MongoDB Authentication Interview Questions

Introduction

This guide covers essential MongoDB authentication concepts commonly asked in technical interviews. Each question includes detailed answers and practical examples.

Medium

1. What are the different authentication mechanisms in MongoDB?

MongoDB supports several authentication mechanisms:

  • SCRAM (Salted Challenge Response Authentication Mechanism)
  • X.509 Certificate Authentication
  • LDAP Authentication
  • Kerberos Authentication
  • OAuth 2.0 (MongoDB Atlas)

Authentication Methods:

  • SCRAM-SHA-1 (Legacy)
  • SCRAM-SHA-256 (Recommended)
  • MONGODB-X509
  • PLAIN (LDAP)
  • GSSAPI (Kerberos)

Hard

2. How do you implement SCRAM authentication?

SCRAM authentication implementation involves several steps:

1. User Creation with SCRAM
// Create user with SCRAM-SHA-256 (run in mongosh while connected to the myapp database;
// pwd: passwordPrompt() keeps the password out of the shell history)
db.createUser({
    user: "appUser",
    pwd: "securePassword",
    roles: [
        { role: "readWrite", db: "myapp" }
    ],
    mechanisms: ["SCRAM-SHA-256"]
})

# Enable authentication and allow only SCRAM-SHA-256
mongod --auth --setParameter authenticationMechanisms=SCRAM-SHA-256

# Connect with SCRAM
mongosh "mongodb://appUser:securePassword@localhost:27017/myapp?authMechanism=SCRAM-SHA-256"

# Same connection without the password in the URI (it would otherwise land in shell history
# and process listings); mongosh prompts for it instead
mongosh "mongodb://localhost:27017/myapp" --username appUser --authenticationDatabase myapp --authenticationMechanism SCRAM-SHA-256
2. Password Management
// Change password
db.changeUserPassword("appUser", "newSecurePassword")

// Update user with new password
db.updateUser(
    "appUser",
    {
        pwd: "newSecurePassword",
        mechanisms: ["SCRAM-SHA-256"]
    }
)

Hard

3. How do you implement X.509 certificate authentication?

X.509 certificate authentication implementation:

1. Certificate Setup
# Generate CA certificate
openssl req -x509 -newkey rsa:4096 -days 365 -nodes -out ca.pem -keyout ca.key

# Generate server certificate request (its CN/SAN must match the hostname clients connect to)
openssl req -newkey rsa:4096 -nodes -out server.csr -keyout server.key

# Sign server certificate
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt

# mongod's --tlsCertificateKeyFile expects the certificate and its private key in one PEM file
cat server.crt server.key > server.pem

# Generate client certificate request; its subject becomes the MongoDB username, must contain
# at least one of O, OU or DC, and must not be identical to the server certificate's subject
openssl req -newkey rsa:4096 -nodes -out client.csr -keyout client.key \
    -subj "/C=US/ST=State/L=City/O=Company/OU=IT/CN=client"

# Sign client certificate
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.crt

# The client also presents certificate and key from one PEM file
cat client.crt client.key > client.pem

# Print the subject in the exact form MongoDB expects as the username
openssl x509 -in client.pem -noout -subject -nameopt RFC2253
2. MongoDB Configuration
# Start MongoDB with TLS and authentication enabled (mongodb.pem holds the server certificate and key)
mongod --auth --tlsMode requireTLS \
    --tlsCertificateKeyFile /etc/ssl/mongodb.pem \
    --tlsCAFile /etc/ssl/ca.pem

// Create user with X.509: the username is the client certificate's subject in RFC2253 form
db.getSiblingDB("$external").createUser({
    user: "CN=client,OU=IT,O=Company,L=City,ST=State,C=US",
    roles: [
        { role: "readWrite", db: "myapp" }
    ]
})

# Connect with X.509 (client.pem holds the client certificate and key; authSource defaults to $external)
mongosh "mongodb://localhost:27017/myapp?authMechanism=MONGODB-X509&tlsCertificateKeyFile=/etc/ssl/client.pem&tlsCAFile=/etc/ssl/ca.pem"

Hard

4. How do you implement LDAP authentication?

LDAP authentication implementation:

1. LDAP Configuration
# MongoDB LDAP configuration (mongod.conf; LDAP authentication requires MongoDB Enterprise).
# bindQueryPassword is stored in clear text, so restrict the file's permissions to the mongod user.
security:
    authorization: enabled
    ldap:
        servers: "ldap://ldap.example.com"
        transportSecurity: "tls"
        bindMethod: "simple"
        bindQueryUser: "CN=admin,DC=example,DC=com"
        bindQueryPassword: "ldapPassword"
        userToDNMapping: '[{"match": "(.+)", "ldapQuery": "DC=example,DC=com??sub?(uid={0})"}]'
        authz:
            queryTemplate: "DC=example,DC=com??sub?(&(objectClass=group)(member={USER}))"

# Start MongoDB with LDAP (config file path assumed to be /etc/mongod.conf); PLAIN carries the
# LDAP password to mongod, so it must only be offered over TLS, and SCRAM stays enabled for local users
mongod --config /etc/mongod.conf --auth --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-256
2. User Mapping
// With LDAP authorization (authz.queryTemplate above) the LDAP account needs no user document:
// mongod looks up the user's LDAP groups and applies the roles in the admin database whose
// names exactly match the group DNs.

// Application role holding the privileges
db.getSiblingDB("admin").createRole({
    role: "appRole",
    privileges: [
        {
            resource: { db: "myapp", collection: "" },
            actions: [ "find", "update", "insert", "remove" ]
        }
    ],
    roles: []
})

// Map LDAP group to that role: the role is named after the group's DN
db.getSiblingDB("admin").createRole({
    role: "CN=appUsers,DC=example,DC=com",
    privileges: [],
    roles: [
        { role: "appRole", db: "admin" }
    ]
})

Hard

5. What are the authentication best practices?

Follow these authentication best practices:

1. Security Configuration
# Secure authentication configuration (mongod.conf)
security:
    authorization: enabled
    sasl:
        hostName: "mongodb.example.com"
        serviceName: "mongodb"
    ldap:
        transportSecurity: "tls"
        timeoutMS: 5000
# authenticationMechanisms is a server parameter, not a security.* key; it is a
# comma-separated string and can only be set at startup
setParameter:
    authenticationMechanisms: "SCRAM-SHA-256"

// Password policies: raise the SCRAM-SHA-256 iteration count (default 15000, minimum 5000).
// This parameter can be changed at runtime; authenticationMechanisms cannot.
db.adminCommand({
    setParameter: 1,
    scramSHA256IterationCount: 20000
})
2. Monitoring and Maintenance
// Monitor authentication attempts: mongod logs them itself under the ACCESS log
// component (the database profiler does not record them); getLog returns the
// most recent in-memory log lines, so ship the log file to your SIEM for history
db.adminCommand({ getLog: "global" }).log
    .filter(line => line.includes('"c":"ACCESS"'))

// Check user sessions (stored in the config database)
db.getSiblingDB("config").system.sessions.find()

// Rotate credentials
db.changeUserPassword("appUser", "newSecurePassword")
db.updateUser(
    "appUser",
    {
        pwd: "newSecurePassword",
        mechanisms: ["SCRAM-SHA-256"]
    }
)

Next Steps

Continue your MongoDB interview preparation with: