mongodb · TimSlavinMongoDB · May 1, 2014
diff --git a/source/includes/admonition-mongodb-enterprise-windows-ldap.rst b/source/includes/admonition-mongodb-enterprise-windows-ldap.rst
diff --git a/source/includes/admonition-saslauthd-ldap-considerations.rst b/source/includes/admonition-saslauthd-ldap-considerations.rst
@@ -0,0 +1,14 @@
+MongoDB Enterprise for Windows does **not** include LDAP support for
+authentication.
+
+MongoDB does **not** support LDAP authentication in mixed sharded
+cluster deployments that contain both version 2.4 and version 2.6
+shards. See :doc:`/release-notes/2.6-upgrade` for upgrade instructions.
+
+.. _ldap-password-in-plaintext:
+
+Use secure encrypted or trusted connections between clients and the server,
+as well as between ``saslauthd`` and the LDAP server. The LDAP server uses
+the ``SASL PLAIN`` mechanism, sending and receiving data in **plain text**. 
+You should use only a trusted channel such as a VPN, a connection encrypted 
+with SSL, or a trusted wired network.
diff --git a/source/includes/steps-configure-ldap-mongodb.yaml b/source/includes/steps-configure-ldap-mongodb.yaml
@@ -40,6 +40,9 @@ pre: |
   :doc:`--setParameter </reference/parameters>` or the
   :doc:`configuration file </reference/configuration-options>`. Specify
   additional configurations as appropriate for your configuration.
+
+  If you use the :setting:`~security.authorization` option to enforce
+  authentication, you will need privileges to create a user.
 action:
   - heading: Use specific ``saslauthd`` socket path.
     pre: |

diff --git a/...ludes/steps-configure-ldap-saslauthd.yaml → ...s-configure-ldap-saslauthd-activedir.yaml b/...ludes/steps-configure-ldap-saslauthd.yaml → ...s-configure-ldap-saslauthd-activedir.yaml
@@ -34,7 +34,7 @@ action:
     the `-t option <http://www.linuxcommand.org/man_pages/saslauthd8.html>`_ of
     ``saslauthd``.
 ---
-title: Configure with LDAP Options.
+title: Configure LDAP Options with ActiveDirectory.
 stepnum: 3
 ref: ldap-options
 pre: |
@@ -44,7 +44,6 @@ pre: |
   `-O option <http://www.linuxcommand.org/man_pages/saslauthd8.html>`_ of
   ``saslauthd``.
 action:
-  - heading: Configure for Use with ActiveDirectory
     pre: |
       To use with ActiveDirectory, start ``saslauthd`` with the following
       configuration options set in the ``saslauthd.conf`` file:
@@ -57,44 +56,6 @@ action:
     post: |
       For the ``<ldap uri>``, specify the uri of the ldap server. For
       example, ``ldap_servers: ldaps://ad.example.net``.
-  - heading: Configure for Use with OpenLDAP
-    pre: |
-      To connect to an OpenLDAP server, update the ``saslauthd.conf``
-      file with the following configuration options:
-    language: none
-    code: |
-      ldap_servers: <ldap uri>
-      ldap_search_base: <search base>
-      ldap_filter: <filter>
-    post: |
-      The ``ldap_servers`` specifies the uri of the LDAP server used
-      for authentication. In general, for OpenLDAP installed on the
-      local machine, you can specify the value ``ldap://localhost:389``
-      or if using LDAP over SSL, you can specify the value
-      ``ldaps://localhost:636``.
-
-      The ``ldap_search_base`` specifies distinguished name to which
-      the search is relative. The search includes the base or objects
-      below.
-
-      The ``ldap_filter`` specifies the search filter.
-
-      The values for these configuration options should correspond to the
-      values specific for your test. For example, to filter on email, specify
-      ``ldap_filter: (mail=%n)`` instead.
-  - heading: Example
-    pre: |
-       A sample ``saslauthd.conf`` file for OpenLDAP includes the following content:
-    language: none
-    code: |
-       ldap_servers: ldaps://ad.example.net
-       ldap_search_base: ou=Users,dc=example,dc=com
-       ldap_filter: (uid=%u)
-    post: |
-      To use this sample OpenLDAP configuration, create users with a ``uid``
-      attribute (login name) and place under the ``Users`` organizational
-      unit (``ou``) under the domain components (``dc``) ``example`` and
-      ``com``.
 
       For more information on ``saslauthd`` configuration, see
       `<http://www.openldap.org/doc/admin24/guide.html#Configuring saslauthd>`_.

