MongoDB Server Parameters
MongoDB provides a number of configuration options that you can set using:
Changed in version 2.6: Added support for the
Changed in version 3.0: Added support for the
Specifies the list of authentication mechanisms the server accepts. Set this to one or more of the following values. If you specify multiple values, use a comma-separated list and no spaces. For descriptions of the authentication mechanisms, see Authentication.
| Value | Description |
| --- | --- |
| SCRAM-SHA-1 | RFC 5802 standard Salted Challenge Response Authentication Mechanism using the SHA-1 hash function. |
| MONGODB-CR | MongoDB challenge/response authentication. (Deprecated in MongoDB 3.6) |
| MONGODB-X509 | MongoDB TLS/SSL certificate authentication. |
| GSSAPI (Kerberos) | External authentication using Kerberos. This mechanism is available only in MongoDB Enterprise. |
| PLAIN (LDAP SASL) | PLAIN transmits passwords in plain text. Required for LDAP Proxy Authentication. Optional for authenticating non- |
For example, to specify PLAIN as the authentication mechanism, use the following command:
New in version 2.6.
x509. Useful during rolling upgrade to use x509 for membership authentication to minimize downtime.
false to disable localhost authentication bypass. Enabled by default.
See Localhost Exception for more information.
New in version 3.6.
Default: 7776000 seconds (90 days)
Specifies the number of seconds for which an HMAC signing key is valid before rotating to the next one. This parameter is intended primarily to facilitate authentication testing.
The interval (in seconds) that the mongod instance waits between external user cache flushes. After MongoDB flushes the external user cache, MongoDB reacquires authorization data from the LDAP server the next time an LDAP-authorized user issues an operation.
Increasing the value specified increases the amount of time MongoDB and the LDAP server can be out of sync, but reduces the load on the LDAP server. Conversely, decreasing the value specified decreases the time MongoDB and the LDAP server can be out of sync while increasing the load on the LDAP server.
Defaults to 30 seconds.
New in version 3.6.
Specify the cipher string for OpenSSL when using TLS/SSL encryption. For a list of cipher strings, see https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-STRINGS
Available only in MongoDB Enterprise (except MongoDB Enterprise for Windows).
Specify the path to the Unix Domain Socket of the saslauthd instance to use for proxy authentication.
saslHostName overrides MongoDB’s default hostname detection for the purpose of configuring SASL and Kerberos authentication.
saslHostName supports Kerberos authentication and is only included in MongoDB Enterprise. For Linux systems, see Configure MongoDB with Kerberos Authentication on Linux for more information.
saslServiceName is only available in MongoDB Enterprise.
Ensure that your driver supports alternate service names.
New in version 3.0.0.
Changes the number of hashing iterations used for all new stored passwords. More iterations increase the amount of time required for clients to authenticate to MongoDB, but make passwords less susceptible to brute-force attempts. The default value is ideal for most common use cases and requirements. If you modify this value, it does not change the number of iterations for existing passwords.
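The following is an added example, not part of the MongoDB documentation or code base. It builds an RFC 5802 SCRAM-SHA-1 stored credential to show that the iteration count is saved with each credential, so changing the setting affects only passwords stored afterwards, and it measures what one derivation costs. The record field names, sample password and iteration counts are constructed assumptions, and the password is used as plain UTF-8 without the normalization a real server applies.

```python
import hashlib
import hmac
import os
import time


def scram_sha1_credential(password, iterations, salt=None):
    """Build the stored SCRAM-SHA-1 verifier described in RFC 5802."""
    salt = salt if salt is not None else os.urandom(16)
    # Hi() in RFC 5802 is PBKDF2-HMAC-SHA1 with a 20-byte output.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {  # hypothetical record layout for this example
        "iterationCount": iterations,  # stored alongside the credential
        "salt": salt,
        "storedKey": hashlib.sha1(client_key).digest(),
        "serverKey": server_key,
    }


def password_matches(credential, candidate):
    """Re-derive with the credential's own salt and iteration count."""
    derived = scram_sha1_credential(
        candidate, credential["iterationCount"], credential["salt"]
    )
    return hmac.compare_digest(derived["storedKey"], credential["storedKey"])


def seconds_per_derivation(iterations, rounds=3):
    """Average wall-clock cost of one derivation (one login or one guess)."""
    start = time.perf_counter()
    for _ in range(rounds):
        scram_sha1_credential("constructed-sample", iterations, b"\x00" * 16)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed scenario: a password stored before the count was raised.
    existing = scram_sha1_credential("constructed-sample", 10_000)
    # The same password stored after raising the count (constructed value).
    created_later = scram_sha1_credential("constructed-sample", 40_000)
    for cred in (existing, created_later):
        n = cred["iterationCount"]
        ok = password_matches(cred, "constructed-sample")
        print(f"{n:>6} iterations  verifies={ok}  "
              f"{seconds_per_derivation(n) * 1000:.2f} ms per derivation")
```

The older credential keeps verifying at its original count until the password is set again, which is why raising the value does not strengthen passwords that are already stored.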
New in version 2.6.
New in version 3.6.9.
A TLS certificate is set for a
mongos either by the
--sslClusterFile option or by the
--sslClusterFile is not set. If the TLS certificate is set, by default, the instance sends the certificate when initiating intra-cluster communications with other
mongos instances in the deployment. Set
true to direct the instance to withhold sending its TLS certificate during these communications. Use this option with
--sslAllowConnectionsWithoutCertificates (to allow inbound connections without certificates) on all members of the deployment.
sslWithholdClientCertificate is mutually exclusive with