Action items post discussion:
- Update X.509 documentation to say that a username does not need to be specified
- Update X.509 documentation to say that if a username is specified, it is sent verbatim
- Update X.509 documentation to say that if a password is specified, it will be ignored
- Remove "derived from" from docs, since the exact input is sent and there is no derivation

If necessary, add test cases for:
- Username specified and is the same as certificate's distinguished name
- Username specified and is different from DN (auth fails)
- Password is specified (auth succeeds)

Feedback from a customer using X509 auth w/ the Ruby driver (+mongoid) — when configuring the connection properties, the customer used the cert subject without the CN= prefix, since that’s how the Atlas UI renders it (see screenshot below).
However, the Ruby driver apparently requires the qualified name (see screenshot). FWIW, the sample in the driver doc does not include a user property at all (is this a doc issue?)
The customer found the experience to be confusing and suggested both a doc update and a UI enhancement for us to consider, i.e., displaying X509 users using the fully qualified name, similar to how LDAP users are listed in the Atlas Access Manager.
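
The three test cases and the missing `CN=` prefix described above can be checked locally before connecting. This is an added example, not code from the ticket or the Ruby driver. It assumes the server-side X.509 user is named by the certificate subject in RFC 2253 form; `sample_certificate`, `subject_dn` and `preflight` are hypothetical helpers, and the certificate is a constructed throwaway.

```ruby
require 'openssl'

# Constructed sample: a throwaway self-signed client certificate.
def sample_certificate
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/C=US/O=Example/OU=Clients/CN=app-user')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Subject DN as an RFC 2253 string (assumption: this is the server-side user name).
def subject_dn(cert)
  cert.subject.to_s(OpenSSL::X509::Name::RFC2253)
end

# Hypothetical helper: classify the configured credentials before connecting.
# The user string is compared byte for byte because it is sent verbatim.
def preflight(cert, user: nil, password: nil)
  dn = subject_dn(cert)
  status =
    if user.nil? then :no_user_needed
    elsif user == dn then :user_matches_dn
    elsif "CN=#{user}" == dn then :missing_cn_prefix
    else :user_differs_from_dn
    end
  notes = []
  notes << 'password is ignored for X.509 auth' unless password.nil?
  if %i[missing_cn_prefix user_differs_from_dn].include?(status)
    notes << "user is sent verbatim; expected #{dn}"
  end
  { status: status, dn: dn, notes: notes }
end

if __FILE__ == $PROGRAM_NAME
  cert = sample_certificate
  [nil, subject_dn(cert), 'app-user,OU=Clients,O=Example,C=US', 'someone-else'].each do |u|
    puts preflight(cert, user: u, password: 'unused').inspect
  end
end
```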