Self-Managed Configuration File Options
On this page
- Configuration File
- File Format
- Use the Configuration File
- Core Options
systemLog
OptionsprocessManagement
Optionsnet
Optionssecurity
OptionssetParameter
Optionstorage
OptionsoperationProfiling
Optionsreplication
Optionssharding
OptionsauditLog
Optionsmongos
-only Options- Windows Service Options
- Removed MMAPv1 Options
The following page describes the configuration options available in MongoDB 8.0. For configuration file options for other versions of MongoDB, see the appropriate version of the MongoDB Manual.
Note
If you're using MongoDB Atlas to manage your MongoDB deployments in the cloud, you don't need to create a configuration file. To learn how to configure settings for your MongoDB Atlas deployment, see Configure Additional Settings.
In addition to using the configuration file options, the default configuration for the MongoDB binaries also uses the operating system environment variables.
Configuration File
You can configure mongod
and mongos
instances at
startup using a configuration file. The configuration file contains
settings that are equivalent to the mongod
and
mongos
command-line options. See Self-Managed Configuration File Settings and Command-Line Options Mapping.
Using a configuration file makes managing mongod
and
mongos
options easier, especially for large-scale
deployments. You can also add comments to the configuration file to
explain the server's settings.
If you installed MongoDB with a package manager such as
yum
orapt
on Linux orbrew
on macOS, or with the MSI installer on Windows, a default configuration file has been provided as part of your installation:PlatformMethodConfiguration FileLinux
apt
,yum
, orzypper
Package Manager/etc/mongod.conf
macOS
brew
Package Manager/usr/local/etc/mongod.conf
(on Intel processors), or/opt/homebrew/etc/mongod.conf
(on Apple M1 processors)Windows
MSI Installer
<install directory>\bin\mongod.cfg
If you installed MongoDB through a downloaded
TGZ
orZIP
file, you must create your own configuration file. The basic example configuration is a good place to start.
File Format
MongoDB configuration files use the YAML format [1].
The following sample configuration file contains several mongod
settings that you may adapt to your local configuration:
Note
YAML does not support tab characters for indentation: use spaces instead.
systemLog: destination: file path: "/var/log/mongodb/mongod.log" logAppend: true processManagement: fork: true net: bindIp: 127.0.0.1 port: 27017 setParameter: enableLocalhostAuthBypass: false ...
The Linux package init scripts included in the official MongoDB packages depend
on specific values for systemLog.path
, storage.dbPath
, and
processManagement.fork
or MONGODB_CONFIG_OVERRIDE_NOFORK
system environment variable. If you modify these settings in the default
configuration file, mongod
may not start.
[1] | YAML is a superset of JSON. |
Externally Sourced Values
Note
MongoDB supports using expansion directives in configuration files to load externally sourced values. Expansion directives can load values for specific configuration file options or load the entire configuration file.
The following expansion directives are available:
Expansion Directive | Description |
---|---|
Allows users to specify a If the configuration file includes the | |
Allows users to specify a shell or terminal command as the external source for configuration file options or the full configuration file. If the configuration file includes the |
For complete documentation, see Externally Sourced Configuration File Values for Self-Managed Deployments.
Use the Configuration File
To configure mongod
or mongos
using a config file,
specify the config file with the --config
option or the
-f
option, as in the following examples:
For example, the following uses mongod --config
<configuration file>
mongos --config
<configuration file>
:
mongod --config /etc/mongod.conf mongos --config /etc/mongos.conf
You can also use the -f
alias to specify the configuration
file, as in the following:
mongod -f /etc/mongod.conf mongos -f /etc/mongos.conf
If you installed from a package and have started MongoDB using your system's init script, you are already using a configuration file.
Expansion Directives and --configExpand
If you are using expansion directives
in the configuration file, you must include the
--configExpand
option when starting
the mongod
or mongos
. For example:
mongod --config /etc/mongod.conf --configExpand "rest,exec" mongos --config /etc/mongos.conf --configExpand "rest,exec"
If the configuration file includes an expansion directive and you start
the mongod
/ mongos
without specifying
that directive in the --configExpand
option, the mongod
/ mongos
fails to start.
For complete documentation, see Externally Sourced Configuration File Values for Self-Managed Deployments.
Core Options
systemLog
Options
systemLog: verbosity: <int> quiet: <boolean> traceAllExceptions: <boolean> syslogFacility: <string> path: <string> logAppend: <boolean> logRotate: <string> destination: <string> timeStampFormat: <string> component: accessControl: verbosity: <int> command: verbosity: <int> # COMMENT additional component verbosity settings omitted for brevity
systemLog.verbosity
Type: integer
Default: 0
The default log message verbosity level for components. The verbosity level determines the amount of Informational and Debug messages MongoDB outputs. [2]
The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
To use a different verbosity level for a named component, use the component's verbosity setting. For example, use the
systemLog.component.accessControl.verbosity
to set the verbosity level specifically forACCESS
components.See the
systemLog.component.<name>.verbosity
settings for specific component verbosity settings.For various ways to set the log verbosity level, see Configure Log Verbosity Levels.
[2] Starting in version 4.2, MongoDB includes the Debug verbosity level (1-5) in the log messages. For example, if the verbosity level is 2, MongoDB logs D2
. In previous versions, MongoDB log messages only specifiedD
for Debug level.
systemLog.quiet
Type: boolean
Default: false
Run
mongos
ormongod
in a quiet mode that attempts to limit the amount of output.systemLog.quiet
is not recommended for production systems as it may make tracking problems during particular connections much more difficult.
systemLog.traceAllExceptions
Type: boolean
Default: false
Print verbose information for debugging. Use for additional logging for support-related troubleshooting.
systemLog.syslogFacility
Type: string
Default: user
The facility level used when logging messages to syslog. The value you specify must be supported by your operating system's implementation of syslog. To use this option, you must set
systemLog.destination
tosyslog
.
systemLog.path
Type: string
The path of the log file to which
mongod
ormongos
should send all diagnostic logging information, rather than the standard output or the host's syslog. MongoDB creates the log file at the specified path.The Linux package init scripts do not expect
systemLog.path
to change from the defaults. If you use the Linux packages and changesystemLog.path
, you must use your own init scripts and disable the built-in scripts.
systemLog.logAppend
Type: boolean
Default: false
When
true
,mongos
ormongod
appends new entries to the end of the existing log file when the instance restarts. Without this option,mongod
ormongos
backs up the existing log and create a new file.
systemLog.logRotate
Type: string
Default: rename
Determines the behavior for the
logRotate
command when rotating the server log and/or the audit log. Specify eitherrename
orreopen
:rename
renames the log file.reopen
closes and reopens the log file following the typical Linux/Unix log rotate behavior. Usereopen
when using the Linux/Unix logrotate utility to avoid log loss.If you specify
reopen
, you must also setsystemLog.logAppend
totrue
.
systemLog.destination
Type: string
The destination to which MongoDB sends all log output. Specify either
file
orsyslog
. If you specifyfile
, you must also specifysystemLog.path
.If you do not specify
systemLog.destination
, MongoDB sends all log output to standard output.Warning
The
syslog
daemon generates timestamps when it logs a message, not when MongoDB issues the message. This can lead to misleading timestamps for log entries, especially when the system is under heavy load. We recommend using thefile
option for production systems to ensure accurate timestamps.
systemLog.timeStampFormat
Type: string
Default: iso8601-local
The time format for timestamps in log messages. Specify one of the following values:
ValueDescriptioniso8601-utc
Displays timestamps in Coordinated Universal Time (UTC) in the ISO-8601 format. For example, for New York at the start of the Epoch:
1970-01-01T00:00:00.000Z
iso8601-local
Displays timestamps in local time in the ISO-8601 format. For example, for New York at the start of the Epoch:
1969-12-31T19:00:00.000-05:00
Note
systemLog.timeStampFormat
no longer supportsctime
. An example ofctime
formatted date is:Wed Dec 31 18:17:54.811
.
systemLog.component
Options
systemLog: component: accessControl: verbosity: <int> command: verbosity: <int> # COMMENT some component verbosity settings omitted for brevity replication: verbosity: <int> election: verbosity: <int> heartbeats: verbosity: <int> initialSync: verbosity: <int> rollback: verbosity: <int> storage: verbosity: <int> journal: verbosity: <int> recovery: verbosity: <int> write: verbosity: <int>
Note
Starting in version 4.2, MongoDB includes the Debug verbosity level
(1-5) in the log messages. For example,
if the verbosity level is 2, MongoDB logs D2
. In previous
versions, MongoDB log messages only specified D
for Debug level.
systemLog.component.accessControl.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to access control. See
ACCESS
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.command.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to commands. See
COMMAND
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.control.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to control operations. See
CONTROL
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.ftdc.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to diagnostic data collection operations. See
FTDC
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.geo.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to geospatial parsing operations. See
GEO
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.index.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to indexing operations. See
INDEX
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.network.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to networking operations. See
NETWORK
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.query.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to query operations. See
QUERY
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.queryStats.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to invocations of
$queryStats
. SeeQUERYSTATS
components.The verbosity level can range from
0
to5
:0
is the default log verbosity level, and only includes informational messages. No$queryStats
calls are logged at this level.1
to2
increases the verbosity level to include$queryStats
calls wherealgorithm
is"hmac-sha-256"
. Any HMAC keys are redacted.3
to5
increases the verbosity level to include$queryStats
calls wherealgorithm
is"hmac-sha-256"
, and the corresponding results. Each result is its own entry and there is a final entry with the string"we finished"
.
