Authentication

Basic Authentication

The MongoDB C driver supports challenge-response authentication (sometimes known as MONGODB-CR) through MongoDB connection URIs. Provide the username and password as you would in an HTTP URL, and name the database to authenticate against with authSource.

mongoc_client_t *client = mongoc_client_new ("mongodb://user:password@localhost/?authSource=mydb");

For more information on connection string URIs, see Connection String URI.

GSSAPI (Kerberos) Authentication

GSSAPI (Kerberos) authentication is available in the Enterprise Edition of MongoDB, version 2.4 and newer. To authenticate using GSSAPI you must first install the MongoDB C driver with SASL support. Make sure you run kinit before using the following authentication methods:

$ kinit mongodbuser@EXAMPLE.COM
mongodbuser@EXAMPLE.COM's Password:
$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: mongodbuser@EXAMPLE.COM

  Issued                Expires               Principal
Feb  9 13:48:51 2013  Feb  9 23:48:51 2013  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Now authenticate using the MongoDB URI. GSSAPI authenticates against the $external virtual database, so you do not have to specify a database in the URI:

mongoc_client_t *client;

client = mongoc_client_new ("mongodb://mongodbuser%40EXAMPLE.COM@example.com/?authMechanism=GSSAPI");

The Kerberos principal must be URL-encoded; in the URI above, the @ in mongodbuser@EXAMPLE.COM is written as %40.
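The encoding step the principal needs, shown as an added example that is not part of the driver or of the original documentation. uri_userinfo_encode and build_gssapi_uri are hypothetical helpers that percent-encode every byte outside the RFC 3986 unreserved set and assemble the GSSAPI URI; the same encoder applies to a password in a user:password URI. The host is assumed to come from trusted configuration.

```c
#include <stdio.h>
#include <string.h>

/* RFC 3986 "unreserved" characters stay literal; '@', ':', '/', '%' etc. do not. */
static int is_unreserved (unsigned char c)
{
   return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
          (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Hypothetical helper: percent-encode src into dst for the userinfo part of a URI.
 * Returns the encoded length, or -1 (dst emptied) if dst is too small. */
int uri_userinfo_encode (const char *src, char *dst, size_t dst_len)
{
   static const char hex[] = "0123456789ABCDEF";
   size_t o = 0;

   if (dst_len == 0) return -1;
   for (; *src; src++) {
      unsigned char c = (unsigned char) *src;
      size_t need = is_unreserved (c) ? 1 : 3;
      /* ">=" keeps one byte free for the terminating NUL */
      if (o + need >= dst_len) { dst[0] = '\0'; return -1; }
      if (need == 1) {
         dst[o++] = (char) c;
      } else {
         dst[o++] = '%';
         dst[o++] = hex[c >> 4];
         dst[o++] = hex[c & 0x0F];
      }
   }
   dst[o] = '\0';
   return (int) o;
}

/* Hypothetical helper: build the GSSAPI URI; returns 0, or -1 instead of truncating. */
int build_gssapi_uri (const char *principal, const char *host, char *out, size_t out_len)
{
   char user[256];
   int n;
   if (uri_userinfo_encode (principal, user, sizeof user) < 0) return -1;
   n = snprintf (out, out_len, "mongodb://%s@%s/?authMechanism=GSSAPI", user, host);
   return (n < 0 || (size_t) n >= out_len) ? -1 : 0;
}

int main (void)
{
   char uri[256];
   if (build_gssapi_uri ("mongodbuser@EXAMPLE.COM", "example.com", uri, sizeof uri) == 0) puts (uri);
   return 0;
}
```

The resulting string can be passed to mongoc_client_new as in the call above. A -1 return means the URI was not built, so a truncated credential never reaches the driver.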

The default service name used by MongoDB and the MongoDB C driver is mongodb. You can specify a custom service name with the gssapiServiceName option:

mongoc_client_t *client;

client = mongoc_client_new ("mongodb://mongodbuser%40EXAMPLE.COM@example.com/?authMechanism=GSSAPI&gssapiServiceName=myservicename");

Kerberos support is only provided in environments supported by the Cyrus SASL Kerberos implementation. This currently limits support to UNIX-like environments.

If you see an error such as Invalid net address, you might be behind a NAT (Network Address Translation) firewall. In this case, you might need to request forwardable and addressless Kerberos tickets. This can be done by passing -f -A to kinit.

$ kinit -f -A mongodbuser@EXAMPLE.COM

SASL Plain Authentication

MongoDB Enterprise Edition versions 2.5.0 and newer support the SASL PLAIN authentication mechanism, initially intended for delegating authentication to an LDAP server. Using the SASL PLAIN mechanism is very similar to MONGODB-CR. These examples use the $external virtual database for LDAP support.

SASL PLAIN is a clear-text authentication mechanism. We strongly recommend that you connect to MongoDB using SSL with certificate validation when using the PLAIN mechanism:

mongoc_client_t *client;

client = mongoc_client_new ("mongodb://user:password@example.com/?authMechanism=PLAIN&authSource=$external");

You must build the MongoDB C driver with SASL support to use SASL PLAIN authentication.

X.509 Certificate Authentication

The MONGODB-X509 mechanism authenticates a username derived from the distinguished subject name of the X.509 certificate presented by the driver during SSL negotiation. This authentication method requires the use of SSL connections with certificate validation and is available in MongoDB 2.5.1 and newer:

mongoc_client_t *client;
mongoc_ssl_opt_t ssl_opts = { 0 };

ssl_opts.pem_file = "mycert.pem";
ssl_opts.pem_pwd = "mycertpassword";
ssl_opts.ca_file = "myca.pem";
ssl_opts.ca_dir = "trust_dir";
ssl_opts.weak_cert_validation = false;

client = mongoc_client_new ("mongodb://x509_derived_username@localhost/?authMechanism=MONGODB-X509");
mongoc_client_set_ssl_opts (client, &ssl_opts);

MONGODB-X509 authenticates against the $external database, so specifying a database is not required.

You must build the MongoDB C driver with SSL support to use X.509 authentication.