[DOCS-8909] It should not be required to specify user/subject when authenticating with x509 Created: 28/Sep/16  Updated: 13/Nov/23  Resolved: 03/Oct/18

Status: Closed
Project: Documentation
Component/s: Server
Affects Version/s: None
Fix Version/s: 3.4.0, 3.6, 4.0.0, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task
Priority: Minor - P4
Reporter: Emily Hall
Assignee: Kay Kim (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-25082 It should not be required to specify ... Closed
Participants:
Days since reply: 5 years, 19 weeks ago

 Description   

At present with x509 enabled it is required that a user has to explicitly authenticate by specifying the subject:

db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509",
    user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry"
  }
)

That feels redundant and inconvenient as the user must have already supplied the certificate in order to connect to the server.

I could understand the necessity of doing this if there was a way to supply a certificate for authentication different from the certificate used for connection, but it does not seem to be possible (please correct me if I am wrong).

With x509 it would be nice to have a way to authenticate implicitly (given the user is already connected) or at least without specifying the subject.

For example, we could authenticate the user automatically whenever mongo shell is started with "--authenticationMechanism MONGODB-X509" and with "--sslPEMKeyFile", e.g.:

mongo --ssl --host server.com --sslPEMKeyFile client.pem --sslCAFile CA.pem --authenticationDatabase \$external --authenticationMechanism MONGODB-X509



 Comments   
Comment by Githook User [ 03/Oct/18 ]

Author:

{'name': 'kay', 'email': 'kay.kim@10gen.com', 'username': 'kay-kim'}

Message: DOCS-8909: remove user in db.auth() example
Branch: v3.4
https://github.com/mongodb/docs/commit/66fea327d701c9e306e2bb4deddf7fc945d3de2a

Comment by Githook User [ 03/Oct/18 ]

Author:

{'name': 'kay', 'email': 'kay.kim@10gen.com', 'username': 'kay-kim'}

Message: DOCS-8909: remove user in db.auth() example
Branch: master
https://github.com/mongodb/docs/commit/ec35317095fc600ebfdf66d735906c65e5e651f7

Comment by Githook User [ 03/Oct/18 ]

Author:

{'name': 'kay', 'email': 'kay.kim@10gen.com', 'username': 'kay-kim'}

Message: DOCS-8909: remove user in db.auth() example
Branch: v3.6
https://github.com/mongodb/docs/commit/300dad9fe55651529fc961cd29850fa8687b97a2

Comment by Githook User [ 03/Oct/18 ]

Author:

{'name': 'kay', 'email': 'kay.kim@10gen.com', 'username': 'kay-kim'}

Message: DOCS-8909: x509 auth from command line
Branch: v3.4
https://github.com/mongodb/docs/commit/0ef2367a683321e83cd784728f41dc36ba06229f

Comment by Githook User [ 03/Oct/18 ]

Author:

{'name': 'kay', 'email': 'kay.kim@10gen.com', 'username': 'kay-kim'}

Message: DOCS-8909: x509 auth from command line
Branch: v3.6
https://github.com/mongodb/docs/commit/6e224abe9df9fcc2636c45ae1756d2102226e1a9

Comment by Githook User [ 03/Oct/18 ]

Author:

{'name': 'kay', 'email': 'kay.kim@10gen.com', 'username': 'kay-kim'}

Message: DOCS-8909: x509 auth from command line
Branch: master
https://github.com/mongodb/docs/commit/21a7f857865d22ae1e6984512782e9e5212d1f64