systemLog.component.replication.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to replication. See
REPL
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.replication.election.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to election. See
ELECTION
components.If
systemLog.component.replication.election.verbosity
is unset,systemLog.component.replication.verbosity
level also applies to election components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.replication.heartbeats.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to heartbeats. See
REPL_HB
components.If
systemLog.component.replication.heartbeats.verbosity
is unset,systemLog.component.replication.verbosity
level also applies to heartbeats components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.replication.initialSync.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to initialSync. See
INITSYNC
components.If
systemLog.component.replication.initialSync.verbosity
is unset,systemLog.component.replication.verbosity
level also applies to initialSync components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.replication.rollback.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to rollback. See
ROLLBACK
components.If
systemLog.component.replication.rollback.verbosity
is unset,systemLog.component.replication.verbosity
level also applies to rollback components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.sharding.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to sharding. See
SHARDING
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to storage. See
STORAGE
components.If
systemLog.component.storage.journal.verbosity
is unset,systemLog.component.storage.verbosity
level also applies to journaling components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.journal.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to journaling. See
JOURNAL
components.If
systemLog.component.storage.journal.verbosity
is unset, the journaling components have the same verbosity level as the parent storage components: i.e. either thesystemLog.component.storage.verbosity
level if set or the default verbosity level.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.recovery.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to recovery. See
RECOVERY
components.If
systemLog.component.storage.recovery.verbosity
is unset,systemLog.component.storage.verbosity
level also applies to recovery components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity level for components related to the WiredTiger storage engine. See
WT
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtBackup.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity level for components related to backup operations performed by the WiredTiger storage engine. See
WTBACKUP
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtCheckpoint.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to checkpoint operations performed by the WiredTiger storage engine. See
WTCHKPT
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtCompact.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to compaction operations performed by the WiredTiger storage engine. See
WTCMPCT
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtEviction.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to eviction operations performed by the WiredTiger storage engine. See
WTEVICT
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtHS.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to history store operations performed by the WiredTiger storage engine. See
WTHS
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtRecovery.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to recovery operations performed by the WiredTiger storage engine. See
WTRECOV
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtRTS.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to rollback to stable (RTS) operations performed by the WiredTiger storage engine. See
WTRTS
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtSalvage.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to salvage operations performed by the WiredTiger storage engine. See
WTSLVG
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtTimestamp.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to timestamps used by the WiredTiger storage engine. See
WTTS
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtTransaction.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to transaction operations performed by the WiredTiger storage engine. See
WTTXN
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtVerify.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to verification operations performed by the WiredTiger storage engine. See
WTVRFY
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.storage.wt.wtWriteLog.verbosity
Type: integer
Default: -1
New in version 5.3.
The log message verbosity for components related to log write operations performed by the WiredTiger storage engine. See
WTWRTLOG
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.transaction.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to transaction. See
TXN
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
systemLog.component.write.verbosity
Type: integer
Default: 0
The log message verbosity level for components related to write operations. See
WRITE
components.The verbosity level can range from
0
to5
:0
is the MongoDB's default log verbosity level, to include Informational messages.1
to5
increases the verbosity level to include Debug messages.
processManagement
Options
processManagement: fork: <boolean> pidFilePath: <string> timeZoneInfo: <string>
processManagement.fork
Type: boolean
Default: false
Enable a daemon mode that runs the
mongos
ormongod
process in the background. By defaultmongos
ormongod
does not run as a daemon. To usemongos
ormongod
as a daemon, setprocessManagement.fork
or use a controlling process that handles the daemonization process (for example,systemd
).The
processManagement.fork
option is not supported on Windows.The Linux package init scripts do not expect
processManagement.fork
to change from the defaults. If you use the Linux packages and changeprocessManagement.fork
, you must use your own init scripts and disable the built-in scripts.
processManagement.pidFilePath
Type: string
Specifies a file location to store the process ID (PID) of the
mongos
ormongod
process. The user running themongod
ormongos
process must be able to write to this path. If theprocessManagement.pidFilePath
option is not specified, the process does not create a PID file. This option is generally only useful in combination with theprocessManagement.fork
setting.Note
Linux
On Linux, PID file management is generally the responsibility of your distro's init system: usually a service file in the
/etc/init.d
directory, or a systemd unit file registered withsystemctl
. Only use theprocessManagement.pidFilePath
option if you are not using one of these init systems. For more information, please see the respective Installation Guide for your operating system.Note
macOS
On macOS, PID file management is generally handled by
brew
. Only use theprocessManagement.pidFilePath
option if you are not usingbrew
on your macOS system. For more information, please see the respective Installation Guide for your operating system.
processManagement.timeZoneInfo
Type: string
The full path from which to load the time zone database. If this option is not provided, then MongoDB uses its built-in time zone database.
The configuration file included with Linux and macOS packages sets the time zone database path to
/usr/share/zoneinfo
by default.The built-in time zone database is a copy of the Olson/IANA time zone database. It is updated along with MongoDB releases, but the time zone database release cycle differs from the MongoDB release cycle. The most recent release of the time zone database is available on our download site.
Warning
MongoDB uses the third party timelib library to provide accurate conversions between timezones. Due to a recent update,
timelib
could create inaccurate time zone conversions in older versions of MongoDB.To explicitly link to the time zone database in versions of MongoDB prior to 5.0, download the time zone database. and use the
timeZoneInfo
parameter.
net
Options
Changed in version 5.0: MongoDB removes the net.serviceExecutor
configuration option and the
corresponding --serviceExecutor
command-line option.
net: port: <int> bindIp: <string> bindIpAll: <boolean> maxIncomingConnections: <int> wireObjectCheck: <boolean> ipv6: <boolean> unixDomainSocket: enabled: <boolean> pathPrefix: <string> filePermissions: <int> tls: certificateSelector: <string> clusterCertificateSelector: <string> mode: <string> certificateKeyFile: <string> certificateKeyFilePassword: <string> clusterFile: <string> clusterPassword: <string> CAFile: <string> clusterCAFile: <string> clusterAuthX509: attributes: <string> extensionValue: <string> CRLFile: <string> allowConnectionsWithoutCertificates: <boolean> allowInvalidCertificates: <boolean> allowInvalidHostnames: <boolean> disabledProtocols: <string> FIPSMode: <boolean> logVersions: <string> compression: compressors: <string>
net.port
Type: integer
Default:
27017 for
mongod
(if not a shard member or a config server member) ormongos
instance27018 if
mongod
is ashard member
27019 if
mongod
is aconfig server member
The TCP port on which the MongoDB instance listens for client connections.
The
net.port
option accepts a range of values between0
and65535
. Setting the port to0
configuresmongos
ormongod
to use an arbitrary port assigned by the operating system.
net.bindIp
Type: string
Default: localhost
The hostnames and/or IP addresses and/or full Unix domain socket paths on which
mongos
ormongod
should listen for client connections. You may attachmongos
ormongod
to any interface. To bind to multiple addresses, enter a list of comma-separated values.Example
localhost,/tmp/mongod.sock
You can specify both IPv4 and IPv6 addresses, or hostnames that resolve to an IPv4 or IPv6 address.
Example
localhost, 2001:0DB8:e132:ba26:0d5c:2774:e7f9:d513
Note
If specifying an IPv6 address or a hostname that resolves to an IPv6 address to
net.bindIp
, you must startmongos
ormongod
withnet.ipv6 : true
to enable IPv6 support. Specifying an IPv6 address tonet.bindIp
does not enable IPv6 support.If specifying a link-local IPv6 address (
fe80::/10
), you must append the zone index to that address (i.e.fe80::<address>%<adapter-name>
).Example
localhost,fe80::a00:27ff:fee0:1fcf%enp0s3
Important
To avoid configuration updates due to IP address changes, use DNS hostnames instead of IP addresses. It is particularly important to use a DNS hostname instead of an IP address when configuring replica set members or sharded cluster members.
Use hostnames instead of IP addresses to configure clusters across a split network horizon. Starting in MongoDB 5.0, nodes that are only configured with an IP address fail startup validation and do not start.
Warning
Before you bind your instance to a publicly-accessible IP address, you must secure your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist for Self-Managed Deployments. At minimum, consider enabling authentication and hardening network infrastructure.
For more information about IP Binding, refer to the IP Binding in Self-Managed Deployments documentation.
To bind to all IPv4 addresses, enter
0.0.0.0
.To bind to all IPv4 and IPv6 addresses, enter
::,0.0.0.0
or an asterisk"*"
(enclose the asterisk in quotes to distinguish from YAML alias nodes). Alternatively, use thenet.bindIpAll
setting.Note
net.bindIp
andnet.bindIpAll
are mutually exclusive. That is, you can specify one or the other, but not both.The command-line option
--bind_ip
overrides the configuration file settingnet.bindIp
.
To configure cluster nodes for split horizon DNS, use host names instead of IP addresses.
Starting in MongoDB v5.0,
replSetInitiate
andreplSetReconfig
reject configurations that use IP addresses instead of hostnames.Use
disableSplitHorizonIPCheck
to modify nodes that cannot be updated to use host names. The parameter only applies to the configuration commands.mongod
andmongos
do not rely ondisableSplitHorizonIPCheck
for validation at startup. Legacymongod
andmongos
instances that use IP addresses instead of host names can start after an upgrade.Instances that are configured with IP addresses log a warning to use host names instead of IP addresses.
net.bindIpAll
Type: boolean
Default: false
If true, the
mongos
ormongod
instance binds to all IPv4 addresses (i.e.0.0.0.0
). Ifmongos
ormongod
starts withnet.ipv6 : true
,net.bindIpAll
also binds to all IPv6 addresses (i.e.::
).mongos
ormongod
only supports IPv6 if started withnet.ipv6 : true
. Specifyingnet.bindIpAll
alone does not enable IPv6 support.Warning
Before you bind your instance to a publicly-accessible IP address, you must secure your cluster from unauthorized access. For a complete list of security recommendations, see Security Checklist for Self-Managed Deployments. At minimum, consider enabling authentication and hardening network infrastructure.
For more information about IP Binding, refer to the IP Binding in Self-Managed Deployments documentation.
Alternatively, set
net.bindIp
to::,0.0.0.0
or to an asterisk"*"
(enclose the asterisk in quotes to distinguish from YAML alias nodes) to bind to all IP addresses.Note
net.bindIp
andnet.bindIpAll
are mutually exclusive. Specifying both options causesmongos
ormongod
to throw an error and terminate.
net.maxIncomingConnections
Type: integer
Default (Windows): 1,000,000Default (Linux): (RLIMIT_NOFILE) * 0.8The maximum number of simultaneous connections that
mongos
ormongod
accepts. This setting has no effect if it is higher than your operating system's configured maximum connection tracking threshold.Do not assign too low of a value to this option, or you may encounter errors during normal application operation.
This is particularly useful for a
mongos
if you have a client that creates multiple connections and allows them to timeout rather than closing them.In this case, set
maxIncomingConnections
to a value slightly higher than the maximum number of connections that the client creates, or the maximum size of the connection pool.This setting prevents the
mongos
from causing connection spikes on the individual shards. Spikes like these may disrupt the operation and memory allocation of the sharded cluster.
net.wireObjectCheck
Type: boolean
Default: true
When
true
, themongod
ormongos
instance validates all requests from clients upon receipt to prevent clients from inserting malformed or invalid BSON into a MongoDB database.For objects with a high degree of sub-document nesting,
net.wireObjectCheck
can have a small impact on performance.
net.ipv6
Type: boolean
Default: false
Set
net.ipv6
totrue
to enable IPv6 support.mongos
/mongod
disables IPv6 support by default.Setting
net.ipv6
does not direct themongos
/mongod
to listen on any local IPv6 addresses or interfaces. To configure themongos
/mongod
to listen on an IPv6 interface, you must either:Configure
net.bindIp
with one or more IPv6 addresses or hostnames that resolve to IPv6 addresses, orSet
net.bindIpAll
totrue
.
net.unixDomainSocket
Options
net: unixDomainSocket: enabled: <boolean> pathPrefix: <string> filePermissions: <int>
net.unixDomainSocket.enabled
Type: boolean
Default: true
Enable or disable listening on the UNIX domain socket.
net.unixDomainSocket.enabled
applies only to Unix-based systems.When
net.unixDomainSocket.enabled
istrue
,mongos
ormongod
listens on the UNIX socket.The
mongos
ormongod
process always listens on the UNIX socket unless one of the following is true:net.unixDomainSocket.enabled
isfalse
--nounixsocket
is set. The command line option takes precedence over the configuration file setting.net.bindIp
is not setnet.bindIp
does not specifylocalhost
or its associated IP address
mongos
ormongod
installed from official .deb and .rpm packages have thebind_ip
configuration set to127.0.0.1
by default.
net.unixDomainSocket.pathPrefix
Type: string
Default: /tmp
The path for the UNIX socket.
net.unixDomainSocket.pathPrefix
applies only to Unix-based systems.If this option has no value, the
mongos
ormongod
process creates a socket with/tmp
as a prefix. MongoDB creates and listens on a UNIX socket unless one of the following is true:net.unixDomainSocket.enabled
isfalse
--nounixsocket
is setnet.bindIp
is not setnet.bindIp
does not specifylocalhost
or its associated IP address
net.unixDomainSocket.filePermissions
Type: int
Default:
0700
Sets the permission for the UNIX domain socket file.
net.unixDomainSocket.filePermissions
applies only to Unix-based systems.
net.tls
Options
Note
The tls
options provide identical functionality as the
previous ssl
options.
net: tls: mode: <string> certificateKeyFile: <string> certificateKeyFilePassword: <string> certificateSelector: <string> clusterCertificateSelector: <string> clusterFile: <string> clusterPassword: <string> clusterAuthX509: attributes: <string> extensionValue: <string> CAFile: <string> clusterCAFile: <string> CRLFile: <string> allowConnectionsWithoutCertificates: <boolean> allowInvalidCertificates: <boolean> allowInvalidHostnames: <boolean> disabledProtocols: <string> FIPSMode: <boolean> logVersions: <string>
net.tls.mode
Type: string
Enables TLS used for all network connections. The argument to the
net.tls.mode
setting can be one of the following:ValueDescriptiondisabled
The server does not use TLS.
allowTLS
Connections between servers do not use TLS. For incoming connections, the server accepts both TLS and non-TLS.
preferTLS
Connections between servers use TLS. For incoming connections, the server accepts both TLS and non-TLS.
requireTLS
The server uses and accepts only TLS encrypted connections.
If
--tlsCAFile
ortls.CAFile
is not specified and you are not using x.509 authentication, you must set thetlsUseSystemCA
parameter totrue
. This makes MongoDB use the system-wide CA certificate store when connecting to a TLS-enabled server.If using x.509 authentication,
--tlsCAFile
ortls.CAFile
must be specified unless using--tlsCertificateSelector
.For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
net.tls.certificateKeyFile
Type: string
The
.pem
file that contains both the TLS certificate and key.On macOS or Windows, you can use the
net.tls.certificateSelector
setting to specify a certificate from the operating system's secure certificate store instead of a PEM key file.certificateKeyFile
andnet.tls.certificateSelector
are mutually exclusive. You can only specify one.On Linux/BSD, you must specify
net.tls.certificateKeyFile
when TLS is enabled.On Windows or macOS, you must specify either
net.tls.certificateKeyFile
ornet.tls.certificateSelector
when TLS is enabled.Important
For Windows only, MongoDB does not support encrypted PEM files. The
mongod
fails to start if it encounters an encrypted PEM file. To securely store and access a certificate for use with TLS on Windows, usenet.tls.certificateSelector
.
For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
net.tls.certificateKeyFilePassword
Type: string
The password to de-crypt the certificate-key file (i.e.
certificateKeyFile
). Use thenet.tls.certificateKeyFilePassword
option only if the certificate-key file is encrypted. In all cases, themongos
ormongod
redacts the password from all logging and reporting output.On Linux/BSD, if the private key in the PEM file is encrypted and you do not specify the
net.tls.certificateKeyFilePassword
option, MongoDB prompts for a passphrase.For more information, see TLS/SSL Certificate Passphrase.
On macOS, if the private key in the PEM file is encrypted, you must explicitly specify the
net.tls.certificateKeyFilePassword
option. Alternatively, you can use a certificate from the secure system store (seenet.tls.certificateSelector
) instead of a PEM key file or use an unencrypted PEM file.On Windows, MongoDB does not support encrypted certificates. The
mongod
fails if it encounters an encrypted PEM file. Usenet.tls.certificateSelector
instead.For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
net.tls.certificateSelector
Type: string
Specifies a certificate property in order to select a matching certificate from the operating system's certificate store to use for TLS/SSL. Available on Windows and macOS as an alternative to
net.tls.certificateKeyFile
.net.tls.certificateKeyFile
andnet.tls.certificateSelector
options are mutually exclusive. You can only specify one.net.tls.certificateSelector
accepts an argument of the format<property>=<value>
where the property can be one of the following:PropertyValue typeDescriptionsubject
ASCII string
Subject name or common name on certificate
thumbprint
hex string
A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.
The
thumbprint
is sometimes referred to as afingerprint
.When using the system SSL certificate store, OCSP (Online Certificate Status Protocol) is used to validate the revocation status of certificates.
The
mongod
searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified TLS certificate. Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the TLS certificate.Warning
If you use
net.tls.certificateSelector
and/ornet.tls.clusterCertificateSelector
, we do not recommend usingnet.tls.CAFile
ornet.tls.clusterFile
to specify the root and intermediate CA certificateFor example, if the TLS certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. If the TLS certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermedia CA certificate and the root CA certificate.
Note
You cannot use the
rotateCertificates
command or thedb.rotateCertificates()
shell method when usingnet.tls.certificateSelector
or--tlsCertificateSelector
set tothumbprint
net.tls.clusterCertificateSelector
Type: string
Specifies a certificate property to select a matching certificate from the operating system's secure certificate store to use for internal x.509 membership authentication.
Available on Windows and macOS as an alternative to
net.tls.clusterFile
.net.tls.clusterFile
andnet.tls.clusterCertificateSelector
options are mutually exclusive. You can only specify one.net.tls.clusterCertificateSelector
accepts an argument of the format<property>=<value>
where the property can be one of the following:PropertyValue typeDescriptionsubject
ASCII string
Subject name or common name on certificate
thumbprint
hex string
A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.
The
thumbprint
is sometimes referred to as afingerprint
.The
mongod
searches the operating system's secure certificate store for the CA certificates required to validate the full certificate chain of the specified cluster certificate. Specifically, the secure certificate store must contain the root CA and any intermediate CA certificates required to build the full certificate chain to the cluster certificate.Warning
If you use
net.tls.certificateSelector
and/ornet.tls.clusterCertificateSelector
, we do not recommend usingnet.tls.CAFile
ornet.tls.clusterCAFile
to specify the root and intermediate CA certificate.For example, if the cluster certificate was signed with a single root CA certificate, the secure certificate store must contain that root CA certificate. If the cluster certificate was signed with an intermediate CA certificate, the secure certificate store must contain the intermediate CA certificate and the root CA certificate.
mongod
/mongos
logs a warning on connection if the presented x.509 certificate expires within30
days of themongod/mongos
host system time.
net.tls.clusterFile
Type: string
The
.pem
file that contains the x.509 certificate-key file for membership authentication for the cluster or replica set.On macOS or Windows, you can use the
net.tls.clusterCertificateSelector
option to specify a certificate from the operating system's secure certificate store instead of a PEM key file.net.tls.clusterFile
andnet.tls.clusterCertificateSelector
options are mutually exclusive. You can only specify one.If
net.tls.clusterFile
does not specify the.pem
file for internal cluster authentication or the alternativenet.tls.clusterCertificateSelector
, the cluster uses the.pem
file specified in thecertificateKeyFile
setting or the certificate returned by thenet.tls.certificateSelector
.If using x.509 authentication,
--tlsCAFile
ortls.CAFile
must be specified unless using--tlsCertificateSelector
.mongod
/mongos
logs a warning on connection if the presented x.509 certificate expires within30
days of themongod/mongos
host system time.For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .Important
For Windows only, MongoDB does not support encrypted PEM files. The
mongod
fails to start if it encounters an encrypted PEM file. To securely store and access a certificate for use with membership authentication on Windows, usenet.tls.clusterCertificateSelector
.
net.tls.clusterPassword
Type: string
The password to de-crypt the x.509 certificate-key file specified with
--sslClusterFile
. Use thenet.tls.clusterPassword
option only if the certificate-key file is encrypted. In all cases,mongos
ormongod
redacts the password from all logging and reporting output.On Linux/BSD, if the private key in the x.509 file is encrypted and you do not specify the
net.tls.clusterPassword
option, MongoDB prompts for a passphrase.For more information, see TLS/SSL Certificate Passphrase.
On macOS, if the private key in the x.509 file is encrypted, you must explicitly specify the
net.tls.clusterPassword
option. Alternatively, you can either use a certificate from the secure system store (seenet.tls.clusterCertificateSelector
) instead of a cluster PEM file or use an unencrypted PEM file.On Windows, MongoDB does not support encrypted certificates. The
mongod
fails if it encounters an encrypted PEM file. Usenet.tls.clusterCertificateSelector
.For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
net.tls.clusterAuthX509
New in version 7.0.
net: tls: clusterAuthX509: attributes: <string> extensionValue: <string>
net.tls.clusterAuthX509.attributes
Type: string
New in version 7.0.
Specifies a set of X.509 Distinguished Name (DN) attributes and values that the server expects cluster member nodes to contain in their certificate subject names. This lets you use certificates that don't contain DC, O, and OU values to authenticate cluster members.
When
attributes
is set, MongoDB matches certificates using the DN and ignores extension values.
net.tls.clusterAuthX509.extensionValue
Type: string
New in version 7.0.
Specifies an extension value that corresponds to the MongoDB cluster membership extension OID, 1.3.6.1.4.1.34601.2.1.2, that the server expects cluster member nodes to contain in their certificates. This allows you to use certificates that don't contain DC, O, and OU values to authenticate cluster members.
When
extensionValue
is set, MongoDB matches certificates using certificate extension values and ignores the Distinguished Name (DN).
net.tls.CAFile
Type: string
The
.pem
file that contains the root certificate chain from the Certificate Authority. Specify the file name of the.pem
file using relative or absolute paths.- Windows/macOS Only
- If using
net.tls.certificateSelector
and/ornet.tls.clusterCertificateSelector
, do not usenet.tls.CAFile
to specify the root and intermediate CA certificates. Store all CA certificates required to validate the full trust chain of thenet.tls.certificateSelector
and/ornet.tls.clusterCertificateSelector
certificates in the secure certificate store.
For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
net.tls.clusterCAFile
Type: string
The
.pem
file that contains the root certificate chain from the Certificate Authority used to validate the certificate presented by a client establishing a connection. Specify the file name of the.pem
file using relative or absolute paths.net.tls.clusterCAFile
requires thatnet.tls.CAFile
is set.If
net.tls.clusterCAFile
does not specify the.pem
file for validating the certificate from a client establishing a connection, the cluster uses the.pem
file specified in thenet.tls.CAFile
option.net.tls.clusterCAFile
lets you use separate Certificate Authorities to verify the client to server and server to client portions of the TLS handshake.Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. See
net.tls.clusterCertificateSelector
. When using the secure store, you do not need to, but can, also specify thenet.tls.clusterCAFile
.- Windows/macOS Only
- If using
net.tls.certificateSelector
and/ornet.tls.clusterCertificateSelector
, do not usenet.tls.clusterCAFile
to specify the root and intermediate CA certificates. Store all CA certificates required to validate the full trust chain of thenet.tls.certificateSelector
and/ornet.tls.clusterCertificateSelector
certificates in the secure certificate store.
For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
net.tls.CRLFile
Type: string
The
.pem
file that contains the Certificate Revocation List. Specify the file name of the.pem
file using relative or absolute paths.Note
You cannot specify
net.tls.CRLFile
on macOS. Instead, you can use the system SSL certificate store, which uses OCSP (Online Certificate Status Protocol) to validate the revocation status of certificates. Seenet.tls.certificateSelector
to use the system SSL certificate store.To check for certificate revocation, MongoDB
enables
the use of OCSP (Online Certificate Status Protocol) by default as an alternative to specifying a CRL file or using the system SSL certificate store.
For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
net.tls.allowConnectionsWithoutCertificates
Type: boolean
Default: false
If
false
, all clients must provide client TLS certificates. Iftrue
, clients don't need to provide client certificates, butmongod
ormongos
encrypts the TLS/SSL connection.If a client provides a client certificate, regardless of what value you set for
net.tls.allowConnectionsWithoutCertificates
,mongos
ormongod
performs certificate validation using the root certificate chain specified byCAFile
, or the system CA store iftlsUseSystemCA
istrue
, and rejects clients with invalid certificates.Use the
net.tls.allowConnectionsWithoutCertificates
option if you have a mixed deployment that includes clients that do not or cannot present certificates to themongos
ormongod
.For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
net.tls.allowInvalidCertificates
Type: boolean
Default: false
Enable or disable the validation checks for TLS certificates on other servers in the cluster and allows the use of invalid certificates to connect.
Note
If you specify
--tlsAllowInvalidCertificates
ortls.allowInvalidCertificates: true
when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS connection but is insufficient for authentication.When using the
net.tls.allowInvalidCertificates
setting, MongoDB logs a warning regarding the use of the invalid certificate.For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and Self-Managed Internal/Membership Authentication.
net.tls.allowInvalidHostnames
Type: boolean
Default: false
When
net.tls.allowInvalidHostnames
istrue
, MongoDB disables the validation of the hostnames in TLS certificates. This allowsmongod
ormongos
to connect to other MongoDB instances in the cluster, even if the hostname of their certificates does not match the specified hostname.For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL.
net.tls.disabledProtocols
Type: string
Prevents a MongoDB server running with TLS from accepting incoming connections that use a specific protocol or protocols. To specify multiple protocols, use a comma separated list of protocols, but do not use spaces after the commas. If you include a space before a protocol name, the server interprets it as an unrecognized protocol and doesn't start.
net.tls.disabledProtocols
recognizes the following protocols:TLS1_0
,TLS1_1
,TLS1_2
, andTLS1_3
.On macOS, you cannot disable
TLS1_1
and leave bothTLS1_0
andTLS1_2
enabled. You must disable at least one of the other two, for example,TLS1_0,TLS1_1
.To list multiple protocols, specify as a comma separated list of protocols without spaces after the commas. For example
TLS1_0,TLS1_1
.Specifying an unrecognized protocol or including a space after a comma prevents the server from starting.
The specified disabled protocols overrides any default disabled protocols.
MongoDB disables the use of TLS 1.0 if TLS 1.1+ is available on the system. To enable TLS 1.0, specify
none
tonet.tls.disabledProtocols
.Members of replica sets and sharded clusters must speak at least one protocol in common.
net.tls.FIPSMode
Type: boolean
Default: false
Enable or disable the use of the FIPS mode of the TLS library for the
mongos
ormongod
. Your system must have a FIPS compliant library to use thenet.tls.FIPSMode
option.Note
FIPS-compatible TLS/SSL is available only in MongoDB Enterprise. See Configure MongoDB for FIPS for more information.
net.tls.logVersions
Type: string
Instructs
mongos
ormongod
to log a message when a client connects using a specified TLS version.Specify either a single TLS version or a comma-separated list of multiple TLS versions.
Example
To instruct
mongos
ormongod
to log a message when a client connects using either TLS 1.2 or TLS 1.3, setnet.tls.logVersions
to"TLS1_2,TLS1_3"
.
net.compression
Option
net: compression: compressors: <string>
net.compression.compressors
Default: snappy,zstd,zlib
Specifies the default compressor(s) to use for communication between this
mongod
ormongos
instance and:other members of the deployment if the instance is part of a replica set or a sharded cluster
drivers that support the
OP_COMPRESSED
message format.
MongoDB supports the following compressors:
To disable network compression, set the value to
disabled
.Important
Messages are compressed when both parties enable network compression. Otherwise, messages between the parties are uncompressed.
If you specify multiple compressors, then the order in which you list the compressors matter as well as the communication initiator. For example, if
mongosh
specifies the following network compressorszlib,snappy
and themongod
specifiessnappy,zlib
, messages betweenmongosh
andmongod
useszlib
.If the parties do not share at least one common compressor, messages between the parties are uncompressed. For example, if
mongosh
specifies the network compressorzlib
andmongod
specifiessnappy
, messages betweenmongosh
andmongod
are not compressed.
security
Options
security: keyFile: <string> clusterAuthMode: <string> authorization: <string> transitionToAuth: <boolean> javascriptEnabled: <boolean> redactClientLogData: <boolean> clusterIpSourceAllowlist: - <string> sasl: hostName: <string> serviceName: <string> saslauthdSocketPath: <string> enableEncryption: <boolean> encryptionCipherMode: <string> encryptionKeyFile: <string> kmip: keyIdentifier: <string> rotateMasterKey: <boolean> serverName: <string> port: <string> clientCertificateFile: <string> clientCertificatePassword: <string> clientCertificateSelector: <string> serverCAFile: <string> connectRetries: <int> connectTimeoutMS: <int> ldap: servers: <string> bind: method: <string> saslMechanisms: <string> queryUser: <string> queryPassword: <string | array> useOSDefaults: <boolean> transportSecurity: <string> timeoutMS: <int> userToDNMapping: <string> authz: queryTemplate: <string> validateLDAPServerConfig: <boolean>
security.keyFile
Type: string
The path to a key file that stores the shared secret that MongoDB instances use to authenticate to each other in a sharded cluster or replica set.
keyFile
impliessecurity.authorization
. See Self-Managed Internal/Membership Authentication for more information.Keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts either:
A single key string (same as in earlier versions)
A sequence of key strings
The YAML format is compatible with the existing single-key keyfiles that use the text file format.
security.clusterAuthMode
Type: string
Default: keyFile
The authentication mode used for cluster authentication. If you use internal x.509 authentication, specify so here. This option can have one of the following values:
ValueDescriptionkeyFile
Use a keyfile for authentication. Accept only keyfiles.
sendKeyFile
For rolling upgrade purposes. Send a keyfile for authentication but can accept both keyfiles and x.509 certificates.
sendX509
For rolling upgrade purposes. Send the x.509 certificate for authentication but can accept both keyfiles and x.509 certificates.
x509
Recommended. Send the x.509 certificate for authentication and accept only x.509 certificates.
If
--tlsCAFile
ortls.CAFile
is not specified and you are not using x.509 authentication, you must set thetlsUseSystemCA
parameter totrue
. This makes MongoDB use the system-wide CA certificate store when connecting to a TLS-enabled server.If using x.509 authentication,
--tlsCAFile
ortls.CAFile
must be specified unless using--tlsCertificateSelector
.For more information about TLS and MongoDB, see Configure
mongod
andmongos
for TLS/SSL and TLS/SSL Configuration for Clients .
security.authorization
Type: string
Default: disabled
Enable or disable Role-Based Access Control (RBAC) to govern each user's access to database resources and operations.
Set this option to one of the following:
ValueDescriptionenabled
A user can access only the database resources and actions for which they have been granted privileges.
disabled
A user can access any database and perform any action.
See Role-Based Access Control in Self-Managed Deployments for more information.
