??sub?(userPrincipalName={0})"
              }
           ]\(aq
        authz:
           queryTemplate: "DC=example,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
  setParameter:
     authenticationMechanisms: "PLAIN"
.EE
.PP
You can use \fBmongoldap\f1\f1 to validate the configuration file, which
returns a report of the procedure. You must specify a username and password
for \fBmongoldap\f1\f1\&.
.PP
.EX
  mongoldap \-\-config=<path\-to\-config> \-\-user="bob@dba.example.com" \-\-password="secret123"
.EE
.PP
If the provided credentials are valid, and the LDAP options in the
configuration files are valid, the output might be as follows:
.PP
.EX
  Checking that an LDAP server has been specified...
  [OK] LDAP server found
  
  Connecting to LDAP server...
  [OK] Connected to LDAP server
  
  Parsing MongoDB to LDAP DN mappings..
  [OK] MongoDB to LDAP DN mappings appear to be valid
  
  Attempting to authenticate against the LDAP server...
  [OK] Successful authentication performed
  
  Checking if LDAP authorization has been enabled by configuration...
  [OK] LDAP authorization enabled
  
  Parsing LDAP query template..
  [OK] LDAP query configuration template appears valid
  
  Executing query against LDAP server...
  [OK] Successfully acquired the following roles:
  ...
.EE
.SH BEHAVIOR
.PP
Starting in MonogoDB 5.1, \fBmongoldap\f1 supports prefixing LDAP
server with \fBsrv:\f1 and \fBsrv_raw:\f1\&.
.PP
If your connection string specifies \fB"srv:<DNS_NAME>"\f1, \fBmongoldap\f1
verifies that \fB"_ldap._tcp.gc._msdcs.<DNS_NAME>"\f1 exists for SRV to
support Active Directory. If not found, it verifies
\fB"_ldap._tcp.<DNS_NAME>"\f1 exists for SRV. If an SRV record cannot be
found, \fBmongoldap\f1 warns you to use \fB"srv_raw:<DNS_NAME>"\f1 instead.
\fBmongoldap\f1 does the reverse check for \fB"srv_raw:<DNS_NAME>"\f1 by
checking for \fB"_ldap._tcp.<DNS NAME>"\f1\&.
.SH OPTIONS
.PP
\fBmongoldap \-\-config\f1, \fBmongoldap \-f\f1
.RS
.PP
Specifies a configuration file for runtime configuration options.
The options are equivalent to the command\-line
configuration options. See \fBConfiguration File Options\f1 for
more information.
.PP
\fBmongoldap\f1\f1 uses any configuration options related to \fBLDAP Proxy Authentication\f1
or \fBLDAP Authorization\f1 for testing LDAP authentication or
authorization.
.PP
Requires specifying \fB\-\-user\f1\f1\&. May accept \fB\-\-password\f1\f1 for
testing LDAP authentication.
.PP
Ensure the configuration file uses ASCII encoding. The \fBmongoldap\f1\f1
instance does not support configuration files with non\-ASCII encoding,
including UTF\-8.
.RE
.PP
\fBmongoldap \-\-user\f1
.RS
.PP
Username for \fBmongoldap\f1\f1 to use when attempting LDAP authentication or
authorization.
.RE
.PP
\fBmongoldap \-\-password\f1
.RS
.PP
Password of the \fB\-\-user\f1\f1 for
\fBmongoldap\f1\f1 to use when attempting LDAP authentication. Not
required for LDAP authorization.
.RE
.PP
\fBmongoldap \-\-ldapServers\f1
.RS
.PP
The LDAP server against which the \fBmongoldap\f1\f1 authenticates users or
determines what actions a user is authorized to perform on a given
database. If the LDAP server specified has any replicated instances,
you may specify the host and port of each replicated server in a
comma\-delimited list.
