SERVER-34750 Update man pages

12 files changed, 9788 insertions, 2410 deletions

diff --git a/debian/bsondump.1 b/debian/bsondump.1
index 892b46c92c2..74f091ea918 100644
--- a/debian/bsondump.1
+++ b/debian/bsondump.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "BSONDUMP" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "BSONDUMP" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 bsondump \- MongoDB BSON Utility
 .
@@ -30,22 +30,42 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Options\fP
+.IP \(bu 2
+\fI\%Use\fP
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.sp
+Users running on Mac OSX Sierra require the 3.2.10 or newer version
+of  \fI\%bsondump\fP\&.
+.UNINDENT
+.UNINDENT
 .SH SYNOPSIS
 .sp
-The \fBbsondump\fP converts \fIBSON\fP files into human\-readable
-formats, including \fIJSON\fP\&. For example, \fBbsondump\fP is useful
+The \fI\%bsondump\fP converts BSON files into human\-readable
+formats, including JSON\&. For example, \fI\%bsondump\fP is useful
 for reading the output files generated by \fBmongodump\fP\&.
 .sp
+Run \fI\%bsondump\fP from the system command line, not the \fBmongo\fP shell.
+.sp
 \fBIMPORTANT:\fP
 .INDENT 0.0
 .INDENT 3.5
-\fBbsondump\fP is a diagnostic tool for inspecting
+\fI\%bsondump\fP is a diagnostic tool for inspecting
 BSON files, not a tool for data ingestion or other application use.
 .UNINDENT
 .UNINDENT
 .SH OPTIONS
 .sp
-Changed in version 3.0.0: \fBbsondump\fP removed the \fB\-\-filter\fP option.
+Changed in version 3.0.0: \fI\%bsondump\fP removed the \fB\-\-filter\fP, \fB\-\-dbpath\fP and the
+\fB\-\-noobjcheck\fP options.
 
 .INDENT 0.0
 .TP
@@ -53,10 +73,6 @@ Changed in version 3.0.0: \fBbsondump\fP removed the \fB\-\-filter\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B bsondump
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-help
 Returns information on the options and use of \fBbsondump\fP\&.
 .UNINDENT
@@ -70,13 +86,13 @@ including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .INDENT 0.0
 .TP
 .B \-\-quiet
-Runs the \fBbsondump\fP in a quiet mode that attempts to limit the amount
+Runs \fBbsondump\fP in a quiet mode that attempts to limit the amount
 of output.
 .sp
 This option suppresses:
 .INDENT 7.0
 .IP \(bu 2
-output from \fIdatabase commands\fP
+output from database commands
 .IP \(bu 2
 replication activity
 .IP \(bu 2
@@ -93,31 +109,16 @@ Returns the \fBbsondump\fP release number.
 .INDENT 0.0
 .TP
 .B \-\-objcheck
-Validates each \fIBSON\fP object before outputting it in \fIJSON\fP
-format. By default, \fBbsondump\fP enables \fI\-\-objcheck\fP\&.
+Validates each BSON object before outputting it in JSON
+format. By default, \fBbsondump\fP enables \fI\%\-\-objcheck\fP\&.
 For objects with a high degree of sub\-document nesting,
-\fI\-\-objcheck\fP can have a small impact on performance. You can set
-\fI\-\-noobjcheck\fP to disable object checking.
-.sp
-Changed in version 2.4: MongoDB enables \fI\-\-objcheck\fP by default, to prevent any
-client from inserting malformed or invalid BSON into a MongoDB
-database.
-
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-noobjcheck
-New in version 2.4.
-
-.sp
-Disables the default document validation that MongoDB performs on all
-incoming BSON documents.
+\fI\%\-\-objcheck\fP can have a small impact on performance.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-type <=json|=debug>
 Changes the operation of \fBbsondump\fP from outputting
-"\fIJSON\fP" (the default) to a debugging format.
+“JSON” (the default) to a debugging format.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -129,29 +130,54 @@ Outputs documents in a pretty\-printed format JSON.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-bsonFile
+New in version 3.4.
+
+.sp
+Specifies a path to a BSON file to dump to JSON. \fI\%\-\-bsonFile\fP is
+an alternative to the positional \fI\%<bsonFilename>\fP option.
+.sp
+By default, \fBbsondump\fP reads from standard input.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B <bsonFilename>
 The final argument to \fBbsondump\fP is a document containing
-\fIBSON\fP\&. This data is typically generated by
-\fBbsondump\fP or by MongoDB in a \fIrollback\fP operation.
+BSON\&. This data is typically generated by
+\fBbsondump\fP or by MongoDB in a rollback operation.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-outFile
+New in version 3.4.
+
+.sp
+Specifies the path of the file to which \fBbsondump\fP should write
+its output JSON data.
+.sp
+By default, \fBbsondump\fP writes to standard output.
 .UNINDENT
 .SH USE
 .sp
-By default, \fBbsondump\fP outputs data to standard output. To
-create corresponding \fIJSON\fP files, you will need to use the
-shell redirect. See the following command:
+Changed in version 3.4.
+
+.sp
+By default, \fI\%bsondump\fP outputs data to standard output. To
+create corresponding JSON files, you can use the
+\fI\%\-\-outFile\fP option:
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-bsondump collection.bson > collection.json
+bsondump \-\-outFile collection.json collection.bson
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
 Use the following command (at the system shell) to produce debugging
-output for a \fIBSON\fP file:
+output for a BSON file:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -165,6 +191,6 @@ bsondump \-\-type=debug collection.bson
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongo.1 b/debian/mongo.1
index 62ed3d1e5b3..3d2e876cbfb 100644
--- a/debian/mongo.1
+++ b/debian/mongo.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGO" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGO" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongo \- MongoDB Shell
 .
@@ -30,21 +30,41 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Description\fP
+.IP \(bu 2
+\fI\%Options\fP
+.IP \(bu 2
+\fI\%Files\fP
+.IP \(bu 2
+\fI\%Environment\fP
+.IP \(bu 2
+\fI\%Keyboard Shortcuts\fP
+.IP \(bu 2
+\fI\%Use\fP
+.UNINDENT
 .SH DESCRIPTION
 .sp
-\fBmongo\fP is an interactive JavaScript shell interface to
+\fI\%mongo\fP is an interactive JavaScript shell interface to
 MongoDB, which provides a powerful interface for systems
 administrators as well as a way for developers to test queries and
-operations directly with the database. \fBmongo\fP also provides
+operations directly with the database. \fI\%mongo\fP also provides
 a fully functional JavaScript environment for use with a MongoDB. This
-document addresses the basic invocation of the \fBmongo\fP shell
+document addresses the basic invocation of the \fI\%mongo\fP shell
 and an overview of its usage.
-.SH OPTIONS
-.SS Core Options
+.sp
+\fBNOTE:\fP
 .INDENT 0.0
-.TP
-.B mongo
+.INDENT 3.5
+Starting in version 4.0, \fI\%mongo\fP disables support for TLS 1.0
+encryption on systems where TLS 1.1+ is available. For
+more details, see 4.0\-disable\-tls\&.
+.UNINDENT
 .UNINDENT
+.SH OPTIONS
+.SS Core Options
 .INDENT 0.0
 .TP
 .B \-\-shell
@@ -58,7 +78,7 @@ provides the user with a shell prompt after the file finishes executing.
 .B \-\-nodb
 Prevents the shell from connecting to any database instances. Later, to
 connect to a database within the shell, see
-\fImongo\-shell\-new\-connections\fP\&.
+mongo\-shell\-new\-connections\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -75,14 +95,14 @@ Silences output from the shell during the connection process.
 .TP
 .B \-\-port <port>
 Specifies the port where the \fBmongod\fP or \fBmongos\fP
-instance is listening. If \fI\-\-port\fP is not specified,
+instance is listening. If \fI\%\-\-port\fP is not specified,
 \fBmongo\fP attempts to connect to port \fB27017\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-host <hostname>
-Specifies the name of the host machine where the \fBmongod\fP or
-\fBmongos\fP is running. If this is not specified,
+Specifies the name of the host machine where the
+\fBmongod\fP or \fBmongos\fP is running. If this is not specified,
 \fBmongo\fP attempts to connect to a MongoDB process running on
 the localhost.
 .sp
@@ -98,6 +118,35 @@ following form:
 .fi
 .UNINDENT
 .UNINDENT
+.sp
+For TLS/SSL connections (\fB\-\-ssl\fP), \fBmongo\fP verifies that the
+hostname of the \fBmongod\fP or \fBmongos\fP to which you are connecting matches
+the CN or SAN of the \fBmongod\fP or \fBmongos\fP’s \fB\-\-sslPEMKeyFile\fP certificate.
+If the hostname does not match the CN/SAN, \fBmongo\fP will fail to
+connect.
+.sp
+For \fI\%DNS seedlist connections\fP, specify the connection protocol as
+\fBmongodb+srv\fP, followed by the DNS SRV hostname record and any
+options. The  \fBauthSource\fP and \fBreplicaSet\fP options, if included in
+the connection string, will override any corresponding DNS\-configured options
+set in the TXT record. Use of the \fBmongodb+srv:\fP connection string implicitly
+enables TLS/SSL (normally set with \fBssl=true\fP) for the client connection. The
+TLS/SSL option can be turned off by setting \fBssl=false\fP in the query string.
+.sp
+Example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodb+srv://server.example.com/?connectionTimeout=3000ms
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+New in version 3.6.
+
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -117,9 +166,9 @@ that uses authentication. Use in conjunction with the \fB\-\-password\fP and
 .TP
 .B \-\-password <password>, \-p <password>
 Specifies a password with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fI\-\-username\fP
-and \fI\-\-authenticationDatabase\fP options. To force \fBmongo\fP to
-prompt for a password, enter the \fI\-\-password\fP option as the
+that uses authentication. Use in conjunction with the \fI\%\-\-username\fP
+and \fI\%\-\-authenticationDatabase\fP options. To force \fBmongo\fP to
+prompt for a password, enter the \fI\%\-\-password\fP option as the
 last option and leave out the argument.
 .UNINDENT
 .INDENT 0.0
@@ -140,15 +189,71 @@ process.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-networkMessageCompressors <string>
+New in version 3.4.
+
+.sp
+.INDENT 7.0
+Changed in version 3.6: .IP \(bu 2
+Add support for zlib compressor.
+.IP \(bu 2
+Enabled by default. To disable, set to \fBdisabled\fP\&.
+.UNINDENT
+
+.sp
+Enables network compression for communication between this
+\fBmongo\fP shell and:
+.INDENT 7.0
+.IP \(bu 2
+a \fBmongod\fP instance
+.IP \(bu 2
+a \fBmongos\fP instance.
+.UNINDENT
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+Messages are compressed when both parties enable network
+compression. Otherwise, messages between the parties are
+uncompressed.
+.UNINDENT
+.UNINDENT
+.sp
+You can specify the following compressors:
+.INDENT 7.0
+.IP \(bu 2
+snappy (Default)
+.IP \(bu 2
+zlib
+.UNINDENT
+.sp
+If you specify multiple compressors, then the order in which you list
+the compressors matter as well as the communication initiator. For
+example, if a \fI\%mongo\fP shell specifies the following network
+compressors \fBzlib,snappy\fP and the \fBmongod\fP specifies
+\fBsnappy,zlib\fP, messages between \fI\%mongo\fP shell and
+\fBmongod\fP uses \fBzlib\fP\&.
+.sp
+If the parties do not share at least one common compressor, messages
+between the parties are uncompressed. For example, if a
+\fI\%mongo\fP shell specifies the network compressor
+\fBzlib\fP and \fBmongod\fP specifies \fBsnappy\fP, messages
+between \fI\%mongo\fP shell and \fBmongod\fP are not compressed.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-ipv6
-Enables IPv6 support and allows the \fBmongo\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+\fIRemoved in version 3.0.\fP
+.sp
+Enables IPv6 support and allows \fBmongo\fP to connect to the
+MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you
+had to specify \fI\%\-\-ipv6\fP to use IPv6. In MongoDB 3.0 and later, IPv6
+is always enabled.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B <db address>
-Specifies the "database address" of the database to connect to. For
+.B <db name>
+Specifies the name of the database to connect to. For
 example:
 .INDENT 7.0
 .INDENT 3.5
@@ -162,7 +267,7 @@ mongo admin
 .UNINDENT
 .sp
 The above command will connect the \fBmongo\fP shell to the
-\fIadmin database\fP on the local machine. You may specify a remote
+admin database of the MongoDB deployment running on the local machine. You may specify a remote
 database instance, with the resolvable hostname or IP address. Separate
 the database name from the hostname using a \fB/\fP character. See the
 following examples:
@@ -171,7 +276,7 @@ following examples:
 .sp
 .nf
 .ft C
-mongo mongodb1.example.net
+mongo mongodb1.example.net/test
 mongo mongodb1/admin
 mongo 10.8.8.10/test
 .ft P
@@ -182,7 +287,84 @@ mongo 10.8.8.10/test
 This syntax is the \fIonly\fP way to connect to a specific database.
 .sp
 To specify alternate hosts and a database, you must use this syntax and cannot
-use \fI\-\-host\fP or \fI\-\-port\fP\&.
+use \fI\%\-\-host\fP or \fI\%\-\-port\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-enableJavaScriptJIT
+New in version 4.0.
+
+.sp
+Enable the JavaScript engine’s JIT compiler.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-disableJavaScriptJIT
+Changed in version 4.0: The JavaScript engine’s JIT compiler is now disabled by default.
+
+.sp
+Disables the JavaScript engine’s JIT compiler.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-disableJavaScriptProtection
+New in version 3.4.
+
+.sp
+Allows fields of type javascript and
+javascriptWithScope to be automatically
+marshalled to JavaScript functions in the \fI\%mongo\fP
+shell.
+.sp
+With the \fB\-\-disableJavaScriptProtection\fP flag set, it is possible
+to immediately execute JavaScript functions contained in documents.
+The following example demonstrates this behavior within the shell:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+> db.test.insert({ _id: 1, jsFunc: function(){ print("hello") } } )
+WriteResult({ "nInserted" : 1 })
+> var doc = db.test.findOne({ _id: 1 })
+> doc
+{ "_id" : 1, "jsFunc" : function (){ print ("hello") } }
+> typeof doc.jsFunc
+function
+> doc.jsFunc()
+hello
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The default behavior (when \fI\%mongo\fP starts \fIwithout\fP the
+\fB\-\-disableJavaScriptProtection\fP flag) is to convert embedded
+JavaScript functions to the non\-executable MongoDB shell type
+\fBCode\fP\&. The following example demonstrates the default behavior
+within the shell:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+> db.test.insert({ _id: 1, jsFunc: function(){ print("hello") } } )
+WriteResult({ "nInserted" : 1 })
+> var doc = db.test.findOne({ _id: 1 })
+> doc
+{ "_id" : 1, "jsFunc" : { "code" : "function (){print(\e"hello\e")}" } }
+> typeof doc.func
+object
+> doc.func instanceof Code
+true
+> doc.jsFunc()
+2016\-11\-09T12:30:36.808\-0800 E QUERY    [thread1] TypeError: doc.jsFunc is
+not a function :
+@(shell):1:1
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -195,8 +377,8 @@ be the last option specified.
 .sp
 To specify a JavaScript file to execute \fIand\fP allow
 \fBmongo\fP to prompt you for a password using
-\fI\-\-password\fP, pass the filename as the first parameter with
-\fI\-\-username\fP and \fI\-\-password\fP as the last options, as
+\fI\%\-\-password\fP, pass the filename as the first parameter with
+\fI\%\-\-username\fP and \fI\%\-\-password\fP as the last options, as
 in the following:
 .INDENT 0.0
 .INDENT 3.5
@@ -218,28 +400,26 @@ finishes running.
 .INDENT 0.0
 .TP
 .B \-\-authenticationDatabase <dbname>
-New in version 2.4.
-
-.sp
-Specifies the database that holds the user\(aqs credentials.
+Specifies the database in which the user is created.
+See user\-authentication\-database\&.
 .sp
-If you do not specify a value for \fI\-\-authenticationDatabase\fP, \fBmongo\fP uses the database
+If you do not specify a value for \fI\%\-\-authenticationDatabase\fP, \fBmongo\fP uses the database
 specified in the connection string.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationMechanism <name>
-\fIDefault\fP: MONGODB\-CR
-.sp
-New in version 2.4.
-
-.sp
-Changed in version 2.6: Added support for the \fBPLAIN\fP and \fBMONGODB\-X509\fP authentication
-mechanisms.
-
+\fIDefault\fP: SCRAM\-SHA\-1
 .sp
 Specifies the authentication mechanism the \fBmongo\fP instance uses to
 authenticate to the \fBmongod\fP or \fBmongos\fP\&.
+.sp
+Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
+Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
+.sp
+MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
+function (\fBSCRAM\-SHA\-256\fP).
+
 .TS
 center;
 |l|l|.
@@ -251,33 +431,47 @@ Description
 T}
 _
 T{
-MONGODB\-CR
+SCRAM\-SHA\-1
 T}	T{
-MongoDB challenge/response authentication.
+\fI\%RFC 5802\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-1
+hash function.
 T}
 _
 T{
-MONGODB\-X509
+SCRAM\-SHA\-256
 T}	T{
-MongoDB SSL certificate authentication.
+\fI\%RFC 7677\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-256
+hash function.
+.sp
+Requires featureCompatibilityVersion set to \fB4.0\fP\&.
+.sp
+New in version 4.0.
 T}
 _
 T{
-PLAIN
+MONGODB\-X509
 T}	T{
-External authentication using LDAP. You can also use \fBPLAIN\fP
-for authenticating in\-database users. \fBPLAIN\fP transmits
-passwords in plain text. This mechanism is available only in
-\fI\%MongoDB Enterprise\fP\&.
+MongoDB TLS/SSL certificate authentication.
 T}
 _
 T{
-GSSAPI
+GSSAPI (Kerberos)
 T}	T{
 External authentication using Kerberos. This mechanism is
 available only in \fI\%MongoDB Enterprise\fP\&.
 T}
 _
+T{
+PLAIN (LDAP SASL)
+T}	T{
+External authentication using LDAP. You can also use \fBPLAIN\fP
+for authenticating in\-database users. \fBPLAIN\fP transmits
+passwords in plain text. This mechanism is available only in
+\fI\%MongoDB Enterprise\fP\&.
+T}
+_
 .TE
 .UNINDENT
 .INDENT 0.0
@@ -286,7 +480,7 @@ _
 New in version 2.6.
 
 .sp
-Specify the hostname of a service using \fBGSSAPI/Kerberos\fP\&. \fIOnly\fP required if the hostname of a machine does
+Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
 not match the hostname resolved by DNS.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -297,31 +491,38 @@ This option is available only in MongoDB Enterprise.
 New in version 2.6.
 
 .sp
-Specify the name of the service using \fBGSSAPI/Kerberos\fP\&. Only required if the service does not use the
+Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
 default name of \fBmongodb\fP\&.
 .sp
 This option is available only in MongoDB Enterprise.
 .UNINDENT
-.SS SSL Options
+.SS TLS/SSL Options
 .INDENT 0.0
 .TP
 .B \-\-ssl
-New in version 2.2.
+Changed in version 3.2.6.
 
 .sp
 Enables connection to a \fBmongod\fP or \fBmongos\fP that has
-SSL support enabled.
+TLS/SSL support enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.2.6, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is
+not specified, the system\-wide CA certificate store will be used
+when connecting to an TLS/SSL\-enabled server. In previous versions
+of MongoDB, the \fI\%mongo\fP shell exited with an error that
+it could not validate the certificate.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslPEMKeyFile <filename>
-New in version 2.4.
-
-.sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
@@ -330,68 +531,56 @@ to a \fBmongod\fP or \fBmongos\fP that has
 \fBCAFile\fP enabled \fIwithout\fP
 \fBallowConnectionsWithoutCertificates\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslPEMKeyPassword <value>
-New in version 2.4.
-
-.sp
 Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fB\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
+\fB\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
 certificate\-key file is encrypted. In all cases, the \fBmongo\fP will
 redact the password from all logging and reporting output.
 .sp
-Changed in version 2.6: If the private key in the PEM file is encrypted and you do not
-specify the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongo\fP will prompt for a
-passphrase. See \fIssl\-certificate\-password\fP\&.
-
+If the private key in the PEM file is encrypted and you do not
+specify the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongo\fP will prompt for a
+passphrase. See ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslCAFile <filename>
-New in version 2.4.
-
-.sp
 Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.2.6, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is
+not specified, the system\-wide CA certificate store will be used
+when connecting to an TLS/SSL\-enabled server. In previous versions
+of MongoDB, the \fI\%mongo\fP shell exited with an error that
+it could not validate the certificate.
 .sp
-\fBWARNING:\fP
-.INDENT 7.0
-.INDENT 3.5
-If the \fBmongo\fP shell or any other tool that connects to
-\fBmongos\fP or \fBmongod\fP is run without
-\fI\-\-sslCAFile\fP, it will not attempt to validate
-server certificates. This results in vulnerability to expired
-\fBmongod\fP and \fBmongos\fP certificates as well as to foreign
-processes posing as valid \fBmongod\fP or \fBmongos\fP
-instances. Ensure that you \fIalways\fP specify the CA file against which
-server certificates should be validated in cases where intrusion is a
-possibility.
-.UNINDENT
-.UNINDENT
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslCRLFile <filename>
-New in version 2.4.
-
-.sp
 Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -401,30 +590,61 @@ New in version 2.6.
 .sp
 Directs the \fBmongo\fP to use the FIPS mode of the installed OpenSSL
 library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+the \fI\%\-\-sslFIPSMode\fP option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
 .UNINDENT
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslAllowInvalidCertificates
-New in version 2.6.
-
-.sp
 Bypasses the validation checks for server certificates and allows
-the use of invalid certificates. When using the
-\fBallowInvalidCertificates\fP setting, MongoDB logs as a
-warning the use of the invalid certificate.
+the use of invalid certificates to connect.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.UNINDENT
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL connections to \fBmongod\fP and
+\fBmongos\fP, avoid using
+\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
+\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
+not possible.
+.sp
+If the \fI\%mongo\fP shell (and other
+mongodb\-tools\-support\-ssl) runs with the
+\fB\-\-sslAllowInvalidCertificates\fP option, the
+\fI\%mongo\fP shell (and other
+mongodb\-tools\-support\-ssl) will not attempt to validate
+the server certificates. This creates a vulnerability to expired
+\fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid
+\fBmongod\fP or \fBmongos\fP instances.
+.UNINDENT
+.UNINDENT
+.sp
+When using the \fBallowInvalidCertificates\fP setting,
+MongoDB logs as a warning the use of the invalid certificate.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -432,49 +652,78 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates. Allows
-\fBmongo\fP to connect to MongoDB instances if the hostname their
+Disables the validation of the hostnames in TLS/SSL certificates. Allows
+\fBmongo\fP to connect to MongoDB instances even if the hostname in their
 certificates do not match the specified hostname.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslDisabledProtocols <string>
+Disables the specified TLS protocols. The option recognizes the
+following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP, and \fBTLS1_2\fP:
+.INDENT 7.0
+.IP \(bu 2
+On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
+\fBTLS1_2\fP enabled. You must also disable at least one of the other
+two; for example, \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+To list multiple protocols, specify as a comma separated list of
+protocols. For example \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+The specified disabled protocols overrides any default disabled
+protocols.
+.UNINDENT
+.sp
+Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
+1.1+ is available on the system. To enable the
+disabled TLS 1.0, specify \fBnone\fP to \fI\%\-\-sslDisabledProtocols\fP\&.  See 4.0\-disable\-tls\&.
+.sp
+New in version 3.6.5.
+
+.UNINDENT
+.SS Sessions
+.INDENT 0.0
+.TP
+.B \-\-retryWrites
+New in version 3.6.
+
+.sp
+Enables retryable writes as the default for sessions in the
+\fI\%mongo\fP shell.
+.sp
+For more information on sessions, see sessions\&.
 .UNINDENT
 .SH FILES
 .INDENT 0.0
 .TP
 .B \fB~/.dbshell\fP
-\fBmongo\fP maintains a history of commands in the \fB\&.dbshell\fP
+\fI\%mongo\fP maintains a history of commands in the \fB\&.dbshell\fP
 file.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-\fBmongo\fP does not recorded interaction related to
+\fI\%mongo\fP does not record interaction related to
 authentication in the history file, including
 \fBauthenticate\fP and \fBdb.createUser()\fP\&.
 .UNINDENT
 .UNINDENT
-.sp
-\fBWARNING:\fP
-.INDENT 7.0
-.INDENT 3.5
-Versions of Windows \fBmongo.exe\fP earlier than 2.2.0 will
-save the \fI\&.dbshell\fP file in the \fBmongo.exe\fP working
-directory.
-.UNINDENT
-.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \fB~/.mongorc.js\fP
-\fBmongo\fP will read the \fB\&.mongorc.js\fP file from the home
-directory of the user invoking \fBmongo\fP\&. In the file, users
-can define variables, customize the \fBmongo\fP shell prompt,
+\fI\%mongo\fP will read the \fB\&.mongorc.js\fP file from the home
+directory of the user invoking \fI\%mongo\fP\&. In the file, users
+can define variables, customize the \fI\%mongo\fP shell prompt,
 or update information that they would like updated every time they
 launch a shell. If you use the shell to evaluate a JavaScript file
-or expression either on the command line with \fI\%\-\-eval\fP or
+or expression either on the command line with \fI\%mongo \-\-eval\fP or
 by specifying \fI\%a .js file to mongo\fP,
-\fBmongo\fP will read the \fB\&.mongorc.js\fP file \fIafter\fP the
+\fI\%mongo\fP will read the \fB\&.mongorc.js\fP file \fIafter\fP the
 JavaScript has finished processing.
 .sp
 Specify the \fI\%\-\-norc\fP option to disable
@@ -483,27 +732,27 @@ reading \fB\&.mongorc.js\fP\&.
 .INDENT 0.0
 .TP
 .B \fB/etc/mongorc.js\fP
-Global \fBmongorc.js\fP file which the \fBmongo\fP shell
+Global \fBmongorc.js\fP file which the \fI\%mongo\fP shell
 evaluates upon start\-up. If a user also has a \fB\&.mongorc.js\fP
-file located in the \fI\%HOME\fP directory, the \fBmongo\fP
+file located in the \fI\%HOME\fP directory, the \fI\%mongo\fP
 shell evaluates the global \fB/etc/mongorc.js\fP file \fIbefore\fP
-evaluating the user\(aqs \fB\&.mongorc.js\fP file.
+evaluating the user’s \fB\&.mongorc.js\fP file.
 .sp
 \fB/etc/mongorc.js\fP must have read permission for the user
-running the shell. The \fI\%\-\-norc\fP option for \fBmongo\fP
-suppresses only the user\(aqs \fB\&.mongorc.js\fP file.
+running the shell. The \fI\%\-\-norc\fP option for \fI\%mongo\fP
+suppresses only the user’s \fB\&.mongorc.js\fP file.
 .sp
 On Windows, the global \fBmongorc.js </etc/mongorc.js>\fP exists
 in the \fB%ProgramData%\eMongoDB\fP directory.
 .TP
-.B \fB/tmp/mongo_edit\fI<time_t>\fP\&.js\fP
-Created by \fBmongo\fP when editing a file. If the file exists,
-\fBmongo\fP will append an integer from \fB1\fP to \fB10\fP to the
+.B \fB/tmp/mongo_edit\fP\fI<time_t>\fP\fB\&.js\fP
+Created by \fI\%mongo\fP when editing a file. If the file exists,
+\fI\%mongo\fP will append an integer from \fB1\fP to \fB10\fP to the
 time value to attempt to create a unique file.
 .TP
-.B \fB%TEMP%mongo_edit\fI<time_t>\fP\&.js\fP
+.B \fB%TEMP%mongo_edit\fP\fI<time_t>\fP\fB\&.js\fP
 Created by \fBmongo.exe\fP on Windows when editing a file. If
-the file exists, \fBmongo\fP will append an integer from \fB1\fP
+the file exists, \fI\%mongo\fP will append an integer from \fB1\fP
 to \fB10\fP to the time value to attempt to create a unique file.
 .UNINDENT
 .SH ENVIRONMENT
@@ -517,7 +766,7 @@ command.  A JavaScript variable \fBEDITOR\fP will override the value of
 .INDENT 0.0
 .TP
 .B HOME
-Specifies the path to the home directory where \fBmongo\fP will
+Specifies the path to the home directory where \fI\%mongo\fP will
 read the \fB\&.mongorc.js\fP file and write the \fB\&.dbshell\fP
 file.
 .UNINDENT
@@ -525,19 +774,19 @@ file.
 .TP
 .B HOMEDRIVE
 On Windows systems, \fI\%HOMEDRIVE\fP specifies the path the
-directory where \fBmongo\fP will read the \fB\&.mongorc.js\fP
+directory where \fI\%mongo\fP will read the \fB\&.mongorc.js\fP
 file and write the \fB\&.dbshell\fP file.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B HOMEPATH
 Specifies the Windows path to the home directory where
-\fBmongo\fP will read the \fB\&.mongorc.js\fP file and write
+\fI\%mongo\fP will read the \fB\&.mongorc.js\fP file and write
 the \fB\&.dbshell\fP file.
 .UNINDENT
 .SH KEYBOARD SHORTCUTS
 .sp
-The \fBmongo\fP shell supports the following keyboard shortcuts:
+The \fI\%mongo\fP shell supports the following keyboard shortcuts:
 [1]
 .TS
 center;
@@ -630,13 +879,13 @@ _
 T{
 Ctrl\-C
 T}	T{
-Exit the \fBmongo\fP shell
+Exit the \fI\%mongo\fP shell
 T}
 _
 T{
 Ctrl\-D
 T}	T{
-Delete a char (or exit the \fBmongo\fP shell)
+Delete a char (or exit the \fI\%mongo\fP shell)
 T}
 _
 T{
@@ -810,11 +1059,11 @@ _
 .TE
 .IP [1] 5
 MongoDB accommodates multiple keybinding.
-Since 2.0, \fBmongo\fP includes support for basic emacs
+Since 2.0, \fI\%mongo\fP includes support for basic emacs
 keybindings.
 .SH USE
 .sp
-Typically users invoke the shell with the \fBmongo\fP command at
+Typically users invoke the shell with the \fI\%mongo\fP command at
 the system prompt. Consider the following examples for other
 scenarios.
 .sp
@@ -844,7 +1093,7 @@ mongo \-u <user> \-p <pass> \-\-host <host> \-\-port 28015
 .UNINDENT
 .sp
 Replace \fB<user>\fP, \fB<pass>\fP, and \fB<host>\fP with the appropriate
-values for your situation and substitute or omit the \fI\-\-port\fP
+values for your situation and substitute or omit the \fI\%\-\-port\fP
 as needed.
 .sp
 To execute a JavaScript file without evaluating the \fB~/.mongorc.js\fP
@@ -873,8 +1122,8 @@ mongo script\-file.js \-u <user> \-p
 .UNINDENT
 .UNINDENT
 .sp
-To print return a query as \fIJSON\fP, from the system prompt using
-the \fI\-\-eval\fP option, use the following form:
+To print return a query as JSON, from the system prompt using
+the \fI\%\-\-eval\fP option, use the following form:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -888,24 +1137,23 @@ mongo \-\-eval \(aqdb.collection.find().forEach(printjson)\(aq
 .sp
 Use single quotes (e.g. \fB\(aq\fP) to enclose the JavaScript, as well as
 the additional JavaScript required to generate this output.
-.SH ADDITIONAL INFORMATION
+.sp
+\fBSEE ALSO:\fP
+.INDENT 0.0
+.INDENT 3.5
 .INDENT 0.0
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/mongo\-shell
-.IP \(bu 2
-http://docs.mongodb.org/manual/reference/method
-.IP \(bu 2
-http://docs.mongodb.org/manual/tutorial/access\-mongo\-shell\-help
-.IP \(bu 2
-http://docs.mongodb.org/manual/tutorial/getting\-started\-with\-the\-mongo\-shell
+/reference/mongo\-shell
 .IP \(bu 2
-http://docs.mongodb.org/manual/core/shell\-types
+/reference/method
 .IP \(bu 2
-http://docs.mongodb.org/manual/tutorial/write\-scripts\-for\-the\-mongo\-shell
+/mongo
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongod.1 b/debian/mongod.1
index 7982e554870..8e3df2f97f1 100644
--- a/debian/mongod.1
+++ b/debian/mongod.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGOD" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGOD" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongod \- MongoDB Server
 .
@@ -30,23 +30,65 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Options\fP
+.INDENT 2.0
+.IP \(bu 2
+\fI\%Core Options\fP
+.IP \(bu 2
+\fI\%Free Monitoring\fP
+.IP \(bu 2
+\fI\%LDAP Authentication or Authorization Options\fP
+.IP \(bu 2
+\fI\%Storage Options\fP
+.IP \(bu 2
+\fI\%WiredTiger Options\fP
+.IP \(bu 2
+\fI\%Replication Options\fP
+.IP \(bu 2
+\fI\%Sharded Cluster Options\fP
+.IP \(bu 2
+\fI\%TLS/SSL Options\fP
+.IP \(bu 2
+\fI\%Profiler Options\fP
+.IP \(bu 2
+\fI\%Audit Options\fP
+.IP \(bu 2
+\fI\%SNMP Options\fP
+.IP \(bu 2
+\fI\%inMemory Options\fP
+.IP \(bu 2
+\fI\%Encryption Key Management Options\fP
+.IP \(bu 2
+\fI\%Text Search Options\fP
+.UNINDENT
+.UNINDENT
 .SH SYNOPSIS
 .sp
-\fBmongod\fP is the primary daemon process for the MongoDB
+\fI\%mongod\fP is the primary daemon process for the MongoDB
 system. It handles data requests, manages data access, and performs
 background management operations.
 .sp
 This document provides a complete overview of all command line options
-for \fBmongod\fP\&. These command line options are primarily useful
-for testing: In common operation, use the \fBconfiguration file
-options\fP to control the behavior of
+for \fI\%mongod\fP\&. These command line options are primarily useful
+for testing: In common operation, use the configuration file
+options to control the behavior of
 your database.
-.SH OPTIONS
-.SS Core Options
+.sp
+\fBNOTE:\fP
 .INDENT 0.0
-.TP
-.B mongod
+.INDENT 3.5
+Starting in version 4.0, MongoDB disables support for TLS 1.0
+encryption on systems where TLS 1.1+ is available. For
+more details, see 4.0\-disable\-tls\&.
+.UNINDENT
 .UNINDENT
+.SH OPTIONS
+.SS Core Options
 .INDENT 0.0
 .TP
 .B \-\-help, \-h
@@ -63,7 +105,7 @@ Returns the \fBmongod\fP release number.
 Specifies a configuration file for runtime configuration options. The
 configuration file is the preferred method for runtime configuration of
 \fBmongod\fP\&. The options are equivalent to the command\-line
-configuration options. See http://docs.mongodb.org/manual/reference/configuration\-options for
+configuration options. See /reference/configuration\-options for
 more information.
 .sp
 Ensure the configuration file uses ASCII encoding. The \fBmongod\fP
@@ -80,13 +122,13 @@ including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .INDENT 0.0
 .TP
 .B \-\-quiet
-Runs the \fBmongod\fP in a quiet mode that attempts to limit the amount
+Runs \fBmongod\fP in a quiet mode that attempts to limit the amount
 of output.
 .sp
 This option suppresses:
 .INDENT 7.0
 .IP \(bu 2
-output from \fIdatabase commands\fP
+output from database commands
 .IP \(bu 2
 replication activity
 .IP \(bu 2
@@ -106,35 +148,188 @@ client connections.
 .INDENT 0.0
 .TP
 .B \-\-bind_ip <ip address>
-\fIDefault\fP: All interfaces.
+\fIDefault\fP: localhost
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 3.6, \fBmongod\fP bind to localhost
+(\fB127.0.0.1\fP) by default. See 3.6\-bind\-to\-localhost\&.
+.UNINDENT
+.UNINDENT
+.sp
+The IP addresses and/or full Unix domain socket paths on which
+\fBmongod\fP should listen for client connections. You may attach
+\fBmongod\fP to any interface. To bind to multiple addresses, enter a
+list of comma\-separated values.
+.INDENT 7.0
+.INDENT 3.5
+.SS Example
+.sp
+\fBlocalhost,/tmp/mongod.sock\fP
+.UNINDENT
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Before you bind to other ip addresses, consider enabling
+access control and other security measures listed
+in /administration/security\-checklist to prevent unauthorized
+access.
+.UNINDENT
+.UNINDENT
+.sp
+To bind to all IPv4 addresses, enter \fB0.0.0.0\fP\&.
+.sp
+To bind to all IPv4 and IPv6 addresses, enter \fB0.0.0.0,::\fP
+or alternatively, use the \fBnet.bindIpAll\fP setting.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive. That
+is, you can specify one or the other, but not both.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-bind_ip_all
+New in version 3.6.
+
+.sp
+If specified, the \fBmongod\fP instance binds to all ip addresses. When
+attaching \fBmongod\fP to a publicly accessible interface, ensure
+that you have implemented proper authentication and firewall
+restrictions to protect the integrity of your database.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Before you bind to other ip addresses, consider enabling
+access control and other security measures listed
+in /administration/security\-checklist to prevent unauthorized
+access.
+.UNINDENT
+.UNINDENT
 .sp
-Changed in version 2.6.0: The \fBdeb\fP and \fBrpm\fP packages include a default
-configuration file that sets \fI\-\-bind_ip\fP to \fB127.0.0.1\fP\&.
+Alternatively, you can set the \fB\-\-bind_ip\fP option to
+\fB0.0.0.0,::\fP to bind to all IP addresses.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive. That
+is, you can specify one or the other, but not both.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-ipv6
+Enables IPv6 support. \fBmongod\fP disables IPv6 support by default.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-listenBacklog <number>
+\fIDefault\fP: Target system \fBSOMAXCONN\fP constant
+.sp
+New in version 3.6.
 
 .sp
-Specifies the IP address that \fBmongod\fP binds to in order to listen
-for connections from applications. You may attach \fBmongod\fP to any
-interface. When attaching \fBmongod\fP to a publicly accessible
-interface, ensure that you have implemented proper authentication and
-firewall restrictions to protect the integrity of your database.
+The maximum number of connections that can exist in the listen
+queue.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Consult your local system’s documentation to understand the
+limitations and configuration requirements before using this
+parameter.
+.UNINDENT
+.UNINDENT
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+To prevent undefined behavior, specify a value for this
+parameter between \fB1\fP and the local system \fBSOMAXCONN\fP
+constant.
+.UNINDENT
+.UNINDENT
+.sp
+The default value for the \fBlistenBacklog\fP parameter is set at
+compile time to the target system \fBSOMAXCONN\fP constant.
+\fBSOMAXCONN\fP is the maximum valid value that is documented for
+the \fIbacklog\fP parameter to the \fIlisten\fP system call.
+.sp
+Some systems may interpret \fBSOMAXCONN\fP symbolically, and others
+numerically. The actual \fIlisten backlog\fP applied in practice may
+differ from any numeric interpretation of the \fBSOMAXCONN\fP constant
+or argument to \fB\-\-listenBacklog\fP, and may also be constrained by
+system settings like \fBnet.core.somaxconn\fP on Linux.
+.sp
+Passing a value for the \fBlistenBacklog\fP parameter that exceeds the
+\fBSOMAXCONN\fP constant for the local system is, by the letter of the
+standards, undefined behavior. Higher values may be silently integer
+truncated, may be ignored, may cause unexpected resource
+consumption, or have other adverse consequences.
+.sp
+On systems with workloads that exhibit connection spikes, for which
+it is empirically known that the local system can honor higher
+values for the \fIbacklog\fP parameter than the \fBSOMAXCONN\fP constant,
+setting the \fBlistenBacklog\fP parameter to a higher value may reduce
+operation latency as observed by the client by reducing the number
+of connections which are forced into a backoff state.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-maxConns <number>
 The maximum number of simultaneous connections that \fBmongod\fP will
 accept. This setting has no effect if it is higher than your operating
-system\(aqs configured maximum connection tracking threshold.
+system’s configured maximum connection tracking threshold.
 .sp
-Changed in version 2.6: MongoDB removed the upward limit on the \fBmaxIncomingConnections\fP setting.
+Do not assign too low of a value to this option, or you will
+encounter errors during normal application operation.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Changed in version 2.6: MongoDB removed the upward limit on the \fBmaxIncomingConnections\fP
+setting.
 
 .UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-logpath <path>
+Sends all diagnostic logging information to a log file instead of to
+standard output or to the host’s syslog system. MongoDB creates
+the log file at the path you specify.
+.sp
+By default, MongoDB will move any existing log file rather than overwrite
+it. To instead append to the log file, set the \fI\%\-\-logappend\fP option.
+.UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-syslog
-Sends all logging output to the host\(aqs \fIsyslog\fP system rather
-than to standard output or to a log file. , as with \fI\-\-logpath\fP\&.
+Sends all logging output to the host’s syslog system rather
+than to standard output or to a log file. , as with \fI\%\-\-logpath\fP\&.
 .sp
-The \fI\-\-syslog\fP option is not supported on Windows.
+The \fI\%\-\-syslog\fP option is not supported on Windows.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+The \fBsyslog\fP daemon generates timestamps when it logs a message, not
+when MongoDB issues the message. This can lead to misleading timestamps
+for log entries, especially when the system is under heavy load. We
+recommend using the \fI\%\-\-logpath\fP option for production systems to
+ensure accurate timestamps.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -143,49 +338,35 @@ The \fI\-\-syslog\fP option is not supported on Windows.
 .sp
 Specifies the facility level used when logging messages to syslog.
 The value you specify must be supported by your
-operating system\(aqs implementation of syslog. To use this option, you
-must enable the \fI\-\-syslog\fP option.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-logpath <path>
-Sends all diagnostic logging information to a log file instead of to
-standard output or to the host\(aqs \fIsyslog\fP system. MongoDB creates
-the log file at the path you specify.
-.sp
-By default, MongoDB overwrites the log file when the process restarts.
-To instead append to the log file, set the \fI\-\-logappend\fP option.
+operating system’s implementation of syslog. To use this option, you
+must  enable the \fI\%\-\-syslog\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-logappend
-Appends new entries to the end of the log file rather than overwriting
-the content of the log when the \fBmongod\fP instance restarts.
+Appends new entries to the end of the existing log file when the \fBmongod\fP
+instance restarts. Without this option, \fI\%mongod\fP will back up the
+existing log and create a new file.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-logRotate <string>
 \fIDefault\fP: rename
 .sp
-New in version 3.0.0: Specifies the \fBlogRotate\fP behavior.
+New in version 3.0.0.
 
