[SERVER-25082] It should not be required to specify user/subject when authenticating with x509

Created: 15/Jul/16
Updated: 28/Sep/16
Resolved: 17/Aug/16

Status: Closed
Project: Core Server
Component/s: Security, Shell
Affects Version/s: 3.2.7
Fix Version/s: 3.3.12

Type: Improvement
Priority: Minor - P4
Reporter: Dmitry Ryabtsev
Assignee: Kinh Hoang
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-8909 It should not be required to specify ... Closed
Related
is related to SERVER-10322 The mongo shell should require a user... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 19 (08/29/16)
Participants:

 Description   

At present with x509 enabled it is required that a user has to explicitly authenticate by specifying the subject:

db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509",
    user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry"
  }
)

That feels redundant and inconvenient as the user must have already supplied the certificate in order to connect to the server.

I could understand the necessity of doing this if there was a way to supply a certificate for authentication different from the certificate used for connection, but it does not seem to be possible (please correct me if I am wrong).

With x509 it would be nice to have a way to authenticate implicitly (given the user is already connected) or at least without specifying the subject.

For example, we could authenticate the user automatically whenever mongo shell is started with "--authenticationMechanism MONGODB-X509" and with "--sslPEMKeyFile", e.g.:

mongo --ssl --host server.com --sslPEMKeyFile client.pem --sslCAFile CA.pem --authenticationDatabase \$external --authenticationMechanism MONGODB-X509



 Comments   
Comment by Githook User [ 17/Aug/16 ]

Author: Hai-Kinh Hoang <haikinh.hoang@mongodb.com>

Message: SERVER-25082 Allow x509 authentication without user/subject field
Branch: master
https://github.com/mongodb/mongo/commit/c267c7ad3573c82e9b463cc6f918e76bb921b292
