Core Server / SERVER-25082

It should not be required to specify user/subject when authenticating with x509

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Affects Version/s: 3.2.7
    • Fix Version/s: 3.3.12
    • Component/s: Security, Shell
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Sprint:
      Security 19 (08/29/16)

      Description

      At present with x509 enabled it is required that a user has to explicitly authenticate by specifying the subject:

      db.getSiblingDB("$external").auth(
        {
          mechanism: "MONGODB-X509",
          user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry"
        }
      )
      

      That feels redundant and inconvenient as the user must have already supplied the certificate in order to connect to the server.

      I could understand the necessity of doing this if there was a way to supply a certificate for authentication different from the certificate used for connection, but it does not seem to be possible (please correct me if I am wrong).

      With x509 it would be nice to have a way to authenticate implicitly (given the user is already connected) or at least without specifying the subject.

      For example, we could authenticate the user automatically whenever mongo shell is started with "--authenticationMechanism MONGODB-X509" and with "--sslPEMKeyFile", e.g.:

      mongo --ssl --host server.com --sslPEMKeyFile client.pem --sslCAFile CA.pem --authenticationDatabase \$external --authenticationMechanism MONGODB-X509

              People

              Assignee:
              kinh.hoang Kinh Hoang
              Reporter:
              dmitry.ryabtsev Dmitry Ryabtsev
              Votes:
              1
              Watchers:
              12
