Drivers / DRIVERS-1889

Ability to use different Service Name on the driver for Kerberos Authentication

    • Type: Improvement
    • Resolution: Done
    • Priority: Major - P3
    • Component/s: None
    • Environment:
      MongoDB 2.4.1

      It is desirable for the drivers to support the capability to use an alternative Service Name. This is frequently a requirement of role segregation as mandated by regulations such as Sarbanes-Oxley.

      Kerberos has the notion of a Service Principal Name, or SPN. The SPN consists of a Service Name and a fully qualified domain name (FQDN). So, an example SPN is mongodb/localhost:8920. In this example, the FQDN is localhost:8920 and the Service Name is mongodb.

      The need identified in this ticket is to support an alternative Service Name. In the above example, for instance, it would be to change "mongodb" to "fluffy".

      The Drivers Authentication spec details this here: https://wiki.10gen.com/display/10GEN/Driver+Authentication.

      The two places you'll need to make changes are:

      1. In section 5.1, where we need a map for additional mechanism parameters.
        • In particular, the additional mechanism parameter necessary would be for the service name.
      2. In section 6.1, where we need a way to provide the service on the connection string. It will take the form of "gssapiServiceName", with the value being the service name to use.
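
An added example (not from the ticket or from any driver's code) of how a client could derive the SPN for each seed host from a connection string carrying `gssapiServiceName`. The function name `gssapi_spns`, the `mongodb` default, the case-insensitive option matching and the validation rules are assumptions; the `service/host:port` form follows the ticket's own example SPN.

```python
from urllib.parse import parse_qs

DEFAULT_SERVICE_NAME = "mongodb"  # assumed default when the option is absent


def gssapi_spns(uri):
    """Return the SPN (service/host) a client would request for each seed host."""
    scheme = "mongodb://"
    if not uri.startswith(scheme):
        raise ValueError("not a mongodb:// connection string")
    rest, _, query = uri[len(scheme):].partition("?")
    authority = rest.partition("/")[0]
    # Credentials, if present, precede the last '@'; a Kerberos user name such
    # as user@REALM must be percent-encoded (user%40REALM) in the URI.
    hosts = authority.rpartition("@")[2]
    # parse_qs percent-decodes values; option names are lower-cased (assumption).
    opts = {k.lower(): v[-1]
            for k, v in parse_qs(query, keep_blank_values=True).items()}

    mechanism = opts.get("authmechanism", "")
    service = opts.get("gssapiservicename")
    if service is not None and mechanism.upper() != "GSSAPI":
        # A service name only applies to Kerberos; flag the misconfiguration
        # instead of silently ignoring it.
        raise ValueError("gssapiServiceName requires authMechanism=GSSAPI")
    if service is None:
        service = DEFAULT_SERVICE_NAME
    # '/', '@' or whitespace in the service name would change the structure of
    # the SPN, so the ticket requested for a different principal is rejected.
    if not service or any(c in service for c in "/@ \t"):
        raise ValueError("invalid service name: %r" % service)
    # Host and port are kept as written, matching the ticket's example form.
    return ["%s/%s" % (service, h) for h in hosts.split(",") if h]


if __name__ == "__main__":
    # Constructed sample connection string, using the ticket's "fluffy" example.
    sample = ("mongodb://user%40EXAMPLE.COM@localhost:8920/"
              "?authMechanism=GSSAPI&gssapiServiceName=fluffy")
    print(gssapi_spns(sample))
```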

            Assignee: Unassigned
            Reporter: Barrie Segal
            Votes: 0
            Watchers: 4
