Enterprise Authentication Mechanisms
Overview
In this guide, you can learn how to authenticate to MongoDB using the authentication mechanisms available in the MongoDB Enterprise Edition. When you connect to MongoDB, you can use an authentication mechanism to establish trust between the driver and the server.
The Rust driver supports authenticating to a Lightweight Directory Access Protocol (LDAP) server by using the LDAP (PLAIN) enterprise authentication mechanism.
Note
GSSAPI/Kerberos Authentication
The driver does not support the GSSAPI/Kerberos authentication mechanism, but you can use other methods to authenticate this way. To learn more about these methods, see Kerberos Authentication in the Server manual.
Tip
See also:
To authenticate to MongoDB by using mechanisms available in the MongoDB Community Edition, see the guide on Authentication Mechanisms.
To learn more about connecting to a MongoDB deployment, see the Connection Guide.
To select a specific authentication mechanism, specify the
mechanism, your credentials, and other necessary information
in the options of your connection string or in a Credential
struct.
Authenticate to LDAP (PLAIN)
You can authenticate to a Lightweight Directory Access Protocol (LDAP) server by using your directory server username and password.
The name of the authentication mechanism is PLAIN
instead of LDAP
because the mechanism uses the PLAIN Simple Authentication and
Security Layer (SASL) defined in RFC-4616.
Warning
This authentication mechanism sends your password to the server in plaintext. Use this mechanism only after enabling TLS on your connection to improve security and reduce vulnerabilities in your application.
To learn more, see TLS/SSL (Transport Encryption) in the Server manual.
Example
To specify the PLAIN
authentication mechanism, set the
mechanism
field of your Credential
struct to
AuthMechanism::Plain
. This example specifies the
authentication mechanism by using the following placeholders:
username
: Your LDAP usernamepassword
: Your LDAP password
let plain_cred = Credential::builder() .username("<username>".to_string()) .password("<password>".to_string()) .mechanism(AuthMechanism::Plain) .source("$external".to_string()) .build(); client_options.credential = Some(plain_cred); let client = Client::with_options(client_options)?;
Note
Authentication Database
Because your credentials are stored outside of MongoDB, you must use the
$external
database for authentication. The source
field of
the Credential
struct defaults to $external
, so you can omit
this field.
Alternatively, you can authenticate by using a connection string URI by
setting the value of the authMechanism
connection string option to PLAIN
.
This example shows how to specify the PLAIN
authentication mechanism in
a connection string URI by using the following placeholders:
username
: Your LDAP usernamepassword
: Your LDAP passwordhostname
: The network address of your MongoDB server
let uri = "mongodb://<username>:<password>@<hostname>/?authSource=$external&authMechanism=PLAIN";
Additional Information
To learn more about the concepts in this guide, see the following documentation:
MongoDB Server Support for LDAP Proxy Authentication in the Server manual
Connection Options guide
Connection Strings in the Server manual
API Documentation
To learn more about the methods and types mentioned in this guide, see the following API documentation: