@@ -552,6 +552,10 @@ description: |
552552 - :setting:`spec.security.authentication.internalCluster` ``: "X509"``
553553 - :setting:`spec.security.tls.enabled` ``: true``
554554
555+ If you provide more than one value for
556+ :setting:`spec.security.authentication.modes`, you must also specify a
557+ value for :setting:`spec.security.authentication.agent.mode`.
558+
555559 ---
556560program : _shared
557561name : spec.security.authentication.enabled
@@ -686,6 +690,133 @@ description: |
686690 the password.
687691 ---
688692program : _shared
693+ name : spec.security.authentication.ldap.authzQueryTemplate
694+ type : string
695+ directive : setting
696+ description : |
697+
698+ *Required for LDAP authorization.*
699+
700+ An `RFC4515 <https://tools.ietf.org/html/rfc4515>`_ and `RFC4516
701+ <https://tools.ietf.org/html/rfc4516>`_ LDAP-formatted query URL
702+ template executed by MongoDB to obtain the LDAP groups that the user
703+ belongs to. The query is relative to the host or hosts
704+ specified in :setting:`spec.security.authentication.ldap.servers`.
705+ You can use the following tokens in the template:
706+
707+ - ``{USER}``
708+ Substitutes the authenticated username, or the
709+ :setting:`transformed <security.ldap.userToDNMapping>`
710+ username, into the LDAP query.
711+ - ``{PROVIDED_USER}``
712+ Substitutes the supplied username, before either
713+ authentication or LDAP transformation, into the LDAP query.
714+ (*Available starting in MongoDB version 4.2*)
715+
716+ .. seealso:: :manual:`LDAP Query Templates </core/security-ldap-external/#ldap-query-template>` in the MongoDB Manual
717+ ---
718+ program : _shared
719+ name : spec.security.authentication.ldap.userToDNMapping
720+ type : string
721+ directive : setting
722+ description : |
723+ Maps the username provided to :binary:`~bin.mongod` or
724+ :binary:`~bin.mongos` for authentication to a LDAP Distinguished Name
725+ (DN).
726+
727+ .. seealso:: :manual:`security.ldap.userToDNMapping </reference/configuration-options/#security.ldap.userToDNMapping>` in the MongoDB Manual
728+ ---
729+ program : _shared
730+ name : spec.security.authentication.agents
731+ type : collection
732+ directive : setting
733+ description : |
734+
735+ {+mdbagent+} authentication configuration for the |com| project.
736+
737+ ---
738+ program : _shared
739+ name : spec.security.authentication.agents.mode
740+ type : string
741+ directive : setting
742+ description : |
743+
744+ The authentication mechanism that the {+mdbagent+}s for
745+ your MongoDB deployment use. Valid values are ``SCRAM``, ``X509``, and
746+ ``LDAP``. The value you specify must also be present in
747+ :setting:`spec.security.authentication.modes`.
748+
749+ This setting is required if you specified more than one value for
750+ :setting:`spec.security.authentication.modes`.
751+ ---
752+ program : _shared
753+ name : spec.security.authentication.agents.automationUserName
754+ type : string
755+ directive : setting
756+ description : |
757+
758+ Name of the user the that {+mdbagent+}s use to interact with your
759+ MongoDB deployment. The username is mapped to an LDAP Distinguished
760+ Name (DN) according to
761+ :setting:`spec.security.authentication.ldap.userToDNMapping`. The
762+ resulting DN must already exist in your LDAP deployment.
763+
764+ This setting is required if
765+ :setting:`spec.security.authentication.agents.mode` is ``LDAP``.
766+ ---
767+ program : _shared
768+ name : spec.security.authentication.agents.automationPasswordSecretRef
769+ type : collection
770+ directive : setting
771+ description : |
772+
773+ Details of the |k8s-secret| that contains the password for the
774+ :setting:`spec.security.authentication.agents.automationUserName`
775+ user.
776+
777+ This setting is required if
778+ :setting:`spec.security.authentication.agents.mode` is ``LDAP``.
779+ ---
780+ program : _shared
781+ name : spec.security.authentication.agents.automationPasswordSecretRef.name
782+ type : string
783+ directive : setting
784+ description : |
785+
786+ Name of the |k8s-secret| that contains the password for the
787+ :setting:`spec.security.authentication.agents.automationUserName`
788+ user. You must create this secret in the same namespace to which you
789+ deploy the |k8s-op-short|:
790+
791+ .. code-block:: sh
792+
793+ kubectl create secret generic ldap-agent-user \
794+ --from-literal="password=<password>" -n <namespace>
795+
796+ This secret must contain one key, the value of which matches the
797+ password of the
798+ :setting:`spec.security.authentication.agents.automationUserName` user
799+ in your LDAP deployment.
800+
801+ This setting is required if
802+ :setting:`spec.security.authentication.agents.mode` is ``LDAP``.
803+ ---
804+ program : _shared
805+ name : spec.security.authentication.agents.automationPasswordSecretRef.key
806+ type : string
807+ directive : setting
808+ description : |
809+
810+ Key in the
811+ :setting:`spec.security.authentication.agents.automationPasswordSecretRef.name`
812+ |k8s-secret| that contains the password for the user in
813+ :setting:`spec.security.authentication.agents.automationUserName`.
814+
815+ This setting is required if
816+ :setting:`spec.security.authentication.agents.mode` is
817+ ``LDAP``.
818+ ---
819+ program : _shared
689820name : spec.additionalMongodConfig.net.ssl.mode
690821type : string
691822directive : setting
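Review bot: under the `{USER}` token in `spec.security.authentication.ldap.authzQueryTemplate`, `:setting:\`transformed <security.ldap.userToDNMapping>\`` targets the MongoDB server configuration option rather than a setting defined in this file; every other reference to a server option in this hunk goes through `:manual:` (for example the seealso under `spec.security.authentication.ldap.userToDNMapping`). Either point the role at the operator field documented a few lines further down, `:setting:\`transformed <spec.security.authentication.ldap.userToDNMapping>\``, or switch it to the same `:manual:` link used there. Two smaller points in the same hunk: `automationUserName` has a doubled article, "Name of the user the that {+mdbagent+}s use", and the `automationPasswordSecretRef.name` example `kubectl create secret generic ldap-agent-user --from-literal="password=<password>"` puts the agent's LDAP password on the command line, where it lands in shell history and process listings; a form such as `--from-file=password=./agent-password.txt` (or documenting that the value should come from a file) keeps the credential out of both. Also, "This secret must contain one key" sits awkwardly next to the configurable `automationPasswordSecretRef.key` field just below it; stating that the key named by `.key` (here `password`) must hold the LDAP password is the requirement the operator actually enforces, rather than a limit of one key per secret.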