Using Kerberos

You can configure the connector to use the Kerberos protocol to authenticate the connection.

Kerberos must be installed and configured before you can use this authentication mechanism. For information about how to install and configure Kerberos, see the MIT Kerberos Documentation: http://web.mit.edu/kerberos/krb5-latest/doc/.

You provide the configuration information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure Kerberos authentication:

  1. Connect to the server using a connection URL written in the following format:

    2. jdbc:mongodb://[Principal]@[Host]:[Port]/
    [Database]?AuthMechanism=GSSAPI

    The variables are defined as follows:

    • [Principal] is your Kerberos user principal. The at sign (@) that separates the Kerberos realm from the rest of the principal must be typed as an encoded character (%40).
    • [Host] is the DNS or IP address of the server.
    • [Port] is the number of the TCP port to connect to. Specifying the port number is optional if you are connecting to port 27017.
    • [Database] is the name of the database.
    Important:

    Important:

    If the user principal contains reserved characters, those characters must be encoded using URL encoding (percent encoding). For example, the principal ch@ng would be encoded in the connection URL as ch%40ng.

    For example:

    jdbc:mongodb://jsmith%40simba.com@192.168.1.1:
    47017/TeamRoster?AuthMechanism=GSSAPI

  2. Optionally, set the gssapiServiceName property to the Kerberos service principal of the server.

    3. For example:

    jdbc:mongodb://jsmith%40simba.com@192.168.1.1:
    47017/TeamRoster?AuthMechanism=GSSAPI
    &gssapiServiceName=mongodb

Related topics