For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Local AAA provides simple MongoDB-based authentication for development and testing environments. User credentials are stored locally in a MongoDB collection, eliminating the need for external authentication services.
Local AAA is recommended for development and testing only. For production environments, use LDAP or SAML SSO authentication.
Before you begin
MongoDB installed and accessible
Administrative access to Itential Platform
MongoDB credentials (if authentication is enabled)
How Local AAA works
Local AAA authenticates users against a MongoDB collection that stores:
Usernames
Bcrypt-hashed passwords
Group memberships
User profile information
Unlike external authentication providers, Local AAA maintains complete control over user data within your deployment.
Use bcrypt with at least 10 salt rounds for password hashing
Enable MongoDB authentication in all environments
Store MongoDB credentials in HashiCorp Vault or CyberArk
Use SSL/TLS for MongoDB connections
Limit MongoDB user permissions to minimum required
User management
Create separate MongoDB users for Platform and Local AAA
Assign users to appropriate groups before first login
Configure groups in Platform before creating user accounts
Use email addresses as usernames for consistency
Development workflow
Use Local AAA for isolated development environments
Test authentication changes before applying to production
Maintain separate user databases for each environment
Document custom user accounts and groups
Troubleshooting
Authentication failures
Verify MongoDB is running: sudo systemctl status mongod
Check database name matches adapter configuration
Confirm user document exists in correct database
Verify password hash is correct
Database connection errors
Test MongoDB connectivity: mongosh mongodb://localhost:27017
Check MongoDB authentication is properly configured
Verify credentials in adapter configuration
Review MongoDB logs: sudo journalctl -u mongod
Group assignment issues
Confirm group documents exist in groups collection
Verify group names in user document match group documents
Check group configuration in Admin Essentials
Ensure user has logged out and back in after group changes
Invalid credentials
If you are receiving invalid credentials errors, the Local AAA user has not been set up properly, or the credentials or parameters in your properties file for the Local AAA adapter are incorrect.
Check whether the Local AAA user and password are valid:
$
mongo -u localaaa_user -p pronghorn LocalAAA
$
$
show users....
If you are logged in and can see the configured users, check the Local AAA adapter properties to verify they are set correctly.
The same check applies to pronghorn if Itential Platform does not start — verify the pronghorn user and password are valid in the properties.json file and in the adapter properties for MongoDB.
User cannot log in
Use the following checklist when you encounter login problems:
Itential Platform can only configure one AAA adapter at a time. If using LDAP or Azure, users may not be able to log in with the default credentials.
If using LDAP or Azure, check the connection between Itential Platform and the AD server.
Verify that software dependencies are up and running.
Check OS and browser compatibility.
Check user and group role and privilege access.
Review sign-in error logs.
If unable to determine the login failure reason, contact the Product Support Team for additional troubleshooting help.
title: Configure local AAA authentication
sidebar-title: Local AAA
description: Set up local authentication for development and testing environments
slug: auth/aaa/configure-local-aaa-authentication
Local AAA provides simple MongoDB-based authentication for development and testing environments. User credentials are stored locally in a MongoDB collection, eliminating the need for external authentication services.
Local AAA is recommended for development and testing only. For production environments, use LDAP or SAML SSO authentication.
Before you begin
MongoDB installed and accessible
Administrative access to Itential Platform
MongoDB credentials (if authentication is enabled)
How Local AAA works
Local AAA authenticates users against a MongoDB collection that stores:
Usernames
Bcrypt-hashed passwords
Group memberships
User profile information
Unlike external authentication providers, Local AAA maintains complete control over user data within your deployment.
Use bcrypt with at least 10 salt rounds for password hashing
Enable MongoDB authentication in all environments
Store MongoDB credentials in HashiCorp Vault or CyberArk
Use SSL/TLS for MongoDB connections
Limit MongoDB user permissions to minimum required
User management
Create separate MongoDB users for Platform and Local AAA
Assign users to appropriate groups before first login
Configure groups in Platform before creating user accounts
Use email addresses as usernames for consistency
Development workflow
Use Local AAA for isolated development environments
Test authentication changes before applying to production
Maintain separate user databases for each environment
Document custom user accounts and groups
Troubleshooting
Authentication failures
Verify MongoDB is running: sudo systemctl status mongod
Check database name matches adapter configuration
Confirm user document exists in correct database
Verify password hash is correct
Database connection errors
Test MongoDB connectivity: mongosh mongodb://localhost:27017
Check MongoDB authentication is properly configured
Verify credentials in adapter configuration
Review MongoDB logs: sudo journalctl -u mongod
Group assignment issues
Confirm group documents exist in groups collection
Verify group names in user document match group documents
Check group configuration in Admin Essentials
Ensure user has logged out and back in after group changes
Invalid credentials
If you are receiving invalid credentials errors, the Local AAA user has not been set up properly, or the credentials or parameters in your properties file for the Local AAA adapter are incorrect.
Check whether the Local AAA user and password are valid:
$
mongo -u localaaa_user -p pronghorn LocalAAA
$
$
show users....
If you are logged in and can see the configured users, check the Local AAA adapter properties to verify they are set correctly.
The same check applies to pronghorn if Itential Platform does not start — verify the pronghorn user and password are valid in the properties.json file and in the adapter properties for MongoDB.
User cannot log in
Use the following checklist when you encounter login problems:
Itential Platform can only configure one AAA adapter at a time. If using LDAP or Azure, users may not be able to log in with the default credentials.
If using LDAP or Azure, check the connection between Itential Platform and the AD server.
Verify that software dependencies are up and running.
Check OS and browser compatibility.
Check user and group role and privilege access.
Review sign-in error logs.
If unable to determine the login failure reason, contact the Product Support Team for additional troubleshooting help.