.PP
If your LDAP infrastructure partitions the LDAP directory over multiple LDAP
servers, specify \fIone\f1 LDAP server or any of its replicated instances to
\fB\-\-ldapServers\f1\f1\&. MongoDB supports following LDAP referrals as defined in RFC 4511
4.1.10 (https://www.rfc\-editor.org/rfc/rfc4511.txt)\&. Do not use \fB\-\-ldapServers\f1\f1
for listing every LDAP server in your infrastructure.
.PP
If unset, \fBmongoldap\f1\f1 cannot use \fBLDAP authentication or authorization\f1\&.
.RE
.PP
\fBmongoldap \-\-ldapQueryUser\f1
.RS
.PP
\fIAvailable in MongoDB Enterprise only.\f1
.PP
The identity with which \fBmongoldap\f1\f1 binds as, when connecting to or
performing queries on an LDAP server.
.PP
Only required if any of the following are true:
.RS
.IP \(bu 2
Using \fBLDAP authorization\f1\&.
.IP \(bu 2
Using an LDAP query for \fBusername transformation\f1\f1\&.
.IP \(bu 2
The LDAP server disallows anonymous binds
.RE
.PP
You must use \fB\-\-ldapQueryUser\f1\f1 with \fB\-\-ldapQueryPassword\f1\f1\&.
.PP
If unset, \fBmongoldap\f1\f1 will not attempt to bind to the LDAP server.
.PP
Windows MongoDB deployments can use \fB\-\-ldapBindWithOSDefaults\f1\f1
instead of \fB\-\-ldapQueryUser\f1\f1 and \fB\-\-ldapQueryPassword\f1\f1\&. You cannot specify
both \fB\-\-ldapQueryUser\f1\f1 and \fB\-\-ldapBindWithOSDefaults\f1\f1 at the same time.
.RE
.PP
\fIAvailable in MongoDB Enterprise only.\f1
.PP
The password used to bind to an LDAP server when using
\fB\-\-ldapQueryUser\f1\f1\&. You must use \fB\-\-ldapQueryPassword\f1\f1 with
\fB\-\-ldapQueryUser\f1\f1\&.
.PP
If not set, \fBmongoldap\f1\f1 does not attempt to bind to the LDAP server.
.PP
You can configure this setting on a running \fBmongoldap\f1\f1 using
\fBsetParameter\f1\f1\&.
.PP
Starting in MongoDB 4.4, the \fBldapQueryPassword\f1
\fBsetParameter\f1\f1 command accepts either a string or
an array of strings. If \fBldapQueryPassword\f1 is set to an array, MongoDB tries
each password in order until one succeeds. Use a password array to roll over the
LDAP account password without downtime.
.PP
Windows MongoDB deployments can use \fB\-\-ldapBindWithOSDefaults\f1\f1
instead of \fB\-\-ldapQueryUser\f1\f1 and \fB\-\-ldapQueryPassword\f1\f1\&.
You cannot specify both \fB\-\-ldapQueryPassword\f1\f1 and
\fB\-\-ldapBindWithOSDefaults\f1\f1 at the same time.
.PP
\fBmongoldap \-\-ldapBindWithOSDefaults\f1
.RS
.PP
\fIDefault\f1: false
.PP
Available in MongoDB Enterprise for the Windows platform only.
.PP
Allows \fBmongoldap\f1\f1 to authenticate, or bind, using your Windows login
credentials when connecting to the LDAP server.
.PP
Only required if:
.RS
.IP \(bu 2
Using \fBLDAP authorization\f1\&.
.IP \(bu 2
Using an LDAP query for \fBusername transformation\f1\f1\&.
.IP \(bu 2
The LDAP server disallows anonymous binds
.RE
.PP
Use \fB\-\-ldapBindWithOSDefaults\f1\f1 to replace \fB\-\-ldapQueryUser\f1\f1 and
\fB\-\-ldapQueryPassword\f1\f1\&.
.RE
.PP
\fBmongoldap \-\-ldapBindMethod\f1
.RS
.PP
\fIDefault\f1: simple
.PP
\fIAvailable in MongoDB Enterprise only.\f1
.PP
The method \fBmongoldap\f1\f1 uses to authenticate to an LDAP
server. Use with \fB\-\-ldapQueryUser\f1\f1 and \fB\-\-ldapQueryPassword\f1\f1 to connect to the LDAP server.
