MongoDB Authentication

Add authentication to MongoDB

These instructions are for Oracle Linux 7. The commands for other distributions will be different. First install and start MongoDB.

sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo << EOF
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF

sudo yum -y install mongodb-org
sudo systemctl start mongod
sudo systemctl enable mongod

Then create an admin user by first connecting with the mongo CLI. Once connected, switch to the admin database and run the create user command. Change the PASSWORD below to a secure random password.

mongo
use admin;
db.createUser(
  {
    user: "admin",
    pwd: "PASSWORD",
    roles: [
      "userAdminAnyDatabase",
      "dbAdminAnyDatabase",
      "readWriteAnyDatabase"
    ]
  }
);

After the user has been created edit the MongoDB configuration to enable authorization. The net section should be replaced with the section below.

sudo nano /etc/mongod.conf
security:
  authorization: enabled

Create Pritunl User

Then create a pritunl user for the pritunl database in the admin database. First connect with the mongo CLI using the admin account, then switch to the admin database. Change the PASSWORD below to a secure random password. When authenticating from mongo CLI tools, use --authenticationDatabase admin.

If configuring Pritunl Zero or Pritunl Cloud, update the name of the database below.

mongo --host subnet.domain.com -u admin --authenticationDatabase admin

use admin;
db.createUser({
  user: "pritunl",
  pwd: "PASSWORD",
  roles: [{role: "dbOwner", db: "pritunl"}]
});

Test the new user with the command below.

mongo --host mongo-test.silicon.red -u pritunl --authenticationDatabase admin pritunl

Connecting to MongoDB

When configuring Pritunl, the username, password and ssl option must be added to the MongoDB URI, such as:

mongodb://pritunl:[email protected]:27017/pritunl?authSource=admin

If configuring Pritunl Zero or Pritunl Cloud, update the name of the database.

Authentication Database

If the authentication user is on a different database, the authSource parameter must be included in the MongoDB URI, such as:

mongodb://pritunl:[email protected]:27017/pritunl?authSource=admin
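
An added example, not part of the Pritunl documentation: a shell helper that generates a random password and assembles a URI in the form described above, percent-encoding the credentials so that characters such as / : @ + in a random password do not break URI parsing. The function names and the sample password are constructed for illustration; the host is the one used earlier on this page, and passwords are assumed to be ASCII.

```sh
#!/bin/sh
# Added example: build a MongoDB URI with percent-encoded credentials.
# Function names are hypothetical; passwords are assumed to be ASCII.

# Percent-encode every character outside the RFC 3986 unreserved set.
# The body runs in a subshell "( )" so LC_ALL and loop variables stay local.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}        # everything after the first character
    c=${s%"$rest"}     # the first character itself
    s=$rest
    case $c in
      [a-zA-Z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# 24 random bytes -> 32 base64 characters (may contain + and /).
gen_password() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Usage: mongo_uri USER PASSWORD HOST DATABASE [AUTH_DB]
# AUTH_DB defaults to admin, the database the users on this page live in.
mongo_uri() {
  printf 'mongodb://%s:%s@%s:27017/%s?authSource=%s\n' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "${5:-admin}"
}

# Constructed sample password containing characters that must be encoded.
mongo_uri pritunl 'p@ss/w:rd+1=' subnet.domain.com pritunl
```

Pass the unencoded password to db.createUser and the mongo CLI; only the copy embedded in the URI is percent-encoded.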