The
security.authorization
setting is available only formongod
.
security.transitionToAuth
Type: boolean
Default: false
Allows the
mongod
ormongos
to accept and create authenticated and non-authenticated connections to and from othermongod
andmongos
instances in the deployment. Used for performing rolling transition of replica sets or sharded clusters from a no-auth configuration to internal authentication. Requires specifying a internal authentication mechanism such assecurity.keyFile
.For example, if using keyfiles for internal authentication, the
mongod
ormongos
creates an authenticated connection with anymongod
ormongos
in the deployment using a matching keyfile. If the security mechanisms do not match, themongod
ormongos
utilizes a non-authenticated connection instead.A
mongod
ormongos
running withsecurity.transitionToAuth
does not enforce user access controls. Users may connect to your deployment without any access control checks and perform read, write, and administrative operations.Note
A
mongod
ormongos
running with internal authentication and withoutsecurity.transitionToAuth
requires clients to connect using user access controls. Update clients to connect to themongod
ormongos
using the appropriate user prior to restartingmongod
ormongos
withoutsecurity.transitionToAuth
.
security.javascriptEnabled
Type: boolean
Default: true
Important
Server-side JavaScript Deprecated
Starting in MongoDB 8.0, server-side JavaScript functions (
$accumulator
,$function
,$where
) are deprecated. MongoDB logs a warning when you run these functions.Map-reduce is deprecated starting in MongoDB 5.0.
Enables or disables server-side JavaScript execution. When disabled, you cannot use operations that perform server-side execution of JavaScript code, such as the
$where
query operator,mapReduce
command,$accumulator
, and$function
.If you do not use these operations, disable server-side scripting.
The
security.javascriptEnabled
is available for bothmongod
andmongos
. In earlier versions, the setting is only available formongod
.
security.redactClientLogData
Type: boolean
Available in MongoDB Enterprise only.
A
mongod
ormongos
running withsecurity.redactClientLogData
redacts any message accompanying a given log event before logging. This prevents themongod
ormongos
from writing potentially sensitive data stored on the database to the diagnostic log. Metadata such as error or operation codes, line numbers, and source file names are still visible in the logs.Use
security.redactClientLogData
in conjunction with Encryption at Rest and TLS/SSL (Transport Encryption) to assist compliance with regulatory requirements.For example, a MongoDB deployment might store Personally Identifiable Information (PII) in one or more collections. The
mongod
ormongos
logs events such as those related to CRUD operations, sharding metadata, etc. It is possible that themongod
ormongos
may expose PII as a part of these logging operations. Amongod
ormongos
running withsecurity.redactClientLogData
removes any message accompanying these events before being output to the log, effectively removing the PII.Diagnostics on a
mongod
ormongos
running withsecurity.redactClientLogData
may be more difficult due to the lack of data related to a log event. See the process logging manual page for an example of the effect ofsecurity.redactClientLogData
on log output.On a running
mongod
ormongos
, usesetParameter
with theredactClientLogData
parameter to configure this setting.
security.clusterIpSourceAllowlist
Type: list
New in version 5.0.
Changed in version 5.2.
A list of IP addresses/CIDR (Classless Inter-Domain Routing) ranges against which the
mongod
validates authentication requests from other members of the replica set and, if part of a sharded cluster, themongos
instances. Themongod
verifies that the originating IP is either explicitly in the list or belongs to a CIDR range in the list. If the IP address is not present, the server does not authenticate themongod
ormongos
.security.clusterIpSourceAllowlist
has no effect on amongod
started without authentication.Starting in MongoDB 5.2, you can configure
security.clusterIpSourceAllowlist
on a runningmongod
ormongos
usingsetParameter
.This example updates
security.clusterIpSourceAllowlist
during runtime to include the IP addresses"1.1.1.1/24"
,"2.2.2.2/16"
, and"3.3.3.3"
.db.adminCommand( { setParameter: 1, "clusterIpSourceAllowlist": ["1.1.1.1/24", "2.2.2.2/16", "3.3.3.3"] } ); This example updates
security.clusterIpSourceAllowlist
during runtime to exclude all IP addresses:db.adminCommand( { setParameter: 1, "clusterIpSourceAllowlist": null } ); security.clusterIpSourceAllowlist
has no effect on amongod
started without authentication.security.clusterIpSourceAllowlist
requires specifying each IPv4/6 address or Classless Inter-Domain Routing (CIDR) range as a YAML list:security: clusterIpSourceAllowlist: - 192.0.2.0/24 - 127.0.0.1 - ::1 Important
Ensure
security.clusterIpSourceAllowlist
includes the IP address or CIDR ranges that include the IP address of each replica set member ormongos
in the deployment to ensure healthy communication between cluster components.
security.clusterIpSourceWhitelist
Type: list
Deprecated in version 5.0: Use
security.clusterIpSourceAllowlist
instead.A list of IP addresses/CIDR (Classless Inter-Domain Routing) ranges against which the
mongod
validates authentication requests from other members of the replica set and, if part of a sharded cluster, themongos
instances. Themongod
verifies that the originating IP is either explicitly in the list or belongs to a CIDR range in the list. If the IP address is not present, the server does not authenticate themongod
ormongos
.security.clusterIpSourceWhitelist
has no effect on amongod
started without authentication.security.clusterIpSourceWhitelist
requires specifying each IPv4/6 address or Classless Inter-Domain Routing (CIDR) range as a YAML list:security: clusterIpSourceWhitelist: - 192.0.2.0/24 - 127.0.0.1 - ::1 Important
Ensure
security.clusterIpSourceWhitelist
includes the IP address or CIDR ranges that include the IP address of each replica set member ormongos
in the deployment to ensure healthy communication between cluster components.
Key Management Configuration Options
security: enableEncryption: <boolean> encryptionCipherMode: <string> encryptionKeyFile: <string> kmip: keyIdentifier: <string> rotateMasterKey: <boolean> serverName: <string> port: <string> clientCertificateFile: <string> clientCertificatePassword: <string> clientCertificateSelector: <string> serverCAFile: <string> connectRetries: <int> connectTimeoutMS: <int> activateKeys: <boolean> keyStatePollingSeconds: <int>
security.enableEncryption
Type: boolean
Default: false
Enables encryption for the WiredTiger storage engine. You must set to
true
to pass in encryption keys and configurations.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.encryptionCipherMode
Type: string
Default:
AES256-CBC
The cipher mode to use for encryption at rest:
ModeDescriptionAES256-CBC
256-bit Advanced Encryption Standard in Cipher Block Chaining Mode
AES256-GCM
256-bit Advanced Encryption Standard in Galois/Counter Mode
Available only on Linux.
MongoDB Enterprise on Windows no longer supports
AES256-GCM
as a block cipher for encryption at rest. This usage is only supported on Linux.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.encryptionKeyFile
Type: string
The path to the local keyfile when managing keys through a process other than KMIP. Only set when managing keys through a process other than KMIP. If data is already encrypted using KMIP, MongoDB throws an error.
Requires
security.enableEncryption
to betrue
.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.keyIdentifier
Type: string
Unique KMIP identifier for an existing key within the KMIP server. Include to use the key associated with the identifier as the system key. You can only use the setting the first time you enable encryption for the
mongod
instance. Requiressecurity.enableEncryption
to be true.If unspecified, MongoDB requests that the KMIP server create a new key to utilize as the system key.
If the KMIP server cannot locate a key with the specified identifier or the data is already encrypted with a key, MongoDB throws an error.
Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.rotateMasterKey
Type: boolean
Default: false
If true, rotate the master key and re-encrypt the internal keystore.
Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.serverName
Type: string
Hostname or IP address of the KMIP server to connect to. Requires
security.enableEncryption
to be true.You can specify multiple KMIP servers as a comma-separated list, for example
server1.example.com,server2.example.com
. On startup, themongod
attempts to establish a connection to each server in the order listed, and selects the first server to which it can successfully establish a connection. KMIP server selection occurs only at startup.mongod
verifies the connection to the KMIP server on startup.The server name specified in
--kmipServerName
must match either the Subject Alternative NameSAN
or the Common NameCN
on the certificate presented by the KMIP server.SAN
can be a system name or an IP address.If
SAN
is present,mongod
does not try to match againstCN
.If the hostname or IP address of the KMIP server does does not match either
SAN
orCN
,mongod
does not start.Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB supports comparison of DNS names or IP addresses. In previous versions, MongoDB only supports comparisons of DNS names.
Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.port
Type: string
Default: 5696
Port number to use to communicate with the KMIP server. Requires
security.kmip.serverName
. Requiressecurity.enableEncryption
to be true.If specifying multiple KMIP servers with
security.kmip.serverName
, themongod
uses the port specified withsecurity.kmip.port
for all provided KMIP servers.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.clientCertificateFile
Type: string
Path to the
.pem
file used to authenticate MongoDB to the KMIP server. The specified.pem
file must contain both the TLS/SSL certificate and key.To use this setting, you must also specify the
security.kmip.serverName
setting.Important
Enabling encryption using a KMIP server on Windows fails when using
security.kmip.clientCertificateFile
and the KMIP server enforces TLS 1.2.To enable encryption at rest with KMIP on Windows, you must:
Import the client certificate into the Windows Certificate Store.
Use the
security.kmip.clientCertificateSelector
option.
Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.clientCertificatePassword
Type: string
The password to decrypt the Private Key of the Client Certificate that connects to the KMIP server. This option authenticates MongoDB to the KMIP server and requires that you provide a
--kmipClientCertificateFile
.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.clientCertificateSelector
Type: string
New in version 5.0: Available on Windows and macOS as an alternative to
security.kmip.clientCertificateFile
.security.kmip.clientCertificateFile
andsecurity.kmip.clientCertificateSelector
options are mutually exclusive. You can only specify one.Specifies a certificate property in order to select a matching certificate from the operating system's certificate store to authenticate MongoDB to the KMIP server.
security.kmip.clientCertificateSelector
accepts an argument of the format<property>=<value>
where the property can be one of the following:PropertyValue typeDescriptionsubject
ASCII string
Subject name or common name on certificate
thumbprint
hex string
A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.
The
thumbprint
is sometimes referred to as afingerprint
.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.serverCAFile
Type: string
Path to CA File. Used for validating secure client connection to KMIP server.
Note
Starting in 4.0, on macOS or Windows, you can use a certificate from the operating system's secure store instead of a PEM key file. See
security.kmip.clientCertificateSelector
. When using the secure store, you do not need to, but can, also specify thesecurity.kmip.serverCAFile
.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.connectRetries
Type: int
Default: 0
How many times to retry the initial connection to the KMIP server. Use together with
connectTimeoutMS
to control how long themongod
waits for a response between each retry.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.connectTimeoutMS
Type: int
Default: 5000
Timeout in milliseconds to wait for a response from the KMIP server. If the
connectRetries
setting is specified, themongod
waits up to the value specified withconnectTimeoutMS
for each retry.Value must be
1000
or greater.Note
Enterprise Feature
Available in MongoDB Enterprise only.
security.kmip.activateKeys
Type: boolean
Default: true
New in version 5.3.
Activates all newly created KMIP keys upon creation and then periodically checks those keys are in an active state.
When
security.kmip.activateKeys
istrue
and you have existing keys on a KMIP server, the key must be activated first or themongod
node fails to start.If the key being used by the mongod transitions into a non-active state, the
mongod
node shuts down unlesskmipActivateKeys
is false. To ensure you have an active key, rotate the KMIP master key by usingsecurity.kmip.rotateMasterKey
.
security.kmip.keyStatePollingSeconds
Type: int
Default: 900 seconds
New in version 5.3.
Frequency in seconds at which mongod polls the KMIP server for active keys.
To disable disable polling, set the value to
-1
.
security.kmip.useLegacyProtocol
Type: boolean
Default: false
New in version 7.0: (and 6.0.6)
When
true
,mongod
uses KMIP protocol version 1.0 or 1.1 instead of the default version. The default KMIP protocol is version 1.2.To use audit log encryption with KMIP version 1.0 or 1.1, you must specify
auditEncryptKeyWithKMIPGet
at startup.To use KMIP protocol version 1.0 or 1.1, substitute your local values and add an entry like this to your
mongod
configuration file:security: enableEncryption: true kmip: serverName: "mdbhost.somecompany.com" serverCAFile: "security/libs/trusted-ca.pem" clientCertificateFile: "security/libs/trusted-client.pem" useLegacyProtocol: true
security.sasl
Options
security: sasl: hostName: <string> serviceName: <string> saslauthdSocketPath: <string>
security.sasl.hostName
Type: string
A fully qualified server domain name for the purpose of configuring SASL and Kerberos authentication. The SASL hostname overrides the hostname only for the configuration of SASL and Kerberos.
security.sasl.serviceName
Type: string
Registered name of the service using SASL. This option allows you to override the default Kerberos service name component of the Kerberos principal name, on a per-instance basis. If unspecified, the default value is
mongodb
.MongoDB permits setting this option only at startup. The
setParameter
can not change this setting.This option is available only in MongoDB Enterprise.
Important
Ensure that your driver supports alternate service names. For
mongosh
and other MongoDB tools to connect to the newserviceName
, see thegssapiServiceName
option.
security.ldap
Options
Note
Starting in MongoDB 8.0, LDAP authentication and authorization is deprecated. LDAP is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.
For details, see LDAP Deprecation.
security: ldap: servers: <string> bind: method: <string> saslMechanisms: <string> queryUser: <string> queryPassword: <string | array> useOSDefaults: <boolean> transportSecurity: <string> timeoutMS: <int> retryCount: <int> userToDNMapping: <string> authz: queryTemplate: <string> validateLDAPServerConfig: <boolean>
security.ldap.servers
Type: string
Available in MongoDB Enterprise only.
The LDAP server against which the
mongod
ormongos
authenticates users or determines what actions a user is authorized to perform on a given database. If the LDAP server specified has any replicated instances, you may specify the host and port of each replicated server in a comma-delimited list.If your LDAP infrastructure partitions the LDAP directory over multiple LDAP servers, specify one LDAP server or any of its replicated instances to
security.ldap.servers
. MongoDB supports following LDAP referrals as defined in RFC 4511 4.1.10. Do not usesecurity.ldap.servers
for listing every LDAP server in your infrastructure.You can prefix LDAP servers with
srv:
andsrv_raw:
.If your connection string specifies
"srv:<DNS_NAME>"
,mongod
verifies that"_ldap._tcp.gc._msdcs.<DNS_NAME>"
exists for SRV to support Active Directory. If not found,mongod
verifies that"_ldap._tcp.<DNS_NAME>"
exists for SRV. If an SRV record cannot be found,mongod
warns you to use"srv_raw:<DNS_NAME>"
instead.If your connection string specifies
"srv_raw:<DNS_NAME>"
,mongod
performs an SRV record lookup for"<DNS NAME>"
.This setting can be configured on a running
mongod
ormongos
usingsetParameter
.If unset,
mongod
ormongos
cannot use LDAP authentication or authorization.
security.ldap.bind.queryUser
Type: string
Available in MongoDB Enterprise only.
The identity with which
mongod
ormongos
binds as, when connecting to or performing queries on an LDAP server.Only required if any of the following are true:
Using LDAP authorization.
Using an LDAP query for
security.ldap.userToDNMapping
.The LDAP server disallows anonymous binds
You must use
queryUser
withqueryPassword
.If unset,
mongod
ormongos
does not attempt to bind to the LDAP server.This setting can be configured on a running
mongod
ormongos
usingsetParameter
.Note
Windows MongoDB deployments can use
useOSDefaults
instead ofqueryUser
andqueryPassword
. You cannot specify bothqueryUser
anduseOSDefaults
at the same time.
security.ldap.bind.queryPassword
Type: string or array
Available in MongoDB Enterprise only.
The password used to bind to an LDAP server when using
queryUser
. You must usequeryPassword
withqueryUser
.If not set,
mongod
ormongos
does not attempt to bind to the LDAP server.You can configure this setting on a running
mongod
ormongos
usingsetParameter
.The
ldapQueryPassword
setParameter
command accepts either a string or an array of strings. IfldapQueryPassword
is set to an array, MongoDB tries each password in order until one succeeds. Use a password array to roll over the LDAP account password without downtime.Note
Windows MongoDB deployments can use
useOSDefaults
instead ofqueryUser
andqueryPassword
. You cannot specify bothqueryPassword
anduseOSDefaults
at the same time.
security.ldap.bind.useOSDefaults
Type: boolean
Default: false
Available in MongoDB Enterprise for the Windows platform only.
Allows
mongod
ormongos
to authenticate, or bind, using your Windows login credentials when connecting to the LDAP server.Only required if:
Using LDAP authorization.
Using an LDAP query for
username transformation
.The LDAP server disallows anonymous binds
Use
useOSDefaults
to replacequeryUser
andqueryPassword
.
security.ldap.bind.method
Type: string
Default: simple
Available in MongoDB Enterprise only.
The method
mongod
ormongos
uses to authenticate to an LDAP server. Use withqueryUser
andqueryPassword
to connect to the LDAP server.method
supports the following values:If you specify
sasl
, you can configure the available SASL mechanisms usingsecurity.ldap.bind.saslMechanisms
.mongod
ormongos
defaults to usingDIGEST-MD5
mechanism.
security.ldap.bind.saslMechanisms
Type: string
Default: DIGEST-MD5
Available in MongoDB Enterprise only.
A comma-separated list of SASL mechanisms
mongod
ormongos
can use when authenticating to the LDAP server. Themongod
ormongos
and the LDAP server must agree on at least one mechanism. Themongod
ormongos
dynamically loads any SASL mechanism libraries installed on the host machine at runtime.Install and configure the appropriate libraries for the selected SASL mechanism(s) on both the
mongod
ormongos
host and the remote LDAP server host. Your operating system may include certain SASL libraries by default. Defer to the documentation associated with each SASL mechanism for guidance on installation and configuration.If using the
GSSAPI
SASL mechanism for use with Kerberos Authentication on Self-Managed Deployments, verify the following for themongod
ormongos
host machine:Linux
The
KRB5_CLIENT_KTNAME
environment variable resolves to the name of the client Linux Keytab Files for the host machine. For more on Kerberos environment variables, please defer to the Kerberos documentation.The client keytab includes a User Principal for the
mongod
ormongos
to use when connecting to the LDAP server and execute LDAP queries.
Windows
- If connecting to an Active Directory server, the Windows
Kerberos configuration automatically generates a
Ticket-Granting-Ticket
when the user logs onto the system. Set
useOSDefaults
totrue
to allowmongod
ormongos
to use the generated credentials when connecting to the Active Directory server and execute queries.
Set
method
tosasl
to use this option.Note
For a complete list of SASL mechanisms see the IANA listing. Defer to the documentation for your LDAP or Active Directory service for identifying the SASL mechanisms compatible with the service.
MongoDB is not a source of SASL mechanism libraries, nor is the MongoDB documentation a definitive source for installing or configuring any given SASL mechanism. For documentation and support, defer to the SASL mechanism library vendor or owner.
For more information on SASL, defer to the following resources:
For Linux, please see the Cyrus SASL documentation.
For Windows, please see the Windows SASL documentation.
security.ldap.transportSecurity
Type: string
Default: tls
Available in MongoDB Enterprise only.
By default,
mongod
ormongos
creates a TLS/SSL secured connection to the LDAP server.For Linux deployments, you must configure the appropriate TLS Options in
/etc/openldap/ldap.conf
file. Your operating system's package manager creates this file as part of the MongoDB Enterprise installation, through thelibldap
dependency. See the documentation forTLS Options
in the ldap.conf OpenLDAP documentation for more complete instructions.For Windows deployment, you must add the LDAP server CA certificates to the Windows certificate management tool. The exact name and functionality of the tool may vary depending on operating system version. Please see the documentation for your version of Windows for more information on certificate management.
Set
transportSecurity
tonone
to disable TLS/SSL betweenmongod
ormongos
and the LDAP server.Warning
Setting
transportSecurity
tonone
transmits plaintext information and possibly credentials betweenmongod
ormongos
and the LDAP server.
security.ldap.timeoutMS
Type: int
Default: 10000
Available in MongoDB Enterprise only.
The amount of time in milliseconds
mongod
ormongos
should wait for an LDAP server to respond to a request.Increasing the value of
timeoutMS
may prevent connection failure between the MongoDB server and the LDAP server, if the source of the failure is a connection timeout. Decreasing the value oftimeoutMS
reduces the time MongoDB waits for a response from the LDAP server.This setting can be configured on a running
mongod
ormongos
usingsetParameter
.
security.ldap.retryCount
New in version 6.1.
Type: int
Default: 0
Available in MongoDB Enterprise only.
Number of operation retries by the server LDAP manager after a network error.
This setting can be configured on a running
mongod
ormongos
usingsetParameter
.
security.ldap.userToDNMapping
Type: string
Available in MongoDB Enterprise only.
Maps the username provided to
mongod
ormongos
for authentication to a LDAP Distinguished Name (DN). You may need to useuserToDNMapping
to transform a username into an LDAP DN in the following scenarios:Performing LDAP authentication with simple LDAP binding, where users authenticate to MongoDB with usernames that are not full LDAP DNs.
