At present, with x509 enabled, a user is required to explicitly authenticate by specifying the subject:
db.getSiblingDB("$external").auth( { mechanism: "MONGODB-X509", user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry" } )
That feels redundant and inconvenient as the user must have already supplied the certificate in order to connect to the server.
I could understand the necessity of doing this if there was a way to supply a certificate for authentication different from the certificate used for connection, but it does not seem to be possible (please correct me if I am wrong).
With x509 it would be nice to have a way to authenticate implicitly (given the user is already connected) or at least without specifying the subject.
For example, we could authenticate the user automatically whenever the mongo shell is started with "--authenticationMechanism MONGODB-X509" and with "--sslPEMKeyFile", e.g.:
mongo --ssl --host server.com --sslPEMKeyFile client.pem --sslCAFile CA.pem --authenticationDatabase \$external --authenticationMechanism MONGODB-X509
- is related to: SERVER-10322 The mongo shell should require a username when using MONGODB-X509 for authentication. (Closed)
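Added example (not part of the original ticket and not MongoDB's own code): the subject that the explicit auth() call in the ticket needs can be read from the same PEM file used to connect, rather than typed by hand. The helper names x509_subject, x509_auth_js and make_sample_cert are hypothetical, and the sample certificate is a constructed, throwaway self-signed one.

```shell
#!/bin/sh
# Added example: derive the MONGODB-X509 user name from the client certificate.

# Print the certificate subject in RFC 2253 form (most specific RDN first),
# the same layout as the user string in the ticket's auth() call.
x509_subject() {
    # $1: PEM file containing the client certificate
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//'
}

# Print the explicit auth() statement for that certificate.
x509_auth_js() {
    # Escape backslashes and double quotes so the subject stays a valid
    # JavaScript string literal (RFC 2253 output may contain both).
    subject=$(x509_subject "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    [ -n "$subject" ] || { echo "no subject found in $1" >&2; return 1; }
    printf 'db.getSiblingDB("$external").auth({ mechanism: "MONGODB-X509", user: "%s" })\n' "$subject"
}

# Constructed sample input: a throwaway self-signed certificate, not a real
# identity. C is a two-letter placeholder because countryName is limited to
# two characters.
make_sample_cert() {
    # $1: output PEM path (the private key is written to "$1.key")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=XX/ST=myState/L=myLocality/O=myOrg/OU=myOrgUnit/CN=myName" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: generate the sample certificate and print the matching auth() call.
demo_dir=$(mktemp -d) &&
    make_sample_cert "$demo_dir/client.pem" &&
    x509_auth_js "$demo_dir/client.pem"
rm -rf "$demo_dir"
```

The printed statement only reproduces the subject already embedded in the certificate; the server still verifies the certificate chain during the TLS handshake.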