Enterprise Authentication Mechanisms
On this page
Overview
MongoDB Enterprise Edition includes authentication mechanisms that aren't available in MongoDB Community Edition. In this guide, you can learn how to authenticate to MongoDB by using these authentication mechanisms. To learn about the other authentication mechanisms available in MongoDB, see Authentication Mechanisms.
Kerberos
The Generic Security Services API (GSSAPI) provides an interface for Kerberos authentication.
Note
To authenticate with GSSAPI, you must build the MongoDB C driver with SASL support.
If you are building the driver from source, you can enable SASL support with
the ENABLE_SASL
cmake
option.
Complete the following steps to authenticate with GSSAPI:
Obtain a Ticket-Granting Ticket
On Unix environments, you must first run the kinit
command to obtain and cache
an initial ticket-granting ticket. If you're running a Windows environment,
you can skip ahead to the next step.
The following example uses the
kinit
command to obtain a ticket-granting ticket for the principal
mongodbuser@EXAMPLE.COM
. It then uses the klist
command to display the principal and ticket in the credentials cache.
kinit mongodbuser@EXAMPLE.COM mongodbuser@EXAMPLE.COM's Password: klist Credentials cache: FILE:/tmp/krb5cc_1000 Principal: mongodbuser@EXAMPLE.COM Issued Expires Principal Feb 9 13:48:51 2013 Feb 9 23:48:51 2013 krbtgt/mongodbuser@EXAMPLE.COM
Set the Connection Options
Next, set the following connection options:
username
: The Kerbos principal to authenticate.authMechanism
: Set to"GSSAPI"
.authMechanismProperties
: Optional. By default, MongoDB usesmongodb
as the authentication service name. To specify a different service name, set this option to"SERVICE_NAME:<authentication service name>"
.
You can set these options through parameters in your connection URI, as shown in the following example:
const char *uri = "mongodb://mongodbuser%40EXAMPLE.COM@<hostname>:<port>/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:<authentication service name>"); mongoc_client_t *client = mongoc_client_new(uri);
Note
You must replace the @
symbol in the principal with %40
, as shown
in the preceding example.
PLAIN SASL
The PLAIN Simple Authentication and Security Layer (SASL), as defined by RFC 4616, is a username-password authentication mechanism often used with TLS or another encryption layer. You must compile the C driver with SASL support to use PLAIN SASL authentication.
Important
PLAIN SASL is a clear-text authentication mechanism. We strongly recommend that you use TLS/SSL with certificate validation when using PLAIN SASL to authenticate to MongoDB.
To authenticate with SASL, set the authMechanism
connection option to PLAIN
.
You can set this option through a parameter in your connection string, as shown
in the following example:
const char *uri = "mongodb://<username>:<password>@<hostname>:<port>/?authMechanism=PLAIN"); mongoc_client_t *client = mongoc_client_new(uri);
API Documentation
To learn more about authenticating your application in the C driver, see the following API documentation: