Kerberos authentication

MongoDB Enterprise Edition also offers Kerberos authentication. Kerberos is named after Kerberos (or Cerberus), the ferocious three-headed guard dog of Hades, god of the underworld in Greek mythology. The protocol focuses on mutual authentication between client and server, protecting against eavesdropping and replay attacks.

Kerberos is widely used in Windows systems through integration with Microsoft's Active Directory. To set up Kerberos authentication, we first start mongod without Kerberos enabled, then connect to the $external database (not the admin database that we normally use for admin authorization), and create a user for the Kerberos principal, with its roles and permissions:

use $external
db.createUser(
  {
    user: "[email protected]",
    roles: [ { role: "read", db: "mongo_book" } ]
  }
)

In the preceding example, we authorize the [email protected] user to read our mongo_book database, just as we would for a user defined through the admin database.

After that, we need to start our server with Kerberos support by passing in the authenticationMechanisms parameter, as follows:

--setParameter authenticationMechanisms=GSSAPI

Now we can connect from our server or command line, as follows:

$ mongo.exe --host <mongoserver> --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username [email protected]
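
A driver makes the same connection with a connection string rather than command-line flags. The following is an added example, not code from the book: it builds a GSSAPI connection URI and checks existing ones for common mistakes. The principal reader@EXAMPLE.COM and host db1.example.com are constructed placeholders, and treating an embedded password as a finding is an assumed policy.

```javascript
// Added example. Principal and host names used with these functions are
// constructed placeholders, not values from the book.

// Driver-side equivalent of the mongo.exe flags shown above.
function buildKerberosUri(principal, host, port = 27017) {
  if (!/^[^@\s]+@[^@\s]+$/.test(principal)) {
    throw new Error("principal must have the form user@REALM");
  }
  // "@" separates credentials from the host in a URI, so the one inside
  // the principal has to be percent-encoded (%40).
  const user = encodeURIComponent(principal);
  return `mongodb://${user}@${host}:${port}/` +
         "?authMechanism=GSSAPI&authSource=$external";
}

// Return a list of problems found in a connection string (empty = OK).
function checkKerberosUri(uri) {
  const m = /^mongodb(?:\+srv)?:\/\/(?:([^@\/]*)@)?([^\/?]+)\/?([^?]*)(?:\?(.*))?$/.exec(uri);
  if (!m) return ["not a MongoDB connection string"];
  const [, userinfo = "", hosts, , query = ""] = m;
  const params = new URLSearchParams(query);
  const problems = [];
  if (hosts.includes("@")) {
    // A raw "@" in the principal shifts part of it into the host list.
    problems.push("unencoded @ in principal");
  } else if (!decodeURIComponent(userinfo.split(":")[0]).includes("@")) {
    problems.push("username is not a user@REALM principal");
  }
  if (userinfo.includes(":")) {
    // Assumed policy: rely on the Kerberos ticket, keep secrets out of URIs.
    problems.push("password embedded in URI");
  }
  if (params.get("authMechanism") !== "GSSAPI") {
    problems.push("authMechanism is not GSSAPI");
  }
  // Checked only when present: Kerberos users live in $external.
  const src = params.get("authSource");
  if (src !== null && src !== "$external") {
    problems.push("authSource must be $external");
  }
  return problems;
}

// Constructed sample: a URI for the placeholder principal and host.
const sampleUri = buildKerberosUri("reader@EXAMPLE.COM", "db1.example.com");
```
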