I'm currently in the process of upgrading several MongoDB servers that don't use authentication at all to use x509 certificates for authentication.
During this process, I'd like the client to be able to connect to the servers regardless of whether they are configured to use authentication or not.
Basically I'd like to be able to use the same connect string on the client when authorization is configured and when it isn't. This would be a temporary setup. Is this possible? If not, other suggestions are appreciated.
Just to be clear, the client would connect using something like this
<?php
require 'vendor/autoload.php'; // MongoDB PHP library (mongodb/mongodb)

$server = 'mongodb://mongoserver1:27017/';
$options = [
    'authMechanism'         => 'MONGODB-X509',
    // user name must be the subject of the client certificate
    'username'              => 'C=US,ST=DC,L=DC,O=NO,OU=CLIENT,CN=user1',
    'authSource'            => '$external',
    'ssl'                   => false,
    'tlsCertificateKeyFile' => '/etc/ssl/certs/user1.pem',
    'tlsCAFile'             => '/etc/ssl/certs/CA.pem',
    // boolean, not the string 'true'; disables server certificate validation
    'tlsInsecure'           => true,
];
$driverOptions = [];
$database = 'test';

$client = new MongoDB\Client($server, $options, $driverOptions);
$db = $client->selectDatabase($database);
On the server, in /etc/mongod.conf I would use something like this
net:
  tls:
    mode: preferTLS
    certificateKeyFile: /etc/ssl/certs/server1.pem
    CAFile: /etc/ssl/CA.pem
    allowConnectionsWithoutCertificates: true
I'd also add the user on the server via mongosh with
db.getSiblingDB("$external").runCommand(
  {
    createUser: "C=US,ST=DC,L=DC,O=NO,OU=CLIENT,CN=user1",
    roles: [
      { role: "readWriteAnyDatabase", db: "admin" },
      { role: "clusterMonitor", db: "admin" }
    ],
    writeConcern: { w: "majority", wtimeout: 5000 }
  }
)
Relevant certificates would be on the server or accessible by the client as required.
I've tried the above and a few other things, but was unsuccessful. With the above configurations I got the error - "AuthenticationFailed: No verified subject name available from client"
Some general points:
I think you should skip 'username' => 'C=US,ST=DC,L=DC,O=YES,OU=CLIENT,CN=user1', the username is taken from the client certificate DistinguishedName. Note, your username differs by O=NO to the created user O=YES. They have to be the same - but maybe that's just a typo in your question.
Why do you use 'ssl' => false? You have all certificates available, thus you should also encrypt the connection by TLS/SSL.
Regarding your specific question. Set parameter security.transitionToAuth:
security:
  authorization: enabled
  transitionToAuth: true
A mongod running with --transitionToAuth accepts both authenticated and non-authenticated connections. Clients connected to the mongod during this transition state can perform read, write, and administrative operations on any database.
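The answer's point about the user name having to equal the certificate subject is easy to check before touching the server. The script below is an added example, not part of the question or the answer: it prints the subject of a PEM client certificate in the RFC 2253 form that MongoDB documents as the $external user name (the same string `openssl x509 -nameopt RFC2253` prints), and compares it with a configured name. It assumes `openssl` is installed; the certificate it generates is constructed for the demo and carries the subject from the question.

```shell
#!/bin/sh
# Added example (not from the question or answer): derive the exact user name
# MongoDB expects for an x.509 user from the client certificate, so it can be
# compared with the name passed to createUser on $external.  MongoDB documents
# the user name as the certificate subject in RFC 2253 form, which lists the
# components in the reverse order of the OpenSSL "/C=.../CN=..." notation.
set -eu

# Print the subject of a PEM client certificate as MongoDB's $external user name.
mongo_x509_user() {
    openssl x509 -in "$1" -inform PEM -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Return 0 if the configured user name (client 'username' / createUser name)
# equals the certificate subject, 1 otherwise, printing both for inspection.
x509_user_matches() {
    cert="$1"; configured="$2"
    actual=$(mongo_x509_user "$cert")
    if [ "$actual" = "$configured" ]; then
        return 0
    fi
    echo "mismatch: certificate subject is '$actual', configured '$configured'" >&2
    return 1
}

# Constructed test certificate with the subject from the question; in practice
# point CLIENT_CERT at the real client cert (e.g. /etc/ssl/certs/user1.pem).
WORKDIR=$(mktemp -d)
CLIENT_CERT="$WORKDIR/user1.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/ST=DC/L=DC/O=NO/OU=CLIENT/CN=user1" \
    -keyout "$WORKDIR/user1.key" -out "$CLIENT_CERT" >/dev/null 2>&1

mongo_x509_user "$CLIENT_CERT"
# -> CN=user1,OU=CLIENT,O=NO,L=DC,ST=DC,C=US
x509_user_matches "$CLIENT_CERT" "C=US,ST=DC,L=DC,O=NO,OU=CLIENT,CN=user1" || true
```

The mismatch report for the hand-typed, forward-order name shows why the server finds no matching user for the presented certificate.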