diff --git a/source/includes/steps-configure-ldap-saslauthd-openldap.yaml b/source/includes/steps-configure-ldap-saslauthd-openldap.yaml
@@ -0,0 +1,66 @@
+stepnum: 1
+source:
+  ref:  specify-mechanism
+  file: steps-configure-ldap-saslauthd-activedir.yaml
+---
+stepnum: 2
+source:
+  ref:  caching-behavior
+  file: steps-configure-ldap-saslauthd-activedir.yaml
+---
+title: Configure LDAP Options with OpenLDAP.
+stepnum: 3
+ref: ldap-options
+pre: |
+  If the ``saslauthd.conf`` file does not exist, create it.
+  The ``saslauthd.conf`` file usually resides in the ``/etc``
+  folder. If specifying a different file path, see the
+  `-O option <http://www.linuxcommand.org/man_pages/saslauthd8.html>`_ of
+  ``saslauthd``.
+action:
+  - pre: |
+      To connect to an OpenLDAP server, update the ``saslauthd.conf``
+      file with the following configuration options:
+    language: none
+    code: |
+      ldap_servers: <ldap uri>
+      ldap_search_base: <search base>
+      ldap_filter: <filter>
+    post: |
+      The ``ldap_servers`` specifies the uri of the LDAP server used
+      for authentication. In general, for OpenLDAP installed on the
+      local machine, you can specify the value ``ldap://localhost:389``
+      or if using LDAP over SSL, you can specify the value
+      ``ldaps://localhost:636``.
+
+      The ``ldap_search_base`` specifies distinguished name to which
+      the search is relative. The search includes the base or objects
+      below.
+
+      The ``ldap_filter`` specifies the search filter.
+
+      The values for these configuration options should correspond to the
+      values specific for your test. For example, to filter on email, specify
+      ``ldap_filter: (mail=%n)`` instead.
+  - heading: OpenLDAP Example
+    pre: |
+       A sample ``saslauthd.conf`` file for OpenLDAP includes the following content:
+    language: none
+    code: |
+       ldap_servers: ldaps://ad.example.net
+       ldap_search_base: ou=Users,dc=example,dc=com
+       ldap_filter: (uid=%u)
+    post: |
+      To use this sample OpenLDAP configuration, create users with a ``uid``
+      attribute (login name) and place under the ``Users`` organizational
+      unit (``ou``) under the domain components (``dc``) ``example`` and
+      ``com``.
+
+      For more information on ``saslauthd`` configuration, see
+      `<http://www.openldap.org/doc/admin24/guide.html#Configuring saslauthd>`_.
+---
+stepnum: 4
+source:
+  ref:  test-saslauthd-conf
+  file: steps-configure-ldap-saslauthd-activedir.yaml
+...
diff --git a/source/includes/toc-security-tutorials-access-control.yaml b/source/includes/toc-security-tutorials-access-control.yaml
@@ -17,9 +17,13 @@ file: /tutorial/configure-x509
 description: |
   Use x.509 for client authentication and internal member authentication.
 ---
-file: /tutorial/configure-ldap-sasl-authentication
+file: /tutorial/configure-ldap-sasl-activedirectory
 description: |
-  Describes the process for authentication with SASL/LDAP.
+  Describes the process for authentication using SASL/LDAP with ActiveDirectory.
+---
+file: /tutorial/configure-ldap-sasl-openldap
+description: |
+  Describes the process for authentication using SASL/LDAP with OpenLDAP.
 ---
 file: /tutorial/control-access-to-mongodb-with-kerberos-authentication
 description: |

diff --git a/source/tutorial/configure-ldap-sasl-activedirectory.txt b/source/tutorial/configure-ldap-sasl-activedirectory.txt
@@ -0,0 +1,28 @@
+=====================================================
+Authenticate Using SASL and LDAP with ActiveDirectory
+=====================================================
+
+.. default-domain:: mongodb
+
+MongoDB Enterprise provides support for proxy authentication of users.
+This allows administrators to configure a MongoDB cluster to
+authenticate users by proxying authentication requests to a specified
+Lightweight Directory Access Protocol (LDAP) service.
+
+Considerations
+--------------
+
+.. include:: /includes/admonition-saslauthd-ldap-considerations.rst
+
+Configure ``saslauthd``
+-----------------------
+
+LDAP support for user authentication requires proper configuration of
+the ``saslauthd`` daemon process as well as the MongoDB server.
+
+.. include:: /includes/steps/configure-ldap-saslauthd-activedir.rst
+
+Configure MongoDB
+-----------------
+
+.. include:: /includes/steps/configure-ldap-mongodb.rst
diff --git a/source/tutorial/configure-ldap-sasl-authentication.txt b/source/tutorial/configure-ldap-sasl-authentication.txt
diff --git a/source/tutorial/configure-ldap-sasl-openldap.txt b/source/tutorial/configure-ldap-sasl-openldap.txt
@@ -0,0 +1,28 @@
+==============================================
+Authenticate Using SASL and LDAP with OpenLDAP
+==============================================
+
+.. default-domain:: mongodb
+
+MongoDB Enterprise provides support for proxy authentication of users.
+This allows administrators to configure a MongoDB cluster to
+authenticate users by proxying authentication requests to a specified
+Lightweight Directory Access Protocol (LDAP) service.
+
+Considerations
+--------------
+
+.. include:: /includes/admonition-saslauthd-ldap-considerations.rst
+
+Configure ``saslauthd``
+-----------------------
+
+LDAP support for user authentication requires proper configuration of
+the ``saslauthd`` daemon process as well as the MongoDB server.
+
+.. include:: /includes/steps/configure-ldap-saslauthd-openldap.rst
+
+Configure MongoDB
+-----------------
+
+.. include:: /includes/steps/configure-ldap-mongodb.rst