1MONGOC_AUTHENTICATION(3) libmongoc MONGOC_AUTHENTICATION(3)
2
3
4
6 mongoc_authentication - Authentication
7
8 This guide covers the use of authentication options with the MongoDB C
9 Driver. Ensure that the MongoDB server is also properly configured for
10 authentication before making a connection. For more information, see
11 the MongoDB security documentation.
12
13 The MongoDB C driver supports several authentication mechanisms through
14 the use of MongoDB connection URIs.
15
16 By default, if a username and password are provided as part of the con‐
17 nection string (and an optional authentication database), they are used
18 to connect via the default authentication mechanism of the server.
19
20 To select a specific authentication mechanism other than the default,
21 see the list of supported mechanism below.
22
23 mongoc_client_t *client = mongoc_client_new ("mongodb://user:password@localhost/?authSource=mydb");
24
25 Currently supported values for the authMechanism connection string op‐
26 tion are:
27
28 • SCRAM-SHA-1
29
30 • MONGODB-CR (deprecated)
31
32 • GSSAPI
33
34 • PLAIN
35
36 • X509
37
38 • MONGODB-AWS
39
41 MongoDB 4.0 introduces support for authenticating using the SCRAM pro‐
42 tocol with the more secure SHA-256 hash described in RFC 7677. Using
43 this authentication mechanism means that the password is never actually
44 sent over the wire when authenticating, but rather a computed proof
45 that the client password is the same as the password the server knows.
46 In MongoDB 4.0, the C driver can determine the correct default authen‐
47 tication mechanism for users with stored SCRAM-SHA-1 and SCRAM-SHA-256
48 credentials:
49
50 mongoc_client_t *client = mongoc_client_new ("mongodb://user:password@localhost/?authSource=mydb");
51 /* the correct authMechanism is negotiated between the driver and server. */
52
53 Alternatively, SCRAM-SHA-256 can be explicitly specified as an auth‐
54 Mechanism.
55
56 mongoc_client_t *client = mongoc_client_new ("mongodb://user:password@localhost/?authMechanism=SCRAM-SHA-256&authSource=mydb");
57
58 Passwords for SCRAM-SHA-256 undergo the preprocessing step known as
59 SASLPrep specified in RFC 4013. SASLPrep will only be performed for
60 passwords containing non-ASCII characters. SASLPrep requires libicu.
61 If libicu is not available, attempting to authenticate over
62 SCRAM-SHA-256 with non-ASCII passwords will result in error.
63
64 Usernames never undergo SASLPrep.
65
66 By default, when building the C driver libicu is linked if available.
67 This can be changed with the ENABLE_ICU cmake option. To specify an in‐
68 stallation path of libicu, specify ICU_ROOT as a cmake option. See the
69 FindICU documentation for more information.
70
72 The default authentication mechanism before MongoDB 4.0 is SCRAM-SHA-1
73 (RFC 5802). Using this authentication mechanism means that the password
74 is never actually sent over the wire when authenticating, but rather a
75 computed proof that the client password is the same as the password the
76 server knows.
77
78 mongoc_client_t *client = mongoc_client_new ("mongodb://user:password@localhost/?authMechanism=SCRAM-SHA-1&authSource=mydb");
79
80 NOTE:
81 SCRAM-SHA-1 authenticates against the admin database by default. If
82 the user is created in another database, then specifying the auth‐
83 Source is required.
84
86 The MONGODB-CR authMechanism is deprecated and will no longer function
87 in MongoDB 4.0. Instead, specify no authMechanism and the driver will
88 use an authentication mechanism compatible with your server.
89
91 NOTE:
92 Kerberos support requires compiling the driver against cyrus-sasl on
93 UNIX-like environments. On Windows, configure the driver to build
94 against the Windows Native SSPI.
95
96 GSSAPI (Kerberos) authentication is available in the Enterprise Edition
97 of MongoDB. To authenticate using GSSAPI, the MongoDB C driver must be
98 installed with SASL support.
99
100 On UNIX-like environments, run the kinit command before using the fol‐
101 lowing authentication methods:
102
103 $ kinit mongodbuser@EXAMPLE.COM
104 mongodbuser@EXAMPLE.COM's Password:
105 $ klistCredentials cache: FILE:/tmp/krb5cc_1000
106 Principal: mongodbuser@EXAMPLE.COM
107
108 Issued Expires Principal
109 Feb 9 13:48:51 2013 Feb 9 23:48:51 2013 krbtgt/EXAMPLE.COM@EXAMPLE.COM
110
111 Now authenticate using the MongoDB URI. GSSAPI authenticates against
112 the $external virtual database, so a database does not need to be spec‐
113 ified in the URI. Note that the Kerberos principal must be URL-encoded:
114
115 mongoc_client_t *client;
116
117 client = mongoc_client_new ("mongodb://mongodbuser%40EXAMPLE.COM@mongo-server.example.com/?authMechanism=GSSAPI");
118
119 NOTE:
120 GSSAPI authenticates against the $external database, so specifying
121 the authSource database is not required.
122
123 The driver supports these GSSAPI properties:
124
125 • CANONICALIZE_HOST_NAME: This might be required with Cyrus-SASL when
126 the hosts report different hostnames than what is used in the Ker‐
127 beros database. The default is "false".
