Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-25082

It should not be required to specify user/subject when authenticating with x509

    • Type: Icon: Improvement Improvement
    • Resolution: Done
    • Priority: Icon: Minor - P4 Minor - P4
    • 3.3.12
    • Affects Version/s: 3.2.7
    • Component/s: Security, Shell
    • Labels:
    • Fully Compatible
    • Security 19 (08/29/16)

      At present with x509 enabled it is required that a user has to explicitly authenticate by specifying the subject:

          mechanism: "MONGODB-X509",
          user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry"

      That feels redundant and inconvenient as the user must have already supplied the certificate in order to connect to the server.

      I could understand the necessity of doing this if there was a way to supply a certificate for authentication different from the certificate used for connection, but it does not seem to be possible (please correct me if I am wrong).

      With x509 it would be nice to have a way to authenticate implicitly (given the user is already connected) or at least without specifying the subject.

      For example, we could authenticate the user automatically whenever mongo shell is started with "–authenticationMechanism MONGODB-X509" and with "--sslPEMKeyFile", e.g.:

      mongo –ssl –host server.com –sslPEMKeyFile client.pem –sslCAFile CA.pem –authenticationDatabase \$external –authenticationMechanism MONGODB-X509

            haikinh.hoang@mongodb.com Kinh Hoang
            dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev
            1 Vote for this issue
            12 Start watching this issue