Overview
MongoDB Enterprise Edition includes authentication mechanisms that aren't available in MongoDB Community Edition. In this guide, you can learn how to authenticate to MongoDB by using these authentication mechanisms. To learn about the other authentication mechanisms available in MongoDB, see Authentication Mechanisms.
Kerberos
The Generic Security Services API (GSSAPI) provides an interface for Kerberos authentication.
Note
To authenticate with GSSAPI, you must build the MongoDB C driver with SASL support.
If you are building the driver from source, you can enable SASL support with
the ENABLE_SASL cmake option.
Complete the following steps to authenticate with GSSAPI:
Obtain a Ticket-Granting Ticket
On Unix environments, you must first run the kinit command to obtain and cache
an initial ticket-granting ticket. If you're running a Windows environment,
you can skip ahead to the next step.
The following example uses the
kinit command to obtain a ticket-granting ticket for the principal
[email protected]. It then uses the klist
command to display the principal and ticket in the credentials cache.
kinit [email protected] [email protected]'s Password: klist Credentials cache: FILE:/tmp/krb5cc_1000         Principal: [email protected] Issued                Expires               Principal Feb  9 13:48:51 2013  Feb  9 23:48:51 2013  krbtgt/[email protected] 
Set the Connection Options
Next, set the following connection options:
- Kerberos principal: The Kerberos principal to authenticate.
- authMechanism: Set to- "GSSAPI".
- authMechanismProperties: Optional. By default, MongoDB uses- mongodbas the authentication service name. To specify a different service name, set this option to- "SERVICE_NAME:<authentication service name>".
You can set these options through parameters in your connection URI, as shown in the following example:
auto uri = mongocxx::uri("mongodb://<Kerberos principal>@<hostname>:<port>/?"                          "authMechanism=GSSAPI"                          "&authMechanismProperties=SERVICE_NAME:<authentication service name>"); auto client = mongocxx::client(uri); 
Note
You must replace the @ symbol in the principal with %40, as shown
in the preceding example.
PLAIN SASL
The PLAIN Simple Authentication and Security Layer (SASL), as defined by RFC 4616, is a username-password authentication mechanism often used with TLS or another encryption layer.
Important
PLAIN SASL is a clear-text authentication mechanism. We strongly recommend that you use TLS/SSL with certificate validation when using PLAIN SASL to authenticate to MongoDB.
To learn more about how to enable TLS for your connection, see Configure Transport Layer Security (TLS).
To authenticate with SASL, set the authMechanism connection option to PLAIN.
You can set this option through a parameter in your connection string, as shown
in the following example:
auto uri = mongocxx::uri("mongodb://<db_username>:<db_password>@<hostname>:<port>/?"                          "authMechanism=PLAIN&tls=true"); auto client = mongocxx::client(uri); 
API Documentation
To learn more about creating a mongocxx::client object in C++ driver,
see the following API documentation: