Core Server / SERVER-10339

MONGODB-X509 user authentication should not require the clusterAuthMode option.

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.5.3
    • Affects Version/s: 2.5.1
    • Component/s: Security
    • Labels:
    • ALL

      Configure mongod without clusterAuthMode:

      $ ./mongod --dbpath /storage/data/db/ --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl.pem --auth
      

      The shell fails authentication:

      $ ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem
      MongoDB shell version: 2.5.1
      connecting to: test
      Server has startup warnings: 
      ** NOTE: This is a development version (2.5.1) of MongoDB.
      **       Not recommended for production.
      > use $external
      switched to db $external
      > db.auth({mechanism: 'MONGODB-X509'})
      Error: 18 { code: 18, ok: 0.0, errmsg: "X509 authentication is not allowed for cluster authentication" }
      0
      

      Restart mongod with clusterAuthMode x509:

      $ ./mongod --dbpath /storage/data/db/ --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl.pem --auth --clusterAuthMode x509
      

      Shell authentication succeeds:

      $ ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem
      MongoDB shell version: 2.5.1
      connecting to: test
      Server has startup warnings: 
      ** NOTE: This is a development version (2.5.1) of MongoDB.
      **       Not recommended for production.
      > use $external
      switched to db $external
      > db.auth({mechanism: 'MONGODB-X509'})
      1
      

      To use the MONGODB-X509 mechanism you currently have to configure mongod with "--clusterAuthMode x509", but that option is for internal (keyFile replacement) authentication, not user auth.

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            bernie@mongodb.com Bernie Hackett
            Votes:
            0
            Watchers:
            6
