--- title: MongoDB connector description: The MongoDB connector is an implementation of the Scripted Groovy Connector. This connector lets you interact with a MongoDB document database using Groovy scripts for the ICF operations. component: openicf page_id: openicf:connector-reference:mongodb canonical_url: https://docs.pingidentity.com/openicf/connector-reference/mongodb.html section_ids: mongodb-before-you-start: Before you start install_the_mongodb_connector: Install the MongoDB connector configuring-mongodb-connector: Configure the MongoDB connector mongodb_connector_bundled_scripts: MongoDB connector bundled scripts test_the_mongodb_connector: Test the MongoDB connector mongodb_remote_connector: MongoDB remote connector config-connection-pooling-mongodb: Configure connection pooling implemented-interfaces-org-forgerock-openicf-connectors-mongodb-MongoDBConnector-1.5.20.33: OpenICF Interfaces Implemented by the MongoDB Connector config-properties-org-forgerock-openicf-connectors-mongodb-MongoDBConnector-1.5.20.33: MongoDB Connector Configuration basic-configuration-properties-org-forgerock-openicf-connectors-mongodb-MongoDBConnector-1.5.20.33: Basic Configuration Properties connection-configuration-properties-org-forgerock-openicf-connectors-mongodb-MongoDBConnector-1.5.20.33: Connection Configuration Properties groovy-engine-configuration-org-forgerock-openicf-connectors-mongodb-MongoDBConnector-1.5.20.33: Groovy Engine configuration operation-script-files-org-forgerock-openicf-connectors-mongodb-MongoDBConnector-1.5.20.33: Operation Script Files --- # MongoDB connector The MongoDB connector is an implementation of the Scripted Groovy Connector. This connector lets you interact with a MongoDB document database using Groovy scripts for the ICF operations. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The MongoDB connector uses the following Java MongoDB driver version:Connector version Driver version 1.5.20.21 and earlier v4.5.1 1.5.20.22 - 1.5.20.25 v4.11.2 1.5.20.26 and later v4.11.4For MongoDB version compatibility information, refer to [Compatibility](https://www.mongodb.com/docs/drivers/java/sync/v4.11/compatibility/) in the MongoDB Documentation. | ## Before you start In a production environment, enable access control on your MongoDB database. If your connector will manage MongoDB users and roles, you must create an administrative user in the `admin` database. If your connector will manage collections in a database, this administrative user must create a specific user and role for the connector for the target database. Learn more about enabling access control in MongoDB in the [MongoDB documentation](https://docs.mongodb.com/manual/tutorial/enable-authentication/). The commands in this chapter assume an administrative user named `myUserAdmin` with password `Passw0rd` who has the `readWrite` role on the `test` database. ## Install the MongoDB connector | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To check for an Advanced Identity Cloud application for this connector, refer to:- [Application management](https://docs.pingidentity.com/pingoneaic/latest/app-management/applications.html) - [App catalog](https://docs.pingidentity.com/pingoneaic/latest/app-management/app-catalog.html) | You can download any connector from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors), but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration. **Connector included in default deployment** | Connector | IDM | RCS | | ----------------------- | ------------------------ | ------------------------ | | [MongoDB](mongodb.html) | [icon: check, set=fa]Yes | [icon: check, set=fa]Yes | Download the connector .jar file from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors). * If you're running the connector locally, place it in the `/path/to/openidm/connectors` directory, for example: ``` mv ~/Downloads/mongodb-connector-1.5.20.33.jar /path/to/openidm/connectors/ ``` * If you're using a remote connector server (RCS), place it in the `/path/to/openicf/connectors` directory on the RCS. ## Configure the MongoDB connector Create a connector configuration using the IDM admin UI: 1. From the navigation bar, click Configure > Connectors. 2. On the Connectors page, click New Connector. 3. On the New Connector page, type a Connector Name. 4. From the Connector Type list, select MongoDB Connector - 1.5.20.33. 