
Enterprise Authentication Mechanisms

On this page

  • Overview
  • Authenticate to GSSAPI/Kerberos
  • Example
  • Set Custom SERVICE_NAME and SERVICE_REALM Fields
  • Authenticate to LDAP (PLAIN)
  • Example
  • Additional Information
  • API Documentation

Overview

In this guide, you can learn how to authenticate to MongoDB using the authentication mechanisms available in MongoDB Enterprise Edition. An authentication mechanism is the procedure by which the driver proves the client's identity to the server (and, for Kerberos, the server proves its identity to the client) before the connection is used.

You can use the following authentication mechanisms with the latest version of the MongoDB Enterprise Edition:

  • GSSAPI/Kerberos

  • LDAP (Plain)

To authenticate using another mechanism, see the Authentication Mechanisms fundamentals page. To learn more about establishing a connection to your MongoDB cluster, see the Connection Guide.

You can specify your authentication mechanism and credentials when connecting to MongoDB through the following methods:

  • Using a connection string URI. To learn more about using a connection string URI for enterprise authentication, see the Server manual entry on connection string URIs.

  • Specifying credentials and an authentication mechanism in the Credential type.

Authenticate to GSSAPI/Kerberos

The Generic Security Services API (GSSAPI) authentication mechanism lets a client authenticate to MongoDB with a Kerberos principal, using either a password or credentials already held by the process (a keytab or a ticket cache).

You must use the gssapi build tag and compile with cgo enabled to use Kerberos authentication. cgo is enabled by default for native builds, but it is disabled when you cross-compile to another platform (or when CGO_ENABLED=0 is set in the environment), in which case the gssapi-tagged files cannot be built; set CGO_ENABLED=1 explicitly if in doubt. On Linux and macOS the tagged code links against the system Kerberos library, so its development headers must be installed. To use the gssapi build tag, compile your code with the following command:

go build -tags gssapi

Example

This example specifies the authentication mechanism using the following placeholders:

  • username: Your Kerberos principal. A sample username is myuser@KERBEROS.EXAMPLE.COM.

  • password: Your Kerberos user's password. Alternatively, omit the password and let the process authenticate with a keytab or with a ticket cache obtained from kinit, so that no secret appears in your code or configuration.

  • connection uri: Your connection string URI.

The following code shows how you can define a Credential struct to authenticate to Kerberos and create a client with your authentication preferences:

// Assumes these imports: "context", "log",
// "go.mongodb.org/mongo-driver/mongo" and "go.mongodb.org/mongo-driver/mongo/options".
credential := options.Credential{
	AuthMechanism: "GSSAPI",
	Username:      "<username>", // full Kerberos principal, e.g. myuser@KERBEROS.EXAMPLE.COM
	Password:      "<password>",
	PasswordSet:   true, // required for GSSAPI whenever a password is supplied; false means "use the ticket cache"
}
uri := "<connection uri>"
clientOpts := options.Client().ApplyURI(uri).SetAuth(credential)
client, err := mongo.Connect(context.TODO(), clientOpts)
if err != nil {
	log.Fatal(err)
}
defer client.Disconnect(context.TODO())

You don't need to set the Password or PasswordSet fields in your Credential struct if the process already holds Kerberos credentials, either from a keytab or from a credential cache. You can initialize a credential cache for the Kerberos principal with the kinit binary; the driver then authenticates with the ticket in that cache. To learn more about the kinit binary, see the Oracle documentation.

The following command shows how you can invoke a credential cache for a sample username:

kinit myuser@KERBEROS.EXAMPLE.COM

You can alternatively authenticate using a connection string URI, specifying your URL-encoded Kerberos principal, password, and hostname (the network address of your MongoDB server). The @ that separates the user from the realm must be percent-encoded as %40, otherwise the URI parser treats it as the end of the credentials; myuser@KERBEROS.EXAMPLE.COM therefore appears as myuser%40KERBEROS.EXAMPLE.COM. A password embedded in a URI can leak through logs, shell history, and process listings, so prefer the Credential struct or a kinit credential cache for the secret itself:

uri := "mongodb://<username>:<password>@<hostname>/?authMechanism=GSSAPI"

Set Custom SERVICE_NAME and SERVICE_REALM Fields

You can specify additional properties for your authentication mechanism using the AuthMechanismProperties field in the Credential struct. The default service name for Kerberos is "mongodb"; change SERVICE_NAME only if the server's service principal was registered under a different name. SERVICE_REALM is needed when the MongoDB server's service principal lives in a different Kerberos realm than your user principal (cross-realm authentication). The following code shows how you can set custom values for the SERVICE_NAME and SERVICE_REALM fields when defining a Credential struct:

credential := options.Credential{
	AuthMechanism: "GSSAPI",
	Username:      "<username>",
	Password:      "<password>",
	PasswordSet:   true, // as in the previous example: without this the supplied password is not used for GSSAPI
	AuthMechanismProperties: map[string]string{
		"SERVICE_REALM": "<Kerberos service realm>", // realm of the server's service principal
		"SERVICE_NAME":  "<service name>",           // defaults to "mongodb" when omitted
	},
}

For additional properties, see the Server manual entry on authentication properties.
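The connection-string form above and the SERVICE_NAME / SERVICE_REALM properties are easy to get subtly wrong: the @ in a Kerberos principal must be percent-encoded, and properties travel in the URI as KEY:value pairs separated by commas. The following is an added example, not code from the Go driver or from this page. It builds such a URI with the Go standard library, rejects inputs that would corrupt the syntax, and parses the result back to confirm that the principal survives the round trip. The hostnames and realm are placeholders, and the BuildGSSAPIURI and ParseGSSAPIURI names are chosen here, not driver API.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Added example (not driver code). The driver parses the connection string
// itself; these helpers only build one correctly and check it. All hosts,
// realms and names below are placeholders.

// propertyCharsForbidden are the separators of the authMechanismProperties
// syntax ("KEY:value,KEY2:value2") plus query-string delimiters; a value
// containing one of them would change the meaning of the URI.
const propertyCharsForbidden = ",:&=%"

// BuildGSSAPIURI returns a mongodb:// URI for GSSAPI authentication. An empty
// password means "rely on the Kerberos ticket cache or keytab" (the kinit case)
// and leaves no secret in the URI at all.
func BuildGSSAPIURI(principal, password string, hosts []string, props map[string]string) (string, error) {
	if _, realm, ok := strings.Cut(principal, "@"); !ok || realm == "" {
		return "", fmt.Errorf("principal %q must be of the form user@REALM", principal)
	}
	if len(hosts) == 0 {
		return "", fmt.Errorf("at least one host is required")
	}
	u := &url.URL{Scheme: "mongodb", Host: strings.Join(hosts, ","), Path: "/"}
	if password == "" {
		u.User = url.User(principal) // url.User percent-encodes "@" and ":" in the userinfo
	} else {
		u.User = url.UserPassword(principal, password)
	}
	query := []string{"authMechanism=GSSAPI"}
	if len(props) > 0 {
		keys := make([]string, 0, len(props))
		for k := range props {
			keys = append(keys, k)
		}
		sort.Strings(keys) // deterministic output
		pairs := make([]string, 0, len(keys))
		for _, k := range keys {
			if strings.ContainsAny(k+props[k], propertyCharsForbidden) {
				return "", fmt.Errorf("property %s=%q contains a reserved character", k, props[k])
			}
			pairs = append(pairs, k+":"+props[k])
		}
		query = append(query, "authMechanismProperties="+strings.Join(pairs, ","))
	}
	u.RawQuery = strings.Join(query, "&") // ':' and ',' are legal in a query string; do not re-encode them
	return u.String(), nil
}

// ParseGSSAPIURI is the inverse: it recovers the decoded principal and the
// mechanism properties, which is how you confirm the encoding round-trips.
func ParseGSSAPIURI(raw string) (principal string, props map[string]string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", nil, err
	}
	if u.User == nil {
		return "", nil, fmt.Errorf("no credentials in URI")
	}
	q := u.Query()
	if q.Get("authMechanism") != "GSSAPI" {
		return "", nil, fmt.Errorf("authMechanism is %q, not GSSAPI", q.Get("authMechanism"))
	}
	props = map[string]string{}
	if rawProps := q.Get("authMechanismProperties"); rawProps != "" {
		for _, pair := range strings.Split(rawProps, ",") {
			k, v, ok := strings.Cut(pair, ":")
			if !ok {
				return "", nil, fmt.Errorf("malformed property %q", pair)
			}
			props[k] = v
		}
	}
	return u.User.Username(), props, nil // Username() returns the decoded form
}

func main() {
	uri, err := BuildGSSAPIURI("myuser@KERBEROS.EXAMPLE.COM", "", []string{"mongo1.example.com:27017"},
		map[string]string{"SERVICE_NAME": "mongodb", "SERVICE_REALM": "KERBEROS.EXAMPLE.COM"})
	if err != nil {
		panic(err)
	}
	fmt.Println(uri)
	// mongodb://myuser%40KERBEROS.EXAMPLE.COM@mongo1.example.com:27017/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:mongodb,SERVICE_REALM:KERBEROS.EXAMPLE.COM
}
```

The query part is assembled by hand rather than with url.Values.Encode so that the colons and commas of the property syntax stay readable; since those characters are legal in a query string the driver accepts either form, but the hand-built one is what you will see in server logs and is easier to audit.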

Authenticate to LDAP (PLAIN)

You can authenticate to a Lightweight Directory Access Protocol (LDAP) server using your directory server username and password. The MongoDB server, not the driver, talks to LDAP: the driver hands the server your username and password, and the server binds to the directory with them.

Warning

This authentication mechanism sends the password to the MongoDB server in cleartext inside the SASL exchange, so use it only over TLS: set tls=true in the connection string or call SetTLSConfig on the ClientOptions. Do not weaken certificate verification (for example with tlsInsecure=true) on such a connection, because a server that impersonates yours would then receive every LDAP password your application sends.

Example

This example specifies the authentication mechanism using the following placeholders:

  • username: Your LDAP username

  • password: Your LDAP password

  • connection uri: Your connection string URI

The following code shows how you can define a Credential struct to authenticate to LDAP and create a client with your authentication preferences:

// Assumes these imports: "context", "log",
// "go.mongodb.org/mongo-driver/mongo" and "go.mongodb.org/mongo-driver/mongo/options".
credential := options.Credential{
	AuthMechanism: "PLAIN",
	Username:      "<username>", // LDAP username
	Password:      "<password>", // sent to the server in cleartext; the URI must enable TLS
}
uri := "<connection uri>"
clientOpts := options.Client().ApplyURI(uri).SetAuth(credential)
client, err := mongo.Connect(context.TODO(), clientOpts)
if err != nil {
	log.Fatal(err)
}
defer client.Disconnect(context.TODO())

You can alternatively authenticate using a connection string URI, specifying your LDAP username, password, and hostname (the network address of your MongoDB server) and enabling TLS, as the warning above requires:

uri := "mongodb://<username>:<password>@<hostname>/?authMechanism=PLAIN&tls=true"

Note

The method refers to PLAIN instead of LDAP since it authenticates using the PLAIN Simple Authentication and Security Layer (SASL) defined in RFC-4616.
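Because the warning above is easy to violate by accident (a connection string copied from a development environment, a tlsInsecure=true left over from testing), it helps to check the URI before handing it to the driver. The following is an added example, not code from the Go driver or from this page: a standard-library preflight check that refuses PLAIN unless the transport is TLS with certificate verification intact. It uses the standard connection-string options tls / ssl, tlsInsecure, tlsAllowInvalidCertificates and tlsAllowInvalidHostnames, and the fact that mongodb+srv:// connections default to TLS unless tls=false is given explicitly; the hostnames and the CheckPlainTransport name are placeholders chosen here.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Added example (not driver code). Run this on a connection string before
// passing it to options.Client().ApplyURI; it rejects PLAIN over an
// unprotected or unverified transport. Hosts below are placeholders.

// boolOption reports the value of a boolean URI option and whether it was set.
func boolOption(q url.Values, name string) (value, present bool) {
	v := q.Get(name)
	if v == "" {
		return false, false
	}
	return strings.EqualFold(v, "true"), true
}

// CheckPlainTransport returns nil when the URI either does not use PLAIN or
// uses it over verified TLS; otherwise it returns an error saying what is wrong.
func CheckPlainTransport(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	q := u.Query()
	if !strings.EqualFold(q.Get("authMechanism"), "PLAIN") {
		return nil // other mechanisms do not transmit the password itself
	}

	// mongodb+srv:// connections default to TLS unless the URI says tls=false;
	// plain mongodb:// connections default to no TLS. tls overrides the legacy ssl alias.
	tlsOn := u.Scheme == "mongodb+srv"
	if v, ok := boolOption(q, "tls"); ok {
		tlsOn = v
	} else if v, ok := boolOption(q, "ssl"); ok {
		tlsOn = v
	}
	if !tlsOn {
		return fmt.Errorf("authMechanism=PLAIN without TLS: the LDAP password would cross the network in cleartext")
	}

	// TLS that does not verify the peer protects against passive capture only;
	// an interposed server would still collect the password.
	for _, name := range []string{"tlsInsecure", "tlsAllowInvalidCertificates", "tlsAllowInvalidHostnames"} {
		if v, _ := boolOption(q, name); v {
			return fmt.Errorf("authMechanism=PLAIN with %s=true: an impersonating server could capture the password", name)
		}
	}
	return nil
}

func main() {
	// Constructed sample URIs, not real deployments.
	for _, uri := range []string{
		"mongodb://ldapuser:secret@mongo1.example.com:27017/?authMechanism=PLAIN",
		"mongodb://ldapuser:secret@mongo1.example.com:27017/?authMechanism=PLAIN&tls=true",
		"mongodb+srv://ldapuser:secret@cluster.example.com/?authMechanism=PLAIN&tls=false",
		"mongodb://ldapuser:secret@mongo1.example.com:27017/?authMechanism=PLAIN&tls=true&tlsInsecure=true",
	} {
		fmt.Printf("%s\n  -> %v\n", uri, CheckPlainTransport(uri))
	}
}
```

The check inspects only the connection string; if your application enables TLS programmatically with SetTLSConfig instead, apply the same rule to the resulting ClientOptions (a non-nil TLS config whose InsecureSkipVerify is false).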

Additional Information

To learn more about the concepts in this guide, see the following documentation:
