- Type: Improvement
- Resolution: Done
- Priority: Major - P3
- Component/s: None
- Environment: MongoDB 2.4.1

It is desirable for the drivers to support the use of an alternative Service Name. This is frequently a requirement of role segregation as mandated by regulations such as Sarbanes-Oxley.
Kerberos has the notion of a Service Principal Name, or SPN. The SPN consists of a Service Name and a fully qualified domain name (FQDN). So, an example SPN is mongodb/localhost:8920. In this example, the FQDN is localhost:8920 and the Service Name is mongodb.
The need identified in this ticket is to support an alternative Service Name. In the above example, for instance, it would be to change "mongodb" to "fluffy".
The Drivers Authentication spec details this here: https://wiki.10gen.com/display/10GEN/Driver+Authentication.
The two places you'll need to make changes are:
- In section 5.1 where we need a map for additional mechanism parameters.
  - In particular, the additional mechanism parameter necessary would be for the service name.
- In section 6.1 where we need a way to provide the service on the connection string. It will take the form of "gssapiServiceName" with the value being the service name to use.
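
As an added illustration (not code from the spec or from any driver), the sketch below shows how a driver could turn the proposed gssapiServiceName connection-string option into a mechanism parameter and into the SPN form used above, one SPN per seed host. The function name gssapi_spns, the serviceName map key, the case-insensitive option lookup and the allowed-character rule are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

DEFAULT_SERVICE_NAME = "mongodb"  # service name in the ticket's example SPN

# Assumption: allow only a conservative character set, so a configured value
# cannot contain "/" or "@" and thereby alter the host part of the SPN.
_SERVICE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def gssapi_spns(uri):
    """Parse a mongodb:// URI (hypothetical helper) and return the GSSAPI
    mechanism parameters plus one SPN per seed host."""
    parts = urlsplit(uri)
    if parts.scheme != "mongodb":
        raise ValueError("expected a mongodb:// URI")

    # Collect options; keys are compared case-insensitively here (assumption)
    # and a repeated option is rejected rather than silently resolved.
    opts = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in opts or len(values) != 1:
            raise ValueError(f"option {key!r} given more than once")
        opts[key.lower()] = values[0]

    if opts.get("authmechanism") != "GSSAPI":
        raise ValueError("gssapiServiceName only applies to authMechanism=GSSAPI")

    # parse_qs has already percent-decoded the value, so validation sees the
    # same string that would be handed to the Kerberos library.
    service = opts.get("gssapiservicename", DEFAULT_SERVICE_NAME)
    if not _SERVICE_NAME_RE.fullmatch(service):
        raise ValueError(f"invalid gssapiServiceName: {service!r}")

    # Drop any "user@" prefix, then split the comma-separated seed list.
    hosts = parts.netloc.rpartition("@")[2].split(",")
    return {
        "mechanism": "GSSAPI",
        "params": {"serviceName": service},  # hypothetical map key
        "spns": [f"{service}/{host}" for host in hosts],
    }


if __name__ == "__main__":
    # Constructed sample URI using the ticket's host and alternative name.
    print(gssapi_spns("mongodb://user%40EXAMPLE.COM@localhost:8920/"
                      "?authMechanism=GSSAPI&gssapiServiceName=fluffy"))
```
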

depends on:
- NODE-45 Ability to use different SPN on the driver for Kerberos Authentication (Closed)
- JAVA-845 Ability to use different SPN on the driver for Kerberos Authentication (Closed)
- RUBY-530 Implement GSSAPI (Kerberos) Authentication Support (Closed)
- PYTHON-524 Support configurable service name for kerberos (Closed)
- CDRIVER-220 Ability to use different SPN on the driver for Kerberos Authentication (Closed)
- CSHARP-749 Ability to use different ServiceName on the driver for Kerberos Authentication (Closed)
- SERVER-8479 Let system administrator specify the GSSAPI service and host name reported by mongo servers. (Closed)