128
129 • SERVICE_NAME: Use a different service name than the default, "mon‐
130 godb".
131
132 Set properties in the URL:
133
134 mongoc_client_t *client;
135
136 client = mongoc_client_new ("mongodb://mongodbuser%40EXAMPLE.COM@mongo-server.example.com/?authMechanism=GSSAPI&"
137 "authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true");
138
139 If you encounter errors such as Invalid net address, check if the ap‐
140 plication is behind a NAT (Network Address Translation) firewall. If
141 so, create a ticket that uses forwardable and addressless Kerberos
142 tickets. This can be done by passing -f -A to kinit.
143
144 $ kinit -f -A mongodbuser@EXAMPLE.COM
145
147 NOTE:
148 The MongoDB C Driver must be compiled with SASL support in order to
149 use SASL PLAIN authentication.
150
151 MongoDB Enterprise Edition supports the SASL PLAIN authentication mech‐
152 anism, initially intended for delegating authentication to an LDAP
153 server. Using the SASL PLAIN mechanism is very similar to the challenge
154 response mechanism with usernames and passwords. This authentication
155 mechanism uses the $external virtual database for LDAP support:
156
157 NOTE:
158 SASL PLAIN is a clear-text authentication mechanism. It is strongly
159 recommended to connect to MongoDB using TLS with certificate valida‐
160 tion when using the PLAIN mechanism.
161
162 mongoc_client_t *client;
163
164 client = mongoc_client_new ("mongodb://user:password@example.com/?authMechanism=PLAIN");
165
166 PLAIN authenticates against the $external database, so specifying the
167 authSource database is not required.
168
170 NOTE:
171 The MongoDB C Driver must be compiled with TLS support for X.509 au‐
172 thentication support. Once this is done, start a server with the
173 following options:
174
175 $ mongod --tlsMode requireTLS --tlsCertificateKeyFile server.pem --tlsCAFile ca.pem
176
177 The MONGODB-X509 mechanism authenticates a username derived from the
178 distinguished subject name of the X.509 certificate presented by the
179 driver during TLS negotiation. This authentication method requires the
180 use of TLS connections with certificate validation.
181
182 mongoc_client_t *client;
183 mongoc_ssl_opt_t ssl_opts = { 0 };
184
185 ssl_opts.pem_file = "mycert.pem";
186 ssl_opts.pem_pwd = "mycertpassword";
187 ssl_opts.ca_file = "myca.pem";
188 ssl_opts.ca_dir = "trust_dir";
189 ssl_opts.weak_cert_validation = false;
190
191 client = mongoc_client_new ("mongodb://x509_derived_username@localhost/?authMechanism=MONGODB-X509");
192 mongoc_client_set_ssl_opts (client, &ssl_opts);
193
194 MONGODB-X509 authenticates against the $external database, so specify‐
195 ing the authSource database is not required. For more information on
196 the x509_derived_username, see the MongoDB server x.509 tutorial.
197
198 NOTE:
199 The MongoDB C Driver will attempt to determine the x509 derived
200 username when none is provided, and as of MongoDB 3.4 providing the
201 username is not required at all.
202
204 The MONGODB-AWS mechanism authenticates to MongoDB servers with creden‐
205 tials provided by AWS Identity and Access Management (IAM).
206
207 To authenticate, create a user with an associated Amazon Resource Name
208 (ARN) on the $external database, and specify the MONGODB-AWS authMecha‐
209 nism in the URI.
210
211 mongoc_uri_t *uri = mongoc_uri_new ("mongodb://localhost/?authMechanism=MONGODB-AWS");
212
213 Since MONGODB-AWS always authenticates against the $external database,
214 so specifying the authSource database is not required.
215
216 Credentials include the access key id, secret access key, and optional
217 session token. They may be obtained from the following ways.
218
219 AWS credentials via URI
220 Credentials may be passed directly in the URI as username/password.
221
222 mongoc_uri_t *uri = mongoc_uri_new ("mongodb://<access key id>:<secret access key>localhost/?authMechanism=MONGODB-AWS");
223
224 This may include a session token passed with authMechanismProperties.
225
226 mongoc_uri_t *uri = mongoc_uri_new ("mongodb://<access key id>:<secret access key>localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<token>");
227
228 AWS credentials via environment
229 If credentials are not passed through the URI, libmongoc will check for
230 the following environment variables.
231
232 • AWS_ACCESS_KEY_ID
233
234 • AWS_SECRET_ACCESS_KEY
235
236 • AWS_SESSION_TOKEN (optional)
237
238 AWS Credentials via ECS
239 If credentials are not passed in the URI or with environment variables,
240 libmongoc will check if the environment variable AWS_CONTAINER_CREDEN‐
241 TIALS_RELATIVE_URI is set, and if so, attempt to retrieve temporary
242 credentials from the ECS task metadata by querying a link local ad‐
243 dress.
244
245 AWS Credentials via EC2
246 If credentials are not passed in the URI or with environment variables,
247 and the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is
248 not set, libmongoc will attempt to retrieve temporary credentials from
249 the EC2 machine metadata by querying link local addresses.
250
252 MongoDB, Inc
253
255 2017-present, MongoDB, Inc
256
257
258
259
2601.17.6 Jun 03, 2021 MONGOC_AUTHENTICATION(3)