 .sp
-Specify either \fBrename\fP or \fBreopen\fP\&.
-.sp
+Determines the behavior for the \fBlogRotate\fP command.
+Specify either \fBrename\fP or \fBreopen\fP:
+.INDENT 7.0
+.IP \(bu 2
 \fBrename\fP renames the log file.
-.sp
+.IP \(bu 2
 \fBreopen\fP closes and reopens the log file following the typical
-Linux/Unix log rotate behavior.
-Use \fBreopen\fP when using the Linux/Unix
-logrotate utility to avoid log loss.
+Linux/Unix log rotate behavior. Use \fBreopen\fP when using the
+Linux/Unix logrotate utility to avoid log loss.
 .sp
-If you specify \fBreopen\fP, you must also use \fI\-\-logappend\fP\&.
-.sp
-\fBSEE ALSO:\fP
-.INDENT 7.0
-.INDENT 3.5
-http://docs.mongodb.org/manual/reference/command/logRotate\&.
-.UNINDENT
+If you specify \fBreopen\fP, you must also use \fI\%\-\-logappend\fP\&.
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
@@ -225,7 +406,7 @@ T{
 T}	T{
 Displays timestamps in local time in the ISO\-8601
 format. For example, for New York at the start of the Epoch:
-\fB1969\-12\-31T19:00:00.000+0500\fP
+\fB1969\-12\-31T19:00:00.000\-0500\fP
 T}
 _
 .TE
@@ -240,8 +421,8 @@ For internal diagnostic use only.
 .B \-\-pidfilepath <path>
 Specifies a file location to hold the process ID of the \fBmongod\fP
 process where \fBmongod\fP will write its PID. This is useful for
-tracking the \fBmongod\fP process in combination with the
-\fI\-\-fork\fP option. Without a specified \fI\-\-pidfilepath\fP option, the
+tracking the \fBmongod\fP process in combination with
+the \fI\%\-\-fork\fP option. Without a specified \fI\%\-\-pidfilepath\fP option, the
 process creates no PID file.
 .UNINDENT
 .INDENT 0.0
@@ -249,71 +430,35 @@ process creates no PID file.
 .B \-\-keyFile <file>
 Specifies the path to a key file that stores the shared secret
 that MongoDB instances use to authenticate to each other in a
-\fIsharded cluster\fP or \fIreplica set\fP\&. \fI\-\-keyFile\fP implies
-\fI\%\-\-auth\fP\&. See \fIinter\-process\-auth\fP for more
+sharded cluster or replica set\&. \fI\%\-\-keyFile\fP implies
+\fI\%\-\-auth\fP\&. See inter\-process\-auth for more
 information.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-setParameter <options>
 Specifies one of the MongoDB parameters described in
-http://docs.mongodb.org/manual/reference/parameters\&. You can specify multiple \fBsetParameter\fP
+/reference/parameters\&. You can specify multiple \fBsetParameter\fP
 fields.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-httpinterface
-New in version 2.6.
-
-.sp
-Enables the HTTP interface. Enabling the interface can increase
-network exposure.
-.sp
-Leave the HTTP interface \fIdisabled\fP for production deployments. If you
-\fIdo\fP enable this interface, you should only allow trusted clients to
-access this port. See \fIsecurity\-firewalls\fP\&.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-In MongoDB Enterprise, the HTTP Console does not support Kerberos
-Authentication.
-.UNINDENT
-.UNINDENT
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-nohttpinterface
-Deprecated since version 2.6: MongoDB disables the HTTP interface by default.
-
-.sp
-Disables the HTTP interface.
-.sp
-Do not use in conjunction with \fI\%\-\-rest\fP or \fI\-\-jsonp\fP\&.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-In MongoDB Enterprise, the HTTP Console does not support Kerberos
-Authentication.
-.UNINDENT
-.UNINDENT
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-nounixsocket
-Disables listening on the UNIX domain socket. The \fBmongod\fP process
+Disables listening on the UNIX domain socket. \fI\%\-\-nounixsocket\fP applies only
+to Unix\-based systems.
+.sp
+The \fBmongod\fP process
 always listens on the UNIX socket unless one of the following is true:
 .INDENT 7.0
 .IP \(bu 2
-\fI\-\-nounixsocket\fP is set
+\fI\%\-\-nounixsocket\fP is set
 .IP \(bu 2
-\fBbindIp\fP is not set
+\fBnet.bindIp\fP is not set
 .IP \(bu 2
-\fBbindIp\fP does not specify \fB127.0.0.1\fP
+\fBnet.bindIp\fP does not specify \fB127.0.0.1\fP
 .UNINDENT
 .sp
-New in version 2.6: \fBmongod\fP installed from official \fB\&.deb\fP and \fB\&.rpm\fP packages
+New in version 2.6: \fBmongod\fP installed from official \&.deb and \&.rpm packages
 have the \fBbind_ip\fP configuration set to \fB127.0.0.1\fP by
 default.
 
@@ -323,40 +468,54 @@ default.
 .B \-\-unixSocketPrefix <path>
 \fIDefault\fP: /tmp
 .sp
-The path for the UNIX socket. If this option has no value, the
+The path for the UNIX socket. \fI\%\-\-unixSocketPrefix\fP applies only
+to Unix\-based systems.
+.sp
+If this option has no value, the
 \fBmongod\fP process creates a socket with \fB/tmp\fP as a prefix. MongoDB
 creates and listens on a UNIX socket unless one of the following is true:
 .INDENT 7.0
 .IP \(bu 2
-\fI\-\-nounixsocket\fP is set
+\fBnet.unixDomainSocket.enabled\fP is \fBfalse\fP
+.IP \(bu 2
+\fI\%\-\-nounixsocket\fP is set
 .IP \(bu 2
-\fBbindIp\fP is not set
+\fBnet.bindIp\fP is not set
 .IP \(bu 2
-\fBbindIp\fP does not specify \fB127.0.0.1\fP
+\fBnet.bindIp\fP does not specify \fB127.0.0.1\fP
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-filePermissions <path>
+\fIDefault\fP: \fB0700\fP
+.sp
+Sets the permission for the UNIX domain socket file.
+.sp
+\fI\%\-\-filePermissions\fP applies only to Unix\-based systems.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-fork
-Enables a \fIdaemon\fP mode that runs the \fBmongod\fP process in the
+Enables a daemon mode that runs the \fBmongod\fP process in the
 background. By default \fBmongod\fP does not run as a daemon:
 typically you will run \fBmongod\fP as a daemon, either by using
-\fI\-\-fork\fP or by using a controlling process that handles the
+\fI\%\-\-fork\fP or by using a controlling process that handles the
 daemonization process (e.g. as with \fBupstart\fP and \fBsystemd\fP).
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-auth
-Enables authorization to control user\(aqs access to database resources
+Enables authorization to control user’s access to database resources
 and operations. When authorization is enabled, MongoDB requires all
 clients to authenticate themselves first in order to determine the
 access for the client.
 .sp
-Configure users via the \fBmongo shell\fP\&. If no users exist, the localhost interface
+Configure users via the mongo shell\&. If no users exist, the localhost interface
 will continue to have access to the database until you create
 the first user.
 .sp
-See \fBSecurity\fP
+See Security
 for more information.
 .UNINDENT
 .INDENT 0.0
@@ -367,356 +526,951 @@ compatibility and clarity.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-ipv6
-Enables IPv6 support and allows the \fBmongod\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+.B \-\-transitionToAuth
+New in version 3.4: Allows the \fBmongod\fP to accept and create authenticated and
+non\-authenticated connections to and from other \fI\%mongod\fP
+and \fBmongos\fP instances in the deployment. Used for
+performing rolling transition of replica sets or sharded clusters
+from a no\-auth configuration to internal authentication\&. Requires specifying a internal
+authentication mechanism such as
+\fI\%\-\-keyFile\fP\&.
+
+.sp
+For example, if using keyfiles for
+internal authentication, the \fBmongod\fP creates
+an authenticated connection with any \fI\%mongod\fP or \fBmongos\fP
+in the deployment using a matching keyfile. If the security mechanisms do
+not match, the \fBmongod\fP utilizes a non\-authenticated connection instead.
+.sp
+A \fBmongod\fP running with \fI\%\-\-transitionToAuth\fP does not enforce user access
+controls\&. Users may connect to your deployment without any
+access control checks and perform read, write, and administrative operations.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+A \fBmongod\fP running with internal authentication and \fIwithout\fP \fI\%\-\-transitionToAuth\fP requires clients to connect
+using user access controls\&. Update clients to
+connect to the \fBmongod\fP using the appropriate user
+prior to restarting \fBmongod\fP without \fI\%\-\-transitionToAuth\fP\&.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-jsonp
-Permits \fIJSONP\fP access via an HTTP interface. Enabling the
-interface can increase network exposure. The \fI\-\-jsonp\fP option enables the
-HTTP interface, even if the \fBHTTP interface\fP
-option is disabled.
+.B \-\-cpu
+Forces the \fBmongod\fP process to report the percentage of CPU time in
+write lock, every four seconds.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-rest
-Enables the simple \fIREST\fP API. Enabling the \fIREST\fP API
-enables the HTTP interface, even if the \fBHTTP interface\fP option is disabled, and as a result can increase
-network exposure.
+.B \-\-sysinfo
+Returns diagnostic system information and then exits. The
+information provides the page size, the number of physical pages,
+and the number of available physical pages.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-slowms <integer>
-\fIDefault\fP: 100
+.B \-\-noscripting
+Disables the scripting engine.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-notablescan
+Forbids operations that require a collection scan. See \fBnotablescan\fP for additional information.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-shutdown
+The \fI\%\-\-shutdown\fP option cleanly and safely terminates the \fBmongod\fP
+process. When invoking \fBmongod\fP with this option you must set the
+\fI\%\-\-dbpath\fP option either directly or by way of the
+configuration file and the
+\fI\%\-\-config\fP option.
 .sp
-The threshold in milliseconds at which the database profiler considers a
-query slow. MongoDB records all slow queries to the log, even when the
-database profiler is off. When the profiler is on, it writes to the
-\fBsystem.profile\fP collection. See the \fBprofile\fP command for
-more information on the database profiler.
+The \fI\%\-\-shutdown\fP option is available only on Linux systems.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-profile <level>
-\fIDefault\fP: 0
+.B \-\-redactClientLogData
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+A \fBmongod\fP running with \fI\%\-\-redactClientLogData\fP redacts any message accompanying a given
+log event before logging. This prevents the \fBmongod\fP from writing
+potentially sensitive data stored on the database to the diagnostic log.
+Metadata such as error or operation codes, line numbers, and source file
+names are still visible in the logs.
+.sp
+Use \fI\%\-\-redactClientLogData\fP in conjunction with encryption to assist compliance with regulatory
+requirements.
+.sp
+For example, a MongoDB deployment might store Personally Identifiable
+Information (PII) in one or more collections. The \fBmongod\fP logs events
+such as those related to CRUD operations, sharding metadata, etc. It is
+possible that the \fBmongod\fP may expose PII as a part of these logging
+operations. A \fBmongod\fP running with \fI\%\-\-redactClientLogData\fP removes any message
+accompanying these events before being output to the log, effectively
+removing the PII.
+.sp
+Diagnostics on a \fBmongod\fP running with \fI\%\-\-redactClientLogData\fP may be more difficult
+due to the lack of data related to a log event. See the
+process logging manual page for an
+example of the effect of \fI\%\-\-redactClientLogData\fP on log output.
+.sp
+You can enable or disable log redaction on a running \fBmongod\fP
+using the \fBsetParameter\fP database command.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand(
+  { setParameter: 1, redactClientLogData : true | false }
+)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-networkMessageCompressors <string>
+New in version 3.4.
+
+.sp
+.INDENT 7.0
+Changed in version 3.6: .IP \(bu 2
+Add support for zlib compressor.
+.IP \(bu 2
+Enabled by default. To disable, set to \fBdisabled\fP\&.
+.UNINDENT
+
+.sp
+Enables network compression for communication between this
+\fBmongod\fP instance and:
+.INDENT 7.0
+.IP \(bu 2
+other members of the replica set, if the instance is part of a
+replica set
+.IP \(bu 2
+other members of the sharded cluster, if the instance is part of a
+sharded cluster
+.IP \(bu 2
+a \fBmongo\fP shell,
+.IP \(bu 2
+drivers that support the \fBOP_COMPRESSED\fP message format.
+.UNINDENT
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+Messages are compressed when both parties enable network
+compression. Otherwise, messages between the parties are
+uncompressed.
+.UNINDENT
+.UNINDENT
+.sp
+You can specify the following compressors:
+.INDENT 7.0
+.IP \(bu 2
+snappy (Default)
+.IP \(bu 2
+zlib
+.UNINDENT
+.sp
+If you specify multiple compressors, then the order in which you list
+the compressors matter as well as the communication initiator. For
+example, if a \fBmongo\fP shell specifies the following network
+compressors \fBzlib,snappy\fP and the \fI\%mongod\fP specifies
+\fBsnappy,zlib\fP, messages between \fBmongo\fP shell and
+\fI\%mongod\fP uses \fBzlib\fP\&.
+.sp
+If the parties do not share at least one common compressor, messages
+between the parties are uncompressed. For example, if a
+\fBmongo\fP shell specifies the network compressor
+\fBzlib\fP and \fI\%mongod\fP specifies \fBsnappy\fP, messages
+between \fBmongo\fP shell and \fI\%mongod\fP are not compressed.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-timeZoneInfo <path>
+The full path from which to load the time zone database. If this option
+is not provided, then MongoDB will use its built\-in time zone database.
+.sp
+The configuration file included with Linux and macOS packages sets the time
+zone database path to \fB/usr/share/zoneinfo\fP by default.
+.sp
+The built\-in time zone database is a copy of the \fI\%Olson/IANA time zone
+database\fP\&. It is updated along with MongoDB
+releases, but the release cycle of the time zone database differs from the
+release cycle of MongoDB. A copy of the most recent release of the time zone
+database can be downloaded from
+\fI\%https://downloads.mongodb.org/olson_tz_db/timezonedb\-latest.zip\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+wget https://downloads.mongodb.org/olson_tz_db/timezonedb\-latest.zip
+unzip timezonedb\-latest.zip
+mongod \-\-timeZoneInfo timezonedb\-2017b/
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .sp
-Changes the level of database profiling, which inserts information about
-operation performance into standard output or a log file. Specify one
-of the following levels:
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBprocessManagement.timeZoneInfo\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-serviceExecutor <string>
+\fIDefault\fP: synchronous
+.sp
+New in version 3.6.
+
+.sp
+Determines the threading and execution model \fBmongod\fP uses to
+execute client requests. The \fB\-\-serviceExecutor\fP option accepts one
+of the following values:
 .TS
 center;
 |l|l|.
 _
 T{
-Level
+Value
 T}	T{
-Setting
+Description
 T}
 _
 T{
-0
+\fBsynchronous\fP
 T}	T{
-Off. No profiling.
+The \fBmongod\fP uses synchronous networking and manages its
+networking thread pool on a per connection basis. Previous
+versions of MongoDB managed threads in this way.
 T}
 _
 T{
-1
+\fBadaptive\fP
 T}	T{
-On. Only includes slow operations.
+The \fBmongod\fP uses the new experimental asynchronous
+networking mode with an adaptive thread pool which manages
+threads on a per request basis. This mode should have more
+consistent performance and use less resources when there are
+more inactive connections than database requests.
 T}
 _
+.TE
+.UNINDENT
+.SS Free Monitoring
+.sp
+New in version 4.0.
+
+.INDENT 0.0
+.TP
+.B \-\-enableFreeMonitoring <runtime|on|off>
+New in version 4.0: Available for MongoDB Community Edition.
+
+.sp
+Enables or disables free MongoDB Cloud monitoring\&. \fI\%\-\-enableFreeMonitoring\fP accepts the following
+values:
+.TS
+center;
+|l|l|.
+_
 T{
-2
+\fBruntime\fP
 T}	T{
-On. Includes all operations.
+Default. You can enable or disable free monitoring during
+runtime.
+.sp
+To enable or disable free monitoring during runtime, see
+\fBdb.enableFreeMonitoring()\fP and
+\fBdb.disableFreeMonitoring()\fP\&.
+.sp
+To enable or disable free monitoring during runtime when
+running with access control, users must have required
+privileges. See \fBdb.enableFreeMonitoring()\fP and
+\fBdb.disableFreeMonitoring()\fP for details.
+T}
+_
+T{
+\fBon\fP
+T}	T{
+Enables free monitoring at startup; i.e. registers for free
+monitoring. When enabled at startup, you cannot disable free
+monitoring during runtime.
+T}
+_
+T{
+\fBoff\fP
+T}	T{
+Disables free monitoring at startup, regardless of whether
+you have previously registered for free monitoring.  When disabled at startup,
+you cannot enable free monitoring during runtime.
 T}
 _
 .TE
 .sp
-Database profiling can impact database
-performance. Enable this option only after careful consideration.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-cpu
-Forces the \fBmongod\fP process to report the percentage of CPU time in
-write lock, every four seconds.
+Once enabled, the free monitoring state remains enabled until
+explicitly disabled. That is, you do not need to re\-enable each time
+you start the server.
+.sp
+For the corresponding configuration file setting, see
+\fBcloud.monitoring.free.state\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sysinfo
-Returns diagnostic system information and then exits. The
-information provides the page size, the number of physical pages,
-and the number of available physical pages.
+.B \-\-enableFreeMonitoringTag <string>
+New in version 4.0: Available for MongoDB Community Edition.
+
+.sp
+Optional tag to describe environment context. The tag can be sent as
+part of the free MongoDB Cloud monitoring registration at start up.
+.sp
+For the corresponding configuration file setting, see
+\fBcloud.monitoring.free.tag\fP\&.
 .UNINDENT
+.SS LDAP Authentication or Authorization Options
 .INDENT 0.0
 .TP
-.B \-\-objcheck
-Forces the \fBmongod\fP to validate all requests from clients upon
-receipt to ensure that clients never insert invalid documents into the
-database. For objects with a high degree of sub\-document nesting, the
-\fI\-\-objcheck\fP option can have a small impact on performance. You can set
-\fI\-\-noobjcheck\fP to disable object checking at runtime.
-.sp
-Changed in version 2.4: MongoDB enables the \fI\-\-objcheck\fP option by default in order to prevent
-any client from inserting malformed or invalid BSON into a MongoDB
-database.
+.B \-\-ldapServers <host1>:<port>,<host2>:<port>,...,<hostN>:<port>
+New in version 3.4: Available in MongoDB Enterprise only.
 