5. Complete the Base Connector Details and any applicable Additional Options. | | | | - | -------------------------------------------------------------------------------------------------------------------- | | | For a list of all configuration properties, refer to [MongoDB Connector Configuration](#mongodb-config-prop-ezLink). | 6. Click Save. When your connector is configured correctly, the connector displays as Active in the admin UI. Refer to [this procedure](configure-connector.html#connector-wiz-REST) to create a connector configuration over REST. Alternatively, configure the connector with a configuration file. A sample connector configuration file (`provisioner.openicf-mongodb.json`) is provided in the `/path/to/openidm/samples/example-configurations/provisioners` directory in IDM. Copy the sample connector configuration to your project's `conf/` directory, and adjust the `configurationProperties` to match your MongoDB instance: ```json "configurationProperties" : { "connectionURI" : "mongodb://localhost:27017", "host" : "localhost", "port" : "27017", "user" : "myUserAdmin", "password" : "Passw0rd", "userDatabase" : "admin", "database" : "test", ... } ``` Set `"enabled" : true` to enable the connector. ### MongoDB connector bundled scripts The connector bundles two sets of sample Groovy scripts: MongoDB management example scripts * `CreateMongoDB.groovy` * `DeleteMongoDB.groovy` * `SchemaMongoDB.groovy` * `SearchMongoDB.groovy` * `TestMongoDB.groovy` * `UpdateMongoDB.groovy` MongoDB user and role system management example scripts * `usersRoles/Create.groovy` * `usersRoles/Delete.groovy` * `usersRoles/Schema.groovy` * `usersRoles/Search.groovy` * `usersRoles/Test.groovy` * `usersRoles/Update.groovy` You can customize these scripts to suit your deployment by extracting them from the connector JAR and updating the connector configuration to point to the new file path. ### Test the MongoDB connector When your connector is configured correctly, you can test its status by running the following command: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/system/mongodb?_action=test" [ { "name": "mongodb", "enabled": true, "config": "config/provisioner.openicf/mongodb", "connectorRef": { "bundleVersion": "[1.5.0.0,1.6.0.0)", "bundleName": "org.forgerock.openicf.connectors.mongodb-connector", "connectorName": "org.forgerock.openicf.connectors.mongodb.MongoDBConnector" }, "displayName": "MongoDB Connector", "objectTypes": [ "__ALL__", "account", "role" ], "ok": true } ] ``` A status of `"ok": true` indicates that the MongoDB connector can connect to the database. ### MongoDB remote connector If you want to run this connector outside of PingOne Advanced Identity Cloud or IDM, you can configure the MongoDB connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within PingOne Advanced Identity Cloud or installed locally on IDM. You can download the MongoDB connector [from here](https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors). Refer to [Remote connectors](remote-connector.html) for configuring the MongoDB remote connector. ### Configure connection pooling The MongoDB connector supports [HTTP pooling](pooling.html#http-pooling), which can substantially improve the performance of the connector. Learn more about the basic connection pooling configuration and different pooling mechanisms described in [Connection pooling configuration](pooling.html). ## OpenICF Interfaces Implemented by the MongoDB Connector The MongoDB Connector implements the following OpenICF interfaces. For additional details, see [ICF interfaces](interfaces.html): * Authenticate Provides simple authentication with two parameters, presumed to be a user name and password. * Create Creates an object and its `uid`. * Delete Deletes an object, referenced by its `uid`. * Resolve Username Resolves an object by its username and returns the `uid` of the object. * Schema Describes the object types, operations, and options that the connector supports. * Script on Connector Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics: * The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access. * The script has access to a `connector` variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. * The script has access to any script arguments passed in by the application. * Script on Resource Runs a script on the target resource that is managed by this connector. * Search Searches the target resource for all objects that match the specified object class and filter. * Sync Polls the target resource for synchronization events, that is, native changes to objects