Core Server: SERVER-25082

It should not be required to specify user/subject when authenticating with x509


Details

    Type: Improvement
    Status: Closed
    Priority: Minor - P4
    Resolution: Fixed
    Affects Version/s: 3.2.7
    Fix Version/s: 3.3.12
    Component/s: Security, Shell
    Labels: None
    Backwards Compatibility: Fully Compatible
    Sprint: Security 19 (08/29/16)

    Description

      At present, with x509 enabled, a user is required to authenticate explicitly by specifying the subject:

      db.getSiblingDB("$external").auth(
        {
          mechanism: "MONGODB-X509",
          user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry"
        }
      )
      

      That feels redundant and inconvenient, as the user must have already supplied the certificate in order to connect to the server.

      I could understand the necessity of doing this if there was a way to supply a certificate for authentication different from the certificate used for connection, but it does not seem to be possible (please correct me if I am wrong).

      With x509 it would be nice to have a way to authenticate implicitly (given the user is already connected) or at least without specifying the subject.

      For example, we could authenticate the user automatically whenever the mongo shell is started with "--authenticationMechanism MONGODB-X509" and with "--sslPEMKeyFile", e.g.:

      mongo --ssl --host server.com --sslPEMKeyFile client.pem --sslCAFile CA.pem --authenticationDatabase \$external --authenticationMechanism MONGODB-X509
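On a shell without this fix, the subject still has to be typed, and it has to match byte for byte the RFC 2253 rendering of the certificate's subject (most-specific RDN first, comma separated, short attribute names; the default `openssl x509 -subject` rendering with `C = US, ST = ...` spacing will not match). The script below is an added example, not code from the issue or from MongoDB: it derives the `$external` username from the same PEM file that is passed as `--sslPEMKeyFile`, and emits the `auth()` call the reporter shows with the subject filled in. It assumes `openssl` is on the PATH; the self-signed certificate it generates for the demo is constructed here, with `C=US` because OpenSSL rejects a country name that is not two letters.

```shell
#!/bin/sh
# Added example (not MongoDB's code): derive the $external username that
# MONGODB-X509 authentication expects directly from the client certificate,
# instead of retyping the subject by hand.
set -eu

# Print the certificate subject in the RFC 2253 form MongoDB matches against
# ("CN=...,OU=...,O=...,L=...,ST=...,C=..."). openssl x509 reads the first
# CERTIFICATE block in the file, so a combined cert+key file as used with
# --sslPEMKeyFile works unchanged.
x509_mongo_user() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Emit the mongo shell auth() call from the issue with the subject filled in.
x509_auth_js() {
    user=$(x509_mongo_user "$1")
    printf 'db.getSiblingDB("$external").auth({ mechanism: "MONGODB-X509", user: "%s" })\n' "$user"
}

# Constructed for this example: a throwaway self-signed client certificate
# with the same subject shape as the issue uses (C must be a two-letter
# code, so "myCountry" becomes "US"). Prints the path of the combined PEM.
make_demo_client_pem() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=myState/L=myLocality/O=myOrg/OU=myOrgUnit/CN=myName" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    cat "$dir/cert.pem" "$dir/key.pem" > "$dir/client.pem"
    printf '%s\n' "$dir/client.pem"
}

# Usage: sh x509_user.sh [client.pem]
# With a PEM path, print the auth() call for that certificate; with none,
# run the self-contained demo on a freshly generated certificate.
if [ "$#" -ge 1 ]; then
    x509_auth_js "$1"
else
    pem=$(make_demo_client_pem)
    echo "subject as MongoDB user: $(x509_mongo_user "$pem")"
    x509_auth_js "$pem"
fi
```

The string `x509_mongo_user` prints is also what the `$external` user must have been created as on the server side; if the two differ by as little as RDN order or spacing, the server reports the user as not found, so generating both from the certificate with the same `openssl` invocation is the safest route.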

People

    Assignee: Kinh Hoang (haikinh.hoang@mongodb.com)
    Reporter: Dmitry Ryabtsev (dmitry.ryabtsev@mongodb.com)
    Votes: 1
    Watchers: 12

Dates

    Created:
    Updated:
    Resolved: