User authentication with the wire listener

You can authenticate users through the wire listener with MongoDB authentication or with the database server, through a pluggable authentication module (PAM).

You can use the following types of authentication methods with the wire listener:

MONGODB-CR challenge-response
The wire listener authenticates users with the MongoDB challenge-response authentication method outside of the database server environment. You create users with the MongoDB API create user commands. Clients connect to the wire listener as MongoDB users and the wire listener authenticates the users. The wire listener connects to the database server as the user that is specified by the url parameter in the wire listener configuration file. The database server cannot access MongoDB user account information.
For MongoDB version 2.4, user information and privileges are stored in the system_users collection in each database. For MongoDB version 2.6 and later, user information and privileges are stored in the system.users collection in the admin database. If you are upgrading your MongoDB version and you have existing users, you must upgrade your user schema.
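The three steps of the MONGODB-CR exchange described above, as an added example that is not code from this page or from the wire listener itself: both sides run in-process, the user name, password and nonce size are constructed, and the server side is given only the stored digest, never the password.

```python
"""MONGODB-CR challenge-response as used for MongoDB 2.4 and 2.6 clients.
Added example: client and server sides run in-process; names and nonce
length are constructed values, not anything the wire listener defines."""
import hashlib
import hmac
import secrets


def password_digest(user: str, password: str) -> str:
    # The value MongoDB stores in the "pwd" field of the user document:
    # hex MD5 of "user:mongo:password" (MongoDB's documented convention).
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()


def server_nonce() -> str:
    # Step 1: the server answers the client's nonce request with a fresh random value.
    return secrets.token_hex(8)


def client_key(nonce: str, user: str, pwd_digest: str) -> str:
    # Step 2: the client proves knowledge of the digest by hashing it with the nonce.
    return hashlib.md5(f"{nonce}{user}{pwd_digest}".encode()).hexdigest()


def server_verify(stored_digest: str, nonce: str, user: str, key: str) -> bool:
    # Step 3: the server recomputes the expected key from its stored digest and
    # compares in constant time; the nonce it issued is used once and discarded.
    return hmac.compare_digest(client_key(nonce, user, stored_digest), key)


def run_exchange(user: str, password: str, stored_digest: str) -> bool:
    """Drive one full exchange and return whether the server accepts it."""
    nonce = server_nonce()
    key = client_key(nonce, user, password_digest(user, password))
    return server_verify(stored_digest, nonce, user, key)


if __name__ == "__main__":
    stored = password_digest("alice", "s3cret")   # constructed user record
    print("correct password accepted:", run_exchange("alice", "s3cret", stored))
    print("wrong password accepted:  ", run_exchange("alice", "wrong", stored))
```

Note that `server_verify` derives the expected key from the stored digest alone, so that digest is as sensitive as the password itself; the collection that holds it (system_users or system.users, depending on the MongoDB version) needs the same protection as a password store.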
SCRAM-SHA-1 two-step authentication
SCRAM-SHA-1 is only available when the mongo.api.version=3.0 parameter is set in the wire listener configuration file.
The wire listener authenticates users with the SCRAM-SHA-1 authentication method outside of the database server environment. You create users with the MongoDB API create user commands. User information and privileges are stored in the system.users collection in the admin database. Clients connect to the wire listener as MongoDB users and the wire listener authenticates the users. The wire listener connects to the database server as the user that is specified by the url parameter in the wire listener configuration file. The database server cannot access MongoDB user account information.
Important: You cannot use SCRAM authentication with the REST API or the MQTT protocol.
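The SCRAM-SHA-1 exchange from the section above, carried through as an added example with both sides' messages (not code from this page or from the wire listener). It follows RFC 5802 together with MongoDB's convention of feeding SCRAM the hex MD5 of "user:mongo:password" rather than the raw password; the user name, password, salt and nonce lengths are constructed, and the iteration count is MongoDB's default of 10000. The server side holds only the salt, iteration count, StoredKey and ServerKey, which is the point of the method.

```python
"""SCRAM-SHA-1 (RFC 5802) as used for MongoDB 3.0 clients, both sides in-process.
Added example; names, salt and nonce sizes are constructed values."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

ITERATIONS = 10000  # MongoDB's default SCRAM-SHA-1 iteration count


def mongo_password_digest(user: str, password: str) -> bytes:
    # MongoDB feeds SCRAM the hex MD5 of "user:mongo:password" instead of the raw password.
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest().encode()


@dataclass
class ScramCredential:
    """The record the server keeps: salt, iteration count, StoredKey and ServerKey."""
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attrs(msg: str) -> dict:
    # "k=v,k=v" message attributes; the first "=" separates key from value.
    return dict(part.split("=", 1) for part in msg.split(","))


def make_credential(user: str, password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> ScramCredential:
    """Build the server-side record at user creation time (the password is not kept)."""
    salt = salt or secrets.token_bytes(16)
    salted = hashlib.pbkdf2_hmac("sha1", mongo_password_digest(user, password), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return ScramCredential(salt, iterations, hashlib.sha1(client_key).digest(),
                           _hmac(salted, b"Server Key"))


def client_first(user: str, cnonce: str) -> str:
    # client-first-message-bare; "," and "=" in the user name are escaped per the RFC.
    return "n=" + user.replace("=", "=3D").replace(",", "=2C") + ",r=" + cnonce


def server_first(cred: ScramCredential, client_bare: str, snonce: str) -> str:
    # The server extends the client nonce and reveals salt and iteration count.
    return f"r={_attrs(client_bare)['r']}{snonce},s={_b64(cred.salt)},i={cred.iterations}"


def client_final(user: str, password: str, client_bare: str,
                 server_first_msg: str) -> Tuple[str, bytes]:
    attrs = _attrs(server_first_msg)
    if not attrs["r"].startswith(_attrs(client_bare)["r"]):
        raise ValueError("server nonce does not extend the client nonce")
    salted = hashlib.pbkdf2_hmac("sha1", mongo_password_digest(user, password),
                                 base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = _hmac(salted, b"Client Key")
    without_proof = f"c={_b64(b'n,,')},r={attrs['r']}"
    auth_message = f"{client_bare},{server_first_msg},{without_proof}".encode()
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    proof = _xor(client_key, _hmac(hashlib.sha1(client_key).digest(), auth_message))
    expected_server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
    return f"{without_proof},p={_b64(proof)}", expected_server_sig


def server_final(cred: ScramCredential, client_bare: str, server_first_msg: str,
                 client_final_msg: str) -> Optional[str]:
    without_proof, proof_b64 = client_final_msg.rsplit(",p=", 1)
    auth_message = f"{client_bare},{server_first_msg},{without_proof}".encode()
    # Recover ClientKey from the proof and check that it hashes to StoredKey.
    client_key = _xor(base64.b64decode(proof_b64), _hmac(cred.stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), cred.stored_key):
        return None
    return "v=" + _b64(_hmac(cred.server_key, auth_message))


def run_exchange(user: str, password: str, cred: ScramCredential) -> bool:
    """Drive the two round trips; True only if both sides verify each other."""
    cnonce, snonce = secrets.token_urlsafe(18), secrets.token_urlsafe(18)
    bare = client_first(user, cnonce)
    sfirst = server_first(cred, bare, snonce)
    cfinal, expected_sig = client_final(user, password, bare, sfirst)
    sfinal = server_final(cred, bare, sfirst, cfinal)
    if sfinal is None:
        return False
    return hmac.compare_digest(base64.b64decode(_attrs(sfinal)["v"]), expected_sig)
```

Two properties worth checking against the code: `server_final` never sees the password or the salted password, only StoredKey, and the `v=` value in the last message lets the client confirm that the server holds ServerKey, which is why the exchange is mutual rather than one-sided like MONGODB-CR.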
Database server authentication with a PAM (UNIX, Linux)
The PAM implements the MONGODB-CR challenge-response method. The wire listener connects to the database server with the user name and password that are provided by the client, and the database server authenticates the user through PAM. The database server controls all user accounts and privileges. You can audit user activities and configure fine-grained access control.

Which authentication types you can use depends on the type of client and the version of MongoDB.

MongoDB clients

Table 1. Authentication types for the MongoDB API by version

Authentication type   MongoDB 2.4   MongoDB 2.6   MongoDB 3.0   Details
MONGODB-CR            Yes           Yes           No            Follow the instructions for configuring MongoDB authentication.
SCRAM-SHA-1           No            No            Yes           The user schema must be at MongoDB version 2.6 or later.
PAM                   Yes           Yes           No            Follow the instructions for configuring database server authentication with PAM.

REST API clients

Important: You cannot set the mongo.api.version parameter to 3.0 in the wire listener configuration file because the REST API does not support SCRAM authentication.
Table 2. Authentication types for the REST API by supported MongoDB versions

Authentication type   MongoDB 2.4   MongoDB 2.6   MongoDB 3.0   Details
MONGODB-CR            Yes           Yes           No            Follow the instructions for configuring MongoDB authentication. HTTP clients authenticate using the HTTP basic authentication method.
SCRAM-SHA-1           No            No            No            SCRAM is not supported.
PAM                   Yes           Yes           No            Follow the instructions for configuring database server authentication with PAM. HTTP clients authenticate using the HTTP basic authentication method.

MQTT clients

Important: You cannot set the mongo.api.version parameter to 3.0 in the wire listener configuration file because the MQTT protocol does not support SCRAM authentication.
Table 3. Authentication types for the MQTT protocol by supported MongoDB versions

Authentication type   MongoDB 2.4   MongoDB 2.6   MongoDB 3.0   Details
MONGODB-CR            Yes           Yes           Yes           Follow the instructions for configuring MongoDB authentication. The MQTT CONNECT packet must include the database name as a prefix of the user name, in the following format: "database_name.user_name".
SCRAM-SHA-1           No            No            No            SCRAM is not supported.
PAM                   Yes           Yes           No            Follow the instructions for configuring database server authentication with PAM. The MQTT CONNECT packet must include the database name as a prefix of the user name, in the following format: "database_name.user_name".
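Extracting the "database_name.user_name" credential from the MQTT CONNECT packet that Table 3 describes, as an added example that is not code from this page or from the wire listener. It parses an MQTT 3.1.1 CONNECT packet far enough to reach the user name and password fields, then splits the database prefix off. Two assumptions are mine: the database name ends at the first "." (so a user name may itself contain dots), and a CONNECT without a user name is rejected rather than treated as anonymous. The `build_connect` helper exists only to produce constructed sample packets.

```python
"""Parse the user name field of an MQTT 3.1.1 CONNECT packet and split off the
database prefix. Added example; sample packets are constructed by build_connect."""
import struct
from typing import Optional, Tuple


def split_user_name(user_name: str) -> Tuple[str, str]:
    # Assumption: the database name is everything before the first ".".
    database, dot, user = user_name.partition(".")
    if not dot or not database or not user:
        raise ValueError('MQTT user name must have the form "database_name.user_name"')
    return database, user


def _read_bytes(buf: bytes, pos: int) -> Tuple[bytes, int]:
    # MQTT length-prefixed field: 2-byte big-endian length followed by the data.
    (length,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated length-prefixed field")
    return buf[pos + 2:end], end


def _read_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    # Variable-length integer, 7 bits per byte, high bit = continuation.
    value, multiplier = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def parse_connect_credentials(packet: bytes) -> Tuple[str, str, Optional[bytes]]:
    """Return (database, user, password) from a CONNECT packet, validating the prefix."""
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_remaining_length(packet, 1)
    if pos + remaining != len(packet):
        raise ValueError("remaining length does not match packet size")
    protocol, pos = _read_bytes(packet, pos)
    if protocol != b"MQTT" or packet[pos] != 4:
        raise ValueError("only MQTT protocol level 4 (3.1.1) is handled here")
    flags = packet[pos + 1]
    pos += 4  # protocol level, connect flags, keep alive (2 bytes)
    _client_id, pos = _read_bytes(packet, pos)
    if flags & 0x04:  # will flag set: skip will topic and will message
        _, pos = _read_bytes(packet, pos)
        _, pos = _read_bytes(packet, pos)
    if not flags & 0x80:
        raise ValueError("CONNECT carries no user name; nothing to authenticate")
    raw_user, pos = _read_bytes(packet, pos)
    password = None
    if flags & 0x40:
        password, pos = _read_bytes(packet, pos)
    database, user = split_user_name(raw_user.decode("utf-8"))
    return database, user, password


def _field(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_connect(client_id: str, user_name: str, password: Optional[bytes]) -> bytes:
    """Constructed sample CONNECT packet (clean session, no will) for exercising the parser."""
    flags = 0x02 | 0x80 | (0x40 if password is not None else 0)
    body = _field(b"MQTT") + bytes([4, flags]) + struct.pack(">H", 60)
    body += _field(client_id.encode()) + _field(user_name.encode())
    if password is not None:
        body += _field(password)
    length, n = bytearray(), len(body)
    while True:
        byte, n = n % 128, n // 128
        length.append((byte | 0x80) if n else byte)
        if not n:
            break
    return bytes([0x10]) + bytes(length) + body


if __name__ == "__main__":
    sample = build_connect("sensor-1", "stores_db.sensor", b"pw")  # constructed
    print(parse_connect_credentials(sample))
```

The length checks before every field matter more than they look: the wire listener sees CONNECT packets from arbitrary network clients before any authentication has happened, so a parser at this point must fail cleanly on truncated or mismatched lengths instead of indexing past the buffer.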

Copyright© 2018 HCL Technologies Limited