on the target resource. * Test Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid. This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out). You can invoke the test operation before a connector configuration has been validated. * Update Updates (modifies or replaces) objects on a target resource. []() ## MongoDB Connector Configuration The MongoDB Connector has the following configurable properties: ### Basic Configuration Properties | Property | Type | Default | Encrypted(1) | Required(2) | | ------------------------------------------------------------------------------------------------------------------ | --------------- | -------------------------- | ------------------------ | ------------------------ | | `connectionURI` | `String` | `null` | | [icon: times, set=fas]No | | The MongoDB client connection URI, for example `mongodb://localhost:27017`. Overrides other connection parameters. | | | | | | `host` | `String` | `localhost` | | [icon: times, set=fas]No | | The MongoDB server host name. | | | | | | `port` | `int` | `27017` | | [icon: times, set=fas]No | | The MongoDB server port number. | | | | | | `user` | `String` | `null` | | [icon: times, set=fas]No | | The MongoDB username. | | | | | | `password` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | The password used to connect to MongoDB. | | | | | | `userDatabase` | `String` | `null` | | [icon: times, set=fas]No | | The name of the database in which the MongoDB user is defined. | | | | | | `clusterAddresses` | `String[]` | `null` | | [icon: times, set=fas]No | | A list of additional mongodbDB servers when connecting to a MongoDB cluster (\[`host1:27017`,`host2:27017`,…​]). | | | | | | `dateAttributes` | `String[]` | `[]` | | [icon: times, set=fas]No | | Defines the list of attributes to convert to MongoDB BSON Date type on create/update. | | | | | | `database` | `String` | `null` | | [icon: times, set=fas]No | | The database to use. | | | | | | `arrayAttributes` | `String[]` | `[]` | | [icon: times, set=fas]No | | Defines the list of attributes that should be considered as BSON Arrays. | | | | | | `includeNullValue` | `boolean` | `false` | | [icon: times, set=fas]No | | If set to true, retains null values in the target MongoDB document. | | | | | | `includeEmptyList` | `boolean` | `false` | | [icon: times, set=fas]No | | If set to true, retains null values in the target MongoDB document. | | | | | | `dateFormat` | `String` | `yyyy-MM-dd'T'HH:mm:ss'Z'` | | [icon: times, set=fas]No | | Defines the date format to use for MongoDB Date attributes. | | | | | | `timeZone` | `String` | `UTC` | | [icon: times, set=fas]No | | Defines the timezone to use for MongoDB Date attributes. | | | | | | `ICFName` | `String` | `name` | | [icon: times, set=fas]No | | Defines the name to use in the target MongoDB document for the ICF `NAME` attribute. | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations. ### Connection Configuration Properties | Property | Type | Default | Encrypted(1) | Required(2) | | ----------------------------------------------------------------------- | --------- | ------- | ------------ | ------------------------ | | `sslEnabled` | `boolean` | `true` | | [icon: times, set=fas]No | | Use secure socket layer to connect to MongoDB. | | | | | | `sslHostNameValidation` | `boolean` | `true` | | [icon: times, set=fas]No | | Defines if host name should be validated when SSL is enabled. | | | | | | `maxConnectionIdleTime` | `int` | `0` | | [icon: times, set=fas]No | | The maximum idle time for a pooled connection in ms (0 means no limit). | | | | | | `maxConnectionLifeTime` | `int` | `0` | | [icon: times, set=fas]No | | The maximum lifetime for a pooled connection in ms (0 means no limit). | | | | | | `minConnectionsPerHost` | `int` | `0` | | [icon: times, set=fas]No | | The minimum number of connections per host (must be >= 0). | | | | | | `maxConnectionsPerHost` | `int` | `5` | | [icon: times, set=fas]No | | The maximum number of connections per host (must be > 0). | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations. ### Groovy Engine configuration | Property | Type | Default | Encrypted(1) | Required(2) | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ------------------------ | ------------------------ | ------------------------- | | `scriptRoots` | `String[]` | `['!