User authentication with the wire listener
When connecting to the wire listener, you can authenticate users directly with the database server or through the wire listener with MongoDB SCRAM-SHA-256 authentication.
You can use the following types of authentication methods with the wire listener:
- SCRAM-SHA-256 two-step authentication
- The wire listener authenticates users with the MongoDB SCRAM-SHA-256 authentication method outside of the HCL OneDB™ database server environment. You create users with the MongoDB API create user commands. User information and privileges are stored in the system.users collection in the admin database. Clients connect to the wire listener as MongoDB users and the wire listener authenticates the users. The wire listener connects to the database server as the user that is specified by the url parameter in the wire listener configuration file. The database server cannot access MongoDB user account information.
- Database server authentication with a PAM (UNIX, Linux)
- The PAM implements the MONGODB-CR challenge-response method. The wire listener connects to the database server using the user and password that is provided by clients and the database server authenticates the user through PAM. The database server controls all user accounts and privileges. You can audit user activities and configure fine-grained access control.
Which type of authentication that you can use depends on the type of client and the mongo.api.version specified in your wire listener configuration file.
MongoDB clients
| Authentication type | Supported | Details |
|---|---|---|
| SCRAM-SHA-256 | Yes | Follow the instructions for configuring MongoDB authentication. |
| HCL OneDB user password | No | Database server authentication with a user and password is not supported for MongoDB clients because of the way MongoDB drivers hash the password. |
| PAM (MONGODB-CR) | Yes | Follow the instructions for configuring database server authentication with PAM. |