I'm sorry if these are trivial questions, but I just don't know how to do it really well :D
I'm using the official C# MongoDB driver.
MongoDB is storing the users' passwords in cleartext, right? So I have to take care of secure passwords? What is the best way to do it with C#?
Is this OK (I found something similar in the obsolete AddUser method in the driver source)?
// Pre-digest the password the way the obsolete AddUser did: hex(MD5(<username> + ":mongo:" + <password>)).
// MongoUser.HashPassword is the legacy 1.x driver helper that computes exactly that.
// (SecureString.ToString(), which the first version of this snippet sent, returns the type name, not the password.)
var passwordHash = MongoUser.HashPassword(username, password);
var userCommand = new CommandDocument
{
    { "createUser", username },
    { "pwd", passwordHash },          // already digested on the client ...
    { "digestPassword", false },      // ... so tell the server not to digest it again
    { "customData", new BsonDocument() },
    { "roles", new BsonArray() }
};
var result = Database.RunCommand(userCommand);
The C# driver is using the key "digestPassword", but I couldn't find any documentation for this. Any ideas what this means and why it is not documented properly?
How can I check if the entered user/password combination is correct without access to the admin database (no access to db.system.users.find())? Are there any helper methods? I couldn't find one...
Tobias
MongoDB is storing the users' passwords in cleartext, right? So I have to take care of secure passwords?
For the default authentication in MongoDB (aka MONGODB-CR or "challenge-response auth") the passwords are stored internally as the hex encoding of MD5( <username> + ":mongo:" + <password_text> ). They are sent by drivers over the wire in digest form (see the answer to your next question, below) rather than in clear text.
You should always care about choosing secure passwords and properly locking down your MongoDB deployment. The MongoDB documentation has a rather comprehensive section on Security including risk management strategies and access control tutorials.
The C# driver is using the key "digestPassword", but I couldn't find any documentation for this. Any ideas what this means and why it is not documented properly?
The digestPassword key is documented as part of how to Implement Authentication in a Driver and isn't a detail you normally need to be concerned with unless you are implementing a driver.
Drivers use a two step process for authentication:
1) request a hexadecimal nonce to use in subsequent authentication requests
2) authenticate using a message digest that combines the nonce and the password digest
Is this OK (I found something similar in the obsolete AddUser method in the driver source)?
The addUser method was deprecated in favour of the createUser command, which is the newer implementation featuring roles.
I would strongly recommend using the documented C# driver API rather than trying to reimplement the lower level driver commands.
How can I check if the entered user/password combination is correct without access to the admin database (no access to db.system.users.find())? Are there any helper methods? I couldn't find one...
You can check the user/password combination by attempting to authenticate with it. You will also have to consider whether the user's roles grant appropriate permissions to run requested commands (if not, your application will have to handle the auth exception).
There is a full set of User and Role Management helpers in the mongo shell if you want to view or manage authentication details (assuming you have the appropriate privileges to do so).
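The two pieces of the answer above, the stored MONGODB-CR digest plus the nonce step of the handshake, and "check the combination by attempting to authenticate", written out as one added C# example. This is not code from the question, the answer, or the MongoDB driver itself; it reimplements the documented arithmetic with System.Security.Cryptography, and the CredentialsAreValid helper assumes a legacy 1.x driver (MongoClientSettings.Credentials, MongoCredential.CreateMongoCRCredential, MongoClient.GetServer) that authenticates the connection before the first command is sent. The sample username, password and nonce in Main are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using MongoDB.Driver;

// Added example, not part of the original question or answer.
public static class MongoCrExample
{
    // hex(MD5(utf8 bytes)), lower-case, the encoding mongod uses for MONGODB-CR digests
    private static string Md5Hex(string text)
    {
        using (var md5 = MD5.Create())
        {
            var hash = md5.ComputeHash(Encoding.UTF8.GetBytes(text));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }

    // What the server keeps in system.users for MONGODB-CR:
    // MD5( <username> + ":mongo:" + <password_text> ), hex encoded.
    // This is also the value a client passes as "pwd" when it sets digestPassword: false.
    public static string PasswordDigest(string username, string password)
    {
        return Md5Hex(username + ":mongo:" + password);
    }

    // Step 2 of the two-step handshake: after receiving the server's hex nonce (step 1),
    // the client answers with MD5(nonce + username + passwordDigest). The key is derived
    // from the stored digest, not the cleartext password, so the contents of system.users
    // must be protected as carefully as the passwords themselves.
    public static string AuthenticationKey(string nonce, string username, string passwordDigest)
    {
        return Md5Hex(nonce + username + passwordDigest);
    }

    // Checking a user/password pair the way the answer suggests: let the driver run the
    // nonce exchange and see whether it succeeds. No read access to system.users is needed.
    // Assumption: legacy 1.x driver API and a server reachable at connectionString.
    public static bool CredentialsAreValid(string connectionString, string databaseName,
                                           string username, string password)
    {
        var settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
        settings.Credentials = new[]
        {
            MongoCredential.CreateMongoCRCredential(databaseName, username, password)
        };
        var database = new MongoClient(settings).GetServer().GetDatabase(databaseName);
        try
        {
            // Any command will do; the driver authenticates the connection first
            // and throws if the digest does not match.
            database.RunCommand("ping");
            return true;
        }
        catch (MongoAuthenticationException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the page.
        var digest = PasswordDigest("alice", "correct horse battery staple");
        Console.WriteLine("stored digest: " + digest);
        Console.WriteLine("handshake key for nonce 1a2b3c4d: "
                          + AuthenticationKey("1a2b3c4d", "alice", digest));
    }
}
```

Run Main on its own to see the digest and handshake key for the sample values; CredentialsAreValid needs a running mongod and is kept separate so the arithmetic can be checked offline. If the application catches MongoAuthenticationException only, remember the answer's point that a correct password can still be followed by an authorization failure when the user's roles do not cover the requested command.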