Authentication Parameters

authenticationMechanisms

Changed in version 2.6: Added support for the PLAIN and MONGODB-X509 authentication mechanisms.

Changed in version 3.0: Added support for the SCRAM-SHA-1 authentication mechanism.

Available for both mongod and mongos.

Specifies the list of authentication mechanisms the server accepts. Set this to one or more of the following values. If you specify multiple values, use a comma-separated list and no spaces. For descriptions of the authentication mechanisms, see Authentication.

Value	Description
SCRAM-SHA-1	RFC 5802 standard Salted Challenge Response Authentication Mechanism using the SHA-1 hash function.
MONGODB-CR	MongoDB challenge/response authentication. (Deprecated in MongoDB 3.6)
MONGODB-X509	MongoDB TLS/SSL certificate authentication.
GSSAPI (Kerberos)	External authentication using Kerberos. This mechanism is available only in MongoDB Enterprise .
PLAIN (LDAP SASL)	PLAIN transmits passwords in plain text. Required for LDAP Proxy Authentication. Optional for authenticating non-$external users.

For example, to specify PLAIN as the authentication mechanism, use the following command:

copy

mongod --setParameter authenticationMechanisms=PLAIN --auth

clusterAuthMode

New in version 2.6.

Available for both mongod and mongos.

Set the clusterAuthMode to either sendX509 or x509. Useful during rolling upgrade to use x509 for membership authentication to minimize downtime.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

copy

db.adminCommand( { setParameter: 1, clusterAuthMode: "sendX509" } )

enableLocalhostAuthBypass

Available for both mongod and mongos.

Specify 0 or false to disable localhost authentication bypass. Enabled by default.

enableLocalhostAuthBypass is not available using setParameter database command. Use the setParameter option in the configuration file or the --setParameter option on the command line.

See Localhost Exception for more information.

KeysRotationIntervalSec

New in version 3.6.

Default: 7776000 seconds (90 days)

Specifies the number of seconds for which an HMAC signing key is valid before rotating to the next one. This parameter is intended primarily to facilitate authentication testing.

You can only set KeysRotationIntervalSec during start-up, and cannot change this setting with the setParameter database command.

ldapUserCacheInvalidationInterval

For use with MongoDB deployments using LDAP Authorization. Available for mongod instances only.

The interval (in seconds) that the mongod instance waits between external user cache flushes. After MongoDB flushes the external user cache, MongoDB reacquires authorization data from the LDAP server the next time an LDAP-authorized user issues an operation.

Increasing the value specified increases the amount of time MongoDB and the LDAP server can be out of sync, but reduces the load on the LDAP server. Conversely, decreasing the value specified decreases the time MongoDB and the LDAP server can be out of sync while increasing the load on the LDAP server.

Defaults to 30 seconds.

opensslCipherConfig

New in version 3.6.

Specify the cipher string for OpenSSL when using TLS/SSL encryption. For a list of cipher strings, see https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-STRINGS

You can only set opensslCipherConfig during start-up, and cannot change this setting using the setParameter database command.

copy

mongod --setParameter opensslCipherConfig=HIGH:!EXPORT:!aNULL@STRENGTH --sslMode requireSSL --sslPEMKeyFile Certs/server.pem

saslauthdPath

Note

Available only in MongoDB Enterprise (except MongoDB Enterprise for Windows).

Available for both mongod and mongos.

Specify the path to the Unix Domain Socket of the saslauthd instance to use for proxy authentication.

saslHostName

Available for both mongod and mongos.

saslHostName overrides MongoDB’s default hostname detection for the purpose of configuring SASL and Kerberos authentication.

saslHostName does not affect the hostname of the mongod or mongos instance for any purpose beyond the configuration of SASL and Kerberos.

You can only set saslHostName during start-up, and cannot change this setting using the setParameter database command.

Note

saslHostName supports Kerberos authentication and is only included in MongoDB Enterprise. For Linux systems, see Configure MongoDB with Kerberos Authentication on Linux for more information.

saslServiceName

Available for both mongod and mongos.

Allows users to override the default Kerberos service name component of the Kerberos principal name, on a per-instance basis. If unspecified, the default value is mongodb.

MongoDB only permits setting saslServiceName at startup. The setParameter command can not change this setting.

saslServiceName is only available in MongoDB Enterprise.

Important

Ensure that your driver supports alternate service names.

scramIterationCount

New in version 3.0.0.

Default: 10000

Available for both mongod and mongos.

Changes the number of hashing iterations used for all new stored passwords. More iterations increase the amount of time required for clients to authenticate to MongoDB, but makes passwords less susceptible to brute-force attempts. The default value is ideal for most common use cases and requirements. If you modify this value, it does not change the number of iterations for existing passwords.

You can set scramIterationCount when starting MongoDB or on running mongod instances.

sslMode

New in version 2.6.

Available for both mongod and mongos.

Set the net.ssl.mode to either preferSSL or requireSSL. Useful during rolling upgrade to TLS/SSL to minimize downtime.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients .

copy

db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } )

sslWithholdClientCertificate

Default: false

New in version 3.6.9.

Available for both mongod and mongos.

A TLS certificate is set for a mongod or mongos either by the --sslClusterFile option or by the --sslPEMKeyFile option when --sslClusterFile is not set. If the TLS certificate is set, by default, the instance sends the certificate when initiating intra-cluster communications with other mongod or mongos instances in the deployment. Set sslWithholdClientCertificate to 1 or true to direct the instance to withhold sending its TLS certificate during these communications. Use this option with --sslAllowConnectionsWithoutCertificates (to allow inbound connections without certificates) on all members of the deployment. sslWithholdClientCertificate is mutually exclusive with --clusterAuthMode x509.