How does the mongod know the identity of the client?
Check all that apply:
- a. It obtains a certificate from the client when the TLS connection is established.
- b. The certificate must be signed by the certificate authority file passed to the mongod.
- c. The subject of the certificate must match the name of the user in the $external database.
Answer
All of the options are true:
- It obtains a certificate from the client when the TLS connection is established.
- The certificate must be signed by the certificate authority file passed to the mongod.
- The subject of the certificate must match the name of the user in the $external database.

Which of the following are true regarding LDAP authentication?
Check all that apply:
- MongoDB drivers authenticating to MongoDB with LDAP send LDAP credentials using SASL PLAIN, which sends the username/password in clear text.
- LDAP Authentication support is a MongoDB Enterprise only feature.
- LDAP is more secure than Kerberos.
- saslauthd is a proxy service used by mongod to talk to an LDAP server.
This is a frequently asked MongoDB security question in MongoDB interviews.
Answer
The following are true regarding LDAP authentication:
- MongoDB drivers authenticating to MongoDB with LDAP send LDAP credentials using SASL PLAIN, which sends the username/password in clear text.
- LDAP Authentication support is a MongoDB Enterprise only feature.
- saslauthd is a proxy service used by mongod to talk to an LDAP server.

"LDAP is more secure than Kerberos": This is not true. LDAP was not designed for the purpose of external authentication. LDAP was designed to store user metadata in a directory service. Kerberos was designed for the sole purpose of external authentication.