.PP
\fB\-\-ldapBindMethod\f1\f1 supports
the following values:
.RS
.IP \(bu 2
.RS
.IP \(bu 4
Value
.IP \(bu 4
Description
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBsimple\f1
.IP \(bu 4
\fBmongoldap\f1\f1 uses simple authentication.
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBsasl\f1
.IP \(bu 4
\fBmongoldap\f1\f1 uses SASL protocol for authentication.
.RE
.RE
.PP
If you specify \fBsasl\f1, you can configure the available SASL mechanisms
using \fB\-\-ldapBindSaslMechanisms\f1\f1\&. \fBmongoldap\f1\f1 defaults to
using \fBDIGEST\-MD5\f1 mechanism.
.RE
.PP
\fBmongoldap \-\-ldapBindSaslMechanisms\f1
.RS
.PP
\fIDefault\f1: DIGEST\-MD5
.PP
\fIAvailable in MongoDB Enterprise only.\f1
.PP
A comma\-separated list of SASL mechanisms \fBmongoldap\f1\f1 can
use when authenticating to the LDAP server. The \fBmongoldap\f1\f1 and the
LDAP server must agree on at least one mechanism. The \fBmongoldap\f1\f1
dynamically loads any SASL mechanism libraries installed on the host
machine at runtime.
.PP
Install and configure the appropriate libraries for the selected
SASL mechanism(s) on both the \fBmongoldap\f1\f1 host and the remote
LDAP server host. Your operating system may include certain SASL
libraries by default. Defer to the documentation associated with each
SASL mechanism for guidance on installation and configuration.
.PP
If using the \fBGSSAPI\f1 SASL mechanism for use with
\fBKerberos Authentication\f1, verify the following for the
\fBmongoldap\f1\f1 host machine:
.PP
\fBLinux\f1\f1
.RS
.RS
.IP \(bu 2
The \fBKRB5_CLIENT_KTNAME\f1 environment
variable resolves to the name of the client \fBLinux Keytab Files\f1
for the host machine. For more on Kerberos environment
variables, please defer to the
Kerberos documentation (https://web.mit.edu/kerberos/krb5\-1.13/doc/admin/env_variables.html)\&.
.IP \(bu 2
The client keytab includes a
\fBUser Principal\f1 for the \fBmongoldap\f1\f1 to use when
connecting to the LDAP server and execute LDAP queries.
.RE
.RE
.PP
\fBWindows\f1\f1
.RS
.PP
If connecting to an Active Directory server, the Windows
Kerberos configuration automatically generates a
Ticket\-Granting\-Ticket (https://msdn.microsoft.com/en\-us/library/windows/desktop/aa380510(v=vs.85).aspx)
when the user logs onto the system. Set \fB\-\-ldapBindWithOSDefaults\f1\f1 to
\fBtrue\f1 to allow \fBmongoldap\f1\f1 to use the generated credentials when
connecting to the Active Directory server and execute queries.
.RE
.PP
Set \fB\-\-ldapBindMethod\f1\f1 to \fBsasl\f1 to use this option.
.PP
For a complete list of SASL mechanisms see the
IANA listing (http://www.iana.org/assignments/sasl\-mechanisms/sasl\-mechanisms.xhtml)\&.
Defer to the documentation for your LDAP or Active Directory
service for identifying the SASL mechanisms compatible with the
service.
.PP
MongoDB is not a source of SASL mechanism libraries, nor
is the MongoDB documentation a definitive source for
installing or configuring any given SASL mechanism. For
documentation and support, defer to the SASL mechanism
library vendor or owner.
.PP
For more information on SASL, defer to the following resources:
.RS
.IP \(bu 2
For Linux, please see the Cyrus SASL documentation (https://www.cyrusimap.org/sasl/)\&.
