Provided by: libmongoc-doc_1.3.1-1_all bug

NAME
       Authentication - None


BASIC AUTHENTICATION
       The  MongoDB  C  driver  supports  challenge  response  authentication (sometimes known as
       MONGODB‐CR ) through the use of MongoDB connection URIs.

       Simply provide the username and password as one would with an HTTP URL , as  well  as  the
       database to authenticate against via authSource \&.

       mongoc_client_t                 *client                 =                mongoc_client_new
       ("mongodb://user:password@localhost/?authSource=mydb");


GSSAPI (KERBEROS) AUTHENTICATION
       NOTE
              Kerberos support is only provided  in  environments  supported  by  the  cyrus‐sasl
              Kerberos implementation. This currently limits support to UNIX‐like environments.

       GSSAPI  (Kerberos)  authentication  is  available  in  the  Enterprise Edition of MongoDB,
       version 2.4 and newer. To authenticate using  GSSAPI  ,  the  MongoDB  C  driver  must  be
       installed   with   SASL  support.  Run  the  kinit  command  before  using  the  following
       authentication methods:

       $ mongodbuser@EXAMPLE.COM's Password: $
       Credentials cache: FILE:/tmp/krb5cc_1000
               Principal: mongodbuser@EXAMPLE.COM

         Issued                Expires               Principal
       Feb  9 13:48:51 2013  Feb  9 23:48:51 2013  krbtgt/EXAMPLE.COM@EXAMPLE.COM

       Now authenticate using the  MongoDB  URI.   GSSAPI  authenticates  against  the  $external
       virtual  database,  so  a database does not need to be specified in the URI. Note that the
       Kerberos principal must be URL‐encoded:

       mongoc_client_t *client;

       client = mongoc_client_new ("mongodb://mongodbuser%40EXAMPLE.COM@example.com/?authMechanism=GSSAPI");

       The default service name used by MongoDB and the MongoDB C driver is mongodb \&. A  custom
       service name can be specified with the gssapiServiceName option:

       mongoc_client_t *client;

       client = mongoc_client_new ("mongodb://mongodbuser%40EXAMPLE.COM@example.com/?authMechanism=GSSAPI&gssapiServiceName=myservicename");

       NOTE
              When  encountering errors such as Invalid net address , check if the application is
              behind a NAT (Network Address Translation) firewall. If so, create  a  ticket  that
              uses  forwardable  and addressless Kerberos tickets. This can be done by passing ‐f
              ‐A to kinit \&.

              $


SSL AUTHENTICATION
       NOTE
              The MongoDB C Driver must be compiled with  the  ‐‐enable‐ssl  option  to  use  SSL
              authentication.

       To  connect  to a MongoDB server enabled with SSL, add the ?ssl=true option in the MongoDB
       URI.

       mongoc_uri_t *uri = mongoc_uri_new ("mongodb://localhost/?ssl=true");

       NOTE
              Connecting to a server that does  not  support  SSL  will  fail  if  the  ?ssl=true
              parameter  is  provided  in  the  URI. This is to prevent unintentional information
              leak.


SASL PLAIN AUTHENTICATION
       NOTE
              The MongoDB C Driver must be compiled with SASL support in order to use SASL  PLAIN
              authentication.

       MongoDB  Enterprise Edition versions 2.5.0 and newer support the SASL PLAIN authentication
       mechanism, initially intended for delegating authentication to an LDAP server.  Using  the
       SASL  PLAIN  mechanism  is very similar to the challenge response mechanism with usernames
       and passwords. These examples use the $external virtual database for LDAP support:

       NOTE
              SASL PLAIN is a clear‐text authentication mechanism. It is strongly recommended  to
              connect  to  MongoDB  using  SSL  with  certificate validation when using the PLAIN
              mechanism.

       mongoc_client_t *client;

       client = mongoc_client_new ("mongodb://user:password@example.com/?authMechanism=PLAIN&authSource=$external");


X.509 CERTIFICATE AUTHENTICATION
       NOTE
              The MongoDB C Driver must be compiled with SSL  support  for  X.509  authentication
              support.

       The MONGODB‐X509 mechanism authenticates a username derived from the distinguished subject
       name of the X.509 certificate  presented  by  the  driver  during  SSL  negotiation.  This
       authentication  method requires the use of SSL connections with certificate validation and
       is available in MongoDB 2.5.1 and newer:

       mongoc_client_t *client;
       mongoc_ssl_opt_t ssl_opts = { 0 };

       ssl_opts.pem_file = "mycert.pem";
       ssl_opts.pem_pwd = "mycertpassword";
       ssl_opts.ca_file = "myca.pem";
       ssl_opts.ca_dir = "trust_dir";
       ssl_opts.weak_cert_validation = false;

       client = mongoc_client_new ("mongodb://x509_derived_username@localhost/?authMechanism=MONGODB‐X509");
       mongoc_client_set_ssl_opts (client, &ssl_opts);

       MONGODB‐X509 authenticates against the $external database, so specifying a database is not
       required.


COLOPHON
       This    page   is   part   of   MongoDB   C   Driver.    Please   report   any   bugs   at
       https://jira.mongodb.org/browse/CDRIVER.