Configure Kerberos for BI Connector

New in version 2.5.

The MongoDB Connector for BI supports Kerberos authentication for connecting BI tools and for the BI Connector’s admin user authenticating with MongoDB.

The following section guides you through configuring the BI Connector to use Kerberos authentication with two of the most common use cases:

  • Windows/Linux client machines authenticating to Active Directory
  • macOS client machine authenticating to Linux KDC

If you have another use case, please contact MongoDB Support for assistance.

Important

The domain part of any username must be written in all capital letters. This part of the username corresponds to a Kerberos realm or Active Directory domain. It is case sensitive.

Active Directory Configuration

  • Make sure you have a domain configured.
  • Create a user for MongoDB on the domain you created.
  • Create a user for MongoSQL on the domain you created.
  • Register an SPN for the MongoDB Service.
  • Register an SPN for the MongoSQL Service.
  • Enable delegation for your MongoSQL Service user.

Example

Assuming this configuration:

  • Your name is Grace Smith.
  • Your Windows domain is named EXAMPLE.COM.
  • You are running your BI tool on a Windows host named BI.EXAMPLE.COM.

In Active Directory, you create three users:

  • For MongoDB: mongodb@EXAMPLE.COM
  • For BI Connector: mongosql@EXAMPLE.COM
  • For you: grace.smith@EXAMPLE.COM

Create an SPN for each service:

setspn.exe -S mongodb/BI.EXAMPLE.COM mongodb
setspn.exe -S mongosql/BI.EXAMPLE.COM mongosql

Note

The names can be anything you choose as long as you use them consistently throughout this setup.

Open the Active Directory Administrative Center and double-click on your MongoDB service user (mongodb).

Set the mongosql user to delegate for the mongodb user from the BI.EXAMPLE.COM host.

Linux Schema User Authenticating to ADC

If you are authenticating a user from a Linux host and the schema user is using a keytab file instead of a password, the following is required in addition to creating the user in MongoDB:

  • Creating a UPN for the schema user.
  • Setting the KRB5_CLIENT_KTNAME environment variable to this user’s keytab.

MongoDB Configuration

BI Connector Configuration

Example

  • Your name is Grace Smith.
  • Your Windows domain is named EXAMPLE.COM.
  • You are running your BI tool on a Windows host named BI.EXAMPLE.COM.

On BI.EXAMPLE.COM:

  • Install MongoDB and MongoDB Connector for BI as services.

  • Edit your mongod.cfg file to resemble:

    systemLog:
      destination: "file"
      path: "c:\\data\\log\\mongod.log"
      verbosity: 2
    storage:
      dbPath: "c:\\data\\db"
    net:
      bindIp: BI.EXAMPLE.COM
    setParameter:
      authenticationMechanisms: "GSSAPI"
    
  • Log on to the mongo shell and create your BI Connector user.

    db.getSiblingDB("$external").createUser(
      {
        user: "grace.smith@EXAMPLE.COM",
        roles: [ { role: "readAnyDatabase", db: "admin" } ]
      }
    )
    
  • Edit your mongosqld.cfg file to resemble:

    systemLog:
      path: "c:\\data\\log\\mongosqld.log"
      logAppend: true
      logRotate: "reopen"
      verbosity: 3
    runtime:
      memory:
        maxPerStage: 102400
    net:
      bindIp: BI.EXAMPLE.COM
      port: 3306
    security:
      enabled: true
      defaultSource: "$external"
      defaultMechanism: "GSSAPI"
      gssapi:
        hostname: "BI.EXAMPLE.COM"
        serviceName: "mongosql"
    mongodb:
      net:
        uri: "mongodb://BI.EXAMPLE.COM/"
        auth:
          username: "grace.smith@EXAMPLE.COM"
          password: "abc123!"
          source: "$external"
          mechanism: "GSSAPI"
    processManagement:
      service:
        displayName: "MongoDB BI Connector"
    
  • Open Services.

  • Set MongoDB to Log on as: This account: mongodb@EXAMPLE.COM

  • Set MongoDB Connector for BI to Log on as: This account: mongosql@EXAMPLE.COM

  • Start the MongoDB and MongoDB Connector for BI services.
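The settings above must agree with each other and with the SPNs registered earlier, and the realm part of every principal must be upper-case. The following is an added consistency check, not code from the MongoDB documentation; the config dict is constructed here to mirror the mongosqld.cfg shown above, and the SPN set mirrors the setspn.exe commands.

```python
# Added example (not from the MongoDB docs): cross-check a BI Connector
# Kerberos setup. MONGOSQLD_CFG is constructed to mirror the page's mongosqld.cfg.
MONGOSQLD_CFG = {
    "net": {"bindIp": "BI.EXAMPLE.COM", "port": 3306},
    "security": {
        "enabled": True,
        "defaultSource": "$external",
        "defaultMechanism": "GSSAPI",
        "gssapi": {"hostname": "BI.EXAMPLE.COM", "serviceName": "mongosql"},
    },
    "mongodb": {"net": {"auth": {
        "username": "grace.smith@EXAMPLE.COM",
        "source": "$external",
        "mechanism": "GSSAPI",
    }}},
}

# SPNs as registered with setspn.exe earlier on the page.
REGISTERED_SPNS = {"mongodb/BI.EXAMPLE.COM", "mongosql/BI.EXAMPLE.COM"}


def check_principal(upn: str) -> list[str]:
    """Return problems with a user@REALM principal; the realm must be all capitals."""
    if upn.count("@") != 1:
        return [f"{upn!r}: expected exactly one '@'"]
    user, realm = upn.split("@")
    problems = []
    if not user:
        problems.append(f"{upn!r}: empty user part")
    if realm != realm.upper():
        problems.append(f"{upn!r}: realm {realm!r} must be all capitals")
    return problems


def check_mongosqld_cfg(cfg: dict, spns: set[str]) -> list[str]:
    """Check that GSSAPI is enforced and that hostname/serviceName match a registered SPN."""
    problems = []
    sec = cfg["security"]
    if not sec.get("enabled") or sec.get("defaultMechanism") != "GSSAPI":
        problems.append("security.enabled/defaultMechanism: Kerberos is not enforced")
    gss = sec.get("gssapi", {})
    spn = f"{gss.get('serviceName')}/{gss.get('hostname')}"  # SPN the KDC will be asked for
    if spn not in spns:
        problems.append(f"SPN {spn!r} was not registered with setspn.exe")
    if gss.get("hostname") != cfg["net"]["bindIp"]:
        problems.append("security.gssapi.hostname differs from net.bindIp")
    auth = cfg["mongodb"]["net"]["auth"]
    if auth.get("mechanism") != "GSSAPI" or auth.get("source") != "$external":
        problems.append("mongodb.net.auth must use GSSAPI against $external")
    return problems + check_principal(auth.get("username", ""))
```

An empty list from `check_mongosqld_cfg` means the file is internally consistent; it does not prove the KDC will issue a ticket, so still test a login afterwards.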

Linux Schema User Authenticating to ADC

If you are authenticating a user from a Linux host and your schema user is going to use a username and password, the following is required:

See also

To learn how to configure Active Directory to manage your MongoDB instance, see Configure MongoDB with Kerberos Authentication and Active Directory Authorization.

Testing BI Connector with Kerberos on localhost

If you are testing Kerberos with a mongosqld running on localhost, you must set net.unixDomainSocket.enabled to true in the mongosqld configuration file.