.IP \(bu 2
For Windows, please see the Windows SASL documentation (https://msdn.microsoft.com/en\-us/library/cc223500.aspx)\&.
.RE
.RE
.PP
\fBmongoldap \-\-ldapTransportSecurity\f1
.RS
.PP
\fIDefault\f1: tls
.PP
\fIAvailable in MongoDB Enterprise only.\f1
.PP
By default, \fBmongoldap\f1\f1 creates a TLS/SSL secured connection to the LDAP
server.
.PP
For Linux deployments, you must configure the appropriate TLS Options in
\fB/etc/openldap/ldap.conf\f1 file. Your operating system\(aqs package manager
creates this file as part of the MongoDB Enterprise installation, via the
\fBlibldap\f1 dependency. See the documentation for \fBTLS Options\f1 in the
ldap.conf OpenLDAP documentation (http://www.openldap.org/software/man.cgi?query=ldap.conf&manpath=OpenLDAP+2.4\-Release)
for more complete instructions.
.PP
For Windows deployment, you must add the LDAP server CA certificates to the
Windows certificate management tool. The exact name and functionality of the
tool may vary depending on operating system version. Please see the
documentation for your version of Windows for more information on
certificate management.
.PP
Set \fB\-\-ldapTransportSecurity\f1\f1 to \fBnone\f1 to disable TLS/SSL between \fBmongoldap\f1\f1 and the LDAP
server.
.PP
Setting \fB\-\-ldapTransportSecurity\f1\f1 to \fBnone\f1 transmits plaintext information and possibly
credentials between \fBmongoldap\f1\f1 and the LDAP server.
.RE
.PP
\fBmongoldap \-\-ldapTimeoutMS\f1
.RS
.PP
\fIDefault\f1: 10000
.PP
\fIAvailable in MongoDB Enterprise only.\f1
.PP
The amount of time in milliseconds \fBmongoldap\f1\f1 should wait for an LDAP server
to respond to a request.
.PP
Increasing the value of \fB\-\-ldapTimeoutMS\f1\f1 may prevent connection failure between the
MongoDB server and the LDAP server, if the source of the failure is a
connection timeout. Decreasing the value of \fB\-\-ldapTimeoutMS\f1\f1 reduces the time
MongoDB waits for a response from the LDAP server.
.RE
.PP
\fBmongoldap \-\-ldapUserToDNMapping\f1
.RS
.PP
\fIAvailable in MongoDB Enterprise only.\f1
.PP
Maps the username provided to \fBmongoldap\f1\f1 for authentication to a LDAP
Distinguished Name (DN). You may need to use \fB\-\-ldapUserToDNMapping\f1\f1 to transform a
username into an LDAP DN in the following scenarios:
.RS
.IP \(bu 2
Performing LDAP authentication with simple LDAP binding, where users
authenticate to MongoDB with usernames that are not full LDAP DNs.
.IP \(bu 2
Using an \fBLDAP authorization query template\f1\f1 that requires a DN.
.IP \(bu 2
Transforming the usernames of clients authenticating to Mongo DB using
different authentication mechanisms (e.g. x.509, kerberos) to a full LDAP
DN for authorization.
.RE
.PP
\fB\-\-ldapUserToDNMapping\f1\f1 expects a quote\-enclosed JSON\-string representing an ordered array
of documents. Each document contains a regular expression \fBmatch\f1 and
either a \fBsubstitution\f1 or \fBldapQuery\f1 template used for transforming the
incoming username.
.PP
Each document in the array has the following form:
.PP
.EX
  {
    match: "<regex>"
    substitution: "<LDAP DN>" | ldapQuery: "<LDAP Query>"
  }
.EE
.RS
.IP \(bu 2
.RS
.IP \(bu 4
Field
.IP \(bu 4
Description
.IP \(bu 4
Example
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBmatch\f1
.IP \(bu 4
An ECMAScript\-formatted regular expression (regex) to match against a
provided username. Each parenthesis\-enclosed section represents a
regex capture group used by \fBsubstitution\f1 or \fBldapQuery\f1\&.
