[CDRIVER-2522] Option to specify GSSAPI hostname Created: 02/Mar/18  Updated: 19/Mar/18  Resolved: 19/Mar/18

Status: Closed
Project: C Driver
Component/s: libmongoc
Affects Version/s: 1.7.0
Fix Version/s: None

Type: New Feature Priority: Major - P3
Reporter: winnie_quest Assignee: A. Jesse Jiryu Davis
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

mongo-cxx-driver-r3.1.3
mongo-c-driver-1.7.0


Issue Links:
Related
related to SERVER-33981 Support GSSAPI hostname canonicalizat... Closed

Description

I see this description in the MongoDB official manual:
"If you are connecting to a system whose hostname *does not match *the Kerberos name, use --gssapiHostName to specify the Kerberos FQDN that it responds to."

so I run the mongo shell:
administrator@mon:~$ mongo --host 10.154.10.100 --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username user1@KER.COM --gssapiHostName mon.ker.com

and it works.

but when I try to write a program with the mongo c driver (V 1.7.0), I found there's no parameter corresponding to "gssapiHostName".

so my problem is:
how could I specify the "gssapiHostName" in the following connection string?
auto client = mongocxx::client{
    mongocxx::uri{ "mongodb://user1%40KER.COM:123@10.154.10.100/?authMechanism=GSSAPI" }
};



Comments
Comment by A. Jesse Jiryu Davis [ 19/Mar/18 ]

CDRIVER-2537 is now complete: CANONICALIZE_HOST_NAME will work on Windows once C Driver 1.10 is released. However, we are not going to do the feature described in this ticket: we will not provide an equivalent to the MongoDB shell's "--gssapiHostName" option. Our Product Management team has decided this is not a valuable feature for drivers right now.

Comment by winnie_quest [ 09/Mar/18 ]

thanks Jesse.

Comment by A. Jesse Jiryu Davis [ 08/Mar/18 ]

Waiting for Product Management to consider this feature request for all drivers.

Comment by A. Jesse Jiryu Davis [ 08/Mar/18 ]

Hi Winnie, please accept my apologies for not realizing this earlier. You're correct, CANONICALIZE_HOST_NAME requires Cyrus SASL, and you're correct that compiling with Cyrus SASL on Windows is difficult. We should implement the feature for Windows's default Kerberos provider, SSPI, so that CANONICALIZE_HOST_NAME is available for you on Windows easily. I've opened CDRIVER-2537 to track the new feature.

Comment by winnie_quest [ 08/Mar/18 ]

ok, thanks, got it.
and if I want to use "CANONICALIZE_HOST_NAME", I must compile with "-DENABLE_SASL=CYRUS", correct?
it seems it's not easy for windows to do so.

Comment by A. Jesse Jiryu Davis [ 08/Mar/18 ]

Hi Winnie. Drivers do not implement the mongo shell's "--gssapiHostName" option. In order to authenticate with Kerberos using a driver, you have two options:

1. Use the same hostname in the URI as the GSSAPI hostname.
2. The result of a reverse DNS lookup of the hostname in the URI must equal the GSSAPI hostname, and you must specify hostname canonicalization in the URI, like this:

mongodb://username@1.2.3.4/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true
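As an added illustration of the two options above (not code from the C driver or the C++ driver), this stand-alone script works out which hostname the GSSAPI service principal will be built from for a given connection string: the URI host as written, or, when CANONICALIZE_HOST_NAME:true is set, the result of a reverse DNS lookup. The resolver is injectable so the check can be run against a constructed PTR table; the hostnames and the SERVICE_NAME default of "mongodb" are assumptions for the example.

```python
import socket
from urllib.parse import parse_qs, urlparse


def parse_mechanism_properties(query):
    """Turn 'CANONICALIZE_HOST_NAME:true,SERVICE_NAME:mongodb' into a dict."""
    props = {}
    raw = query.get("authMechanismProperties", [""])[0]
    for item in raw.split(","):
        if ":" in item:
            key, value = item.split(":", 1)
            props[key.strip().upper()] = value.strip()
    return props


def gssapi_target_host(uri, reverse_lookup=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Return (hostname, service principal) a GSSAPI client would target.

    Without canonicalization the URI host is used verbatim (option 1 above);
    with CANONICALIZE_HOST_NAME:true the host is replaced by the name that
    a reverse lookup returns (option 2 above).
    """
    parsed = urlparse(uri)
    query = parse_qs(parsed.query)
    if query.get("authMechanism", [""])[0] != "GSSAPI":
        raise ValueError("connection string does not use authMechanism=GSSAPI")
    props = parse_mechanism_properties(query)
    host = parsed.hostname
    if props.get("CANONICALIZE_HOST_NAME", "false").lower() == "true":
        host = reverse_lookup(host)
    service = props.get("SERVICE_NAME", "mongodb")  # assumed default
    return host, f"{service}@{host}"


def matches_kerberos_host(uri, kerberos_fqdn, reverse_lookup):
    """True if the principal host equals the FQDN registered in Kerberos."""
    host, _ = gssapi_target_host(uri, reverse_lookup)
    return host.lower() == kerberos_fqdn.lower()


# Constructed PTR table standing in for real reverse DNS (offline demo).
FAKE_PTR = {"10.154.10.100": "mon.ker.com", "10.154.10.101": "mon.lab.internal"}


def fake_reverse_lookup(ip):
    return FAKE_PTR[ip]


if __name__ == "__main__":
    base = "mongodb://user1%40KER.COM@10.154.10.100/?authMechanism=GSSAPI"
    print(gssapi_target_host(base, fake_reverse_lookup))
    print(gssapi_target_host(base + "&authMechanismProperties=CANONICALIZE_HOST_NAME:true",
                             fake_reverse_lookup))
```

Running it against real DNS (the default resolver) shows whether the PTR record for the server's IP actually yields the Kerberos FQDN, which is the condition option 2 depends on.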

Comment by winnie_quest [ 08/Mar/18 ]

any update?

Comment by winnie_quest [ 05/Mar/18 ]

another question is:
CANONICALIZE_HOST_NAME is to reverse-lookup the IP address, and find the corresponding host name, am I correct?

If so, for the case "If you are connecting to a system whose hostname does not match the Kerberos name", the hostname is not the same as the Kerberos name, and I still have the question: where to specify the Kerberos name?

Comment by winnie_quest [ 05/Mar/18 ]

hi, my program is working on windows 7 as a connector which connects to the MONGODB server using the mongo cxx driver; my mongodb server is on ubuntu.
mongo c driver (windows) is compiled with:
cmake -G "Visual Studio 14 2015 Win64" "-DENABLE_SSL=OPENSSL" "-DENABLE_SASL=SSPI" "-DCMAKE_INSTALL_PREFIX=C:\mongo-c-driver" "-DCMAKE_PREFIX_PATH=C:\mongo-c-driver" "-DCMAKE_BUILD_TYPE=Release"

currently, in my test environment, my hostname and Kerberos name are the same.

with mongo shell on ubuntu, all three cases work:
use FQDN: mongo --host mon.ker.com --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username user1@KER.COM
use ip: mongo --host 10.154.10.100 --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username user1@KER.COM --gssapiHostName mon.ker.com
use FQDN: mongo --host mon.ker.com --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username user1@KER.COM --gssapiHostName mon.ker.com

so I think as long as the gssapiHostName is specified, the user should be able to connect to the mongodb server with both ip and FQDN.

according to your suggestion, I tried "authMechanismProperties=CANONICALIZE_HOST_NAME:true", but it doesn't work; I can't connect to the server with this parameter.

now my question is, is it possible for the user to connect to the server using both IP and FQDN with the mongo cxx driver (WINDOWS)?

Comment by A. Jesse Jiryu Davis [ 02/Mar/18 ]

Does "CANONICALIZE_HOST_NAME" meet your need?

http://mongoc.org/libmongoc/current/authentication.html#gssapi-kerberos-authentication

If you connect like:

mongodb://user1%40KER.COM:123@10.154.10.100/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true

... then the driver will attempt to reverse-lookup the IP address.

What OS are you using?

Generated at Wed Feb 07 21:15:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.