[DRIVERS-1889] Ability to use different Service Name on the driver for Kerberos Authentication Created: 25/Mar/13  Updated: 23/May/22  Resolved: 23/May/22

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Barrie Segal Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB 2.4.1


Issue Links:
Depends
depends on NODE-45 Ability to use different SPN on the d... Closed
depends on JAVA-845 Ability to use different SPN on the d... Closed
depends on RUBY-530 Implement GSSAPI (Kerberos) Authentic... Closed
depends on PYTHON-524 Support configurable service name for... Closed
depends on CDRIVER-220 Ability to use different SPN on the d... Closed
depends on CSHARP-749 Ability to use different ServiceName ... Closed
depends on SERVER-8479 Let system administrator specify the ... Closed
is depended on by DOCS-1272 Remove saslServiceName from documenta... Closed
Related
related to DOCS-2911 Missing Connection URI options Closed
Server Compat: 2.4
Driver Compliance:
Key Status/Resolution FixVersion
NODE-45 Done
PYTHON-524 Done 2.6
PERL-236 Done 0.702.1
PHP-845 Done 1.5.0, 1.5.0alpha1
CSHARP-749 Done 1.9
JAVA-845 Done 2.12.0, 3.0.0
CDRIVER-220 Done 0.92.0
RUBY-530 Done 1.10.0, 1.11.0

 Description   

It is desirable for the drivers to support the capability to use an alternative Service Name. This is frequently a requirement of role segregation as mandated by regulations such as Sarbanes-Oxley.

Kerberos has the notion of a Service Principal Name, or SPN. The SPN consists of a Service Name and a fully qualified domain name (FQDN). So, an example SPN is mongodb/localhost:8920. In this example, the FQDN is localhost:8920 and the Service Name is mongodb.

The need identified in this ticket is to support an alternative Service Name. In the above example, for instance, it would be to change "mongodb" to "fluffy".

The Drivers Authentication spec covers this in detail here: https://wiki.10gen.com/display/10GEN/Driver+Authentication.

The two places you'll need to make changes are:

  1. In section 5.1, where we need a map for additional mechanism parameters.
    • In particular, the additional mechanism parameter necessary would be for the service name.
  2. In section 6.1, where we need a way to provide the service name on the connection string. It will take the form of "gssapiServiceName", with the value being the service name to use.
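
As an added illustration (not part of the ticket and not any driver's actual code), the sketch below reads "gssapiServiceName" from a connection string, places it in a mechanism-parameter map, and writes the resulting SPN for each host in the ticket's `<service name>/<host>` form. The function name, the `SERVICE_NAME` map key, the allow-list for the name, and the rule that the option is rejected without `authMechanism=GSSAPI` are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

DEFAULT_SERVICE_NAME = "mongodb"  # service name used in the ticket's example SPN
# Assumption of this example: a conservative allow-list for the service name.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def gssapi_spns(uri):
    """Return (mechanism_parameters, [SPN per host]) for a mongodb:// URI."""
    parts = urlsplit(uri)
    if parts.scheme != "mongodb":
        raise ValueError("expected a mongodb:// URI")
    # Option names are matched case-insensitively; the last occurrence wins.
    # keep_blank_values=True so an empty name is rejected, not silently defaulted.
    query = parse_qs(parts.query, keep_blank_values=True)
    opts = {k.lower(): v[-1] for k, v in query.items()}
    if opts.get("authmechanism") != "GSSAPI":
        if "gssapiservicename" in opts:
            raise ValueError("gssapiServiceName requires authMechanism=GSSAPI")
        return {}, []
    service = opts.get("gssapiservicename", DEFAULT_SERVICE_NAME)
    # parse_qs has already percent-decoded the value, so an encoded '/' or '@'
    # (which would change the shape of the principal) is caught here.
    if not _SAFE_NAME.match(service):
        raise ValueError("invalid service name: %r" % service)
    # Drop the user-info part, then split the comma-separated host list.
    hostlist = parts.netloc.rpartition("@")[2]
    hosts = [h for h in hostlist.split(",") if h]
    params = {"SERVICE_NAME": service}  # hypothetical key for the parameter map
    # SPN written as in the ticket: <service name>/<host as given in the URI>.
    return params, ["%s/%s" % (service, h) for h in hosts]


if __name__ == "__main__":
    # Constructed sample URI; host names and user are placeholders.
    sample = ("mongodb://user%40EXAMPLE.COM@db1.example.com:27017,"
              "db2.example.com:27017/?authMechanism=GSSAPI"
              "&gssapiServiceName=fluffy")
    print(gssapi_spns(sample))
```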
