User authentication with the wire listener
When connecting to the wire listener, you can authenticate users directly with the database server or through the wire listener with MongoDB SCRAM-SHA-1 authentication.
You can use the following types of authentication methods with the wire listener:
- SCRAM-SHA-1 two-step authentication
- The wire listener authenticates users with the SCRAM-SHA-1 authentication method outside of the database server environment. You create users with the MongoDB API create user commands. User information and privileges are stored in the system.users collection in the admin database. Clients connect to the wire listener as MongoDB users and the wire listener authenticates the users. The wire listener connects to the database server as the user that is specified by the url parameter in the wire listener configuration file. The database server cannot access MongoDB user account information.
- Database server authentication with a user and password
-
The wire listener connects to the database server using the user and password that is provided by clients and the database server authenticates the user. The database server controls all user accounts and privileges. You can audit user activities and configure fine-grained access control.Important: You can use database server user password authentication only with the REST API and MQTT protocol.
- Database server authentication with a PAM (UNIX, Linux)
- The PAM implements the MONGODB-CR challenge-response method. The wire listener connects to the database server using the user and password that is provided by clients and the database server authenticates the user through PAM. The database server controls all user accounts and privileges. You can audit user activities and configure fine-grained access control.
Which type of authentication that you can use depends on the type of client and the mongo.api.version specified in your wire listener configuration file.
MongoDB clients
Authentication type | Supported | Details |
---|---|---|
SCRAM-SHA-1 | Yes | Follow the instructions for configuring MongoDB authentication. |
HCL OneDB™ user password | No | Database server authentication with a user and password is not supported for MongoDB clients because of the way MongoDB drivers hash the password. |
PAM (MONGODB-CR) | Yes | Follow the instructions for configuring database server authentication with PAM. |
REST API clients
Authentication type | Supported | Details |
---|---|---|
SCRAM-SHA-1 | No | SCRAM is not supported through REST. |
HCL OneDB user password | Yes | Set db.authentication=onedb-password in your listener properties file. HTTP clients authenticate using the HTTP basic authentication method. |
PAM (MONGODB-CR) | Yes | Follow the instructions for configuring database server authentication with PAM. HTTP clients authenticate using the HTTP basic authentication method. |
MQTT clients
Authentication type | Supported | Details |
---|---|---|
SCRAM-SHA-1 | No | SCRAM is not supported through MQTT. |
OneDB user password | Yes | Set db.authentication=onedb-password in your listener properties file. The MQTT CONNECT packet must include the database name as a prefix of the user name, in the following format: "database_name.user_name". |
PAM (MONGODB-CR) | Yes | Follow the instructions for
configuring database server authentication with PAM. The MQTT
CONNECT packet must include the database name as a prefix of the
user name, in the following format:
"database_name.user_name" . |