Configure Kerberos for BI Connector

New in version 2.5.

The MongoDB Connector for BI supports Kerberos authentication both for BI tools connecting to the BI Connector and for the BI Connector’s admin user authenticating with MongoDB. The following section guides you through configuring the BI Connector to use Kerberos authentication on either Windows or macOS.

Important

The domain part of any username must be written in all capital letters. This part of the username corresponds to a Kerberos realm or Active Directory domain. It is case sensitive.

Active Directory Configuration

  • Make sure you have a domain configured.
  • Create a user for MongoDB on the domain you created.
  • Create a user for MongoSQL on the domain you created.
  • Register an SPN for the MongoDB Service.
  • Register an SPN for the MongoSQL Service.
  • Enable delegation for your MongoSQL Service user.

Example

  • Your name is Grace Smith.
  • Your Windows domain is named EXAMPLE.COM.
  • You are running your BI tool on a Windows host named BI.EXAMPLE.COM.

In Active Directory, you create three users:

  • For MongoDB: mongodb@EXAMPLE.COM
  • For BI Connector: mongosql@EXAMPLE.COM
  • For you: grace.smith@EXAMPLE.COM

Create an SPN for each service:

    setspn.exe -A mongodb/BI.EXAMPLE.COM mongodb
    setspn.exe -A mongosql/BI.EXAMPLE.COM mongosql

Open the Active Directory Administrative Center and double-click on your MongoDB service user (mongodb).

Set the mongosql user to delegate for the mongodb user from the BI.EXAMPLE.COM host.

MongoDB Configuration

BI Connector Configuration

Example

  • Your name is Grace Smith.
  • Your Windows domain is named EXAMPLE.COM.
  • You are running your BI tool on a Windows host named BI.EXAMPLE.COM.

On BI.EXAMPLE.COM:

  • Install MongoDB and MongoDB Connector for BI as services.

  • Edit your mongod.cfg file to resemble:

    systemLog:
      destination: "file"
      path: "c:\\data\\log\\mongod.log"
      verbosity: 2
    storage:
      dbPath: "c:\\data\\db"
    net:
      bindIp: BI.EXAMPLE.COM
    setParameter:
      authenticationMechanisms: "GSSAPI"
    
  • Log on to the mongo shell and create your BI Connector user.

    db.getSiblingDB("$external").createUser(
      {
        user: "grace.smith@EXAMPLE.COM",
        roles: [ { role: "readAnyDatabase", db: "admin" } ]
      }
    )
    
  • Edit your mongosqld.cfg file to resemble:

    systemLog:
      path: "c:\\data\\log\\mongosqld.log"
      logAppend: true
      logRotate: "reopen"
      verbosity: 3
    runtime:
      memory:
        maxPerStage: 102400
    net:
      bindIp: BI.EXAMPLE.COM
      port: 3306
    security:
      enabled: true
      defaultSource: "$external"
      defaultMechanism: "GSSAPI"
      gssapi:
        hostname: "BI.EXAMPLE.COM"
        serviceName: "mongosql"
    mongodb:
      net:
        uri: "mongodb://BI.EXAMPLE.COM/"
        auth:
          username: "grace.smith@EXAMPLE.COM"
          # Sample value. This file stores the credential in clear text, so restrict read access to it.
          password: "abc123!"
          source: "$external"
          mechanism: "GSSAPI"
    processManagement:
      service:
        displayName: "MongoDB BI Connector"
    
  • Open Services.

  • Set MongoDB to Log on as: This account: mongodb@EXAMPLE.COM

  • Set MongoDB Connector for BI to Log on as: This account: mongosql@EXAMPLE.COM

  • Start the MongoDB and MongoDB Connector for BI services.

See also

To learn how to configure Active Directory to manage your MongoDB instance, see Configure MongoDB with Kerberos Authentication and Active Directory Authorization.

Testing BI Connector with Kerberos on localhost

If you are testing Kerberos with a mongosqld instance running on localhost, you must set net.unixDomainSocket.enabled to true in the mongosqld configuration file.
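
The rules above (upper-case realm, GSSAPI against $external, an SPN matching gssapi.serviceName/gssapi.hostname, and the localhost socket setting) can be checked before the service is started. The following is an added example, not part of the original page or of the BI Connector: lint_mongosqld and its arguments are hypothetical names, and the configuration is assumed to be already parsed into a dict. It also assumes "localhost" means a loopback bindIp and compares SPNs case-insensitively.

```python
# Added example: lint a parsed mongosqld.cfg against the rules on this page.
# lint_mongosqld and its arguments are hypothetical names; sample data is constructed.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: what counts as "localhost"

def lint_mongosqld(cfg, registered_spns):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    sec = cfg.get("security", {})
    net = cfg.get("net", {})
    auth = cfg.get("mongodb", {}).get("net", {}).get("auth", {})

    # Important note: the realm/domain part of the username must be upper case.
    name, sep, realm = auth.get("username", "").partition("@")
    if not sep or not realm:
        findings.append("username has no @REALM part")
    elif realm != realm.upper():
        findings.append(f"realm must be upper case: {name}@{realm.upper()}")

    # Client-facing and MongoDB-facing sides both use GSSAPI against $external.
    for where, part, mech_key, src_key in (
        ("security", sec, "defaultMechanism", "defaultSource"),
        ("mongodb.net.auth", auth, "mechanism", "source"),
    ):
        if part.get(mech_key) != "GSSAPI" or part.get(src_key) != "$external":
            findings.append(f"{where}: expected GSSAPI with source $external")

    # serviceName/hostname must name an SPN registered with setspn.exe
    # (compared case-insensitively here, an assumption of this example).
    gss = sec.get("gssapi", {})
    spn = f"{gss.get('serviceName', '')}/{gss.get('hostname', '')}"
    if spn.lower() not in {s.lower() for s in registered_spns}:
        findings.append(f"no registered SPN matches {spn}")

    # Localhost testing requires net.unixDomainSocket.enabled: true.
    if str(net.get("bindIp", "")).lower() in LOOPBACK:
        if not net.get("unixDomainSocket", {}).get("enabled", False):
            findings.append("localhost bind needs net.unixDomainSocket.enabled: true")
    return findings

# Constructed sample mirroring the mongosqld.cfg and SPNs in the example above.
SPNS = ["mongodb/BI.EXAMPLE.COM", "mongosql/BI.EXAMPLE.COM"]
GOOD = {
    "net": {"bindIp": "BI.EXAMPLE.COM", "port": 3306},
    "security": {"enabled": True, "defaultSource": "$external", "defaultMechanism": "GSSAPI",
                 "gssapi": {"hostname": "BI.EXAMPLE.COM", "serviceName": "mongosql"}},
    "mongodb": {"net": {"auth": {"username": "grace.smith@EXAMPLE.COM",
                                 "source": "$external", "mechanism": "GSSAPI"}}},
}

if __name__ == "__main__":
    print(lint_mongosqld(GOOD, SPNS) or "no findings")
```

The registered_spns list is supplied by the caller; the example does not query Active Directory itself.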