Docs Menu

Enterprise Authentication Mechanisms

MongoDB Enterprise Edition includes authentication mechanisms that aren't available in MongoDB Community Edition. In this guide, you can learn how to authenticate to MongoDB by using these authentication mechanisms. To learn about the other authentication mechanisms available in MongoDB, see Authentication Mechanisms.

The Generic Security Services API (GSSAPI) provides an interface for Kerberos authentication.

Note

To authenticate with GSSAPI, you must build the MongoDB C driver with SASL support. If you are building the driver from source, you can enable SASL support with the ENABLE_SASL cmake option.

Complete the following steps to authenticate with GSSAPI:

1

On Unix environments, you must first run the kinit command to obtain and cache an initial ticket-granting ticket. If you're running a Windows environment, you can skip ahead to the next step.

The following example uses the kinit command to obtain a ticket-granting ticket for the principal mongodbuser@EXAMPLE.COM. It then uses the klist command to display the principal and ticket in the credentials cache.

$ kinit mongodbuser@EXAMPLE.COM
mongodbuser@EXAMPLE.COM's Password:
$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: mongodbuser@EXAMPLE.COM
Issued Expires Principal
Feb 9 13:48:51 2013 Feb 9 23:48:51 2013 krbtgt/mongodbuser@EXAMPLE.COM
2

Next, set the following connection options:

  • Kerberos principal: The Kerberos principal to authenticate.

  • authMechanism: Set to "GSSAPI".

  • authMechanismProperties: Optional. By default, MongoDB uses mongodb as the authentication service name. To specify a different service name, set this option to "SERVICE_NAME:<authentication service name>".

You can set these options through parameters in your connection URI, as shown in the following example:

auto uri = mongocxx::uri("mongodb://<Kerberos principal>@<hostname>:<port>/?"
"authMechanism=GSSAPI"
"&authMechanismProperties=SERVICE_NAME:<authentication service name>");
auto client = mongocxx::client(uri);

Note

You must replace the @ symbol in the principal with %40, as shown in the preceding example.

The PLAIN Simple Authentication and Security Layer (SASL), as defined by RFC 4616, is a username-password authentication mechanism often used with TLS or another encryption layer.

Important

PLAIN SASL is a clear-text authentication mechanism. We strongly recommend that you use TLS/SSL with certificate validation when using PLAIN SASL to authenticate to MongoDB.

To learn more about how to enable TLS for your connection, see Configure Transport Layer Security (TLS).

To authenticate with SASL, set the authMechanism connection option to PLAIN. You can set this option through a parameter in your connection string, as shown in the following example:

auto uri = mongocxx::uri("mongodb://<db_username>:<db_password>@<hostname>:<port>/?"
"authMechanism=PLAIN&tls=true");
auto client = mongocxx::client(uri);

To learn more about creating a mongocxx::client object in C++ driver, see the following API documentation: