50 changes: 41 additions & 9 deletions docs/details/authentication.md
Expand Up @@ -129,19 +129,51 @@

For [Kerberos authentication :octicons-link-external-16:](https://docs.percona.com/percona-server-for-mongodb/latest/authentication.html#kerberos-authentication), create the `pbm` user in the `$external` database in the format `<username@KERBEROS_REALM>` (e.g. [pbm@PERCONATEST.COM](mailto:pbm@PERCONATEST.COM)).

Specify the following string for MongoDB connection URI:
You can choose any of these methods to authenticate `pbm` user against Kerberos:

```bash
PBM_MONGODB_URI="mongodb://<username>%40<KERBEROS_REALM>@<hostname>:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx"
```
=== "Using a Keytab (Recommended)"

Note that you must first obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**:
1. Set the environment variable `KRB5_CLIENT_KTNAME` with the path to the generated keytab for the `pbm` user. This way no password is required to get the ticket.

```bash
export KRB5_CLIENT_KTNAME=/path/to/keytab
```


2. Specify the following MongoDB connection URI without the password:

```bash
PBM_MONGODB_URI="mongodb://<username>%40<KERBEROS_REALM>@<hostname>:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx"
```

```bash
sudo -u {USER} kinit pbm
```
=== "Requesting a ticket manually"

Note that the `{USER}` is the user that you will run the `pbm-agent` process.
1. Obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**. Kerberos will prompt you for the password and issue a Ticket-Granting Ticket (TGT):

```bash
sudo -u {USER} kinit <username>@<KERBEROS_REALM>
```

where `{USER}` is the OS user account that runs the `pbm-agent` process.

!!! note

Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`.

2. Specify the following MongoDB connection URI without the password.

```bash PBM_MONGODB_URI="mongodb://<username>%40<KERBEROS_REALM>@<hostname>:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx"
```

=== "Using username and password"

You can authenticate using a connection string URI specifying your URL-encoded Kerberos principal and password, and the address of your MongoDB server:

```bash
PBM_MONGODB_URI="mongodb://<username>%40<KERBEROS_REALM>:<PASSWORD>@<hostname>:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx"
```

Make sure that `<PASSWORD>` is also percent-encoded if it contains reserved characters (see [Passwords with special characters](#passwords-with-special-characters)).

### LDAP binding
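Review bot: in step 2 of the "Requesting a ticket manually" tab the opening fence and the connection string share one line (`` ```bash PBM_MONGODB_URI="mongodb://<username>%40<KERBEROS_REALM>@<hostname>:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" ``), so Markdown will not render it as a code block; put `` ```bash `` on its own line, as the other two tabs do. Two smaller points while you are in this hunk: the keytab tab should say that the file pointed to by `KRB5_CLIENT_KTNAME` is a long-lived credential equivalent to the `pbm` user's password and must be readable only by the `{USER}` account that runs `pbm-agent`; and the "Using username and password" tab places the Kerberos password in clear text in the `PBM_MONGODB_URI` environment variable, which deserves a sentence next to the percent-encoding advice so readers can weigh it against the keytab option the page already marks as recommended.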