/scripts/mongodb/']` | | [icon: check, set=fas]Yes | | The root folder to load the scripts from. If the value is null or empty the classpath value is used. | | | | | | `classpath` | `String[]` | `[]` | | [icon: times, set=fas]No | | Classpath for use during compilation. | | | | | | `debug` | `boolean` | `false` | | [icon: times, set=fas]No | | If true, debugging code should be activated. | | | | | | `disabledGlobalASTTransformations` | `String[]` | `null` | | [icon: times, set=fas]No | | Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. | | | | | | `minimumRecompilationInterval` | `int` | `100` | | [icon: times, set=fas]No | | Sets the minimum of time after a script can be recompiled. | | | | | | `recompileGroovySource` | `boolean` | `false` | | [icon: times, set=fas]No | | If set to true recompilation is enabled. | | | | | | `scriptBaseClass` | `String` | `null` | | [icon: times, set=fas]No | | Base class name for scripts (must derive from Script). | | | | | | `scriptExtensions` | `String[]` | `['groovy']` | | [icon: times, set=fas]No | | Gets the extensions used to find groovy files. | | | | | | `sourceEncoding` | `String` | `UTF-8` | | [icon: times, set=fas]No | | Encoding for source files. | | | | | | `targetDirectory` | `File` | `null` | | [icon: times, set=fas]No | | Directory into which to write classes. | | | | | | `tolerance` | `int` | `10` | | [icon: times, set=fas]No | | The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted. | | | | | | `verbose` | `boolean` | `false` | | [icon: times, set=fas]No | | If true, the compiler should produce action information. | | | | | | `warningLevel` | `int` | `1` | | [icon: times, set=fas]No | | Warning Level of the compiler. | | | | | | `customConfiguration` | `String` | `null` | | [icon: times, set=fas]No | | Custom Configuration script for Groovy ConfigSlurper. | | | | | | `customSensitiveConfiguration` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: times, set=fas]No | | Custom Sensitive Configuration script for Groovy ConfigSlurper. | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations. ### Operation Script Files | Property | Type | Default | Encrypted(1) | Required(2) | | ----------------------------------------------------------------------------------------------------- | -------- | -------------------------- | ------------ | ----------------------------------------------------------------------------------------------- | | `authenticateScriptFileName` | `String` | `null` | | * [Authenticate](interfaces.html#interface-AuthenticationApiOp) | | The name of the file used to perform the AUTHENTICATE operation. | | | | | | `createScriptFileName` | `String` | `usersRoles/Create.groovy` | | - [Create](interfaces.html#interface-CreateApiOp) | | The name of the file used to perform the CREATE operation. | | | | | | `customizerScriptFileName` | `String` | `null` | | [icon: times, set=fas]No | | The script used to customize some function of the connector. Read the documentation for more details. | | | | | | `deleteScriptFileName` | `String` | `usersRoles/Delete.groovy` | | * [Delete](interfaces.html#interface-DeleteApiOp) | | The name of the file used to perform the DELETE operation. | | | | | | `resolveUsernameScriptFileName` | `String` | `null` | | - [Resolve Username](interfaces.html#interface-ResolveUsernameApiOp) | | The name of the file used to perform the RESOLVE\_USERNAME operation. | | | | | | `schemaScriptFileName` | `String` | `usersRoles/Schema.groovy` | | * [Schema](interfaces.html#interface-SchemaApiOp) | | The name of the file used to perform the SCHEMA operation. | | | | | | `scriptOnResourceScriptFileName` | `String` | `null` | | - [Script on Resource](interfaces.html#interface-ScriptOnResourceApiOp) | | The name of the file used to perform the RUNSCRIPTONRESOURCE operation. | | | | | | `searchScriptFileName` | `String` | `usersRoles/Search.groovy` | | * [Read](interfaces.html#interface-GetApiOp) * [Search](interfaces.html#interface-SearchApiOp) | | The name of the file used to perform the SEARCH operation. | | | | | | `syncScriptFileName` | `String` | `null` | | - [Sync](interfaces.html#interface-SyncApiOp) | | The name of the file used to perform the SYNC operation. | | | | | | `testScriptFileName` | `String` | `usersRoles/Test.groovy` | | * [Test](interfaces.html#interface-TestApiOp) | | The name of the file used to perform the TEST operation. | | | | | | `updateScriptFileName` | `String` | `usersRoles/Update.groovy` | | - [Update](interfaces.html#interface-UpdateApiOp) | | The name of the file used to perform the UPDATE operation. | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations.