Enterprise Authentication Mechanisms
Overview
In this guide, you can learn how to authenticate with MongoDB using the authentication mechanisms available only in the MongoDB Enterprise Edition. Authentication mechanisms are processes by which the driver and server confirm the identity of a client to ensure security before connecting.
You can use the following authentication mechanisms with the latest version of MongoDB Enterprise Edition.
To authenticate using another mechanism, see the Authentication Mechanisms fundamentals page. For more information on establishing a connection to your MongoDB cluster, see the Connection Guide.
You can specify your authentication mechanism and credentials when connecting to MongoDB using either of the following methods:
A connection string, also known as a connection URI, which is a string that tells the driver how to connect to a MongoDB deployment and how to behave while connected.
A factory method for the supported authentication mechanism, contained in the MongoCredential class.
Authenticate with GSSAPI/Kerberos
The Generic Security Services API (GSSAPI) authentication mechanism allows the user to authenticate to a Kerberos service using the user's principal name.
The following examples specify the authentication mechanism using the following placeholders:
<username>: Your URL-encoded principal name; for example, "username%40REALM.ME"
<password>: Your Kerberos user's password
<hostname>: The network address of your MongoDB server, accessible by your client
The following examples show the connection string syntax, followed by the MongoCredential syntax, for specifying the GSSAPI/Kerberos authentication mechanism:
var mongoClient = new MongoClient("mongodb://<username>:<password>@<hostname>/?authMechanism=GSSAPI");

var credential = MongoCredential.CreateGssapiCredential("<username>", "<password>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);
Tip
Omitting the Password
You can omit the password if one of the following is true:
On Windows, the process owner running the application is the same as the user needing authentication.
On Linux, the user has initialized their keytab via kinit username@REALM.COM.
Additional Properties
You can specify additional properties with your authentication mechanism using the connection string or a factory method in the MongoCredential class.
Fully Qualified Domain Name
The following example shows how to use the DNS server to retrieve the fully qualified domain name of the host:
var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true");

var credential = MongoCredential.CreateGssapiCredential("<db_username>", "<db_password>");
credential = credential.WithMechanismProperty("CANONICALIZE_HOST_NAME", "true");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);
Realm
The following example shows how to specify the user's realm when it is different from the service's realm:
var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_REALM:<user's realm>");

var credential = MongoCredential.CreateGssapiCredential("<db_username>", "<db_password>");
credential = credential.WithMechanismProperty("SERVICE_REALM", "<user's realm>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);
Service name
The following example shows how to specify the service name when it is not the default mongodb:
var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:<service name>");

var credential = MongoCredential.CreateGssapiCredential("<db_username>", "<db_password>");
credential = credential.WithMechanismProperty("SERVICE_NAME", "<service name>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);
Multiple properties
The following example shows how to specify multiple authentication mechanism properties:
var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:<service name>,SERVICE_REALM:<user's realm>");

var credential = MongoCredential.CreateGssapiCredential("<db_username>", "<db_password>");
credential = credential.WithMechanismProperty("SERVICE_REALM", "<user's realm>")
    .WithMechanismProperty("SERVICE_NAME", "<service name>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);
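The following is an added example, not code from the original page or from the driver project. It assembles a GSSAPI connection string with no password (relying on the cases in the tip above), percent-encodes the principal, and rejects misspelled property names before the string reaches the driver. The GssapiUri helper, the principal, the host and the service name are hypothetical or constructed; the allowed property names are the ones passed to WithMechanismProperty on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using MongoDB.Driver;

// Constructed sample values (assumptions, not taken from the page).
var uri = GssapiUri.Build(
    principal: "alice@EXAMPLE.COM",
    host: "db.example.com:27017",
    properties: new Dictionary<string, string>
    {
        ["SERVICE_NAME"] = "mongodb-prod",
        ["CANONICALIZE_HOST_NAME"] = "true",
    });
Console.WriteLine(uri);

// Parsing only: no connection is opened until the first operation runs.
var settings = MongoClientSettings.FromConnectionString(uri);
Console.WriteLine($"{settings.Credential.Mechanism} as {settings.Credential.Username}");

// Hypothetical helper, not part of MongoDB.Driver.
public static class GssapiUri
{
    // Property names used with WithMechanismProperty on this page.
    private static readonly HashSet<string> KnownProperties = new(StringComparer.Ordinal)
    {
        "SERVICE_NAME", "SERVICE_REALM", "CANONICALIZE_HOST_NAME",
    };

    public static string Build(string principal, string host,
                               IReadOnlyDictionary<string, string> properties)
    {
        // Fail early on a misspelled key instead of passing it along silently.
        var unknown = properties.Keys.Where(k => !KnownProperties.Contains(k)).ToList();
        if (unknown.Count > 0)
            throw new ArgumentException(
                "Unrecognized GSSAPI property: " + string.Join(", ", unknown));

        // The '@' in user@REALM must become %40, otherwise it is read as the
        // separator between the credentials and the host.
        var uri = $"mongodb://{Uri.EscapeDataString(principal)}@{host}/?authMechanism=GSSAPI";
        if (properties.Count > 0)
            uri += "&authMechanismProperties=" +
                   string.Join(",", properties.Select(p => $"{p.Key}:{p.Value}"));
        return uri;
    }
}
```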
Authenticate with LDAP (PLAIN)
You can authenticate to a Lightweight Directory Access Protocol (LDAP) server using your directory-server username and password.
The following examples specify the authentication mechanism using the following placeholders:
<username>: Your LDAP username
<password>: Your LDAP password
<hostname>: The network address of your MongoDB server, accessible by your client
<authenticationDb>: The MongoDB database that contains your user's authentication
The following examples show the connection string syntax, followed by the MongoCredential syntax, for specifying the LDAP authentication mechanism:
var mongoClient = new MongoClient("mongodb://<username>:<password>@<hostname>/?authSource=<authenticationDb>&authMechanism=PLAIN");

var credential = MongoCredential.CreatePlainCredential("<authenticationDb>", "<username>", "<password>");
var settings = MongoClientSettings.FromConnectionString("<connection string>");
settings.Credential = credential;
var mongoClient = new MongoClient(settings);
Tip
The method refers to PLAIN instead of LDAP since it authenticates using the PLAIN Simple Authentication and Security Layer (SASL) defined in RFC-4616.
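Because SASL PLAIN carries the password to the server without hashing or encryption, the connection should be protected by TLS. The following added example, which is not code from the original page or the driver project, refuses to attach a PLAIN credential unless TLS with certificate validation is enabled. The LdapClientFactory helper, the environment variable names and the host are hypothetical, and "$external" as the authentication database is an assumption about the deployment.

```csharp
using System;
using MongoDB.Driver;

// Read a secret from the environment instead of embedding it in source.
static string RequireEnv(string name) =>
    Environment.GetEnvironmentVariable(name)
    ?? throw new InvalidOperationException($"{name} is not set");

// Constructed sample values (assumptions, not taken from the page).
var client = LdapClientFactory.Create(
    "mongodb://db.example.com:27017/?tls=true",
    authenticationDb: "$external",
    username: RequireEnv("MONGODB_LDAP_USER"),
    password: RequireEnv("MONGODB_LDAP_PASSWORD"));
Console.WriteLine($"Configured {client.Settings.Credential.Mechanism} over TLS");

// Hypothetical helper, not part of MongoDB.Driver.
public static class LdapClientFactory
{
    public static MongoClient Create(string connectionString, string authenticationDb,
                                     string username, string password)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);

        // PLAIN offers no protection for the password on the wire.
        if (!settings.UseTls)
            throw new InvalidOperationException(
                "PLAIN authentication requires TLS; add tls=true to the connection string.");

        // Skipping certificate validation would let an impostor server collect the password.
        if (settings.AllowInsecureTls)
            throw new InvalidOperationException(
                "Certificate validation must stay enabled when using PLAIN.");

        settings.Credential =
            MongoCredential.CreatePlainCredential(authenticationDb, username, password);
        return new MongoClient(settings);
    }
}
```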
API Documentation
To learn more about any of the methods or types discussed in this guide, see the following API Documentation: