When setting up the MongoDB servers with TLS, authenticating after connecting with db.getSiblingDB("$external").auth or via mongo command-line parameters (as described in the online MongoDB documentation) worked perfectly. However, the validation script failed to connect.
The problem seemed to be that MongoDB did not automatically recognize the username from the certificate. When connecting with:
mongo --host localhost --ssl --sslPEMKeyFile ~/shared/certs/client.pem --sslCAFile ~/shared/certs/ca.pem --port 31240
The user has no privileges (which is what the validation script also output). When connecting with:
mongo --host localhost --ssl --sslPEMKeyFile ~/shared/certs/client.pem --sslCAFile ~/shared/certs/ca.pem --port 31240 --authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 -u "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client"
I could connect perfectly. This is how it is described in the online documentation as well. To solve the homework, I modified the validation script to include the --authenticationDatabase, --authenticationMechanism, and -u parameters. That caused the script to work as intended.
Out of curiosity, did anyone else encounter that? Is there a mongod option to “inherit the username from the certificate” that I could have specified? Or perhaps a way of disabling all authentication except for x.509 so that mongod defaulted to the $external database for authentication?
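One way to get the "inherit the username from the certificate" behaviour on the client side, as an added example that is not part of the original post or of the course material: derive the user name from the client PEM with openssl and pass it to the same mongo invocation shown above. It assumes the server accepts the RFC 2253 subject string (as the MongoDB x.509 documentation describes) and that the host, port and certificate paths are the placeholders from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the mongod user name
# is the client certificate's subject in RFC 2253 form, as printed by
# `openssl x509 -nameopt RFC2253`; host/port/paths are the post's placeholders.
set -eu

# Normalise the "subject=" line openssl prints. Older releases emit
# "subject= CN=..." (with a space), 1.1+ emits "subject=CN=..."; strip both.
subject_to_username() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//'
}

# Read the DN from a PEM file in RFC 2253 ordering and turn it into the -u value.
cert_username() {
    subject_to_username "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)"
}

# Run mongo with x.509 auth against $external, using the user name taken from
# the certificate. Usage: run_mongo_x509 client.pem ca.pem [host] [port]
run_mongo_x509() {
    pem="$1"; ca="$2"; host="${3:-localhost}"; port="${4:-31240}"
    user="$(cert_username "$pem")"
    # A subject without CN= cannot map to a MongoDB user; fail early and loudly.
    case "$user" in
        *CN=*) ;;
        *) echo "no CN in subject of $pem: '$user'" >&2; return 1 ;;
    esac
    mongo --host "$host" --port "$port" --ssl \
        --sslPEMKeyFile "$pem" --sslCAFile "$ca" \
        --authenticationDatabase '$external' \
        --authenticationMechanism MONGODB-X509 \
        -u "$user"
}
```

If the server still reports no privileges, compare the string from cert_username with the user document in the $external database; the two must match character for character, including attribute order.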