.IP \(bu 4
\fB"(.+)ENGINEERING"\f1
\fB"(.+)DBA"\f1
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBsubstitution\f1
.IP \(bu 4
An LDAP distinguished name (DN) formatting template that converts the
authentication name matched by the \fBmatch\f1 regex into a LDAP DN.
Each curly bracket\-enclosed numeric value is replaced by the
corresponding regex capture group (http://www.regular\-expressions.info/refcapture.html) extracted
from the authentication username via the \fBmatch\f1 regex.
.IP
The result of the substitution must be an RFC4514 (https://www.ietf.org/rfc/rfc4514.txt) escaped string.
.IP \(bu 4
\fB"cn={0},ou=engineering,
dc=example,dc=com"\f1
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBldapQuery\f1
.IP \(bu 4
A LDAP query formatting template that inserts the authentication
name matched by the \fBmatch\f1 regex into an LDAP query URI encoded
respecting RFC4515 and RFC4516. Each curly bracket\-enclosed numeric
value is replaced by the corresponding regex capture group (http://www.regular\-expressions.info/refcapture.html) extracted
from the authentication username via the \fBmatch\f1 expression.
\fBmongoldap\f1\f1 executes the query against the LDAP server to retrieve
the LDAP DN for the authenticated user. \fBmongoldap\f1\f1 requires
exactly one returned result for the transformation to be
successful, or \fBmongoldap\f1\f1 skips this transformation.
.IP \(bu 4
\fB"ou=engineering,dc=example,
dc=com??one?(user={0})"\f1
.RE
.RE
.PP
An explanation of  RFC4514 (https://www.ietf.org/rfc/rfc4514.txt),
RFC4515 (https://tools.ietf.org/html/rfc4515),
RFC4516 (https://tools.ietf.org/html/rfc4516), or LDAP queries is out
of scope for the MongoDB Documentation. Please review the RFC directly or
use your preferred LDAP resource.
.PP
For each document in the array, you must use either \fBsubstitution\f1 or
\fBldapQuery\f1\&. You \fIcannot\f1 specify both in the same document.
.PP
When performing authentication or authorization, \fBmongoldap\f1\f1 steps through
each document in the array in the given order, checking the authentication
username against the \fBmatch\f1 filter.  If a match is found,
\fBmongoldap\f1\f1 applies the transformation and uses the output for
authenticating the user. \fBmongoldap\f1\f1 does not check the remaining documents
in the array.
.PP
If the given document does not match the provided authentication
name, \fBmongoldap\f1\f1 continues through the list of documents
to find additional matches. If no matches are found in any document,
or the transformation the document describes fails,
\fBmongoldap\f1\f1 returns an error.
.PP
Starting in MongoDB 4.4, \fBmongoldap\f1\f1 also returns an error
if one of the transformations cannot be evaluated due to networking
or authentication failures to the LDAP server. \fBmongoldap\f1\f1
rejects the connection request and does not check the remaining
documents in the array.
.PP
Starting in MongoDB 5.0, \fB\-\-ldapUserToDNMapping\f1\f1
accepts an empty string \fB""\f1 or empty array \fB[ ]\f1 in place of a
mapping documnent. If providing an empty string or empty array to
\fB\-\-ldapUserToDNMapping\f1\f1, MongoDB will map the
authenticated username as the LDAP DN. Previously, providing an
empty mapping document would cause mapping to fail.
.PP
The following shows two transformation documents. The first
document matches against any string ending in \fB@ENGINEERING\f1, placing
anything preceeding the suffix into a regex capture group. The
second document matches against any string ending in \fB@DBA\f1, placing
anything preceeding the suffix into a regex capture group.
