Enterprise Authentication Mechanisms

In this guide, you can find sample code for connecting to MongoDB with each authentication mechanism available in the MongoDB Enterprise Edition: Kerberos (GSSAPI/SSPI) and LDAP (PLAIN).

Note

The Node.js driver supports Kerberos on UNIX using the MIT Kerberos library and on Windows using the SSPI API.

The GSSAPI authentication mechanism uses your user principal to authenticate to a Kerberos service.

You can specify this authentication mechanism by setting the following parameters of the connection string:

  • Set the authMechanism parameter to GSSAPI.
  • Set the SERVICE_NAME value in the authMechanismProperties parameter if using a value other than mongodb.
  • Specify a SERVICE_REALM value in the authMechanismProperties parameter if a custom service realm is required.
Important

The gssapiServiceName parameter is deprecated and may be removed in future versions of the driver. Use authMechanismProperties=SERVICE_NAME:<your service name> in the connection URI instead. See the authMechanismProperties parameter documentation for more information.

The following code sample authenticates to Kerberos for UNIX using GSSAPI.

Important

Always URI encode the principal using the encodeURIComponent method to ensure it is correctly parsed.

const { MongoClient } = require("mongodb");

// Specify the placeholder values for your environment in the following lines
const clusterUrl = "<MongoDB cluster URL>";
const principal = encodeURIComponent("<Kerberos principal and realm>");
const serviceRealm = "<Kerberos service realm>";
const authMechanismProperties = `SERVICE_REALM:${serviceRealm}`;
const authMechanism = "GSSAPI";

// Connection URI
const uri = `mongodb+srv://${principal}@${clusterUrl}/?authMechanism=${authMechanism}&authMechanismProperties=${authMechanismProperties}`;

const client = new MongoClient(uri);

// Function to connect to the server
async function run() {
  try {
    // Connect the client to the server
    await client.connect();

    // Establish and verify connection
    await client.db("admin").command({ ping: 1 });
    console.log("Connected successfully to server");
  } finally {
    // Ensures that the client will close when you finish/error
    await client.close();
  }
}
run().catch(console.dir);

Note

The method refers to the GSSAPI authentication mechanism instead of Kerberos because the driver authenticates via the GSSAPI RFC-4652 SASL mechanism.

The PLAIN authentication mechanism uses your username and password to authenticate to a Lightweight Directory Access Protocol (LDAP) server.

You can specify this authentication mechanism by setting the authMechanism parameter to PLAIN and including your LDAP username and password in the connection string as shown in the following sample code.

const { MongoClient } = require("mongodb");

// Specify the placeholder values for your environment in the following lines.
// URI encode the credentials so that reserved characters such as "@", ":" and "/"
// are parsed correctly.
const clusterUrl = "<MongoDB cluster URL>";
const ldapUsername = encodeURIComponent("<LDAP username>");
const ldapPassword = encodeURIComponent("<LDAP password>");
const authMechanism = "PLAIN";

// Connection URI
const uri = `mongodb+srv://${ldapUsername}:${ldapPassword}@${clusterUrl}/?authMechanism=${authMechanism}`;

const client = new MongoClient(uri);

// Function to connect to the server
async function run() {
  try {
    // Connect the client to the server
    await client.connect();

    // Establish and verify connection
    await client.db("admin").command({ ping: 1 });
    console.log("Connected successfully to server");
  } finally {
    // Ensures that the client will close when you finish/error
    await client.close();
  }
}
run().catch(console.dir);

Note

The authentication mechanism is named PLAIN instead of LDAP since it authenticates using the PLAIN Simple Authentication and Security Layer (SASL) defined in RFC-4616.
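
The following added example is not part of the original guide or the driver. It builds the connection URI for either mechanism described above, with the principal or LDAP credentials URI encoded, and refuses PLAIN without TLS because PLAIN sends the password itself. The helper names buildAuthUri and readUserInfo, the allow-list for service name and realm, and the sample hosts and accounts are assumptions made for illustration.

```javascript
// Added example with hypothetical helper names; this is not the driver's API.
const SAFE_PROP = /^[A-Za-z0-9._-]+$/; // assumed allow-list for service name and realm

function buildAuthUri({ mechanism, host, username, password, serviceName, serviceRealm, srv = true, tls }) {
  if (!["GSSAPI", "PLAIN"].includes(mechanism)) {
    throw new Error(`unsupported mechanism: ${mechanism}`);
  }
  const params = [`authMechanism=${mechanism}`];
  let userInfo = encodeURIComponent(username); // "@" in a principal becomes %40

  if (mechanism === "PLAIN") {
    // PLAIN carries the LDAP password itself, so insist on an encrypted transport:
    // mongodb+srv turns TLS on by default, mongodb:// needs an explicit tls=true.
    const encrypted = srv ? tls !== false : tls === true;
    if (!encrypted) throw new Error("PLAIN requires TLS");
    userInfo += `:${encodeURIComponent(password)}`;
  } else {
    const props = [];
    if (serviceName) props.push(["SERVICE_NAME", serviceName]);
    if (serviceRealm) props.push(["SERVICE_REALM", serviceRealm]);
    for (const [key, value] of props) {
      if (!SAFE_PROP.test(value)) throw new Error(`invalid ${key}`);
    }
    if (props.length > 0) {
      params.push(`authMechanismProperties=${props.map((p) => p.join(":")).join(",")}`);
    }
  }
  if (tls !== undefined) params.push(`tls=${tls}`);
  const scheme = srv ? "mongodb+srv" : "mongodb";
  return `${scheme}://${userInfo}@${host}/?${params.join("&")}`;
}

// Minimal reader that ends the user information at the first "@" and the username
// at the first ":", to show what an unencoded principal or password would lose.
function readUserInfo(uri) {
  const authority = uri.slice(uri.indexOf("://") + 3).split("/")[0];
  const [user, pass] = authority.slice(0, authority.indexOf("@")).split(":");
  return {
    username: decodeURIComponent(user),
    password: pass === undefined ? undefined : decodeURIComponent(pass),
  };
}

// Constructed sample values, not real accounts or hosts.
const sample = buildAuthUri({
  mechanism: "GSSAPI", host: "cluster0.example.net",
  username: "alice@EXAMPLE.COM", serviceRealm: "EXAMPLE.COM",
});
console.log(sample, readUserInfo(sample));
```

Pass the returned string to new MongoClient(uri) as in the samples above. Reading an unencoded principal such as alice@EXAMPLE.COM back with readUserInfo yields only alice, which is the parsing failure the encoding step prevents.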