+.sp
+The LDAP server against which the \fBmongod\fP executes LDAP operations
+against to authenticate users or determine what actions a user is authorized
+to perform on a given database. If the LDAP server specified has any
+replicated instances, you may specify the host and port of each replicated
+server in a comma\-delimited list.
+.sp
+If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
+servers, specify \fIone\fP LDAP server any of its replicated instances to
+\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
+4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
+for listing every LDAP server in your infrastucture.
+.sp
+This setting can be configured on a running \fBmongod\fP using
+\fBsetParameter\fP\&.
+.sp
+If unset, \fBmongod\fP cannot use LDAP authentication or authorization\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-noobjcheck
-New in version 2.4.
+.B \-\-ldapQueryUser <string>
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Disables the default document validation that MongoDB performs on all
-incoming BSON documents.
+The identity with which \fBmongod\fP binds as, when connecting to or
+performing queries on an LDAP server.
+.sp
+Only required if any of the following are true:
+.INDENT 7.0
+.IP \(bu 2
+Using LDAP authorization\&.
+.IP \(bu 2
+Using an LDAP query for \fI\%username transformation\fP\&.
+.IP \(bu 2
+The LDAP server disallows anonymous binds
+.UNINDENT
+.sp
+You must use \fI\%\-\-ldapQueryUser\fP with \fI\%\-\-ldapQueryPassword\fP\&.
+.sp
+If unset, \fBmongod\fP will not attempt to bind to the LDAP server.
+.sp
+This setting can be configured on a running \fBmongod\fP using
+\fBsetParameter\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Windows MongoDB deployments can use \fI\%\-\-ldapBindWithOSDefaults\fP
+instead of \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP\&. You cannot specify
+both \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the same time.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-noscripting
-Disables the scripting engine.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-notablescan
-Forbids operations that require a table scan. See \fBnotablescan\fP for additional information.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-shutdown
-The \fI\%\-\-shutdown\fP option cleanly and safely terminates the \fBmongod\fP
-process. When invoking \fBmongod\fP with this option you must set the
-\fI\%\-\-dbpath\fP option either directly or by way of the
-\fBconfiguration file\fP and the
-\fI\-\-config\fP option.
+.B \-\-ldapQueryPassword <string>
+New in version 3.4: Available in MongoDB Enterprise only.
 .sp
-The \fI\%\-\-shutdown\fP option is available only on Linux systems.
+The password used to bind to an LDAP server when using
+\fI\%\-\-ldapQueryUser\fP\&. You must use \fI\%\-\-ldapQueryPassword\fP with
+\fI\%\-\-ldapQueryUser\fP\&.
+
+.sp
+If unset, \fBmongod\fP will not attempt to bind to the LDAP server.
+.sp
+This setting can be configured on a running \fBmongod\fP using
+\fBsetParameter\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Windows MongoDB deployments can use \fI\%\-\-ldapBindWithOSDefaults\fP
+instead of \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapQueryPassword\fP\&. You cannot specify
+both \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the same time.
+.UNINDENT
+.UNINDENT
 .UNINDENT
-.SS Storage Options
 .INDENT 0.0
 .TP
-.B \-\-dbpath <path>
-\fIDefault\fP: \fB/data/db\fP on Linux and OS X, \fB\edata\edb\fP on Windows
+.B \-\-ldapBindWithOSDefaults <bool>
+\fIDefault\fP: False
 .sp
-The directory where the \fBmongod\fP instance stores its data.
+New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
+
 .sp
-If you
-installed MongoDB using a package management system, check the
-\fB/etc/mongodb.conf\fP file provided by your packages to see the
-directory is specified.
+Allows \fBmongod\fP to authenticate, or bind, using your Windows login
+credentials when connecting to the LDAP server.
 .sp
-Changed in version 3.0: The files in \fI\%\-\-dbpath\fP must correspond to the storage engine
-specified in \fI\%\-\-storageEngine\fP\&. If the data files do not
-correspond to \fI\%\-\-storageEngine\fP, \fBmongod\fP will refuse to
-start.
-
+Only required if:
+.INDENT 7.0
+.IP \(bu 2
+Using LDAP authorization\&.
+.IP \(bu 2
+Using an LDAP query for \fI\%username transformation\fP\&.
+.IP \(bu 2
+The LDAP server disallows anonymous binds
+.UNINDENT
+.sp
+Use \fI\%\-\-ldapBindWithOSDefaults\fP to replace \fI\%\-\-ldapQueryUser\fP and
+\fI\%\-\-ldapQueryPassword\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-storageEngine string
-\fIDefault\fP: \fBmmapv1\fP
+.B \-\-ldapBindMethod <string>
+\fIDefault\fP: simple
 .sp
-New in version 3.0.0.
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Specifies the storage engine for the \fBmongod\fP database. Valid
-options include \fBmmapv1\fP and \fBwiredTiger\fP\&.
+The method \fBmongod\fP uses to authenticate to an LDAP server.
+Use with \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP to
+connect to the LDAP server.
 .sp
-If you attempt to start a \fBmongod\fP with a
-\fIstorage.dbPath\fP that contains data files produced by a
-storage engine other than the one specified by \fI\%\-\-storageEngine\fP, \fBmongod\fP
-will refuse to start.
+\fI\%\-\-ldapBindMethod\fP supports the following values:
+.INDENT 7.0
+.IP \(bu 2
+\fBsimple\fP \- \fBmongod\fP uses simple authentication.
+.IP \(bu 2
+\fBsasl\fP \- \fBmongod\fP uses SASL protocol for authentication
+.UNINDENT
+.sp
+If you specify \fBsasl\fP, you can configure the available SASL mechanisms
+using \fI\%\-\-ldapBindSASLMechanisms\fP\&. \fBmongod\fP defaults to
+using \fBDIGEST\-MD5\fP mechanism.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-wiredTigerDirectoryForIndexes
-\fIType\fP: boolean
+.B \-\-ldapBindSASLMechanisms <string>
+\fIDefault\fP: DIGEST\-MD5
 .sp
-\fIDefault\fP: false
-.sp
-New in version 3.0.0.
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-When you start \fBmongod\fP with \fI\%\-\-wiredTigerDirectoryForIndexes\fP, \fBmongod\fP stores indexes
-and collections in separate directories.
+A comma\-separated list of SASL mechanisms \fBmongod\fP can
+use when authenticating to the LDAP server. The \fBmongod\fP and the
+LDAP server must agree on at least one mechanism. The \fBmongod\fP
+dynamically loads any SASL mechanism libraries installed on the host
+machine at runtime.
+.sp
+Install and configure the appropriate libraries for the selected
+SASL mechanism(s) on both the \fBmongod\fP host and the remote
+LDAP server host. Your operating system may include certain SASL
+libraries by default. Defer to the documentation associated with each
+SASL mechanism for guidance on installation and configuration.
+.sp
+If using the \fBGSSAPI\fP SASL mechanism for use with
+security\-kerberos, verify the following for the
+\fBmongod\fP host machine:
+.INDENT 7.0
+.TP
+.B \fBLinux\fP
+.INDENT 7.0
+.IP \(bu 2
+The \fBKRB5_CLIENT_KTNAME\fP environment
+variable resolves to the name of the client keytab\-files
+for the host machine. For more on Kerberos environment
+variables, please defer to the
+\fI\%Kerberos documentation\fP\&.
+.IP \(bu 2
+The client keytab includes a
+kerberos\-user\-principal for the \fBmongod\fP to use when
+connecting to the LDAP server and execute LDAP queries.
 .UNINDENT
-.INDENT 0.0
 .TP
-.B \-\-wiredTigerCacheSizeGB number
-\fIDefault\fP: the maximum of half of physical RAM or 1 gigabyte
+.B \fBWindows\fP
+If connecting to an Active Directory server, the Windows
+Kerberos configuration automatically generates a
+\fI\%Ticket\-Granting\-Ticket\fP
+when the user logs onto the system. Set \fI\%\-\-ldapBindWithOSDefaults\fP to
+\fBtrue\fP to allow \fBmongod\fP to use the generated credentials when
+connecting to the Active Directory server and execute queries.
+.UNINDENT
 .sp
-New in version 3.0.0.
-
+Set \fI\%\-\-ldapBindMethod\fP to \fBsasl\fP to use this option.
 .sp
-Defines the maximum size of the cache that WiredTiger will use for
-all data. Ensure that \fI\%\-\-wiredTigerCacheSizeGB\fP is sufficient to hold the entire
-working set for the \fBmongod\fP instance.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+For a complete list of SASL mechanisms see the
+\fI\%IANA listing\fP\&.
+Defer to the documentation for your LDAP or Active Directory
+service for identifying the SASL mechanisms compatible with the
+service.
+.sp
+MongoDB is not a source of SASL mechanism libraries, nor
+is the MongoDB documentation a definitive source for
+installing or configuring any given SASL mechanism. For
+documentation and support, defer to the SASL mechanism
+library vendor or owner.
+.sp
+For more information on SASL, defer to the following resources:
+.INDENT 0.0
+.IP \(bu 2
+For Linux, please see the \fI\%Cyrus SASL documentation\fP\&.
+.IP \(bu 2
+For Windows, please see the \fI\%Windows SASL documentation\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-wiredTigerCheckpointDelaySecs <seconds>
-\fIDefault\fP: 60
+.B \-\-ldapTransportSecurity <string>
+\fIDefault\fP: tls
 .sp
-New in version 3.0.0.
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Defines the interval between checkpoints when WiredTiger writes all
-modified data to the data files in \fBdbPath\fP\&. If
-the \fBmongod\fP exits between checkpoints and you do not have
-\fBstorage.journal.enabled\fP set to \fBtrue\fP, any data
-modified since the last checkpoint will not persist. The data files
-are \fIalways\fP valid even if \fBmongod\fP exits between or during a
-checkpoint.
+By default, \fBmongod\fP creates a TLS/SSL secured connection to the LDAP
+server.
+.sp
+For Linux deployments, you must configure the appropriate TLS Options in
+\fB/etc/openldap/ldap.conf\fP file. Your operating system’s package manager
+creates this file as part of the MongoDB Enterprise installation, via the
+\fBlibldap\fP dependency. See the documentation for \fBTLS Options\fP in the
+\fI\%ldap.conf OpenLDAP documentation\fP
+for more complete instructions.
+.sp
+For Windows deployment, you must add the LDAP server CA certificates to the
+Windows certificate management tool. The exact name and functionality of the
+tool may vary depending on operating system version. Please see the
+documentation for your version of Windows for more information on
+certificate management.
+.sp
+Set \fI\%\-\-ldapTransportSecurity\fP to \fBnone\fP to disable TLS/SSL between \fBmongod\fP and the LDAP
+server.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Setting \fI\%\-\-ldapTransportSecurity\fP to \fBnone\fP transmits plaintext information and possibly
+credentials between \fBmongod\fP and the LDAP server.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-wiredTigerStatisticsLogDelaySecs <seconds>
-\fIDefault\fP: 0
+.B \-\-ldapTimeoutMS <long>
+\fIDefault\fP: 10000
 .sp
-New in version 3.0.0.
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-When \fB0\fP WiredTiger will not log statistics. Otherwise WiredTiger
-will log statistics to a file in the \fBdbPath\fP
-on the interval defined by \fI\%\-\-wiredTigerStatisticsLogDelaySecs\fP\&.
+The amount of time in milliseconds \fBmongod\fP should wait for an LDAP server
+to respond to a request.
+.sp
+Increasing the value of \fI\%\-\-ldapTimeoutMS\fP may prevent connection failure between the
+MongoDB server and the LDAP server, if the source of the failure is a
+connection timeout. Decreasing the value of \fI\%\-\-ldapTimeoutMS\fP reduces the time
+MongoDB waits for a response from the LDAP server.
+.sp
+This setting can be configured on a running \fBmongod\fP using
+\fBsetParameter\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-wiredTigerJournalCompressor <compressor>
-\fIDefault\fP: snappy
-.sp
-New in version 3.0.0.
+.B \-\-ldapUserToDNMapping <string>
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Specifies the type of compression to use to compress the journal
-data (i.e. \fBstorage.journal\fP\&.)
-.sp
-Available compressors are:
+Maps the username provided to \fBmongod\fP for authentication to a LDAP
+Distinguished Name (DN). You may need to use \fI\%\-\-ldapUserToDNMapping\fP to transform a
+username into an LDAP DN in the following scenarios:
 .INDENT 7.0
 .IP \(bu 2
-\fBnone\fP
+Performing LDAP authentication with simple LDAP binding, where users
+authenticate to MongoDB with usernames that are not full LDAP DNs.
 .IP \(bu 2
-\fIsnappy\fP
+Using an \fI\%LDAP authorization query template\fP that requires a DN.
 .IP \(bu 2
-\fIzlib\fP
+Transforming the usernames of clients authenticating to Mongo DB using
+different authentication mechanisms (e.g. x.509, kerberos) to a full LDAP
+DN for authorization.
 .UNINDENT
+.sp
+\fI\%\-\-ldapUserToDNMapping\fP expects a quote\-enclosed JSON\-string representing an ordered array
+of documents. Each document contains a regular expression \fBmatch\fP and
+either a \fBsubstitution\fP or \fBldapQuery\fP template used for transforming the
+incoming username.
+.sp
+Each document in the array has the following form:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+{
+  match: "<regex>"
+  substitution: "<LDAP DN>" | ldapQuery: "<LDAP Query>"
+}
+.ft P
+.fi
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-wiredTigerCollectionBlockCompressor <compressor>
-\fIDefault\fP: none
+.UNINDENT
+.TS
+center;
+|l|l|l|.
+_
+T{
+Field
+T}	T{
+Description
+T}	T{
+Example
+T}
+_
+T{
+\fBmatch\fP
+T}	T{
+An ECMAScript\-formatted regular expression (regex) to match against a
+provided username. Each parenthesis\-enclosed section represents a
+regex capture group used by \fBsubstitution\fP or \fBldapQuery\fP\&.
+T}	T{
+\fB"(.+)ENGINEERING"\fP
+\fB"(.+)DBA"\fP
+T}
+_
+T{
+\fBsubstitution\fP
+T}	T{
+An LDAP distinguished name (DN) formatting template that converts the
+authentication name matched by the \fBmatch\fP regex into a LDAP DN.
+Each curly bracket\-enclosed numeric value is replaced by the
+corresponding \fI\%regex capture group\fP extracted
+from the authentication username via the \fBmatch\fP regex.
+T}	T{
+\fB"cn={0},ou=engineering,
+dc=example,dc=com"\fP
+T}
+_
+T{
+\fBldapQuery\fP
+T}	T{
+A LDAP query formatting template that inserts the authentication
+name matched by the \fBmatch\fP regex into an LDAP query URI encoded
+respecting RFC4515 and RFC4516. Each curly bracket\-enclosed numeric
+value is replaced by the corresponding \fI\%regex capture group\fP extracted
+from the authentication username via the \fBmatch\fP expression.
+\fBmongod\fP executes the query against the LDAP server to retrieve
+the LDAP DN for the authenticated user. \fBmongod\fP requires
+exactly one returned result for the transformation to be
+successful, or \fBmongod\fP skips this transformation.
+T}	T{
+\fB"ou=engineering,dc=example,
+dc=com??one?(user={0})"\fP
+T}
+_
+.TE
 .sp
-New in version 3.0.0.
-
+For each document in the array, you must use either \fBsubstitution\fP or
+\fBldapQuery\fP\&. You \fIcannot\fP specify both in the same document.
 .sp
-Specifies the default type of compression to use to compress index
-data. You can override this on a per\-index basis when creating
-indexes.
+When performing authentication or authorization, \fBmongod\fP steps through
+each document in the array in the given order, checking the authentication
+username against the \fBmatch\fP filter.  If a match is found,
+\fBmongod\fP applies the transformation and uses the output for
+authenticating the user. \fBmongod\fP does not check the remaining documents
+in the array.
 .sp
-Available compressors are:
+If the given document does not match the provided authentication name, or
+the transformation described by the document fails, \fBmongod\fP continues
+through the list of documents to find additional matches. If no matches are
+found in any document, \fBmongod\fP returns an error.
 .INDENT 7.0
-.IP \(bu 2
-\fBnone\fP
-.IP \(bu 2
-\fIsnappy\fP
-.IP \(bu 2
-\fIzlib\fP
+.INDENT 3.5
+.SS Example
+.sp
+The following shows two transformation documents. The first
+document matches against any string ending in \fB@ENGINEERING\fP, placing
+anything preceeding the suffix into a regex capture group. The
+second document matches against any string ending in \fB@DBA\fP, placing
+anything preceeding the suffix into a regex capture group.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 0.0
+.INDENT 3.5
+You must pass the array to \fI\%\-\-ldapUserToDNMapping\fP as a string.
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
-.TP
-.B \-\-wiredTigerIndexPrefixCompression <boolean>
-\fIDefault\fP: true
+.INDENT 3.5
 .sp
-New in version 3.0.0.
+.nf
+.ft C
+"[
+   {
+      match: "(.+)@ENGINEERING.EXAMPLE.COM",
+      substitution: "cn={0},ou=engineering,dc=example,dc=com"
+   },
+   {
+      match: "(.+)@DBA.EXAMPLE.COM",
+      ldapQuery: "ou=dba,dc=example,dc=com??one?(user={0})"
+
+   }
 
+]"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+A user with username \fBalice@ENGINEERING.EXAMPLE.COM\fP matches the first
+document. The regex capture group \fB{0}\fP corresponds to the string
+\fBalice\fP\&. The resulting output is the DN
+\fB"cn=alice,ou=engineering,dc=example,dc=com"\fP\&.
 .sp
-Specify \fBtrue\fP for \fI\%\-\-wiredTigerIndexPrefixCompression\fP to enable \fIprefix compression\fP for
-index data.
+A user with username \fBbob@DBA.EXAMPLE.COM\fP matches the second document.
+The regex capture group \fB{0}\fP corresponds to the string \fBbob\fP\&.  The
+resulting output is the LDAP query
+\fB"ou=dba,dc=example,dc=com??one?(user=bob)"\fP\&. \fBmongod\fP executes this
+query against the LDAP server, returning the result
+\fB"cn=bob,ou=dba,dc=example,dc=com"\fP\&.
+.UNINDENT
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-directoryperdb
-Stores each database\(aqs files in its own folder in the \fIdata
-directory\fP\&. When applied to an existing system, the
-\fI\%\-\-directoryperdb\fP option alters the storage pattern of the data
-directory.
 .sp
-Use this option in conjunction with your file system and device
-configuration so that MongoDB will store data on a number of distinct
-disk devices to increase write throughput or disk capacity.
+If \fI\%\-\-ldapUserToDNMapping\fP is unset, \fBmongod\fP applies no transformations to the username
+when attempting to authenticate or authorize a user against the LDAP server.
 .sp
-\fBWARNING:\fP
+This setting can be configured on a running \fBmongod\fP using the
+\fBsetParameter\fP database command.
+.sp
+\fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-To enable this option for an \fBexisting\fP system, migrate the
-database\-specific data files to the new directory structure before
-enabling \fI\%\-\-directoryperdb\fP\&. Database\-specific data files
-begin with the name of an existing database and end with either
-"\fBns\fP" or a number. For example, the following data directory
-includes files for the \fBlocal\fP and \fBtest\fP databases:
+An explanation of \fI\%RFC4515\fP,
+\fI\%RFC4516\fP or LDAP queries is out
+of scope for the MongoDB Documentation. Please review the RFC directly or
+use your preferred LDAP resource.
+.UNINDENT
+.UNINDENT
+.UNINDENT
 .INDENT 0.0
+.TP
+.B \-\-ldapAuthzQueryTemplate <string>
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+A relative LDAP query URL formatted conforming to \fI\%RFC4515\fP and \fI\%RFC4516\fP that \fBmongod\fP executes to obtain
+the LDAP groups to which the authenticated user belongs to. The query is
+relative to the host or hosts specified in \fI\%\-\-ldapServers\fP\&.
+.sp
+Use the \fB{USER}\fP placeholder in the URL to substitute the authenticated
+username, or the transformed username if a \fI\%username mapping\fP is specified.
+.sp
+When constructing the query URL, ensure that the order of LDAP parameters
+respects RFC4516:
+.INDENT 7.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-journal
-mongod.lock
-local.0
-local.1
-local.ns
-test.0
-test.1
-test.ns
+[ dn  [ ? [attributes] [ ? [scope] [ ? [filter] [ ? [Extensions] ] ] ] ] ]
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
-After migration, the data directory would have the following structure:
+If your query includes an attribute, \fBmongod\fP assumes that the query
+retrieves a the DNs which this entity is member of.
+.sp
+If your query does not include an attribute, \fBmongod\fP assumes
+the query retrieves all entities which the user is member of.
+.sp
+For each LDAP DN returned by the query, \fBmongod\fP assigns the authorized
+user a corresponding role on the \fBadmin\fP database. If a role on the on the
+\fBadmin\fP database exactly matches the DN, \fBmongod\fP grants the user the
+roles and privileges assigned to that role. See the
+\fBdb.createRole()\fP method for more information on creating roles.
+.INDENT 7.0
+.INDENT 3.5
+.SS Example
+.sp
+This LDAP query returns any groups listed in the LDAP user object’s
+\fBmemberOf\fP attribute.
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-journal
-mongod.lock
-local/local.0
-local/local.1
-local/local.ns
-test/test.0
-test/test.1
-test/test.ns
+"{USER}?memberOf?base"
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
+.sp
+Your LDAP configuration may not include the \fBmemberOf\fP attribute as part
+of the user schema, may possess a different attribute for reporting group
+membership, or may not track group membership through attributes.
+Configure your query with respect to your own unique LDAP configuration.
+.UNINDENT
+.UNINDENT
+.sp
+If unset, \fBmongod\fP cannot authorize users using LDAP.
+.sp
+This setting can be configured on a running \fBmongod\fP using the
+\fBsetParameter\fP database command.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+An explanation of \fI\%RFC4515\fP,
+\fI\%RFC4516\fP or LDAP queries is out
+of scope for the MongoDB Documentation. Please review the RFC directly or
+use your preferred LDAP resource.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Storage Options
+.INDENT 0.0
+.TP
+.B \-\-storageEngine string
+\fIDefault\fP: \fBwiredTiger\fP
+.sp
+Changed in version 4.0: MongoDB deprecates the MMAPv1 storage engine.
+
+.sp
+Specifies the storage engine for the \fBmongod\fP database. Available
+values include:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T}	T{
+Description
+T}
+_
+T{
+\fBwiredTiger\fP
+T}	T{
+To specify the /core/wiredtiger\&.
+T}
+_
+T{
+\fBinMemory\fP
+T}	T{
+To specify the /core/inmemory\&.
+.sp
+New in version 3.2: Available in MongoDB Enterprise only.
+T}
+_
+T{
+\fBmmapv1\fP (Deprecated in MongoDB 4.0)
+T}	T{
+To specify the /core/mmapv1\&.
+T}
+_
+.TE
+.sp
+If you attempt to start a \fBmongod\fP with a
+\fI\%\-\-dbpath\fP that contains data files produced by a
+storage engine other than the one specified by \fI\%\-\-storageEngine\fP, \fBmongod\fP
+will refuse to start.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-dbpath <path>
+\fIDefault\fP: \fB/data/db\fP on Linux and macOS, \fB\edata\edb\fP on Windows
+.sp
+The directory where the \fBmongod\fP instance stores its data.
+.sp
+If you
+installed MongoDB using a package management system, check the
+\fB/etc/mongod.conf\fP file provided by your packages to see the
+directory is specified.
+.sp
+Changed in version 3.0: The files in \fI\%\-\-dbpath\fP must correspond to the storage engine
+specified in \fI\%\-\-storageEngine\fP\&. If the data files do not
+correspond to \fI\%\-\-storageEngine\fP, \fBmongod\fP will refuse to
+start.
+
 .UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-directoryperdb
+Uses a separate directory to store data for each database. The
+directories are under the \fI\%\-\-dbpath\fP directory, and each subdirectory
+name corresponds to the database name.
+.sp
+Changed in version 3.0: To change the \fI\%\-\-directoryperdb\fP option for existing deployments, you must
+restart the \fI\%mongod\fP instances with the new \fI\%\-\-directoryperdb\fP
+value \fBand\fP a new data directory (\fI\%\-\-dbpath <new path>\fP), and then
+repopulate the data.
+.INDENT 7.0
+.IP \(bu 2
+For standalone instances, you can use \fBmongodump\fP on
+the existing instance, stop the instance, restart with the new
+\fI\%\-\-directoryperdb\fP value \fBand\fP a new data directory, and use
+\fBmongorestore\fP to populate the new data directory.
+.IP \(bu 2
+For replica sets, you can update in a rolling manner by stopping
+a secondary member, restart with the new \fI\%\-\-directoryperdb\fP value \fBand\fP
+a new data directory, and use initial sync to populate the new data directory.
+To update all members, start with the secondary members first.
+Then step down the primary, and update the stepped\-down member.
 .UNINDENT
+
+.sp
+Not available for \fI\%mongod\fP instances that use the
+in\-memory storage engine\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-noIndexBuildRetry
-Stops the \fBmongod\fP from rebuilding incomplete indexes on the next
+Changed in version 4.0: \fI\%\-\-noIndexBuildRetry\fP cannot be used in
+conjunction with \fI\%\-\-replSet\fP\&.
+
+.sp
+Stops the \fBmongod\fP standalone instance from rebuilding incomplete indexes on the next
 start up. This applies in cases where the \fBmongod\fP restarts after it
 has shut down or stopped in the middle of an index build. In such cases,
 the \fBmongod\fP always removes any incomplete indexes, and then also, by
 default, attempts to rebuild them. To stop the \fBmongod\fP from
 rebuilding incomplete indexes on start up, include this option on the
 command\-line.
+.sp
+Not available for \fI\%mongod\fP instances that use the
+in\-memory storage engine\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-noprealloc
-Deprecated since version 2.6.
+Deprecated since version 2.6: By default, MongoDB does not preallocate data files. The option
+exists for compatibility and clarity.
 
 .sp
-Disables the preallocation of data files. Currently the default.
-Exists for future compatibility and clarity.
+Disables the preallocation of data files.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -752,7 +1506,7 @@ option requires that you set \fI\%\-\-quota\fP\&.
 .B \-\-smallfiles
 Sets MongoDB to use a smaller default file size. The \fI\%\-\-smallfiles\fP option
 reduces the initial size for data files and limits the maximum size to
-512 megabytes. \fI\%\-\-smallfiles\fP also reduces the size of each \fIjournal\fP
+512 megabytes. \fI\%\-\-smallfiles\fP also reduces the size of each journal
 file from 1 gigabyte to 128 megabytes. Use \fI\%\-\-smallfiles\fP if you have a large
 number of databases that each holds a small quantity of data.
 .sp
@@ -765,7 +1519,9 @@ number of files, which can affect performance for larger databases.
 \fIDefault\fP: 60
 .sp
 Controls how much time can pass before MongoDB flushes data to the data
-files via an \fIfsync\fP operation. \fBDo not set this value on
+files via an fsync operation.
+.sp
+\fBDo not set this value on
 production systems.\fP In almost every situation, you should use the
 default setting.
 .sp
@@ -778,11 +1534,18 @@ memory mapped files to disk.
 .UNINDENT
 .sp
 The \fBmongod\fP process writes data very quickly to the journal and
-lazily to the data files. \fBsyncPeriodSecs\fP has no effect on the
-\fBjournal\fP files or \fBjournaling\fP\&.
+lazily to the data files. \fI\%\-\-syncdelay\fP has no effect on the
+\fBjournal\fP files or journaling,
+but if \fI\%\-\-syncdelay\fP is set to \fB0\fP the journal will eventually consume
+all available disk space. If you set \fI\%\-\-syncdelay\fP to \fB0\fP for testing
+purposes, you should also set \fI\%\-\-nojournal\fP
+to \fBtrue\fP\&.
 .sp
 The \fBserverStatus\fP command reports the background flush
-thread\(aqs status via the \fBbackgroundFlushing\fP field.
+thread’s status via the \fBbackgroundFlushing\fP field.
+.sp
+Not available for \fI\%mongod\fP instances that use the
+in\-memory storage engine\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -807,96 +1570,274 @@ command on all databases.
 \fBWARNING:\fP
 .INDENT 7.0
 .INDENT 3.5
-During normal operations, only use the \fBrepairDatabase\fP
-command and wrappers including \fBdb.repairDatabase()\fP in the
-\fBmongo\fP shell and \fImongod \-\-repair\fP, to compact
-database files and/or reclaim disk space. Be aware that these
+.INDENT 0.0
+.IP \(bu 2
+Before using \fBrepairDatabase\fP, make a backup copy of
+the dbpath directory.
+.IP \(bu 2
+Avoid running \fBrepairDatabase\fP against a replica set.
+If you are trying to repair a replica set member, and you
+have access to an intact copy of your data (e.g. a recent backup
+or an intact member of the replica set), you should
+restore from that intact copy (see
+/tutorial/resync\-replica\-set\-member), and \fBnot\fP use
+\fBrepairDatabase\fP\&.
+.IP \(bu 2
+Only use the \fBrepairDatabase\fP command and associated
+wrappers, including \fBdb.repairDatabase()\fP and
+\fI\%mongod \-\-repair\fP, if you have no other options. These
 operations remove and do not save any corrupt data during the
 repair process.
-.sp
-If you are trying to repair a \fIreplica set\fP member, and you have
-access to an intact copy of your data (e.g. a recent backup or an
-intact member of the \fIreplica set\fP), you should restore from that
-intact copy, and \fBnot\fP use \fBrepairDatabase\fP\&.
+.UNINDENT
 .UNINDENT
 .UNINDENT
 .sp
-When using \fIjournaling\fP, there is almost never
-any need to run \fBrepairDatabase\fP\&. In the event of an
-unclean shutdown, the server will be able to restore the data files
-to a pristine state automatically.
+If you are running with journaling enabled, there is
+almost never any need to run \fBrepairDatabase\fP unless you
+need to recover from a disk\-level data corruption. In the event of an
+unclean shutdown, the server will be able to restore the data files to
+a clean state automatically.
 .sp
 Changed in version 2.1.2.
 
 .sp
 If you run the repair option \fIand\fP have data in a journal file, the
 \fBmongod\fP instance refuses to start. In these cases you should start
-the \fBmongod\fP without the \fI\-\-repair\fP option, which allows the
+the \fBmongod\fP without the \fI\%\-\-repair\fP option, which allows the
 \fBmongod\fP to recover data from the journal. This completes more
 quickly and is more likely to produce valid data files. To continue the
 repair operation despite the journal files, shut down the \fBmongod\fP
-cleanly and restart with the \fI\-\-repair\fP option.
+cleanly and restart with the \fI\%\-\-repair\fP option.
 .sp
-The \fI\-\-repair\fP option copies data from the source data files into new data
+The \fI\%\-\-repair\fP option copies data from the source data files into new data
 files in the \fBrepairPath\fP and then replaces the original data
 files with the repaired data files.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-repairpath <path>
-\fIDefault\fP: A \fB_tmp\fP directory within the path specified by the
-\fBdbPath\fP option.
+\fIDefault\fP: A \fB_tmp_repairDatabase_<num>\fP directory under the
+\fBdbPath\fP\&.
 .sp
 Specifies a working directory that MongoDB will use during the
-\fI\-\-repair\fP operation. After \fI\-\-repair\fP completes,
-the data files in \fBdbPath\fP and the \fI\%\-\-repairpath\fP
-directory is empty.
+\fI\%\-\-repair\fP operation. When \fB\-\-repair\fP completes, the
+\fI\%\-\-repairpath\fP directory is empty, and
+\fBdbPath\fP contains the repaired files.
 .sp
 The \fI\%\-\-repairpath\fP must be within the \fBdbPath\fP\&. You can
 specify a symlink to \fI\%\-\-repairpath\fP to use a path on a different file
 system.
+.sp
+Only available for \fI\%mongod\fP instance using the MMAPv1 storage engine.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-journal
-Enables the durability \fIjournal\fP to ensure data files remain valid
+Enables the durability journal to ensure data files remain valid
 and recoverable. This option applies only when you specify the
-\fI\%\-\-dbpath\fP option. The \fBmongod\fP enables journaling by default
-on 64\-bit builds of versions after 2.0.
+\fI\%\-\-dbpath\fP option. \fBmongod\fP enables journaling by default.
+.sp
+Not available for \fI\%mongod\fP instances that use the
+in\-memory storage engine\&.
+.sp
+If any voting member of a replica set uses the in\-memory
+storage engine, you must set
+\fBwriteConcernMajorityJournalDefault\fP to \fBfalse\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-nojournal
-Disables the durability journaling. The \fBmongod\fP instance
-enables journaling by default in 64\-bit versions after v2.0.
+Disables journaling\&. \fBmongod\fP
+enables journaling by default.
+.sp
+Not available for \fI\%mongod\fP instances that use the
+in\-memory storage engine\&.
+.sp
+Starting in MongoDB 4.0, you cannot specify \fI\%\-\-nojournal\fP option or \fBstorage.journal.enabled:
+false\fP for replica set members that use the
+WiredTiger storage engine.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-journalOptions <arguments>
 Provides functionality for testing. Not for general use, and will affect data
 file integrity in the case of abnormal system shutdown.
+.sp
+Not available for \fI\%mongod\fP instances that use the
+in\-memory storage engine\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-journalCommitInterval <value>
 \fIDefault\fP: 100 or 30
 .sp
-The maximum amount of time the \fBmongod\fP process allows between
-journal operations. Values can range from 2 to 300 milliseconds. Lower
+Changed in version 3.2.
+
+.sp
+The maximum amount of time in milliseconds that
+the \fBmongod\fP process allows between
+journal operations. Values can range from 1 to 500 milliseconds. Lower
 values increase the durability of the journal, at the expense of disk
-performance.
+performance.  The default journal commit interval is 100 milliseconds.
+.sp
+On MMAPv1, if the journal is on a different block device (e.g. physical
+volume, RAID device, or LVM volume) than the data files, the default journal
+commit interval is 30 milliseconds. Additionally, on MMAPv1, when a write
+operation with \fBj:true\fP is pending, \fBmongod\fP will reduce
+\fBcommitIntervalMs\fP to a third of the set value.
+.sp
+On WiredTiger, the default journal commit interval is 100 milliseconds. Additionally,
+a write with \fBj:true\fP will cause an immediate sync of the journal.
+.sp
+Not available for \fI\%mongod\fP instances that use the
+in\-memory storage engine\&.
+.UNINDENT
+.SS WiredTiger Options
+.INDENT 0.0
+.TP
+.B \-\-wiredTigerCacheSizeGB float
+Defines the maximum size of the internal cache that WiredTiger will
+use for all data.
+.sp
+Changed in version 3.4: Values can range from 256MB to 10TB and can be a float. In
+addition, the default value has also changed.
+
+.sp
+Starting in 3.4, the WiredTiger internal cache, by default, will use
+the larger of either:
+.INDENT 7.0
+.IP \(bu 2
+50% of (RAM \- 1 GB), or
+.IP \(bu 2
+256 MB.
+.UNINDENT
+.sp
+For example, on a system with a total of 4GB of RAM the WiredTiger
+cache will use 1.5GB of RAM (\fB0.5 * (4 GB \- 1 GB) = 1.5 GB\fP).
+Conversely, a system with a total of 1.25 GB of RAM will allocate 256
+MB to the WiredTiger cache because that is more than half of the
+total RAM minus one gigabyte (\fB0.5 * (1.25 GB \- 1 GB) = 128 MB < 256 MB\fP).
+.sp
+Avoid increasing the WiredTiger internal cache size above its
+default value.
+.sp
+With WiredTiger, MongoDB utilizes both the WiredTiger internal cache
+and the filesystem cache.
+.sp
+Via the filesystem cache, MongoDB automatically uses all free memory
+that is not used by the WiredTiger cache or by other processes.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The \fI\%\-\-wiredTigerCacheSizeGB\fP limits the size of the WiredTiger internal
+cache. The operating system will use the available free memory
+for filesystem cache, which allows the compressed MongoDB data
+files to stay in memory. In addition, the operating system will
+use any free RAM to buffer file system blocks and file system
+cache.
+.sp
+To accommodate the additional consumers of RAM, you may have to
+decrease WiredTiger internal cache size.
+.UNINDENT
+.UNINDENT
+.sp
+The default WiredTiger internal cache size value assumes that there is a
+single \fI\%mongod\fP instance per machine. If a single machine
+contains multiple MongoDB instances, then you should decrease the setting to
+accommodate the other \fI\%mongod\fP
+instances.
+.sp
+If you run \fI\%mongod\fP in a container (e.g. \fBlxc\fP,
+\fBcgroups\fP, Docker, etc.) that does \fInot\fP have access to all of the
+RAM available in a system, you must set \fI\%\-\-wiredTigerCacheSizeGB\fP to a value less
+than the amount of RAM available in the container. The exact amount
+depends on the other processes running in the container.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-wiredTigerJournalCompressor <compressor>
+\fIDefault\fP: snappy
 .sp
-The default journal commit interval is 100 milliseconds if a single
-block device (e.g. physical volume, RAID device, or LVM volume) contains
-both the journal and the data files.
+New in version 3.0.0.
+
 .sp
-If the journal is on a different block device than the data files the
-default journal commit interval is 30 milliseconds.
+Specifies the type of compression to use to compress WiredTiger
+journal data.
 .sp
-To force \fBmongod\fP to commit to the journal more frequently, you
-can specify \fBj:true\fP\&. When a write operation with \fBj:true\fP is
-pending, \fBmongod\fP will reduce \fBcommitIntervalMs\fP
-to a third of the set value.
+Available compressors are:
+.INDENT 7.0
+.IP \(bu 2
+\fBnone\fP
+.IP \(bu 2
+snappy
+.IP \(bu 2
+zlib
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-wiredTigerDirectoryForIndexes
+New in version 3.0.0.
+
+.sp
+When you start \fBmongod\fP with \fI\%\-\-wiredTigerDirectoryForIndexes\fP, \fBmongod\fP stores indexes and collections in separate
+subdirectories under the data (i.e. \fI\%\-\-dbpath\fP) directory.
+Specifically, \fBmongod\fP stores the indexes in a subdirectory named
+\fBindex\fP and the collection data in a subdirectory named
+\fBcollection\fP\&.
+.sp
+By using a symbolic link, you can specify a different location for
+the indexes. Specifically, when \fI\%mongod\fP instance is \fBnot\fP
+running, move the \fBindex\fP subdirectory to the destination and
+create a symbolic link named \fBindex\fP under the data directory to
+the new destination.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-wiredTigerCollectionBlockCompressor <compressor>
+\fIDefault\fP: snappy
+.sp
+New in version 3.0.0.
+
+.sp
+Specifies the default type of compression to use to compress collection
+data. You can override this on a per\-collection basis when creating
+collections.
+.sp
+Available compressors are:
+.INDENT 7.0
+.IP \(bu 2
+\fBnone\fP
+.IP \(bu 2
+snappy
+.IP \(bu 2
+zlib
+.UNINDENT
+.sp
+\fI\%\-\-wiredTigerCollectionBlockCompressor\fP affects all collections created. If you change
+the value of \fI\%\-\-wiredTigerCollectionBlockCompressor\fP on an existing MongoDB deployment, all new
+collections will use the specified compressor. Existing collections
+will continue to use the compressor specified when they were
+created, or the default compressor at that time.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-wiredTigerIndexPrefixCompression <boolean>
+\fIDefault\fP: true
+.sp
+New in version 3.0.0.
+
+.sp
+Enables or disables prefix compression for index data.
+.sp
+Specify \fBtrue\fP for \fI\%\-\-wiredTigerIndexPrefixCompression\fP to enable prefix compression for
+index data, or \fBfalse\fP to disable prefix compression for index data.
+.sp
+The \fI\%\-\-wiredTigerIndexPrefixCompression\fP setting affects all indexes created. If you change
+the value of \fI\%\-\-wiredTigerIndexPrefixCompression\fP on an existing MongoDB deployment, all new
+indexes will use prefix compression. Existing indexes
+are not affected.
 .UNINDENT
 .SS Replication Options
 .INDENT 0.0
@@ -905,6 +1846,16 @@ to a third of the set value.
 Configures replication. Specify a replica set name as an argument to
 this set. All hosts in the replica set must have the same set name.
 .sp
+Starting in MongoDB 4.0,
+.INDENT 7.0
+.IP \(bu 2
+\fI\%\-\-replSet\fP cannot be used in conjunction with
+\fI\%\-\-noIndexBuildRetry\fP\&.
+.IP \(bu 2
+For the WiredTiger storage engine, \fI\%\-\-replSet\fP cannot be used in
+conjunction with \fI\%\-\-nojournal\fP\&.
+.UNINDENT
+.sp
 If your application connects to more than one replica set, each set
 should have a distinct name. Some drivers group replica set
 connections by replica set name.
@@ -913,21 +1864,23 @@ connections by replica set name.
 .TP
 .B \-\-oplogSize <value>
 Specifies a maximum size in megabytes for the replication operation log
-(i.e., the \fIoplog\fP). The \fBmongod\fP process creates an
-\fIoplog\fP based on the maximum amount of space available. For 64\-bit
-systems, the oplog is typically 5% of available disk space. Once the
-\fBmongod\fP has created the oplog for the first time, changing the
-\fI\%\-\-oplogSize\fP option will not affect the size of the oplog.
+(i.e., the oplog). The \fBmongod\fP process creates an
+oplog based on the maximum amount of space available. For 64\-bit
+systems, the oplog is typically 5% of available disk space.
+.sp
+Once the \fBmongod\fP has created the oplog for the first time,
+changing the \fI\%\-\-oplogSize\fP option will not affect the size of the oplog.
+Use the \fBreplSetResizeOplog\fP administrative command to
+change the oplog size of a running \fBmongod\fP replica set member.
+\fBreplSetResizeOplog\fP enables you to resize the oplog
+dynamically without restarting the \fI\%mongod\fP process.
 .sp
-See \fIreplica\-set\-oplog\-sizing\fP for more information.
+See replica\-set\-oplog\-sizing for more information.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-replIndexPrefetch
 \fIDefault\fP: all
-.sp
-New in version 2.2.
-
 .INDENT 7.0
 .INDENT 3.5
 .IP "Storage Engine Specific Feature"
@@ -937,11 +1890,12 @@ storage engine.
 .UNINDENT
 .UNINDENT
 .sp
-Determines which indexes \fIsecondary\fP members of a \fIreplica
-set\fP load into memory before applying operations from the oplog. By
+Determines which indexes secondary members of a replica
+set load into memory before applying operations from the oplog. By
 default secondaries load all indexes related to an operation into memory
-before applying operations from the oplog. This option can have one of
-the following values:
+before applying operations from the oplog.
+.sp
+Set this option to one of the following:
 .TS
 center;
 |l|l|.
@@ -973,128 +1927,122 @@ T}
 _
 .TE
 .UNINDENT
-.SS Master\-Slave Replication
-.sp
-These options provide access to conventional master\-slave database
-replication. While this functionality remains accessible in MongoDB,
-replica sets are the preferred configuration for database replication.
-.INDENT 0.0
-.TP
-.B \-\-master
-Configures the \fBmongod\fP to run as a replication \fImaster\fP\&.
-.UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-slave
-Configures the \fBmongod\fP to run as a replication \fIslave\fP\&.
+.B \-\-enableMajorityReadConcern
+Deprecated since version 3.6: Starting in MongoDB 3.6, \fB"majority"\fP read concern
+is always enabled, and this option has no effect.
+
 .UNINDENT
+.SS Sharded Cluster Options
 .INDENT 0.0
 .TP
-.B \-\-source <host><:port>
-For use with the \fI\%\-\-slave\fP option, the \fB\-\-source\fP option
-designates the server that this instance will replicate.
+.B \-\-configsvr
+\fIRequired if starting a config server.\fP
+.sp
+Declares that this \fBmongod\fP instance serves as the config
+server of a sharded cluster. When
+running with this option, clients (i.e. other cluster components)
+cannot write data to any database other than \fBconfig\fP
+and \fBadmin\fP\&. The default port for a \fBmongod\fP with this option is
+\fB27019\fP and the default \fI\%\-\-dbpath\fP directory is
+\fB/data/configdb\fP, unless specified.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in 3.4, you must deploy config servers as a replica set.
+The use of the deprecated mirrored \fI\%mongod\fP instances as
+config servers (SCCC) is no longer supported.
+.sp
+The replica set config servers (CSRS) must run the
+WiredTiger storage engine\&.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-only <arg>
-For use with the \fI\%\-\-slave\fP option, the \fB\-\-only\fP option
-specifies only a single \fIdatabase\fP to replicate.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-slavedelay <value>
-For use with the \fI\%\-\-slave\fP option, the \fI\%\-\-slavedelay\fP
-option configures a "delay" in seconds, for this slave to wait to
-apply operations from the \fImaster\fP node.
+.sp
+The \fI\%\-\-configsvr\fP option creates a local oplog\&.
+.sp
+Do not use the \fI\%\-\-configsvr\fP option with \fI\%\-\-shardsvr\fP\&. Config
+servers cannot be a shard server.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-autoresync
-For use with the \fI\%\-\-slave\fP option. When set,
-the \fI\%\-\-autoresync\fP option allows this slave to automatically
-resync if it is more than 10 seconds behind the master. This
-setting may be problematic if the \fI\%\-\-oplogSize\fP specifies
-a too small oplog.
+.B \-\-configsvrMode <string>
+\fBAvailable in MongoDB 3.2 version only\fP
+.sp
+If set to \fBsccc\fP, indicates that the config servers are deployed
+as three mirrored \fI\%mongod\fP instances, even if one or more
+config servers is also a member of a replica set. \fBconfigsvrMode\fP
+only accepts the value \fBsccc\fP\&.
 .sp
-If the \fIoplog\fP is not large enough to store the difference in
-changes between the master\(aqs current state and the state of the slave,
-this instance will forcibly resync itself unnecessarily. If you don\(aqt
-specify \fI\%\-\-autoresync\fP, the slave will not attempt an automatic resync more
-than once in a ten minute period.
+If unset, config servers running as replica sets expect to use the
+“config server replica set” protocol for writing to config servers,
+rather than the “mirrored mongod” write protocol.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-fastsync
-In the context of \fIreplica set\fP replication, set this option
-if you have seeded this member with an up\-to\-date copy of the entire
-\fBdbPath\fP of another member of the set. Otherwise the
-\fBmongod\fP will attempt to perform an initial sync,
-as though the member were a new member.
+.B \-\-shardsvr
+\fIRequired if starting a shard server.\fP
 .sp
-\fBWARNING:\fP
+Configures this \fBmongod\fP instance as a shard in a
+sharded cluster. The default port for these instances is
+\fB27018\fP\&.
+.sp
+\fBIMPORTANT:\fP
 .INDENT 7.0
 .INDENT 3.5
-If the data is not perfectly synchronized \fIand\fP
-the \fBmongod\fP starts with \fIfastsync\fP, then the
-secondary or slave will be permanently out of sync with the
-primary, which may cause significant consistency problems.
+Changed in version 3.6.
+
+.sp
+You must deploy shards as replica sets. See the \fI\%\-\-replSet\fP
+option to deploy \fBmongod\fP as part of a replica set.
 .UNINDENT
 .UNINDENT
 .UNINDENT
-.SS Sharded Cluster Options
 .INDENT 0.0
 .TP
-.B \-\-configsvr
-Declares that this \fBmongod\fP instance serves as the
-\fIconfig database\fP of a sharded cluster. When running with
-this option, clients (i.e. other cluster components) will not be
-able to write data to any database other than \fBconfig\fP and
-\fBadmin\fP\&. The default port for a \fBmongod\fP with this option is
-\fB27019\fP and the default \fI\%\-\-dbpath\fP directory is
-\fB/data/configdb\fP, unless specified.
-.sp
-Changed in version 2.2: The \fI\%\-\-configsvr\fP option also sets \fI\%\-\-smallfiles\fP\&.
-
-.sp
-Changed in version 2.4: The \fI\%\-\-configsvr\fP option creates a local \fIoplog\fP\&.
-
+.B \-\-moveParanoia
+If specified, during chunk migration, a shard saves,
+to the \fBmoveChunk\fP directory of the \fB\-\-dbpath\fP, all documents
+migrated from that shard.
 .sp
-Do not use the \fI\%\-\-configsvr\fP option with \fI\%\-\-replSet\fP or
-\fI\%\-\-shardsvr\fP\&. Config servers cannot be a shard
-server or part of a \fIreplica set\fP\&.
+MongoDB does not automatically delete the data saved in the
+\fBmoveChunk\fP directory.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-shardsvr
-Configures this \fBmongod\fP instance as a shard in a
-partitioned cluster. The default port for these instances is
-\fB27018\fP\&.  The only effect of \fI\%\-\-shardsvr\fP is to change
-the port number.
+.B \-\-noMoveParanoia
+Changed in version 3.2: Starting in 3.2, MongoDB uses \fB\-\-noMoveParanoia\fP as the default.
+
+.sp
+During chunk migration, a shard does not save documents migrated from
+the shard.
 .UNINDENT
-.SS SSL Options
+.SS TLS/SSL Options
 .INDENT 0.0
 .INDENT 3.5
 .SS See
 .sp
-http://docs.mongodb.org/manual/tutorial/configure\-ssl for full
-documentation of MongoDB\(aqs support.
+/tutorial/configure\-ssl for full
+documentation of MongoDB’s support.
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslOnNormalPorts
-Deprecated since version 2.6.
+Deprecated since version 2.6: Use \fI\%\-\-sslMode requireSSL\fP instead.
 
 .sp
-Enables SSL for \fBmongod\fP\&.
+Enables TLS/SSL for \fBmongod\fP\&.
 .sp
-With \fI\-\-sslOnNormalPorts\fP, a \fBmongod\fP requires SSL encryption for all
+With \fI\%\-\-sslOnNormalPorts\fP, a \fBmongod\fP requires TLS/SSL encryption for all
 connections on the default MongoDB port, or the port specified by
-\fI\-\-port\fP\&. By default, \fI\-\-sslOnNormalPorts\fP is
+\fI\%\-\-port\fP\&. By default, \fI\%\-\-sslOnNormalPorts\fP is
 disabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -1102,8 +2050,8 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 2.6.
 
 .sp
-Enables SSL or mixed SSL used for all network connections. The
-argument to the \fI\-\-sslMode\fP option can be one of the following:
+Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
+argument to the \fI\%\-\-sslMode\fP option can be one of the following:
 .TS
 center;
 |l|l|.
@@ -1117,67 +2065,72 @@ _
 T{
 \fBdisabled\fP
 T}	T{
-The server does not use SSL.
+The server does not use TLS/SSL.
 T}
 _
 T{
 \fBallowSSL\fP
 T}	T{
-Connections between servers do not use SSL. For incoming
-connections, the server accepts both SSL and non\-SSL.
+Connections between servers do not use TLS/SSL. For incoming
+connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
 T}
 _
 T{
 \fBpreferSSL\fP
 T}	T{
-Connections between servers use SSL. For incoming
-connections, the server accepts both SSL and non\-SSL.
+Connections between servers use TLS/SSL. For incoming
+connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
 T}
 _
 T{
 \fBrequireSSL\fP
 T}	T{
-The server uses and accepts only SSL encrypted connections.
+The server uses and accepts only TLS/SSL encrypted connections.
 T}
 _
 .TE
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslPEMKeyFile <filename>
-New in version 2.2.
-
-.sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
-When SSL is enabled, you must specify \fI\-\-sslPEMKeyFile\fP\&.
+You must specify \fI\%\-\-sslPEMKeyFile\fP when TLS/SSL is enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslPEMKeyPassword <value>
-New in version 2.2.
-
-.sp
 Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fB\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
 certificate\-key file is encrypted. In all cases, the \fBmongod\fP will
 redact the password from all logging and reporting output.
 .sp
 Changed in version 2.6: If the private key in the PEM file is encrypted and you do not
-specify the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongod\fP will prompt for a
-passphrase. See \fIssl\-certificate\-password\fP\&.
+specify the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongod\fP will prompt for a
+passphrase. See ssl\-certificate\-password\&.
 
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -1188,7 +2141,7 @@ New in version 2.6.
 
 .sp
 The authentication mode used for cluster authentication. If you use
-\fIinternal x.509 authentication\fP,
+internal x.509 authentication,
 specify so here. This option can have one of the following values:
 .TS
 center;
@@ -1232,8 +2185,17 @@ T}
 _
 .TE
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -1242,16 +2204,19 @@ New in version 2.6.
 
 .sp
 Specifies the \fB\&.pem\fP file that contains the x.509 certificate\-key
-file for \fImembership authentication\fP
+file for membership authentication
 for the cluster or replica set.
 .sp
-If \fI\-\-sslClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
+If \fI\%\-\-sslClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
 authentication, the cluster uses the \fB\&.pem\fP file specified in the
-\fI\-\-sslPEMKeyFile\fP option.
+\fI\%\-\-sslPEMKeyFile\fP option.
 .sp
-The default distribution of MongoDB does not contain support for
-SSL.  For more information on MongoDB and SSL, see
-http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -1260,71 +2225,73 @@ New in version 2.6.
 
 .sp
 Specifies the password to de\-crypt the x.509 certificate\-key file
-specified with \fB\-\-sslClusterFile\fP\&. Use the \fI\-\-sslClusterPassword\fP option only
+specified with \fB\-\-sslClusterFile\fP\&. Use the \fI\%\-\-sslClusterPassword\fP option only
 if the certificate\-key file is encrypted. In all cases, the \fBmongod\fP
 will redact the password from all logging and reporting output.
 .sp
 If the x.509 key file is encrypted and you do not specify the
-\fI\-\-sslClusterPassword\fP option, the \fBmongod\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+\fI\%\-\-sslClusterPassword\fP option, the \fBmongod\fP will prompt for a passphrase. See
+ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslCAFile <filename>
-New in version 2.4.
-
-.sp
 Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
 .sp
-\fBWARNING:\fP
-.INDENT 7.0
-.INDENT 3.5
-If the \fI\-\-sslCAFile\fP option and its target
-file are not specified, x.509 client and member authentication will not
-function. \fBmongod\fP, and \fBmongos\fP in sharded systems,
-will not be able to verify the certificates of processes connecting to it
-against the trusted certificate authority (CA) that issued them, breaking
-the certificate chain.
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
-As of version 2.6.4, \fBmongod\fP will not start with x.509
-authentication enabled if the CA file is not specified.
-.UNINDENT
-.UNINDENT
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslCRLFile <filename>
-New in version 2.4.
-
-.sp
-Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
+Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslAllowInvalidCertificates
-New in version 2.6.
-
+Bypasses the validation checks for TLS/SSL certificates on other
+servers in the cluster and allows the use of invalid certificates to
+connect.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.UNINDENT
+.UNINDENT
 .sp
-Bypasses the validation checks for SSL certificates on other servers
-in the cluster and allows the use of invalid certificates. When using
-the \fBallowInvalidCertificates\fP setting, MongoDB
-logs as a warning the use of the invalid certificate.
+When using
+the \fI\%\-\-sslAllowInvalidCertificates\fP setting, MongoDB
+logs a warning regarding the use of the invalid certificate.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -1332,28 +2299,20 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates, when
-connecting to other \fBmongod\fP instances for inter\-process
-authentication. This allows \fBmongod\fP to connect to other
-\fBmongod\fP instances if the hostnames in their certificates do not
-match their configured hostname.
+Disables the validation of the hostnames in TLS/SSL certificates,
+when connecting to other members of the replica set or sharded cluster
+for inter\-process authentication. This allows \fBmongod\fP to connect
+to other members if the hostnames in their certificates do not match
+their configured hostname.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslAllowConnectionsWithoutCertificates
-New in version 2.4.
-
-.sp
-Changed in version 3.0.0: \fB\-\-sslAllowConnectionsWithoutCertificates\fP became \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP\&. For
-compatibility, MongoDB processes continue to accept
-\fB\-\-sslAllowConnectionsWithoutCertificates\fP, but all users should
-update their configuration files.
-
-.sp
-Disables the requirement for SSL certificate validation that
+Disables the requirement for TLS/SSL certificate validation that
 \fB\-\-sslCAFile\fP enables. With the \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP option, the \fBmongod\fP
 will accept connections when the client does not present a certificate
 when establishing the connection.
@@ -1366,37 +2325,164 @@ with invalid certificates.
 Use the \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP option if you have a mixed deployment that includes
 clients that do not or cannot present certificates to the \fBmongod\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sslFIPSMode
-New in version 2.4.
+.B \-\-sslDisabledProtocols <protocol(s)>
+New in version 3.0.7.
 
 .sp
+Prevents a MongoDB server running with TLS/SSL from accepting
+incoming connections that use a specific protocol or protocols. To
+specify multiple protocols, use a comma separated list of protocols.
+.sp
+\fI\%\-\-sslDisabledProtocols\fP recognizes the following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP,
+and \fBTLS1_2\fP\&.
+.INDENT 7.0
+.IP \(bu 2
+On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
+\fBTLS1_2\fP enabled. You must disable at least one of the other
+two, for example, \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+To list multiple protocols, specify as a comma separated list of
+protocols. For example \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+Specifying an unrecognized protocol will prevent the server from
+starting.
+.IP \(bu 2
+The specified disabled protocols overrides any default disabled
+protocols.
+.UNINDENT
+.sp
+Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
+1.1+ is available on the system. To enable the disabled TLS 1.0,
+specify \fBnone\fP to \fI\%\-\-sslDisabledProtocols\fP\&. 4.0\-disable\-tls
+.sp
+Members of replica sets and sharded clusters must speak at least one
+protocol in common.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+ssl\-disallow\-protocols
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslFIPSMode
 Directs the \fBmongod\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+library. Your system must have a FIPS
+compliant OpenSSL library to use the \fI\%\-\-sslFIPSMode\fP option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Profiler Options
+.INDENT 0.0
+.TP
+.B \-\-profile <level>
+\fIDefault\fP: 0
+.sp
+Configures the database profiler level.
+The following profiler levels are available:
+.TS
+center;
+|l|l|.
+_
+T{
+Level
+T}	T{
+Description
+T}
+_
+T{
+\fB0\fP
+T}	T{
+The profiler is off and does not collect any data.
+This is the default profiler level.
+T}
+_
+T{
+\fB1\fP
+T}	T{
+The profiler collects data for operations that take longer
+than the value of \fBslowms\fP\&.
+T}
+_
+T{
+\fB2\fP
+T}	T{
+The profiler collects data for all operations.
+T}
+_
+.TE
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+Profiling can impact performance and shares settings with the system
+log. Carefully consider any performance and security implications
+before configuring and enabling the profiler on a production
+deployment.
+.sp
+See database\-profiling\-overhead for more information on
+potential performance degradation.
 .UNINDENT
 .UNINDENT
 .UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-slowms <integer>
+\fIDefault\fP: 100
+.sp
+The \fIslow\fP operation time threshold, in milliseconds. Operations
+that run for longer than this threshold are considered \fIslow\fP\&.
+.sp
+When \fBlogLevel\fP is set to \fB0\fP, MongoDB
+records \fIslow\fP operations to the diagnostic log at a rate determined by
+\fBslowOpSampleRate\fP\&. At higher
+\fBlogLevel\fP settings, all operations appear in the diagnostic
+log regardless of their latency.
+.sp
+For \fI\%mongod\fP instances, \fI\%\-\-slowms\fP affects the diagnostic log
+and, if enabled, the profiler.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+/tutorial/manage\-the\-database\-profiler
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-slowOpSampleRate <double>
+\fIDefault\fP: 1.0
+.sp
+The fraction of \fIslow\fP operations that should be profiled or logged.
+\fI\%\-\-slowOpSampleRate\fP accepts values between 0 and 1, inclusive.
+.sp
+For \fI\%mongod\fP instances, \fI\%\-\-slowOpSampleRate\fP affects the
+diagnostic log and, if enabled, the profiler.
+.UNINDENT
 .SS Audit Options
 .INDENT 0.0
 .TP
 .B \-\-auditDestination
-New in version 2.6.
-
+Enables auditing and specifies where
+\fBmongod\fP sends all audit events.
 .sp
-Enables \fBauditing\fP\&. The \fI\-\-auditDestination\fP option can
-have one of the following values:
+\fI\%\-\-auditDestination\fP can have one of the following values:
 .TS
 center;
 |l|l|.
@@ -1429,8 +2515,8 @@ T{
 \fBfile\fP
 T}	T{
 Output the audit events to the file specified in
-\fI\-\-auditPath\fP in the format specified in
-\fI\-\-auditFormat\fP\&.
+\fI\%\-\-auditPath\fP in the format specified in
+\fI\%\-\-auditFormat\fP\&.
 T}
 _
 .TE
@@ -1448,8 +2534,8 @@ Available only in \fI\%MongoDB Enterprise\fP\&.
 New in version 2.6.
 
 .sp
-Specifies the format of the output file for \fBauditing\fP if \fI\-\-auditDestination\fP is \fBfile\fP\&. The
-\fI\-\-auditFormat\fP option can have one of the following values:
+Specifies the format of the output file for auditing if \fI\%\-\-auditDestination\fP is \fBfile\fP\&. The
+\fI\%\-\-auditFormat\fP option can have one of the following values:
 .TS
 center;
 |l|l|.
@@ -1464,14 +2550,14 @@ T{
 \fBJSON\fP
 T}	T{
 Output the audit events in JSON format to the file specified
-in \fI\-\-auditPath\fP\&.
+in \fI\%\-\-auditPath\fP\&.
 T}
 _
 T{
 \fBBSON\fP
 T}	T{
 Output the audit events in BSON binary format to the file
-specified in \fI\-\-auditPath\fP\&.
+specified in \fI\%\-\-auditPath\fP\&.
 T}
 _
 .TE
@@ -1492,8 +2578,8 @@ Available only in \fI\%MongoDB Enterprise\fP\&.
 New in version 2.6.
 
 .sp
-Specifies the output file for \fBauditing\fP if
-\fI\-\-auditDestination\fP has value of \fBfile\fP\&. The \fI\-\-auditPath\fP
+Specifies the output file for auditing if
+\fI\%\-\-auditDestination\fP has value of \fBfile\fP\&. The \fI\%\-\-auditPath\fP
 option can take either a full path name or a relative path name.
 .sp
 \fBNOTE:\fP
@@ -1509,7 +2595,7 @@ Available only in \fI\%MongoDB Enterprise\fP\&.
 New in version 2.6.
 
 .sp
-Specifies the filter to limit the \fItypes of operations\fP the \fBaudit system\fP records. The option takes a string representation
+Specifies the filter to limit the types of operations the audit system records. The option takes a string representation
 of a query document of the form:
 .INDENT 7.0
 .INDENT 3.5
@@ -1522,14 +2608,14 @@ of a query document of the form:
 .UNINDENT
 .UNINDENT
 .sp
-The \fB<field>\fP can be \fBany field in the audit message\fP, including fields returned in the
-\fIparam\fP document. The
-\fB<expression>\fP is a \fIquery condition expression\fP\&.
+The \fB<field>\fP can be any field in the audit message, including fields returned in the
+param document. The
+\fB<expression>\fP is a query condition expression\&.
 .sp
 To specify an audit filter, enclose the filter document in single
 quotes to pass the document as a string.
 .sp
-To specify the audit filter in a \fBconfiguration file\fP, you must use the YAML format of
+To specify the audit filter in a configuration file, you must use the YAML format of
 the configuration file.
 .sp
 \fBNOTE:\fP
@@ -1540,21 +2626,284 @@ Available only in \fI\%MongoDB Enterprise\fP\&.
 .UNINDENT
 .UNINDENT
 .SS SNMP Options
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+MongoDB Enterprise on macOS does \fInot\fP include support for SNMP due
+to \fI\%SERVER\-29352\fP\&.
+.UNINDENT
+.UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-snmp\-subagent
 Runs SNMP as a subagent. For more information, see
-http://docs.mongodb.org/manual/tutorial/monitor\-with\-snmp\&.
+/tutorial/monitor\-with\-snmp\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-snmp\-master
 Runs SNMP as a master. For more information, see
-http://docs.mongodb.org/manual/tutorial/monitor\-with\-snmp\&.
+/tutorial/monitor\-with\-snmp\&.
+.UNINDENT
+.SS inMemory Options
+.INDENT 0.0
+.TP
+.B \-\-inMemorySizeGB <float>
+\fIDefault\fP: 50% of physical RAM less 1 GB
+.sp
+Changed in version 3.4: Values can range from 256MB to 10TB and can be a float.
+
+.sp
+Maximum amount of memory to allocate for in\-memory storage
+engine data, including indexes, oplog if the
+\fI\%mongod\fP is part of replica set, replica set or sharded
+cluster metadata, etc.
+.sp
+By default, the in\-memory storage engine uses 50% of physical RAM minus
+1 GB.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Encryption Key Management Options
+.INDENT 0.0
+.TP
+.B \-\-enableEncryption <boolean>
+\fIDefault\fP: False
+.sp
+New in version 3.2.
+
+.sp
+Enables encryption for the WiredTiger storage engine. You must set
+to \fBtrue\fP to pass in encryption keys and configurations.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-encryptionCipherMode <string>
+\fIDefault\fP: AES256\-CBC
+.sp
+New in version 3.2.
+
+.sp
+The cipher mode to use for encryption at rest:
+.TS
+center;
+|l|l|.
+_
+T{
+Mode
+T}	T{
+Description
+T}
+_
+T{
+\fBAES256\-CBC\fP
+T}	T{
+256\-bit Advanced Encryption Standard in Cipher Block Chaining
+Mode
+T}
+_
+T{
+\fBAES256\-GCM\fP
+T}	T{
+256\-bit Advanced Encryption Standard in Galois/Counter Mode
+.sp
+Available only on Linux.
+.sp
+Changed in version 4.0: MongoDB Enterprise on Windows no longer supports \fBAES256\-GCM\fP\&.
+T}
+_
+.TE
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-encryptionKeyFile <string>
+New in version 3.2.
+
+.sp
+The path to the local keyfile when managing keys via process \fIother
+than\fP KMIP. Only set when managing keys via process other than KMIP.
+If data is already encrypted using KMIP, MongoDB will throw an error.
+.sp
+Requires \fBenableEncryption\fP to be \fBtrue\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipKeyIdentifier <string>
+New in version 3.2.
+
+.sp
+Unique KMIP identifier for an existing key within the KMIP server.
+Include to use the key associated with the identifier as the system
+key. You can only use the setting the first time you enable
+encryption for the \fI\%mongod\fP instance. Requires
+\fBenableEncryption\fP to be true.
+.sp
+If unspecified, MongoDB will request that the KMIP server create a
+new key to utilize as the system key.
+.sp
+If the KMIP server cannot locate a key with the specified identifier
+or the data is already encrypted with a key, MongoDB will throw an
+error
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipRotateMasterKey <boolean>
+\fIDefault\fP: False
+.sp
+New in version 3.2.
+
+.sp
+If true, rotate the master key and re\-encrypt the internal
+keystore.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+kmip\-master\-key\-rotation
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipServerName <string>
+New in version 3.2.
+
+.sp
+Hostname or IP address of key management solution running a KMIP
+server. Requires \fBenableEncryption\fP to be true.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipPort <number>
+\fIDefault\fP: 5696
+.sp
+New in version 3.2.
+
+.sp
+Port number the KMIP server is listening on. Requires that a
+\fBkmipServerName\fP be provided. Requires
+\fBenableEncryption\fP to be true.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipClientCertificateFile <string>
+New in version 3.2.
+
+.sp
+String containing the path to the client certificate used for
+authenticating MongoDB to the KMIP server. Requires that a
+\fBkmipServerName\fP be provided.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipClientCertificatePassword <string>
+New in version 3.2.
+
+.sp
+The password (if one exists) for the client certificate passed into
+\fBkmipClientCertificateFile\fP\&. Is used for
+authenticating MongoDB to the KMIP server. Requires that a
+\fBkmipClientCertificateFile\fP be provided.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-kmipServerCAFile <string>
+New in version 3.2.
+
+.sp
+Path to CA File. Used for validating secure client connection to
+KMIP server.
+.UNINDENT
+.SS Text Search Options
+.INDENT 0.0
+.TP
+.B \-\-basisTechRootDirectory <path>
+New in version 3.2.
+
+.sp
+Specify the root directory of the Basis Technology Rosette
+Linguistics Platform installation to support additional languages for
+text search operations.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongodb-parameters.5 b/debian/mongodb-parameters.5
new file mode 100644
index 00000000000..729c7e1191d
--- /dev/null
+++ b/debian/mongodb-parameters.5
@@ -0,0 +1,2740 @@
+.\" Man page generated from reStructuredText.
+.
+.TH "MONGODB-PARAMETERS" "5" "Jun 21, 2018" "4.0" "mongodb-manual"
+.SH NAME
+mongodb-parameters \- MongoDB setParameter Options
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Parameters\fP
+.INDENT 2.0
+.IP \(bu 2
+\fI\%Authentication Parameters\fP
+.IP \(bu 2
+\fI\%General Parameters\fP
+.IP \(bu 2
+\fI\%Logging Parameters\fP
+.IP \(bu 2
+\fI\%Diagnostic Parameters\fP
+.IP \(bu 2
+\fI\%Logical Session Parameters\fP
+.IP \(bu 2
+\fI\%Replication Parameters\fP
+.IP \(bu 2
+\fI\%Sharding Parameters\fP
+.IP \(bu 2
+\fI\%Storage Parameters\fP
+.IP \(bu 2
+\fI\%WiredTiger Parameters\fP
+.IP \(bu 2
+\fI\%Auditing Parameters\fP
+.IP \(bu 2
+\fI\%Transaction Parameters\fP
+.UNINDENT
+.UNINDENT
+.SH SYNOPSIS
+.sp
+MongoDB provides a number of configuration options that you can set
+using:
+.INDENT 0.0
+.IP \(bu 2
+the \fBsetParameter\fP command:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, <parameter>: <value>  } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+the \fBsetParameter\fP configuration setting:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+setParameter:
+   <parameter1>: <value1>
+   ...
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+the \fB\-\-setParameter\fP command\-line option for \fBmongod\fP
+and \fBmongos\fP:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter <parameter>=<value>
+mongos \-\-setParameter <parameter>=<value>
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+For additional configuration options, see
+/reference/configuration\-options, \fBmongod\fP and
+\fBmongos\fP\&.
+.SH PARAMETERS
+.SS Authentication Parameters
+.INDENT 0.0
+.TP
+.B authenticationMechanisms
+Changed in version 4.0: Remove support for the deprecated \fBMONGODB\-CR\fP authentication mechanism.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Specifies the list of authentication mechanisms the server accepts. Set
+this to one or more of the following values. If you specify multiple
+values, use a comma\-separated list and no spaces. For descriptions
+of the authentication mechanisms, see /core/authentication\&.
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T}	T{
+Description
+T}
+_
+T{
+SCRAM\-SHA\-1
+T}	T{
+\fI\%RFC 5802\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-1
+hash function.
+T}
+_
+T{
+SCRAM\-SHA\-256
+T}	T{
+\fI\%RFC 7677\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-256
+hash function.
+.sp
+Requires featureCompatibilityVersion set to \fB4.0\fP\&.
+.sp
+New in version 4.0.
+T}
+_
+T{
+MONGODB\-X509
+T}	T{
+MongoDB TLS/SSL certificate authentication.
+T}
+_
+T{
+GSSAPI (Kerberos)
+T}	T{
+External authentication using Kerberos. This mechanism is
+available only in \fI\%MongoDB Enterprise\fP\&.
+T}
+_
+T{
+PLAIN (LDAP SASL)
+T}	T{
+External authentication using LDAP. You can also use \fBPLAIN\fP
+for authenticating in\-database users. \fBPLAIN\fP transmits
+passwords in plain text. This mechanism is available only in
+\fI\%MongoDB Enterprise\fP\&.
+T}
+_
+.TE
+.sp
+You can only set \fI\%authenticationMechanisms\fP during
+start\-up.
+.sp
+For example, to specify both \fBPLAIN\fP and \fBSCRAM\-SHA\-256\fP as the
+authentication mechanisms, use the following command:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter authenticationMechanisms=PLAIN,SCRAM\-SHA\-256 \-\-auth
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B clusterAuthMode
+New in version 2.6.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Set the \fBclusterAuthMode\fP to either \fBsendX509\fP or
+\fBx509\fP\&. Useful during rolling upgrade to use x509 for
+membership authentication
+to minimize downtime.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, clusterAuthMode: "sendX509" } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B enableLocalhostAuthBypass
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Specify \fB0\fP or \fBfalse\fP to disable localhost authentication
+bypass. Enabled by default.
+.sp
+\fI\%enableLocalhostAuthBypass\fP is not available using
+\fBsetParameter\fP database command. Use the
+\fBsetParameter\fP option in the configuration file or the
+\fB\-\-setParameter\fP option on the
+command line.
+.sp
+See localhost\-exception for more information.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B KeysRotationIntervalSec
+New in version 3.6.
+
+.sp
+\fIDefault\fP: 7776000 seconds (90 days)
+.sp
+Specifies the number of seconds for which an \fI\%HMAC signing key\fP
+is valid before rotating to the next one. This parameter is intended
+primarily to facilitate authentication testing.
+.sp
+You can only set \fI\%KeysRotationIntervalSec\fP during
+start\-up, and cannot change this setting with the
+\fBsetParameter\fP database command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ldapUserCacheInvalidationInterval
+For use with MongoDB servers using security\-ldap\-external\&.
+.sp
+The interval (in seconds) MongoDB waits
+between external user cache flushes. After MongoDB flushes the external
+user cache, the next operation an LDAP\-authorized user, MongoDB
+reacquires authorization data from the LDAP server.
+.sp
+Increasing the value specified increases the amount of time
+MongoDB and the LDAP server can be out of sync, but reduces the load on
+the LDAP server. Conversely, decreasing the value specified
+decreases the time MongoDB and the LDAP server can be out of sync while
+increasing the load on the LDAP server.
+.sp
+Defaults to 30 seconds.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B opensslCipherConfig
+New in version 3.6.
+
+.sp
+Specify the cipher string for OpenSSL when using TLS/SSL encryption.
+For a list of cipher strings, see
+\fI\%https://wiki.openssl.org/index.php/Manual:Ciphers(1)#CIPHER_STRINGS\fP
+.sp
+You can only set \fI\%opensslCipherConfig\fP during start\-up, and
+cannot change this setting using the \fBsetParameter\fP
+database command.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter opensslCipherConfig=HIGH:!EXPORT:!aNULL@STRENGTH \-\-sslMode requireSSL \-\-sslPEMKeyFile Certs/server.pem
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B saslauthdPath
+.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Available only in MongoDB Enterprise (except MongoDB Enterprise for Windows).
+.UNINDENT
+.UNINDENT
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Specify the path to the Unix Domain Socket of the \fBsaslauthd\fP
+instance to use for proxy authentication.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B saslHostName
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fI\%saslHostName\fP overrides MongoDB’s default hostname
+detection for the purpose of configuring SASL and Kerberos
+authentication.
+.sp
+\fI\%saslHostName\fP does not affect the hostname of the
+\fBmongod\fP or \fBmongos\fP instance for any purpose
+beyond the configuration of SASL and Kerberos.
+.sp
+You can only set \fI\%saslHostName\fP during start\-up, and
+cannot change this setting using the \fBsetParameter\fP
+database command.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%saslHostName\fP supports Kerberos authentication and is
+only included in MongoDB Enterprise. For Linux systems, see
+/tutorial/control\-access\-to\-mongodb\-with\-kerberos\-authentication
+for more information.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B saslServiceName
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Allows users to override the default Kerberos
+service name component of the Kerberos
+principal name, on a per\-instance basis. If unspecified, the
+default value is \fBmongodb\fP\&.
+.sp
+MongoDB only permits setting \fI\%saslServiceName\fP at
+startup. The \fBsetParameter\fP command can not change
+this setting.
+.sp
+\fI\%saslServiceName\fP is only available in MongoDB
+Enterprise.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+Ensure that your driver supports alternate service names.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B scramIterationCount
+New in version 3.0.0.
+
+.sp
+\fIDefault\fP: \fB10000\fP
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Changes the number of hashing iterations used for all new
+\fBSCRAM\-SHA\-1\fP passwords. More iterations increase the amount of
+time required for clients to authenticate to MongoDB, but makes
+passwords less susceptible to brute\-force attempts. The default
+value is ideal for most common use cases and requirements.
+.sp
+If you modify this value, it does not change the iteration count for
+existing passwords. The \fI\%scramIterationCount\fP value must
+be \fB5000\fP or greater.
+.sp
+For example, the following sets the \fI\%scramIterationCount\fP
+to \fB12000\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter scramIterationCount=12000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or, if using the \fBsetParameter\fP command within the
+\fBmongo\fP shell:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, scramIterationCount: 12000 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fBdb.changeUserPassword()\fP
+.IP \(bu 2
+\fBdb.createUser()\fP
+.IP \(bu 2
+\fBdb.updateUser()\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B scramSHA256IterationCount
+New in version 4.0.
+
+.sp
+\fIDefault\fP: \fB15000\fP
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Changes the number of hashing iterations used for all new
+\fBSCRAM\-SHA\-256\fP passwords. More iterations increase the amount of
+time required for clients to authenticate to MongoDB, but makes
+passwords less susceptible to brute\-force attempts. The default
+value is ideal for most common use cases and requirements.
+.sp
+If you modify this value, it does not change iteration count for
+existing passwords. The \fI\%scramSHA256IterationCount\fP value
+must be \fB5000\fP or greater.
+.sp
+For example, the following sets the \fI\%scramSHA256IterationCount\fP
+to \fB20000\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter scramSHA256IterationCount=20000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or, if using the \fBsetParameter\fP command within the
+\fBmongo\fP shell:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, scramSHA256IterationCount: 20000 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fBdb.changeUserPassword()\fP
+.IP \(bu 2
+\fBdb.createUser()\fP
+.IP \(bu 2
+\fBdb.updateUser()\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B sslMode
+New in version 2.6.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Set the \fBnet.ssl.mode\fP to either \fBpreferSSL\fP or
+\fBrequireSSL\fP\&. Useful during rolling upgrade to TLS/SSL to minimize downtime.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, sslMode: "preferSSL" } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B userCacheInvalidationIntervalSecs
+\fIDefault\fP: 30
+.sp
+Available for \fBmongos\fP only.
+.sp
+On a \fBmongos\fP instance, specifies the interval (in seconds)
+at which the \fBmongos\fP instance checks to determine whether
+the in\-memory cache of user objects has stale data, and if so,
+clears the cache. If there are no changes to user objects,
+\fBmongos\fP will not clear the cache.
+.sp
+This parameter has a minimum value of \fB1\fP second and a maximum
+value of \fB86400\fP seconds (24 hours).
+.sp
+Changed in version 3.0: Default value has changed to \fB30\fP seconds, and the minimum
+value allowed has changed to \fB1\fP second. \fBmongos\fP
+only clears the user cache if there are changes.
+
+.UNINDENT
+.INDENT 0.0
+.TP
+.B authFailedDelayMs
+\fIDefault\fP: 0
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+New in version 3.4.
+
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.sp
+The number of milliseconds to wait before informing clients that their
+authentication attempt has failed. This parameter may be in the range
+\fB0\fP to \fB5000\fP, inclusive.
+.sp
+Setting this parameter makes brute\-force login attacks on a database
+more time\-consuming. However, clients waiting for a response from the
+MongoDB server still consume server resources, and this may adversely
+impact benign login attempts if the server is denying access to many
+other clients simultaneously.
+.UNINDENT
+.SS General Parameters
+.INDENT 0.0
+.TP
+.B connPoolMaxShardedConnsPerHost
+New in version 2.6.
+
+.sp
+\fIDefault\fP: 200
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets the maximum size of the legacy connection pools for communication to the
+shards. The size of a pool does not prevent the creation of
+additional connections, but \fIdoes\fP prevent the connection pools from
+retaining connections above this limit.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The parameter is separate from the connections in TaskExecutor
+pools. See \fI\%ShardingTaskExecutorPoolMaxSize\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+Increase the \fI\%connPoolMaxShardedConnsPerHost\fP value
+\fBonly\fP if the number of connections in a connection pool has a
+high level of churn or if the total number of created connections
+increase.
+.sp
+You can only set \fI\%connPoolMaxShardedConnsPerHost\fP during
+startup in the config file or on the command line. For example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter connPoolMaxShardedConnsPerHost=250
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B connPoolMaxShardedInUseConnsPerHost
+New in version 3.6.3.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets the maximum number of in\-use connections at any given time for
+the legacy sharded cluster connection pools.
+.sp
+By default, the parameter is unset.
+.sp
+You can only set \fI\%connPoolMaxShardedConnsPerHost\fP during
+startup in the config file or on the command line. For example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter connPoolMaxShardedInUseConnsPerHost=100
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%connPoolMaxShardedConnsPerHost\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B shardedConnPoolIdleTimeoutMinutes
+New in version 3.6.3.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets the time limit that a connection in the legacy sharded cluster
+connection pool can remain idle before being closed.
+.sp
+By default, the parameter is unset.
+.sp
+You can only set \fI\%shardedConnPoolIdleTimeoutMinutes\fP during
+startup in the config file or on the command line. For example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter shardedConnPoolIdleTimeoutMinutes=10
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%connPoolMaxShardedConnsPerHost\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B connPoolMaxConnsPerHost
+New in version 2.6.
+
+.sp
+\fIDefault\fP: 200
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets the maximum size of the legacy connection pools for outgoing connections
+to other \fBmongod\fP instances in the global connection pool. The size
+of a pool does not prevent the creation of additional connections,
+but \fIdoes\fP prevent a connection pool from retaining connections in
+excess of the value of \fI\%connPoolMaxConnsPerHost\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+The parameter is separate from the connections in TaskExecutor
+pools. See \fI\%ShardingTaskExecutorPoolMaxSize\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+\fBOnly\fP adjust this setting if your driver does \fInot\fP pool
+connections and you’re using authentication in the
+context of a sharded cluster.
+.sp
+You can only set \fI\%connPoolMaxConnsPerHost\fP during startup
+in the config file or on the command line. For example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter connPoolMaxConnsPerHost=250
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B connPoolMaxInUseConnsPerHost
+New in version 3.6.3.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets the maximum number of in\-use connections at any given time for
+for outgoing connections to other \fBmongod\fP instances in
+the legacy global connection pool.
+.sp
+By default, the parameter is unset.
+.sp
+You can only set \fI\%connPoolMaxInUseConnsPerHost\fP during
+startup in the config file or on the command line. For example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter connPoolMaxInUseConnsPerHost=100
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%connPoolMaxConnsPerHost\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B globalConnPoolIdleTimeoutMinutes
+New in version 3.6.3.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets the time limit that connection in the legacy global connection
+pool can remain idle before being closed.
+.sp
+By default, the parameter is unset.
+.sp
+You can only set \fI\%globalConnPoolIdleTimeoutMinutes\fP
+during startup in the config file or on the command line. For
+example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter globalConnPoolIdleTimeoutMinutes=10
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%connPoolMaxShardedConnsPerHost\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B cursorTimeoutMillis
+New in version 3.0.2.
+
+.sp
+\fIDefault\fP: 600000 (i.e. 10 minutes)
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets the expiration threshold in milliseconds for idle cursors
+before MongoDB removes them; i.e. MongoDB removes cursors that have
+been idle for the specified \fI\%cursorTimeoutMillis\fP\&.
+.sp
+For example, the following sets the \fI\%cursorTimeoutMillis\fP
+to \fB300000\fP milliseconds (i.e. 5 minutes).
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter cursorTimeoutMillis=300000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Or, if using the \fBsetParameter\fP command within the
+\fBmongo\fP shell:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, cursorTimeoutMillis: 300000 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B failIndexKeyTooLong
+New in version 2.6.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+In MongoDB 2.6, if you attempt to insert or update a document so
+that the value of an indexed field is longer than the
+\fBIndex Key Length Limit\fP, the operation
+will fail and return an error to the client. In previous versions
+of MongoDB, these operations would successfully insert or modify a
+document but the index or indexes would not include references to
+the document.
+.sp
+To avoid this issue, consider using hashed indexes or indexing a computed value. If you have an
+existing data set and want to disable this behavior so you can
+upgrade and then gradually resolve these indexing issues, you can
+use \fI\%failIndexKeyTooLong\fP to disable this behavior.
+.sp
+\fI\%failIndexKeyTooLong\fP defaults to \fBtrue\fP\&. When
+\fBfalse\fP, a 2.6 \fBmongod\fP instance will provide the 2.4
+behavior.
+.sp
+Issue the following command to disable the index key length
+validation:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, failIndexKeyTooLong: false } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can also set \fI\%failIndexKeyTooLong\fP  at
+startup time with the following option:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter failIndexKeyTooLong=false
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B newCollectionsUsePowerOf2Sizes
+Deprecated since version 3.0.0: MongoDB deprecates the
+\fI\%newCollectionsUsePowerOf2Sizes\fP parameter such that
+you cannot set the \fI\%newCollectionsUsePowerOf2Sizes\fP to
+\fBfalse\fP and \fI\%newCollectionsUsePowerOf2Sizes\fP set to
+\fBtrue\fP is a no\-op. To disable the power of 2 allocation for a collection, use the
+\fBcollMod\fP command with the \fBnoPadding\fP flag
+or the \fBdb.createCollection()\fP method with the
+\fBnoPadding\fP option.
+
+.sp
+\fIDefault\fP: \fBtrue\fP\&.
+.sp
+Available for \fBmongod\fP only.
+.sp
+Available for the MMAPv1 storage engine only.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B notablescan
+Available for \fBmongod\fP only.
+.sp
+Specify whether \fBall\fP queries must use indexes. If \fB1\fP, MongoDB
+will not execute queries that require a collection scan and will return an
+error.
+.sp
+Consider the following example which sets \fI\%notablescan\fP to \fB1\fP
+or true:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, notablescan: 1 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Setting \fI\%notablescan\fP to \fB1\fP can be useful for testing
+application queries, for example, to identify queries that scan an
+entire collection and cannot use an index.
+.sp
+To detect unindexed queries without \fBnotablescan\fP, consider reading
+the /tutorial/evaluate\-operation\-performance and
+/tutorial/optimize\-query\-performance\-with\-indexes\-and\-projections
+sections and using the \fI\%logLevel\fP parameter,
+/reference/program/mongostat and profiling\&.
+.sp
+Don’t run production \fBmongod\fP instances with
+\fI\%notablescan\fP because preventing collection scans can potentially
+affect queries in all databases, including administrative queries.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ttlMonitorEnabled
+Available for \fBmongod\fP only.
+.sp
+To support TTL Indexes, \fBmongod\fP
+instances have a background thread that is responsible for deleting
+documents from collections with TTL indexes.
+.sp
+To disable this worker thread for a \fBmongod\fP, set
+\fI\%ttlMonitorEnabled\fP to \fBfalse\fP, as in the following
+operations:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, ttlMonitorEnabled: false } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Alternately, you may disable the thread at startup time by starting the
+\fBmongod\fP instance with the following option:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter ttlMonitorEnabled=false
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B disableJavaScriptJIT
+Changed in version 4.0: The JavaScript engine’s JIT compiler is now disabled by default.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+The MongoDB JavaScript engine uses SpiderMonkey, which implements
+Just\-in\-Time (JIT) compilation for improved performance when running scripts.
+.sp
+To enable the JIT, set \fI\%disableJavaScriptJIT\fP to \fBfalse\fP, as in
+the following example:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, disableJavaScriptJIT: false } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Be aware that \fBgroup\fP and \fB$where\fP will reuse existing
+JavaScript interpreter contexts, so changes to
+\fI\%disableJavaScriptJIT\fP may not take effect immediately for these
+operations.
+.sp
+Alternately, you may enable the JIT at startup time by starting the
+\fBmongod\fP instance with the following option:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter disableJavaScriptJIT=false
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B maxIndexBuildMemoryUsageMegabytes
+New in version 3.4.
+
+.sp
+\fIDefault\fP: 500
+.sp
+Limits the amount of memory that simultaneous foreground index
+builds on one collection may consume for the duration of the
+builds.
+.sp
+Foreground index builds may be initiated either by a user command
+such as Create Index
+or by an administrative process such as an
+initial sync\&.
+Both are subject to the limit set by
+\fI\%maxIndexBuildMemoryUsageMegabytes\fP\&.
+.sp
+An initial sync operation populates
+only one collection at a time and has no risk of exceeding the memory
+limit. However, it is possible for a user to start foreground index
+builds on multiple collections in multiple databases simultaneously
+and potentially consume an amount of memory greater than the limit
+set in \fI\%maxIndexBuildMemoryUsageMegabytes\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.SS Tip
+.sp
+To minimize the impact of building an index on replica sets and
+sharded clusters with replica set shards, use a rolling index build
+procedure as described on
+/tutorial/build\-indexes\-on\-replica\-sets\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B watchdogPeriodSeconds
+New in version 3.6.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: \-1 (disabled)
