This guide covers essential MongoDB authentication concepts commonly asked in technical interviews. Each question includes detailed answers and practical examples.
MongoDB supports several authentication mechanisms: SCRAM (SCRAM-SHA-1 and SCRAM-SHA-256, the default since 4.0), a salted challenge-response scheme in which the password itself is never sent; X.509 client certificates (MONGODB-X509), where the certificate subject is the user name; and LDAP (MongoDB Enterprise), where the client uses the PLAIN mechanism and mongod binds to the directory to verify the password and, optionally, to look up group membership for authorization. Each is covered below.
SCRAM authentication implementation involves several steps:
// Create user with SCRAM-SHA-256 (run as a user holding userAdmin on "myapp" or userAdminAnyDatabase).
// mechanisms limits the stored credential to SCRAM-SHA-256; without it MongoDB also stores a SCRAM-SHA-1 credential for the same password.
// passwordPrompt() reads the password from the terminal so it does not end up in the mongosh history.
db.getSiblingDB("myapp").createUser({
  user: "appUser",
  pwd: passwordPrompt(),
  roles: [
    { role: "readWrite", db: "myapp" }
  ],
  mechanisms: ["SCRAM-SHA-256"]
})
# Enable authentication and restrict the server to SCRAM-SHA-256.
# authenticationMechanisms is a startup-only parameter; it cannot be changed later with setParameter.
mongod --auth --setParameter authenticationMechanisms=SCRAM-SHA-256
# Connect with SCRAM. Leaving the password out of the URI makes mongosh prompt for it, which keeps it out of shell history and process listings.
mongosh "mongodb://appUser@localhost:27017/myapp?authMechanism=SCRAM-SHA-256&authSource=myapp"
// Change password (run against the database that holds the user)
db.getSiblingDB("myapp").changeUserPassword("appUser", passwordPrompt())
// updateUser rotates the password and adjusts the allowed mechanisms in one call
db.getSiblingDB("myapp").updateUser(
  "appUser",
  {
    pwd: passwordPrompt(),
    mechanisms: ["SCRAM-SHA-256"]
  }
)
X.509 certificate authentication implementation:
# Generate CA certificate (keep ca.key offline: anyone holding it can mint client identities)
openssl req -x509 -newkey rsa:4096 -days 365 -nodes -subj "/C=US/O=Company/OU=CA/CN=Company Root CA" -out ca.pem -keyout ca.key
# Generate server certificate. Clients verify the hostname against the subjectAltName, so it must contain the name used in the connection string.
openssl req -newkey rsa:4096 -nodes -subj "/C=US/ST=State/L=City/O=Company/OU=Servers/CN=mongodb.example.com" -out server.csr -keyout server.key
printf 'subjectAltName=DNS:mongodb.example.com,DNS:localhost\nextendedKeyUsage=serverAuth\n' > server.ext
# Sign server certificate (openssl x509 defaults to 30 days when -days is omitted)
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile server.ext -out server.crt
# Generate client certificate. Its subject becomes the MongoDB user name, and at least one of O, OU or DC must differ from the server certificate (here OU=IT against OU=Servers); a client certificate that matches the server's O, OU and DC is treated as a cluster member certificate.
openssl req -newkey rsa:4096 -nodes -subj "/C=US/ST=State/L=City/O=Company/OU=IT/CN=client" -out client.csr -keyout client.key
printf 'extendedKeyUsage=clientAuth\n' > client.ext
# Sign client certificate
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile client.ext -out client.crt
# mongod and mongosh expect certificate and private key concatenated in one PEM file
cat server.crt server.key > /etc/ssl/mongodb.pem
cat client.crt client.key > /etc/ssl/client.pem
cp ca.pem /etc/ssl/ca.pem
# Start MongoDB with TLS required and authentication enabled (without --auth the client certificate is never checked against a user)
mongod --auth --tlsMode requireTLS \
  --tlsCertificateKeyFile /etc/ssl/mongodb.pem \
  --tlsCAFile /etc/ssl/ca.pem
# Print the client subject in the RFC 2253 form MongoDB uses; the createUser name must equal it character for character
openssl x509 -in /etc/ssl/client.pem -noout -subject -nameopt RFC2253
// Create user with X.509 (users for external mechanisms live in the $external database)
db.getSiblingDB("$external").createUser({
  user: "CN=client,OU=IT,O=Company,L=City,ST=State,C=US",
  roles: [
    { role: "readWrite", db: "myapp" }
  ]
})
# Connect with X.509. The URI is single-quoted so the shell does not expand $external; tls=true turns TLS on for the connection.
mongosh 'mongodb://localhost:27017/myapp?authMechanism=MONGODB-X509&authSource=$external&tls=true&tlsCertificateKeyFile=/etc/ssl/client.pem&tlsCAFile=/etc/ssl/ca.pem'
LDAP authentication implementation (LDAP authentication and LDAP authorization require MongoDB Enterprise):
# MongoDB LDAP configuration (mongod.conf). The bind password is stored in clear text, so the file must be readable only by the mongod user.
security:
  authorization: enabled
  ldap:
    servers: "ldap.example.com"      # host[:port]; LDAPS/StartTLS is selected by transportSecurity, not by a URL scheme
    transportSecurity: "tls"
    bind:
      method: "simple"
      queryUser: "CN=admin,DC=example,DC=com"
      queryPassword: "ldapPassword"
    userToDNMapping: '[{"match": "(.+)", "ldapQuery": "DC=example,DC=com??sub?(uid={0})"}]'
    authz:
      queryTemplate: "DC=example,DC=com??sub?(&(objectClass=group)(member={USER}))"
# Start MongoDB with LDAP. PLAIN carries the password to mongod in clear text, so clients must connect over TLS (see the X.509 section for the server-side TLS options).
mongod --config /etc/mongod.conf --auth --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-256
// Create the privilege set once, in the admin database
db.getSiblingDB("admin").createRole({
  role: "appRole",
  privileges: [
    {
      resource: { db: "myapp", collection: "" },
      actions: [ "find", "update", "insert", "remove" ]
    }
  ],
  roles: []
})
// Map LDAP group to role. With authz.queryTemplate set, MongoDB grants each role in the admin database whose name equals the DN of a group returned by the query; no per-user document is created in $external.
db.getSiblingDB("admin").createRole({
  role: "CN=appUsers,DC=example,DC=com",
  privileges: [],
  roles: [
    { role: "appRole", db: "admin" }
  ]
})
# Check the mapping end to end (alice is a placeholder LDAP uid); authInfo lists the roles that were granted
mongosh --tls --tlsCAFile /etc/ssl/ca.pem --authenticationMechanism PLAIN --authenticationDatabase '$external' --username alice --eval 'db.runCommand({ connectionStatus: 1 }).authInfo'
Follow these authentication best practices:
# Secure authentication configuration (mongod.conf)
security:
  authorization: enabled
  ldap:                          # only when LDAP is in use
    transportSecurity: "tls"
    timeoutMS: 5000
net:
  tls:                           # PLAIN sends the password in clear text and SCRAM protects only the login, not the traffic after it
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/ca.pem
setParameter:
  authenticationMechanisms: "SCRAM-SHA-256"   # startup-only; add MONGODB-X509 or PLAIN only where the sections above apply
// Password policies. MongoDB enforces no length or complexity rules of its own, so enforce them where users are provisioned (or through LDAP).
// The SCRAM-SHA-256 work factor is scramSHA256IterationCount (default 15000, minimum 5000). It applies to passwords set after the change, so rotate existing users afterwards.
db.adminCommand({ setParameter: 1, scramSHA256IterationCount: 20000 })
// Monitor authentication attempts. The profiler does not record authenticate commands; use the mongod log (component ACCESS) or, on MongoDB Enterprise, the audit log.
db.adminCommand({ getLog: "global" }).log.filter(line => line.includes('"c":"ACCESS"'))
// Check user sessions (stored in config.system.sessions; allUsers needs the listSessions privilege)
db.getSiblingDB("config").aggregate([ { $listSessions: { allUsers: true } } ])
// Rotate credentials
db.getSiblingDB("myapp").changeUserPassword("appUser", passwordPrompt())
// or, when the allowed mechanisms should change at the same time
db.getSiblingDB("myapp").updateUser(
  "appUser",
  {
    pwd: passwordPrompt(),
    mechanisms: ["SCRAM-SHA-256"]
  }
)