Provided by: libmongoc-doc_1.3.1-1_all bug

NAME
       Authentication - None


BASIC AUTHENTICATION
       The  MongoDB C driver supports challenge response authentication (sometimes known as MONGODB‐CR ) through
       the use of MongoDB connection URIs.

       Simply provide the username and password as one would with an HTTP URL ,  as  well  as  the  database  to
       authenticate against via authSource \&.

       mongoc_client_t *client = mongoc_client_new ("mongodb://user:password@localhost/?authSource=mydb");


GSSAPI (KERBEROS) AUTHENTICATION
       NOTE
              Kerberos   support  is  only  provided  in  environments  supported  by  the  cyrus‐sasl  Kerberos
              implementation. This currently limits support to UNIX‐like environments.

       GSSAPI (Kerberos) authentication is available in the Enterprise  Edition  of  MongoDB,  version  2.4  and
       newer.  To  authenticate using GSSAPI , the MongoDB C driver must be installed with SASL support. Run the
       kinit command before using the following authentication methods:

       $ mongodbuser@EXAMPLE.COM's Password: $
       Credentials cache: FILE:/tmp/krb5cc_1000
               Principal: mongodbuser@EXAMPLE.COM

         Issued                Expires               Principal
       Feb  9 13:48:51 2013  Feb  9 23:48:51 2013  krbtgt/EXAMPLE.COM@EXAMPLE.COM

       Now authenticate using the MongoDB URI.  GSSAPI authenticates against the $external virtual database,  so
       a  database  does  not  need  to  be  specified in the URI. Note that the Kerberos principal must be URL‐
       encoded:

       mongoc_client_t *client;

       client = mongoc_client_new ("mongodb://mongodbuser%40EXAMPLE.COM@example.com/?authMechanism=GSSAPI");

       The default service name used by MongoDB and the MongoDB C driver is mongodb \&. A  custom  service  name
       can be specified with the gssapiServiceName option:

       mongoc_client_t *client;

       client = mongoc_client_new ("mongodb://mongodbuser%40EXAMPLE.COM@example.com/?authMechanism=GSSAPI&gssapiServiceName=myservicename");

       NOTE
              When  encountering  errors  such as Invalid net address , check if the application is behind a NAT
              (Network Address Translation)  firewall.  If  so,  create  a  ticket  that  uses  forwardable  and
              addressless Kerberos tickets. This can be done by passing ‐f ‐A to kinit \&.

              $


SSL AUTHENTICATION
       NOTE
              The MongoDB C Driver must be compiled with the ‐‐enable‐ssl option to use SSL authentication.

       To connect to a MongoDB server enabled with SSL, add the ?ssl=true option in the MongoDB URI.

       mongoc_uri_t *uri = mongoc_uri_new ("mongodb://localhost/?ssl=true");

       NOTE
              Connecting  to a server that does not support SSL will fail if the ?ssl=true parameter is provided
              in the URI. This is to prevent unintentional information leak.


SASL PLAIN AUTHENTICATION
       NOTE
              The MongoDB C Driver must be compiled with SASL support in order to use SASL PLAIN authentication.

       MongoDB Enterprise Edition versions 2.5.0 and newer support  the  SASL  PLAIN  authentication  mechanism,
       initially  intended  for  delegating  authentication to an LDAP server. Using the SASL PLAIN mechanism is
       very similar to the challenge response mechanism with usernames and passwords.  These  examples  use  the
       $external virtual database for LDAP support:

       NOTE
              SASL  PLAIN  is  a  clear‐text  authentication mechanism. It is strongly recommended to connect to
              MongoDB using SSL with certificate validation when using the PLAIN mechanism.

       mongoc_client_t *client;

       client = mongoc_client_new ("mongodb://user:password@example.com/?authMechanism=PLAIN&authSource=$external");


X.509 CERTIFICATE AUTHENTICATION
       NOTE
              The MongoDB C Driver must be compiled with SSL support for X.509 authentication support.

       The MONGODB‐X509 mechanism authenticates a username derived from the distinguished subject  name  of  the
       X.509 certificate presented by the driver during SSL negotiation. This authentication method requires the
       use of SSL connections with certificate validation and is available in MongoDB 2.5.1 and newer:

       mongoc_client_t *client;
       mongoc_ssl_opt_t ssl_opts = { 0 };

       ssl_opts.pem_file = "mycert.pem";
       ssl_opts.pem_pwd = "mycertpassword";
       ssl_opts.ca_file = "myca.pem";
       ssl_opts.ca_dir = "trust_dir";
       ssl_opts.weak_cert_validation = false;

       client = mongoc_client_new ("mongodb://x509_derived_username@localhost/?authMechanism=MONGODB‐X509");
       mongoc_client_set_ssl_opts (client, &ssl_opts);

       MONGODB‐X509 authenticates against the $external database, so specifying a database is not required.


COLOPHON
       This     page     is     part     of    MongoDB    C    Driver.     Please    report    any    bugs    at
       https://jira.mongodb.org/browse/CDRIVER.

MongoDB C Driver                                   2016‐01‐18                                  AUTHENTICATION(3)