Enterprise Authentication Mechanisms
In this guide, you can find sample code for connecting to MongoDB with each authentication mechanism available in MongoDB Enterprise Edition: Kerberos (GSSAPI/SSPI) and LDAP (PLAIN).
Kerberos (GSSAPI/SSPI)
The Node.js driver supports Kerberos on UNIX using the MIT Kerberos library and on Windows using the SSPI API.
The GSSAPI authentication mechanism uses your user principal to authenticate to a Kerberos service.
You can specify this authentication mechanism by performing the following actions while specifying options on your connection string:
- Set the authMechanism parameter to GSSAPI.
- Set the SERVICE_NAME value in the authMechanismProperties parameter if using a value other than mongodb.
- Specify a SERVICE_REALM value in the authMechanismProperties parameter if a custom service realm is required.
- Specify a CANONICALIZE_HOST_NAME value in the authMechanismProperties parameter if canonicalization of the hostname is required. This property can take the following values:
  - none: (Default) Does not perform hostname canonicalization
  - forward: Performs a forward DNS lookup to canonicalize the hostname
  - forwardAndReverse: Performs a forward DNS lookup and then a reverse lookup on that value to canonicalize the hostname
Note: The gssapiServiceName parameter is deprecated and may be removed in future versions of the driver. Use authMechanismProperties=SERVICE_NAME:<your service name> in the connection URI instead. See the authMechanismProperties parameter documentation for more information.
The following code sample authenticates to Kerberos for UNIX using GSSAPI.
Always URI encode the principal using the encodeURIComponent method to ensure it is correctly parsed.
const { MongoClient } = require("mongodb");

// Specify the placeholder values for your environment in the following lines
const clusterUrl = "<MongoDB cluster URL>";
const principal = encodeURIComponent("<Kerberos principal and realm>");
const serviceRealm = "<Kerberos service realm>";
const canonicalizationSetting = "<canonicalization setting>";
const authMechanismProperties = `SERVICE_REALM:${serviceRealm},CANONICALIZE_HOST_NAME:${canonicalizationSetting}`;
const authMechanism = "GSSAPI";

// Connection URI
const uri = `mongodb+srv://${principal}@${clusterUrl}/?authMechanism=${authMechanism}&authMechanismProperties=${authMechanismProperties}`;

const client = new MongoClient(uri);

// Function to connect to the server
async function run() {
  try {
    // Establish and verify connection
    await client.db("admin").command({ ping: 1 });
    console.log("Connected successfully to server");
  } finally {
    // Ensures that the client will close when you finish/error
    await client.close();
  }
}

run().catch(console.dir);
The method refers to the GSSAPI authentication mechanism instead of Kerberos because the driver authenticates via the GSSAPI SASL mechanism, RFC-4652.
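The sample above assembles the GSSAPI connection string by hand. The following added example (not from the MongoDB documentation or the driver) builds the same string while validating the authMechanismProperties values listed above, and parses the result back so the principal, host and properties can be checked before a MongoClient is created. The principal and cluster names are constructed placeholders.

```javascript
// Added example, not part of the MongoDB docs: build and check a GSSAPI connection string.
const CANONICALIZE_HOST_NAME_VALUES = new Set(["none", "forward", "forwardAndReverse"]);

function buildGssapiUri({
  principal,               // user principal including realm, e.g. alice@EXAMPLE.COM
  clusterUrl,
  serviceName = "mongodb", // SERVICE_NAME is only emitted when it differs from the default
  serviceRealm,            // optional SERVICE_REALM
  canonicalizeHostName = "none",
}) {
  if (!principal || !principal.includes("@")) {
    throw new Error("principal must include its Kerberos realm (user@REALM)");
  }
  if (!CANONICALIZE_HOST_NAME_VALUES.has(canonicalizeHostName)) {
    throw new Error(`CANONICALIZE_HOST_NAME must be one of ${[...CANONICALIZE_HOST_NAME_VALUES].join(", ")}`);
  }
  const props = [];
  if (serviceName !== "mongodb") props.push(`SERVICE_NAME:${serviceName}`);
  if (serviceRealm) props.push(`SERVICE_REALM:${serviceRealm}`);
  if (canonicalizeHostName !== "none") props.push(`CANONICALIZE_HOST_NAME:${canonicalizeHostName}`);
  // The '@' inside the principal is percent-encoded (as the docs sample does with
  // encodeURIComponent) so it is not mistaken for the userinfo/host delimiter.
  let uri = `mongodb+srv://${encodeURIComponent(principal)}@${clusterUrl}/?authMechanism=GSSAPI`;
  if (props.length) uri += `&authMechanismProperties=${props.join(",")}`;
  return uri;
}

// Reads the authentication settings back out of a connection string using the
// WHATWG URL parser that ships with Node.js.
function parseAuthSettings(uri) {
  const u = new URL(uri);
  const properties = {};
  for (const pair of (u.searchParams.get("authMechanismProperties") || "").split(",")) {
    const i = pair.indexOf(":");
    if (i > 0) properties[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return {
    principal: decodeURIComponent(u.username),
    host: u.hostname,
    authMechanism: u.searchParams.get("authMechanism"),
    properties,
  };
}
```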
LDAP (PLAIN)
The PLAIN authentication mechanism uses your username and password to authenticate to a Lightweight Directory Access Protocol (LDAP) server.
You can specify this authentication mechanism by setting the authMechanism parameter to PLAIN and including your LDAP username and password in the connection string, as shown in the following sample code.
const { MongoClient } = require("mongodb");

// Specify the placeholder values for your environment in the following lines
const clusterUrl = "<MongoDB cluster URL>";
const ldapUsername = "<LDAP username>";
const ldapPassword = "<LDAP password>";
const authMechanism = "PLAIN";

// Connection URI
const uri = `mongodb+srv://${ldapUsername}:${ldapPassword}@${clusterUrl}/?authMechanism=${authMechanism}`;

const client = new MongoClient(uri);

// Function to connect to the server
async function run() {
  try {
    // Establish and verify connection
    await client.db("admin").command({ ping: 1 });
    console.log("Connected successfully to server");
  } finally {
    // Ensures that the client will close when you finish/error
    await client.close();
  }
}

run().catch(console.dir);
The authentication mechanism is named PLAIN instead of LDAP because it authenticates using the PLAIN Simple Authentication and Security Layer (SASL) mechanism defined in RFC-4616.
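SASL PLAIN carries the password verbatim in its message, so the connection string needs TLS and the credentials need careful handling. The following added example (not from the MongoDB documentation or the driver) shows the RFC-4616 message layout, builds the PLAIN connection string from the sample above while refusing to omit TLS, URI-encodes LDAP credentials that contain reserved characters, and produces a redacted copy of the URI for logging. The environment variable names and sample values are constructed placeholders.

```javascript
// Added example, not part of the MongoDB docs: PLAIN credential handling.

// Wire format of the SASL PLAIN message (RFC-4616): authzid NUL authcid NUL passwd.
// Shown only to make clear that the password crosses the connection unchanged.
function saslPlainMessage(authcid, passwd, authzid = "") {
  return Buffer.from(`${authzid}\0${authcid}\0${passwd}`, "utf8");
}

function buildPlainUri({ username, password, clusterUrl, tls = true }) {
  if (!username || !password) {
    throw new Error("PLAIN requires both an LDAP username and a password");
  }
  if (!tls) {
    throw new Error("refusing PLAIN without TLS: the password would cross the network in cleartext");
  }
  // encodeURIComponent keeps ':' and '@' inside credentials (and ',' or '=' in an
  // LDAP DN) from being read as URI delimiters, as the docs advise for principals.
  const user = encodeURIComponent(username);
  const pass = encodeURIComponent(password);
  // mongodb+srv already defaults tls to true; pinning tls=true means a later change
  // of scheme cannot silently downgrade the connection.
  return `mongodb+srv://${user}:${pass}@${clusterUrl}/?authMechanism=PLAIN&tls=true`;
}

// Copy of the URI with the password replaced, safe for log lines and error reports.
function redactUri(uri) {
  const u = new URL(uri);
  if (u.password) u.password = "***";
  return u.toString();
}

// Credentials come from the environment (assumed variable names), never from source,
// and only the redacted URI is ever logged.
function connectionPlan(env = process.env) {
  const uri = buildPlainUri({
    username: env.LDAP_USERNAME || "<LDAP username>",
    password: env.LDAP_PASSWORD || "<LDAP password>",
    clusterUrl: env.MONGODB_CLUSTER || "<MongoDB cluster URL>",
  });
  return { uri, logLine: `connecting with PLAIN to ${redactUri(uri)}` };
}
```

The `uri` returned by `connectionPlan` is what you would hand to `new MongoClient(uri)` in the sample above; the `logLine` is the only form that should reach logs.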