BASIC AUTHENTICATION
The MongoDB C driver supports challenge response authentication (sometimes known as MONGODB-CR ) through the use of MongoDB connection URIs.
Simply provide the username and password as one would with an HTTP URL , as well as the database to authenticate against via authSource \&.
mongoc_client_t *client = mongoc_client_new (mongodb://user:password@localhost/?authSource=mydb);
GSSAPI (KERBEROS) AUTHENTICATION
NOTE
- Kerberos support is only provided in environments supported by the cyrus-sasl Kerberos implementation. This currently limits support to UNIX-like environments.
GSSAPI (Kerberos) authentication is available in the Enterprise Edition of MongoDB, version 2.4 and newer. To authenticate using GSSAPI , the MongoDB C driver must be installed with SASL support. Run the kinit command before using the following authentication methods:
$ [email protected]'s Password: $
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: [email protected]
Issued Expires Principal
Feb 9 13:48:51 2013 Feb 9 23:48:51 2013 krbtgt/[email protected]
Now authenticate using the MongoDB URI. GSSAPI authenticates against the $external virtual database, so a database does not need to be specified in the URI. Note that the Kerberos principal must be URL-encoded:
mongoc_client_t *client;
client = mongoc_client_new ("mongodb://mongodbuser%[email protected]/?authMechanism=GSSAPI");
The default service name used by MongoDB and the MongoDB C driver is mongodb \&. A custom service name can be specified with the gssapiServiceName option:
mongoc_client_t *client;
client = mongoc_client_new ("mongodb://mongodbuser%[email protected]/?authMechanism=GSSAPI&gssapiServiceName=myservicename");
NOTE
-
When encountering errors such as
Invalid net address
, check if the application is behind a NAT (Network Address Translation) firewall. If so, create a ticket that uses
forwardable
and
addressless
Kerberos tickets. This can be done by passing
-f -A
to
kinit
\&.
$
SSL AUTHENTICATION
NOTE
-
The MongoDB C Driver must be compiled with the
--enable-ssl
option to use SSL authentication.
To connect to a MongoDB server enabled with SSL, add the ?ssl=true option in the MongoDB URI.
mongoc_uri_t *uri = mongoc_uri_new (mongodb://localhost/?ssl=true);
NOTE
-
Connecting to a server that does not support SSL will fail if the
?ssl=true
parameter is provided in the URI. This is to prevent unintentional information leak.
SASL PLAIN AUTHENTICATION
NOTE
-
The MongoDB C Driver must be compiled with SASL support in order to use
SASL PLAIN
authentication.
MongoDB Enterprise Edition versions 2.5.0 and newer support the SASL PLAIN authentication mechanism, initially intended for delegating authentication to an LDAP server. Using the SASL PLAIN mechanism is very similar to the challenge response mechanism with usernames and passwords. These examples use the $external virtual database for LDAP support:
NOTE
- SASL PLAIN is a clear-text authentication mechanism. It is strongly recommended to connect to MongoDB using SSL with certificate validation when using the PLAIN mechanism.
mongoc_client_t *client;
client = mongoc_client_new ("mongodb://user:[email protected]/?authMechanism=PLAIN&authSource=$external");
X.509 CERTIFICATE AUTHENTICATION
NOTE
-
The MongoDB C Driver must be compiled with SSL support for X.509 authentication support.
The MONGODB-X509 mechanism authenticates a username derived from the distinguished subject name of the X.509 certificate presented by the driver during SSL negotiation. This authentication method requires the use of SSL connections with certificate validation and is available in MongoDB 2.5.1 and newer:
mongoc_client_t *client;
mongoc_ssl_opt_t ssl_opts = { 0 };
ssl_opts.pem_file = "mycert.pem";
ssl_opts.pem_pwd = "mycertpassword";
ssl_opts.ca_file = "myca.pem";
ssl_opts.ca_dir = "trust_dir";
ssl_opts.weak_cert_validation = false;
client = mongoc_client_new ("mongodb://x509_derived_username@localhost/?authMechanism=MONGODB-X509");
mongoc_client_set_ssl_opts (client, &ssl_opts);
MONGODB-X509 authenticates against the $external database, so specifying a database is not required.