Using an
LDAP authorization query template
that requires a DN.Transforming the usernames of clients authenticating to Mongo DB using different authentication mechanisms (for example, x.509, kerberos) to a full LDAP DN for authorization.
userToDNMapping
expects a quote-enclosed JSON-string representing an ordered array of documents. Each document contains a regular expressionmatch
and either asubstitution
orldapQuery
template used for transforming the incoming username.Each document in the array has the following form:
{ match: "<regex>" substitution: "<LDAP DN>" | ldapQuery: "<LDAP Query>" } FieldDescriptionExamplematch
An ECMAScript-formatted regular expression (regex) to match against a provided username. Each parenthesis-enclosed section represents a regex capture group used by
substitution
orldapQuery
."(.+)ENGINEERING"
"(.+)DBA"
substitution
An LDAP distinguished name (DN) formatting template that converts the authentication name matched by the
match
regex into a LDAP DN. Each curly bracket-enclosed numeric value is replaced by the corresponding regex capture group extracted from the authentication username through thematch
regex.The result of the substitution must be an RFC4514 escaped string.
"cn={0},ou=engineering, dc=example,dc=com"
ldapQuery
A LDAP query formatting template that inserts the authentication name matched by the
match
regex into an LDAP query URI encoded respecting RFC4515 and RFC4516. Each curly bracket-enclosed numeric value is replaced by the corresponding regex capture group extracted from the authentication username through thematch
expression.mongod
ormongos
executes the query against the LDAP server to retrieve the LDAP DN for the authenticated user.mongod
ormongos
requires exactly one returned result for the transformation to be successful, ormongod
ormongos
skips this transformation."ou=engineering,dc=example, dc=com??one?(user={0})"
Note
For each document in the array, you must use either
substitution
orldapQuery
. You cannot specify both in the same document.When performing authentication or authorization,
mongod
ormongos
steps through each document in the array in the given order, checking the authentication username against thematch
filter. If a match is found,mongod
ormongos
applies the transformation and uses the output for authenticating the user.mongod
ormongos
does not check the remaining documents in the array.If the given document does not match the provided authentication name,
mongod
ormongos
continues through the list of documents to find additional matches. If no matches are found in any document, or the transformation the document describes fails,mongod
ormongos
returns an error.mongod
ormongos
also returns an error if one of the transformations cannot be evaluated due to networking or authentication failures to the LDAP server.mongod
ormongos
rejects the connection request and does not check the remaining documents in the array.Starting in MongoDB 5.0,
userToDNMapping
accepts an empty string""
or empty array[ ]
in place of a mapping document. If providing an empty string or empty array touserToDNMapping
, MongoDB maps the authenticated username as the LDAP DN. Previously, providing an empty mapping document would cause mapping to fail.Example
The following shows two transformation documents. The first document matches against any string ending in
@ENGINEERING
, placing anything preceding the suffix into a regex capture group. The second document matches against any string ending in@DBA
, placing anything preceding the suffix into a regex capture group.Important
You must pass the array to userToDNMapping as a string.
"[ { match: "(.+)@ENGINEERING.EXAMPLE.COM", substitution: "cn={0},ou=engineering,dc=example,dc=com" }, { match: "(.+)@DBA.EXAMPLE.COM", ldapQuery: "ou=dba,dc=example,dc=com??one?(user={0})" } ]" A user with username
alice@ENGINEERING.EXAMPLE.COM
matches the first document. The regex capture group{0}
corresponds to the stringalice
. The resulting output is the DN"cn=alice,ou=engineering,dc=example,dc=com"
.A user with username
bob@DBA.EXAMPLE.COM
matches the second document. The regex capture group{0}
corresponds to the stringbob
. The resulting output is the LDAP query"ou=dba,dc=example,dc=com??one?(user=bob)"
.mongod
ormongos
executes this query against the LDAP server, returning the result"cn=bob,ou=dba,dc=example,dc=com"
.If
userToDNMapping
is unset,mongod
ormongos
applies no transformations to the username when attempting to authenticate or authorize a user against the LDAP server.This setting can be configured on a running
mongod
ormongos
using thesetParameter
database command.
security.ldap.authz.queryTemplate
Type: string
Available in MongoDB Enterprise only.
A relative LDAP query URL formatted conforming to RFC4515 and RFC4516 that
mongod
executes to obtain the LDAP groups to which the authenticated user belongs to. The query is relative to the host or hosts specified insecurity.ldap.servers
.Note
For better performance, consider placing the LDAP groups used for MongoDB authorization into their own Organizational Unit (
OU
).In the URL, you can use the following substitution tokens:
Substitution TokenDescription{USER}
Substitutes the authenticated username, or the
transformed
username if auserToDNMapping
is specified.{PROVIDED_USER}
Substitutes the supplied username, i.e. before either authentication or
LDAP transformation
.When constructing the query URL, ensure that the order of LDAP parameters respects RFC4516:
[ dn [ ? [attributes] [ ? [scope] [ ? [filter] [ ? [Extensions] ] ] ] ] ] If your query includes an attribute,
mongod
assumes that the query retrieves a list of the DNs which this entity is a member of.If your query does not include an attribute,
mongod
assumes the query retrieves all entities which the user is member of.For each LDAP DN returned by the query,
mongod
assigns the authorized user a corresponding role on theadmin
database. If a role on the on theadmin
database exactly matches the DN,mongod
grants the user the roles and privileges assigned to that role. See thedb.createRole()
method for more information on creating roles.Example
This LDAP query returns any groups listed in the LDAP user object's
memberOf
attribute."{USER}?memberOf?base" Your LDAP configuration may not include the
memberOf
attribute as part of the user schema, may possess a different attribute for reporting group membership, or may not track group membership through attributes. Configure your query with respect to your own unique LDAP configuration.If unset,
mongod
cannot authorize users using LDAP.This setting can be configured on a running
mongod
using thesetParameter
database command.
security.ldap.validateLDAPServerConfig
Type: boolean
Default: true
Available in MongoDB Enterprise
A flag that determines if the
mongod
ormongos
instance checks the availability of theLDAP server(s)
as part of its startup:
setParameter
Option
setParameter
Set MongoDB parameter or parameters described in MongoDB Server Parameters for a Self-Managed Deployment
To set parameters in the YAML configuration file, use the following format:
setParameter: <parameter1>: <value1> <parameter2>: <value2> For example, to specify the
enableLocalhostAuthBypass
in the configuration file:setParameter: enableLocalhostAuthBypass: false
LDAP Parameters
setParameter.ldapUserCacheInvalidationInterval
Type: int
Default: 30
For use with
mongod
servers using LDAP Authorization on Self-Managed Deployments.The interval (in seconds)
mongod
waits between external user cache flushes. Aftermongod
flushes the external user cache, MongoDB reacquires authorization data from the LDAP server the next time an LDAP-authorized user issues an operation.Increasing the value specified increases the amount of time
mongod
and the LDAP server can be out of sync, but reduces the load on the LDAP server. Conversely, decreasing the value specified decreases the timemongod
and the LDAP server can be out of sync while increasing the load on the LDAP server.
setParameter: ldapUserCacheInvalidationInterval: <int>
storage
Options
Changed in version 6.1:
MongoDB always enables journaling. As a result, MongoDB removes the
storage.journal.enabled
option and the corresponding--journal
and--nojournal
command-line options.
storage: dbPath: <string> journal: commitIntervalMs: <num> directoryPerDB: <boolean> syncPeriodSecs: <int> engine: <string> wiredTiger: engineConfig: cacheSizeGB: <number> journalCompressor: <string> directoryForIndexes: <boolean> maxCacheOverflowFileSizeGB: <number> collectionConfig: blockCompressor: <string> indexConfig: prefixCompression: <boolean> inMemory: engineConfig: inMemorySizeGB: <number> oplogMinRetentionHours: <double>
storage.dbPath
Type: string
Default:
/data/db
on Linux and macOS\data\db
on Windows
The directory where the
mongod
instance stores its data.The
storage.dbPath
setting is available only formongod
.Note
Configuration Files
The default
mongod.conf
configuration file included with package manager installations uses the following platform-specific default values forstorage.dbPath
:PlatformPackage ManagerDefaultstorage.dbPath
RHEL / CentOS and Amazon
yum
/var/lib/mongo
SUSE
zypper
/var/lib/mongo
Ubuntu and Debian
apt
/var/lib/mongodb
macOS
brew
/usr/local/var/mongodb
The Linux package init scripts do not expect
storage.dbPath
to change from the defaults. If you use the Linux packages and changestorage.dbPath
, you must use your own init scripts and disable the built-in scripts.
storage.journal.commitIntervalMs
Type: number
Default: 100
The maximum amount of time in milliseconds that the
mongod
process allows between journal operations. Values can range from 1 to 500 milliseconds. Lower values increase the durability of the journal, at the expense of disk performance.On WiredTiger, the default journal commit interval is 100 milliseconds. Additionally, a write that includes or implies
j:true
causes an immediate sync of the journal. For details or additional conditions that affect the frequency of the sync, see Journaling Process.The
storage.journal.commitIntervalMs
setting is available only formongod
.Not available for
mongod
instances that use the in-memory storage engine.
storage.directoryPerDB
Type: boolean
Default: false
When
true
, MongoDB uses a separate directory to store data for each database. The directories are under thestorage.dbPath
directory, and each subdirectory name corresponds to the database name.The
storage.directoryPerDB
setting is available only formongod
.Not available for
mongod
instances that use the in-memory storage engine.Starting in MongoDB 5.0, dropping the final collection in a database (or dropping the database itself) when
storage.directoryPerDB
is enabled deletes the newly empty subdirectory for that database.To change the
storage.directoryPerDB
option for existing deployments:For standalone instances:
Use
mongodump
on the existingmongod
instance to generate a backup.Stop the
mongod
instance.Add the
storage.directoryPerDB
value and configure a new data directoryRestart the
mongod
instance.Use
mongorestore
to populate the new data directory.
For replica sets:
Stop a secondary member.
Add the
storage.directoryPerDB
value and configure a new data directory to that secondary member.Restart that secondary.
Use initial sync to populate the new data directory.
Update remaining secondaries in the same fashion.
Step down the primary, and update the stepped-down member in the same fashion.
storage.syncPeriodSecs
Type: number
Default: 60
The amount of time that can pass before MongoDB flushes data to the data files.
Do not set this value on production systems. In almost every situation, you should use the default setting.
The
mongod
process writes data very quickly to the journal and lazily to the data files.storage.syncPeriodSecs
has no effect on Journaling, but ifstorage.syncPeriodSecs
is set to0
the journal eventually consumes all available disk space.The
storage.syncPeriodSecs
setting is available only formongod
.Not available for
mongod
instances that use the in-memory storage engine.To provide durable data, WiredTiger uses checkpoints. For more details, see Journaling and the WiredTiger Storage Engine.
storage.engine
Default:
wiredTiger
The storage engine for the
mongod
database. Available values include:ValueDescriptionwiredTiger
To specify the WiredTiger Storage Engine.
inMemory
To specify the In-Memory Storage Engine for Self-Managed Deployments.
Available in MongoDB Enterprise only.
If you attempt to start a
mongod
with astorage.dbPath
that contains data files produced by a storage engine other than the one specified bystorage.engine
,mongod
refuses to start.
storage.oplogMinRetentionHours
Type: double
Specifies the minimum number of hours to preserve an oplog entry, where the decimal values represent the fractions of an hour. For example, a value of
1.5
represents one hour and thirty minutes.The value must be greater than or equal to
0
. A value of0
indicates that themongod
should truncate the oplog starting with the oldest entries to maintain the configured maximum oplog size.Defaults to
0
.A
mongod
started withoplogMinRetentionHours
only removes an oplog entry if:The oplog has reached the maximum configured oplog size and
The oplog entry is older than the configured number of hours based on the host system clock.
The
mongod
has the following behavior when configured with a minimum oplog retention period:The oplog can grow without constraint so as to retain oplog entries for the configured number of hours. This may result in reduction or exhaustion of system disk space due to a combination of high write volume and large retention period.
If the oplog grows beyond its maximum size, the
mongod
may continue to hold that disk space even if the oplog returns to its maximum size or is configured for a smaller maximum size. See Reducing Oplog Size Does Not Immediately Return Disk Space.The
mongod
compares the system wall clock to an oplog entries creation wall clock time when enforcing oplog entry retention. Clock drift between cluster components may result in unexpected oplog retention behavior. See Clock Synchronization for more information on clock synchronization across cluster members.
To change the minimum oplog retention period after starting the
mongod
, usereplSetResizeOplog
.replSetResizeOplog
enables you to resize the oplog dynamically without restarting themongod
process. To persist the changes made usingreplSetResizeOplog
through a restart, update the value ofoplogMinRetentionHours
.
storage.wiredTiger
Options
storage: wiredTiger: engineConfig: cacheSizeGB: <number> journalCompressor: <string> directoryForIndexes: <boolean> maxCacheOverflowFileSizeGB: <number> collectionConfig: blockCompressor: <string> indexConfig: prefixCompression: <boolean>
storage.wiredTiger.engineConfig.cacheSizeGB
Type: float
Defines the maximum size of the internal cache that WiredTiger uses for all data. The memory consumed by an index build (see
maxIndexBuildMemoryUsageMegabytes
) is separate from the WiredTiger cache memory.Values can range from
0.25
GB to10000
GB.The default WiredTiger internal cache size is the larger of either:
50% of (RAM - 1 GB), or
256 MB.
For example, on a system with a total of 4GB of RAM the WiredTiger cache uses 1.5GB of RAM (
0.5 * (4 GB - 1 GB) = 1.5 GB
). Conversely, on a system with a total of 1.25 GB of RAM WiredTiger allocates 256 MB to the WiredTiger cache because that is more than half of the total RAM minus one gigabyte (0.5 * (1.25 GB - 1 GB) = 128 MB < 256 MB
).Note
In some instances, such as when running in a container, the database can have memory constraints that are lower than the total system memory. In such instances, this memory limit, rather than the total system memory, is used as the maximum RAM available.
To see the memory limit, see
hostInfo.system.memLimitMB
.Avoid increasing the WiredTiger internal cache size above its default value.
With WiredTiger, MongoDB utilizes both the WiredTiger internal cache and the filesystem cache.
With the filesystem cache, MongoDB automatically uses all free memory that is not used by the WiredTiger cache or by other processes.
Note
The
storage.wiredTiger.engineConfig.cacheSizeGB
limits the size of the WiredTiger internal cache. The operating system uses the available free memory for filesystem cache, which allows the compressed MongoDB data files to stay in memory. In addition, the operating system uses any free RAM to buffer file system blocks and file system cache.To accommodate the additional consumers of RAM, you may have to decrease WiredTiger internal cache size.
The default WiredTiger internal cache size value assumes that there is a single
mongod
instance per machine. If a single machine contains multiple MongoDB instances, then you should decrease the setting to accommodate the othermongod
instances.If you run
mongod
in a container (for example,lxc
,cgroups
, Docker, etc.) that does not have access to all of the RAM available in a system, you must setstorage.wiredTiger.engineConfig.cacheSizeGB
to a value less than the amount of RAM available in the container. The exact amount depends on the other processes running in the container. SeememLimitMB
.
storage.wiredTiger.engineConfig.journalCompressor
Default: snappy
Specifies the type of compression to use to compress WiredTiger journal data.
Available compressors are:
storage.wiredTiger.engineConfig.directoryForIndexes
Type: boolean
Default: false
When
storage.wiredTiger.engineConfig.directoryForIndexes
istrue
,mongod
stores indexes and collections in separate subdirectories under the data (i.e.storage.dbPath
) directory. Specifically,mongod
stores the indexes in a subdirectory namedindex
and the collection data in a subdirectory namedcollection
.By using a symbolic link, you can specify a different location for the indexes. Specifically, when
mongod
instance is not running, move theindex
subdirectory to the destination and create a symbolic link namedindex
under the data directory to the new destination.
storage.wiredTiger.engineConfig.zstdCompressionLevel
Type: integer
Default: 6
Specifies the level of compression applied when using the zstd compressor.
Values can range from 1 to 22.
The higher the specified value for
zstdCompressionLevel
the higher the compression which is applied.Only applicable when
blockCompressor
is set tozstd
.Available starting in MongoDB 5.0
storage.wiredTiger.collectionConfig.blockCompressor
Default: snappy
Specifies the default compression for collection data. You can override this on a per-collection basis when creating collections.
Available compressors are:
storage.wiredTiger.collectionConfig.blockCompressor
affects all collections created. If you change the value ofstorage.wiredTiger.collectionConfig.blockCompressor
on an existing MongoDB deployment, all new collections uses the specified compressor. Existing collections continue to use the compressor specified when they were created, or the default compressor at that time.
storage.wiredTiger.indexConfig.prefixCompression
Default: true
Enables or disables prefix compression for index data.
Specify
true
forstorage.wiredTiger.indexConfig.prefixCompression
to enable prefix compression for index data, orfalse
to disable prefix compression for index data.The
storage.wiredTiger.indexConfig.prefixCompression
setting affects all indexes created. If you change the value ofstorage.wiredTiger.indexConfig.prefixCompression
on an existing MongoDB deployment, all new indexes uses prefix compression. Existing indexes are not affected.
storage.inmemory
Options
storage: inMemory: engineConfig: inMemorySizeGB: <number>
storage.inMemory.engineConfig.inMemorySizeGB
Type: float
Default: 50% of physical RAM less 1 GB
Values can range from 256MB to 10TB and can be a float.
Maximum amount of memory to allocate for in-memory storage engine data, including indexes, oplog if the
mongod
is part of replica set, replica set or sharded cluster metadata, etc.By default, the in-memory storage engine uses 50% of physical RAM minus 1 GB.
Note
Enterprise Feature
Available in MongoDB Enterprise only.
operationProfiling
Options
operationProfiling: mode: <string> slowOpThresholdMs: <int> slowOpSampleRate: <double> filter: <string>
operationProfiling.mode
Type: string
Default:
off
Specifies which operations should be profiled. The following profiler levels are available:
LevelDescriptionoff
The profiler is off and does not collect any data. This is the default profiler level.
slowOp
The profiler collects data for operations that take longer than the value of
slowms
.all
The profiler collects data for all operations.
Warning
Profiling can degrade performance and expose unencrypted query data in the system log. Carefully consider any performance and security implications before configuring and enabling the profiler on a production deployment.
See Profiler Overhead for more information on potential performance degradation.
operationProfiling.slowOpThresholdMs
Type: integer
Default: 100
The slow operation time threshold, in milliseconds. Operations that run for longer than this threshold are considered slow.
Slow operations are logged based on
workingMillis
, which is the amount of time that MongoDB spends working on that operation. This means that factors such as waiting for locks and flow control do not affect whether an operation exceeds the slow operation threshold.When
logLevel
is set to0
, MongoDB records slow operations to the diagnostic log at a rate determined byslowOpSampleRate
.At higher
logLevel
settings, all operations appear in the diagnostic log regardless of their latency with the following exception: the logging of slow oplog entry messages by the secondaries. The secondaries log only the slow oplog entries; increasing thelogLevel
does not log all oplog entries.
operationProfiling.slowOpSampleRate
Type: double
Default: 1.0
The fraction of slow operations that should be profiled or logged.
operationProfiling.slowOpSampleRate
accepts values between 0 and 1, inclusive.The
slowOpSampleRate
setting is available formongod
andmongos
.
operationProfiling.filter
Type: string representation of a query document
A filter expression that controls which operations are profiled and logged.
When
filter
is set,slowOpThresholdMs
andslowOpSampleRate
are not used for profiling and slow-query log lines.When you set a profile filter in the configuration file, the filter applies to all databases in the deployment. To set a profile filter for a specific database, use the
db.setProfilingLevel()
method.The option takes a string representation of a query document of the form:
{ <field1>: <expression1>, ... } The
<field>
can be any field in the profiler output. The<expression>
is a query condition expression.To specify a profiling filter in a configuration file, you must:
Enclose the filter document in single quotes to pass the document as a string.
Use the YAML format of the configuration file.
For example, the following
filter
configures the profiler to logquery
operations that take longer than 2 seconds:operationProfiling: mode: all filter: '{ op: "query", millis: { $gt: 2000 } }'
replication
Options
replication: oplogSizeMB: <int> replSetName: <string> enableMajorityReadConcern: <boolean>
replication.oplogSizeMB
Type: integer
The maximum size in megabytes for the oplog. The
oplogSizeMB
setting configures the uncompressed size of the oplog, not the size on disk.Note
The oplog can grow past its configured size limit to avoid deleting the
majority commit point
.By default, the
mongod
process creates an oplog based on the maximum amount of space available. For 64-bit systems, the oplog is typically 5% of available disk space.