.PP
.EX
  "[
     {
        match: "(.+)@ENGINEERING.EXAMPLE.COM",
        substitution: "cn={0},ou=engineering,dc=example,dc=com"
     },
     {
        match: "(.+)@DBA.EXAMPLE.COM",
        ldapQuery: "ou=dba,dc=example,dc=com??one?(user={0})"
  
     }
  
  ]"
.EE
.PP
A user with username \fBalice@ENGINEERING.EXAMPLE.COM\f1 matches the first
document. The regex capture group \fB{0}\f1 corresponds to the string
\fBalice\f1\&. The resulting output is the DN
\fB"cn=alice,ou=engineering,dc=example,dc=com"\f1\&.
.PP
A user with username \fBbob@DBA.EXAMPLE.COM\f1 matches the second document.
The regex capture group \fB{0}\f1 corresponds to the string \fBbob\f1\&.  The
resulting output is the LDAP query
\fB"ou=dba,dc=example,dc=com??one?(user=bob)"\f1\&. \fBmongoldap\f1\f1 executes this
query against the LDAP server, returning the result
\fB"cn=bob,ou=dba,dc=example,dc=com"\f1\&.
.PP
If \fB\-\-ldapUserToDNMapping\f1\f1 is unset, \fBmongoldap\f1\f1 applies no transformations to the username
when attempting to authenticate or authorize a user against the LDAP server.
.RE
.PP
\fBmongoldap \-\-ldapAuthzQueryTemplate\f1
.RS
.PP
\fIAvailable in MongoDB Enterprise only.\f1
.PP
A relative LDAP query URL formatted conforming to RFC4515 (https://tools.ietf.org/html/rfc4515) and RFC4516 (https://tools.ietf.org/html/rfc4516) that \fBmongoldap\f1\f1 executes to obtain
the LDAP groups to which the authenticated user belongs to. The query is
relative to the host or hosts specified in \fB\-\-ldapServers\f1\f1\&.
.PP
In the URL, you can use the following substituion tokens:
.RS
.IP \(bu 2
.RS
.IP \(bu 4
Substitution Token
.IP \(bu 4
Description
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fB{USER}\f1
.IP \(bu 4
Substitutes the authenticated username, or the
\fBtransformed\f1\f1
username if a \fBusername mapping\f1\f1 is specified.
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fB{PROVIDED_USER}\f1
.IP \(bu 4
Substitutes the supplied username, i.e. before either
authentication or \fBLDAP transformation\f1\f1\&.
.RE
.RE
.PP
When constructing the query URL, ensure that the order of LDAP parameters
respects RFC4516:
.PP
.EX
  [ dn  [ ? [attributes] [ ? [scope] [ ? [filter] [ ? [Extensions] ] ] ] ] ]
.EE
.PP
If your query includes an attribute, \fBmongoldap\f1\f1 assumes that the query
retrieves a the DNs which this entity is member of.
.PP
If your query does not include an attribute, \fBmongoldap\f1\f1 assumes
the query retrieves all entities which the user is member of.
.PP
For each LDAP DN returned by the query, \fBmongoldap\f1\f1 assigns the authorized
user a corresponding role on the \fBadmin\f1 database. If a role on the on the
\fBadmin\f1 database exactly matches the DN, \fBmongoldap\f1\f1 grants the user the
roles and privileges assigned to that role. See the
\fBdb.createRole()\f1\f1 method for more information on creating roles.
.PP
This LDAP query returns any groups listed in the LDAP user object\(aqs
\fBmemberOf\f1 attribute.
.PP
.EX
  "{USER}?memberOf?base"
.EE
.PP
Your LDAP configuration may not include the \fBmemberOf\f1 attribute as part
of the user schema, may possess a different attribute for reporting group
membership, or may not track group membership through attributes.
Configure your query with respect to your own unique LDAP configuration.
.PP
If unset, \fBmongoldap\f1\f1 cannot authorize users using LDAP.
.PP
An explanation of RFC4515 (https://tools.ietf.org/html/rfc4515),
RFC4516 (https://tools.ietf.org/html/rfc4516) or LDAP queries is out
of scope for the MongoDB Documentation. Please review the RFC directly or
use your preferred LDAP resource.
.RE