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Available only in MongoDB Enterprise. Not available on macOS.
+.UNINDENT
+.UNINDENT
+.sp
+Determines how often the
+Storage Node Watchdog checks the status of
+the monitored filesystems.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+If a filesystem on a monitored directory becomes unresponsive, it can
+take a maximum of nearly \fItwice\fP the value of
+\fI\%watchdogPeriodSeconds\fP to terminate the \fBmongod\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+Valid values are \-1, meaning the
+Storage Node Watchdog is disabled, or an
+integer greater than or equal to 60.
+.sp
+By default the Storage Node Watchdog is
+disabled. To enable it, \fI\%watchdogPeriodSeconds\fP must be set at
+startup time.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter watchdogPeriodSeconds=60
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can only enable the Storage Node Watchdog
+at startup.
+.sp
+However, once enabled, you can pause the Storage Node Watchdog or change the \fI\%watchdogPeriodSeconds\fP
+during runtime.
+.sp
+To pause the Storage Node Watchdog during
+runtime, set \fI\%watchdogPeriodSeconds\fP to \-1.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, watchdogPeriodSeconds: \-1 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+To resume or change the period during runtime, set
+\fI\%watchdogPeriodSeconds\fP to a number greater than or equal to 60.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, watchdogPeriodSeconds: 120 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+It is an error to set \fI\%watchdogPeriodSeconds\fP at runtime if the
+Storage Node Watchdog was not enabled at
+startup time.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Logging Parameters
+.INDENT 0.0
+.TP
+.B logLevel
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Specify an integer between \fB0\fP and \fB5\fP signifying the verbosity
+of the logging, where \fB5\fP is the most verbose.
+.sp
+Consider the following example which sets the
+\fI\%logLevel\fP to \fB2\fP:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, logLevel: 2 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The default \fI\%logLevel\fP is \fB0\fP\&.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBverbosity\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B logComponentVerbosity
+New in version 3.0.0.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets the verbosity levels of various components for log messages\&. The verbosity level determines the
+amount of Informational and Debug
+messages MongoDB outputs.
+.sp
+The verbosity level can range from \fB0\fP to \fB5\fP:
+.INDENT 7.0
+.IP \(bu 2
+\fB0\fP is the MongoDB’s default log verbosity level, to include
+Informational messages.
+.IP \(bu 2
+\fB1\fP to \fB5\fP increases the verbosity level to include
+Debug messages.
+.UNINDENT
+.sp
+For a component, you can also specify \fB\-1\fP to inherit the parent’s
+verbosity level.
+.sp
+To specify the verbosity level, use a document similar to the
+following:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+{
+  verbosity: <int>,
+  <component1>: { verbosity: <int> },
+  <component2>: {
+     verbosity: <int>,
+     <component3>: { verbosity: <int> }
+  },
+  ...
+}
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For the components, you can specify just the \fB<component>: <int>\fP
+in the document, unless you are setting both the parent verbosity
+level and that of the child component(s) as well:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+{
+  verbosity: <int>,
+  <component1>: <int> ,
+  <component2>: {
+     verbosity: <int>,
+     <component3>: <int>
+  }
+  ...
+}
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The top\-level \fBverbosity\fP field corresponds to
+\fBsystemLog.verbosity\fP which sets the default level for all
+components. The default value of \fBsystemLog.verbosity\fP is
+\fB0\fP\&.
+.sp
+The components correspond to the following settings:
+.INDENT 7.0
+.IP \(bu 2
+\fBaccessControl\fP
+.IP \(bu 2
+\fBcommand\fP
+.IP \(bu 2
+\fBcontrol\fP
+.IP \(bu 2
+\fBgeo\fP
+.IP \(bu 2
+\fBindex\fP
+.IP \(bu 2
+\fBnetwork\fP
+.IP \(bu 2
+\fBquery\fP
+.IP \(bu 2
+\fBreplication\fP
+.IP \(bu 2
+\fBrecovery\fP
+.IP \(bu 2
+\fBsharding\fP
+.IP \(bu 2
+\fBstorage\fP
+.IP \(bu 2
+\fBstorage.journal\fP
+.IP \(bu 2
+\fBwrite\fP
+.UNINDENT
+.sp
+Unless explicitly set, the component has the verbosity level of its
+parent. For example, \fBstorage\fP is the parent of
+\fBstorage.journal\fP\&. That is, if you specify a \fBstorage\fP verbosity level, this level
+also applies to:
+.INDENT 7.0
+.IP \(bu 2
+\fBstorage.journal\fP components
+\fIunless\fP you specify the verbosity level for
+\fBstorage.journal\fP\&.
+.IP \(bu 2
+\fBstorage.recovery\fP components
+\fIunless\fP you specify the verbosity level for
+\fBstorage.recovery\fP\&.
+.UNINDENT
+.sp
+For example, the following sets the \fBdefault verbosity
+level\fP to \fB1\fP, the \fBquery\fP to \fB2\fP, the
+\fBstorage\fP to \fB2\fP,
+and the \fBstorage.journal\fP to \fB1\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( {
+   setParameter: 1,
+   logComponentVerbosity: {
+      verbosity: 1,
+      query: { verbosity: 2 },
+      storage: {
+         verbosity: 2,
+         journal: {
+            verbosity: 1
+         }
+      }
+   }
+} )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can also set parameter \fI\%logComponentVerbosity\fP at
+startup time, passing the verbosity level document as a string.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter "logComponentVerbosity={command: 3}"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The \fBmongo\fP shell also provides the \fBdb.setLogLevel()\fP
+to set the log level for a single component. For various ways to set
+the log verbosity level, see log\-messages\-configure\-verbosity\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B maxLogSizeKB
+New in version 3.4.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 10
+.sp
+Specifies the maximum size, in kilobytes, for a log line. Lines exceeding
+this limit print only the beginning and end of the line, excising the middle
+portion.
+.sp
+For example, the following sets the maximum size to \fB20\fP kilobytes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter maxLogSizeKB=20
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Using a large value for \fI\%maxLogSizeKB\fP may adversely affect
+system performance and negatively impact database operations.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B quiet
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Sets quiet logging mode. If
+\fB1\fP, \fBmongod\fP will go into a quiet logging
+mode which will not log the following events/activities:
+.INDENT 7.0
+.IP \(bu 2
+connection events;
+.IP \(bu 2
+the \fBdrop\fP command, the
+\fBdropIndexes\fP command, the
+\fBdiagLogging\fP command, the
+\fBvalidate\fP command, and the
+\fBclean\fP command; and
+.IP \(bu 2
+replication synchronization activities.
+.UNINDENT
+.sp
+Consider the following example which sets the
+\fBquiet\fP to \fB1\fP:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, quiet: 1 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBquiet\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B traceExceptions
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Configures \fBmongod\fP to log full source code stack traces
+for every database and socket C++ exception, for use with debugging.
+If \fBtrue\fP, \fBmongod\fP will log full stack traces.
+.sp
+Consider the following example which sets the
+\fBtraceExceptions\fP to \fBtrue\fP:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, traceExceptions: true } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBsystemLog.traceAllExceptions\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Diagnostic Parameters
+.sp
+To facilitate analysis of the MongoDB server behavior by MongoDB
+engineers, MongoDB logs server statistics to diagnostic files at
+periodic intervals.
+.sp
+For \fBmongod\fP, the diagnostic data files are stored in the
+\fBdiagnostic.data\fP directory under the \fBmongod\fP instance’s
+\fB\-\-dbpath\fP or \fBstorage.dbPath\fP\&.
+.sp
+For \fBmongos\fP, the diagnostic data files, by default, are
+stored in a directory under the \fBmongos\fP instance’s
+\fB\-\-logpath\fP or \fBsystemLog.path\fP directory. The diagnostic
+data directory is computed by truncating the logpath’s file
+extension(s) and concatenating \fBdiagnostic.data\fP to the remaining
+name.
+.sp
+For example, if \fBmongos\fP has \fB\-\-logpath
+/var/log/mongos.log.201708015\fP, then the diagnostic data directory is
+\fB/var/log/mongos.diagnostic.data/\fP directory. To specify a different
+diagnostic data directory for \fBmongos\fP, set the
+\fI\%diagnosticDataCollectionDirectoryPath\fP parameter.
+.sp
+The following parameters support diagnostic data capture (FTDC):
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+The default values for the diagnostic data capture interval and the
+maximum sizes are chosen to provide useful data to MongoDB engineers
+with minimal impact on performance and storage size. Typically, these
+values will only need modifications as requested by MongoDB engineers
+for specific diagnostic purposes.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B diagnosticDataCollectionEnabled
+New in version 3.2.
+
+.sp
+Changed in version 3.6: Available for both \fBmongod\fP and \fBmongos\fP\&.
+
+.sp
+\fIType\fP: boolean
+.sp
+\fIDefault\fP: true
+.sp
+Determines whether to enable the collecting and logging of data for
+diagnostic purposes. Diagnostic logging is enabled by default.
+.sp
+For example, the following disables the diagnostic collection:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter diagnosticDataCollectionEnabled=false
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B diagnosticDataCollectionDirectoryPath
+New in version 3.6.
+
+.sp
+\fIType\fP: String
+.sp
+Available for \fBmongos\fP only.
+.sp
+Specify the directory for the diagnostic directory for
+\fBmongos\fP\&. If the directory does not exist,
+\fBmongos\fP creates the directory.
+.sp
+If unspecified, the diagnostic data directory is computed by
+truncating the \fBmongos\fP instance’s \fB\-\-logpath\fP or
+\fBsystemLog.path\fP file extension(s) and concatenating
+\fBdiagnostic.data\fP\&.
+.sp
+For example, if \fBmongos\fP has \fB\-\-logpath
+/var/log/mongos.log.201708015\fP, then the diagnostic data directory is
+\fB/var/log/mongos.diagnostic.data/\fP\&.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+If \fBmongos\fP cannot create the specified directory, e.g.
+a file exists with the same name in the path or the process does
+not have permissions to create the directory, the diagnostic data
+capture will be disabled for that instance.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B diagnosticDataCollectionDirectorySizeMB
+New in version 3.2.
+
+.sp
+Changed in version 3.4: Increased default size to 200 megabytes.
+
+.sp
+Changed in version 3.6: Available for both \fBmongod\fP and \fBmongos\fP\&.
+
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 200
+.sp
+Specifies the maximum size, in megabytes, of the \fBdiagnostic.data\fP
+directory. If directory size exceeds this number, the oldest
+diagnostic files in the directory are automatically deleted based on
+the timestamp in the file name.
+.sp
+For example, the following sets the maximum size of the directory to
+\fB250\fP megabytes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter diagnosticDataCollectionDirectorySizeMB=250
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The minimum value for
+\fI\%diagnosticDataCollectionDirectorySizeMB\fP is \fB10\fP
+megabytes. \fI\%diagnosticDataCollectionDirectorySizeMB\fP must
+be greater than maximum diagnostic file size
+\fI\%diagnosticDataCollectionFileSizeMB\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B diagnosticDataCollectionFileSizeMB
+New in version 3.2.
+
+.sp
+Changed in version 3.6: Available for both \fBmongod\fP and \fBmongos\fP\&.
+
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 10
+.sp
+Specifies the maximum size, in megabytes, of each diagnostic
+file\&. If the file exceeds the maximum
+file size, MongoDB creates a new file.
+.sp
+For example, the following sets the maximum size of each diagnostic
+file to \fB20\fP megabytes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter diagnosticDataCollectionFileSizeMB=20
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The minimum value for
+\fI\%diagnosticDataCollectionFileSizeMB\fP is \fB1\fP megabyte.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B diagnosticDataCollectionPeriodMillis
+New in version 3.2.
+
+.sp
+Changed in version 3.6: Available for both \fBmongod\fP and \fBmongos\fP\&.
+
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 1000
+.sp
+Specifies the interval, in milliseconds, at which to collect
+diagnostic data.
+.sp
+For example, the following sets the interval to
+\fB5000\fP milliseconds or 5 seconds:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter diagnosticDataCollectionPeriodMillis=5000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The minimum value for
+\fI\%diagnosticDataCollectionPeriodMillis\fP is \fB100\fP
+milliseconds.
+.UNINDENT
+.SS Logical Session Parameters
+.INDENT 0.0
+.TP
+.B logicalSessionRefreshMinutes
+New in version 3.6.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 5
+.sp
+The interval (in minutes) at which the cache refreshes its logical
+session records against the main session store.
+.sp
+You can only set \fI\%logicalSessionRefreshMinutes\fP at
+startup and cannot change this setting with the
+\fBsetParameter\fP command.
+.sp
+For example, to set the \fI\%logicalSessionRefreshMinutes\fP
+for a \fBmongod\fP instance to 10 minutes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter logicalSessionRefreshMinutes=10
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B localLogicalSessionTimeoutMinutes
+New in version 3.6.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 30
+.INDENT 7.0
+.INDENT 3.5
+.IP "For testing purposes only"
+.sp
+This parameter is intended for testing purposes only and not for
+production use.
+.UNINDENT
+.UNINDENT
+.sp
+The time in minutes that a session remains active
+after its most recent use. Sessions that have not received a new
+read/write operation from the client or been refreshed with
+\fBrefreshSessions\fP within this threshold are cleared from the
+cache. State associated with an expired session may be cleaned up by the
+server at any time.
+.sp
+This parameter applies only to the instance on which it is set. To
+set this parameter on replica sets and sharded clusters, you must
+specify the same value on every member; otherwise, sessions will
+not function properly.
+.sp
+You can only set \fI\%localLogicalSessionTimeoutMinutes\fP at
+startup and cannot change this setting with the
+\fBsetParameter\fP command.
+.sp
+For example, to set the \fI\%localLogicalSessionTimeoutMinutes\fP
+for a test \fBmongod\fP instance to 20 minutes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter localLogicalSessionTimeoutMinutes=20
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B maxAcceptableLogicalClockDriftSecs
+New in version 3.6.
+
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 31536000 (1 year)
+.sp
+The maximum amount by which the current cluster time can be advanced;
+i.e., \fI\%maxAcceptableLogicalClockDriftSecs\fP is the maximum
+difference between the new value of the cluster time and the current
+cluster time. Cluster time is a logical time used for ordering of
+operations.
+.sp
+You cannot advance the cluster time to a new value if the new
+cluster time differs from the current cluster time by more than
+\fI\%maxAcceptableLogicalClockDriftSecs\fP,
+.sp
+You can only set \fI\%maxAcceptableLogicalClockDriftSecs\fP at
+startup and cannot change this setting with the
+\fBsetParameter\fP command.
+.sp
+For example, to set the \fI\%maxAcceptableLogicalClockDriftSecs\fP
+for a \fBmongod\fP instance to 15 minutes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter maxAcceptableLogicalClockDriftSecs=900
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B TransactionRecordMinimumLifetimeMinutes
+New in version 3.6.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 30
+.sp
+The minimum lifetime a transaction record exists in the
+\fBtransactions\fP collection before the record becomes
+eligible for cleanup.
+.sp
+You can only set \fI\%TransactionRecordMinimumLifetimeMinutes\fP at
+startup and cannot change this setting with the
+\fBsetParameter\fP command.
+.sp
+For example, to set the \fI\%TransactionRecordMinimumLifetimeMinutes\fP
+for a \fBmongod\fP instance to 20 minutes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter TransactionRecordMinimumLifetimeMinutes=20
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%localLogicalSessionTimeoutMinutes\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B maxTransactionLockRequestTimeoutMillis
+New in version 4.0.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 5
+.sp
+The amount of time in milliseconds that multi\-document
+transactions should wait to aquire locks
+required by the operations in the transaction.
+.sp
+If the transaction cannot aquire the locks after waiting
+\fI\%maxTransactionLockRequestTimeoutMillis\fP, the transaction
+aborts.
+.sp
+By default, multi\-document transactions
+wait \fB5\fP milliseconds. That is, if the transaction cannot acquire
+the locks within \fB5\fP milliseconds, the transaction aborts. If an
+operation provides a greater timeout in a lock request,
+\fI\%maxTransactionLockRequestTimeoutMillis\fP overrides the
+operation\-specific timeout.
+.sp
+You can set \fI\%maxTransactionLockRequestTimeoutMillis\fP to:
+.INDENT 7.0
+.IP \(bu 2
+\fB0\fP such that if the transaction cannot acquire the required
+locks immediately, the transaction aborts.
+.IP \(bu 2
+A number greater than \fB0\fP to wait the specified time to acquire
+the required locks. This can help obviate transaction aborts on
+momentary concurrent lock acquisitions, like fast\-running metadata
+operations. However, this could possibly delay the abort of
+deadlocked transaction operations.
+.IP \(bu 2
+\fB\-1\fP to use the operation specific timeout.
+.UNINDENT
+.sp
+The following sets the
+\fI\%maxTransactionLockRequestTimeoutMillis\fP to \fB20\fP
+milliseconds:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, maxTransactionLockRequestTimeoutMillis: 20 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can also set this parameter during start\-up:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter maxTransactionLockRequestTimeoutMillis=20
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Replication Parameters
+.INDENT 0.0
+.TP
+.B oplogInitialFindMaxSeconds
+New in version 3.6.
+
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 60
+.sp
+Available for \fBmongod\fP only.
+.sp
+Maximum time in seconds for a member of a replica set to wait
+for the \fBfind\fP command to finish during
+data synchronization\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B replIndexPrefetch
+Available for \fBmongod\fP only.
+.sp
+Use \fI\%replIndexPrefetch\fP in conjunction with
+\fBreplSetName\fP when configuring a replica
+set. The default value is \fBall\fP and available
+options are:
+.INDENT 7.0
+.IP \(bu 2
+\fBnone\fP
+.IP \(bu 2
+\fBall\fP
+.IP \(bu 2
+\fB_id_only\fP
+.UNINDENT
+.sp
+By default secondary members of a replica set will
+load all indexes related to an operation into memory before
+applying operations from the oplog. You can modify this behavior so
+that the secondaries will only load the \fB_id\fP index. Specify
+\fB_id_only\fP or \fBnone\fP to prevent the \fBmongod\fP from
+loading \fIany\fP index into memory.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B replWriterThreadCount
+New in version 3.2.
+
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 16
+.sp
+Available for \fBmongod\fP only.
+.sp
+Number of threads to use to apply replicated operations in parallel.
+Values can range from 1 to 256 inclusive. You can only set
+\fI\%replWriterThreadCount\fP at startup and cannot change this
+setting with the \fBsetParameter\fP command.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B rollbackTimeLimitSecs
+New in version 4.0.
+
+.sp
+\fIType\fP: 64\-bit integer
+.sp
+\fIDefault\fP: 1800
+.sp
+Maximum age of data that will be rolled back in the event of a
+replication operations failure. If the time between the end of the
+rolled back instance oplog and the common point (the last point where
+the source node and the rolled back node had the same data) exceeds
+this value, the rollback will fail. Note that negative values for
+this parameter are not valid.
+.sp
+To set an effectively unlimited rollback period, set the value to
+\fB2147483647\fP which is the maximum value allowed and equivalent to
+roughly 68 years.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B waitForSecondaryBeforeNoopWriteMS
+New in version 3.6.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+\fIType\fP: integer
+.sp
+\fIDefault\fP: 10
+.sp
+The length of time (in milliseconds) that a secondary must wait if
+the \fBafterClusterTime\fP is greater than the last applied time from
+the oplog. After the \fBwaitForSecondaryBeforeNoopWriteMS\fP passes,
+if the \fBafterClusterTime\fP is still greater than the last applied
+time, the secondary makes a no\-op write to advance the last applied
+time.
+.sp
+The following example sets the
+\fI\%waitForSecondaryBeforeNoopWriteMS\fP to 20 seconds:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter waitForSecondaryBeforeNoopWriteMS=20
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+During runtime, you can also set the parameter with the
+\fBsetParameter\fP command:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, waitForSecondaryBeforeNoopWriteMS: 20 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B createRollbackDataFiles
+Available for \fBmongod\fP only.
+.sp
+\fIType\fP: boolean
+.sp
+\fIDefault\fP: true
+.sp
+New in version 4.0.
+
+.sp
+Flag that determines whether MongoDB creates rollback files that contains documents affected during a
+rollback.
+.sp
+By default, \fI\%createRollbackDataFiles\fP is \fBtrue\fP and
+MongoDB creates the rollback files.
+.sp
+The following example sets \fI\%createRollbackDataFiles\fP
+to false so that the rollback files are not created:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter createRollbackDataFiles=false
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+During runtime, you can also set the parameter with the
+\fBsetParameter\fP command:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, createRollbackDataFiles: false } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For more information, see rollback\-data\-files\&.
+.UNINDENT
+.SS Sharding Parameters
+.INDENT 0.0
+.TP
+.B AsyncRequestsSenderUseBaton
+Type: boolean
+.sp
+Default: true
+.sp
+A flag that enables performance optimization on Linux for
+scatter/gather operations on \fBmongos\fP when using a
+single \fI\%Task Executor connection pool\fP\&.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%taskExecutorPoolSize\fP
+.UNINDENT
+.UNINDENT
+.sp
+New in version 4.0.
+
+.UNINDENT
+.INDENT 0.0
+.TP
+.B recoverShardingState
+Available for \fBmongod\fP only.
+.sp
+Specify a boolean to check or ignore sharding state recovery
+information. Default is \fBtrue\fP to check the sharding state
+recovery information.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B replMonitorMaxFailedChecks
+\fIAvailable in MongoDB 3.2 only\fP
+.sp
+Type: integer
+.sp
+Default: 30
+.sp
+The number of times the \fBmongod\fP or \fBmongos\fP
+instance tries to reach the replica sets in the sharded cluster
+(e.g. shard replica sets, config server replica set) to monitor the
+replica set status and topology.
+.sp
+When the number of consecutive unsuccessful attempts exceeds this
+parameter value, the \fBmongod\fP or \fBmongos\fP instance
+denotes the monitored replica set as unavailable. If the monitored
+replica set is the config server replica set:
+.INDENT 7.0
+.IP \(bu 2
+For MongoDB 3.2.0\-3.2.9, the monitoring \fBmongod\fP or
+\fBmongos\fP instance will become unusable and needs to be
+restarted. See the troubleshooting guide for more details.
+.IP \(bu 2
+For MongoDB 3.2.10 and later 3.2\-series, see also
+\fI\%timeOutMonitoringReplicaSets\fP\&.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B timeOutMonitoringReplicaSets
+\fIAvailable in MongoDB 3.2.10 and later 3.2\-series only\fP
+.sp
+Type: integer
+.sp
+Default: false
+.sp
+The flag that determines whether the \fBmongod\fP or
+\fBmongos\fP instance should stop its attempt to reach the
+monitored replica set after unsuccessfully trying
+\fI\%replMonitorMaxFailedChecks\fP number of times.
+.sp
+If the monitored replica set is the config server replica set and
+\fI\%timeOutMonitoringReplicaSets\fP is set to \fBtrue\fP, you
+must restart \fBmongod\fP or \fBmongos\fP if the
+\fBmongod\fP or \fBmongos\fP instance cannot reach any of
+the config servers for the specified number of times. See the
+troubleshooting guide for more details.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ShardingTaskExecutorPoolHostTimeoutMS
+Type: integer
+.sp
+Default: 300000 (i.e. 5 minutes)
+.sp
+Available for \fBmongos\fP only.
+.sp
+Maximum time that \fBmongos\fP goes without communication to a
+host before \fBmongos\fP drops all connections to the host.
+.sp
+You can only set this parameter during start\-up and cannot change
+this setting using the \fBsetParameter\fP database command.
+.sp
+If set, \fI\%ShardingTaskExecutorPoolHostTimeoutMS\fP should be
+greater than the sum of
+:parameter\(gaShardingTaskExecutorPoolRefreshRequirementMS\(ga and
+\fI\%ShardingTaskExecutorPoolRefreshTimeoutMS\fP\&. Otherwise,
+\fBmongos\fP adjusts the value of
+\fI\%ShardingTaskExecutorPoolHostTimeoutMS\fP to be greater than the
+sum.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter ShardingTaskExecutorPoolHostTimeoutMS=120000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ShardingTaskExecutorPoolMaxConnecting
+New in version 3.6.
+
+.sp
+Type: integer
+.sp
+Default: 2
+.sp
+Available for \fBmongos\fP only.
+.sp
+Maximum number of simultaneous initiating connections (including
+pending connections in setup/refresh state) each TaskExecutor
+connection pool can have to a \fBmongod\fP instance. You can
+set this parameter to control the rate at which \fBmongos\fP
+adds connections to a \fBmongod\fP instance.
+.sp
+If set, \fI\%ShardingTaskExecutorPoolMaxConnecting\fP should be
+less than or equal to \fI\%ShardingTaskExecutorPoolMaxSize\fP\&.
+If it is greater, \fBmongos\fP ignores the
+\fI\%ShardingTaskExecutorPoolMaxConnecting\fP value.
+.sp
+You can only set this parameter during start\-up and cannot change
+this setting using the \fBsetParameter\fP database command.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter ShardingTaskExecutorPoolMaxConnecting=20
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ShardingTaskExecutorPoolMaxSize
+Type: integer
+.sp
+Default: 2\s-2\u64\d\s0 \- 1
+.sp
+Available for \fBmongos\fP only.
+.sp
+Maximum number of outbound connections each TaskExecutor connection
+pool can open to any given \fBmongod\fP instance. The maximum
+possible connections to any given host across all TaskExecutor pools
+is:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+ShardingTaskExecutorPoolMaxSize * taskExecutorPoolSize
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can only set this parameter during start\-up and cannot change
+this setting using the \fBsetParameter\fP database command.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter ShardingTaskExecutorPoolMaxSize=4
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBmongos\fP can have up to \fBn\fP TaskExecutor connection
+pools, where \fBn\fP is the number of cores. See
+\fI\%taskExecutorPoolSize\fP\&.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%ShardingTaskExecutorPoolMinSize\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ShardingTaskExecutorPoolMinSize
+Type: integer
+.sp
+Default: 1
+.sp
+Available for \fBmongos\fP only.
+.sp
+Minimum number of outbound connections each TaskExecutor connection
+pool can open to any given \fBmongod\fP instance.
+.sp
+\fBShardingTaskExecutorPoolMinSize\fP connections are created the
+first time a connection to a new host is requested from the pool.
+While the pool is idle, the pool maintains this number of
+connections until \fI\%ShardingTaskExecutorPoolHostTimeoutMS\fP
+milliseconds pass without the any application using that pool.
+.sp
+You can only set this parameter during start\-up and cannot change
+this setting using the \fBsetParameter\fP database command.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter ShardingTaskExecutorPoolMinSize=2
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBmongos\fP can have up to \fBn\fP TaskExecutor connection
+pools, where \fBn\fP is the number of cores. See
+\fI\%taskExecutorPoolSize\fP\&.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%ShardingTaskExecutorPoolMaxSize\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ShardingTaskExecutorPoolRefreshRequirementMS
+Type: integer
+.sp
+Default: 60000 (1 minute)
+.sp
+Available for \fBmongos\fP only.
+.sp
+Maximum time the \fBmongos\fP waits before attempting to
+heartbeat a resting connection in the pool.
+.sp
+You can only set this parameter during start\-up and cannot change
+this setting using the \fBsetParameter\fP database command.
+.sp
+If set, \fI\%ShardingTaskExecutorPoolRefreshRequirementMS\fP should be
+greater than \fI\%ShardingTaskExecutorPoolRefreshTimeoutMS\fP\&.
+Otherwise, \fBmongos\fP adjusts the value of
+\fI\%ShardingTaskExecutorPoolRefreshTimeoutMS\fP to be less than
+\fI\%ShardingTaskExecutorPoolRefreshRequirementMS\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter ShardingTaskExecutorPoolRefreshRequirementMS=90000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B ShardingTaskExecutorPoolRefreshTimeoutMS
+Type: integer
+.sp
+Default: 20000 (20 seconds)
+.sp
+Available for \fBmongos\fP only.
+.sp
+Maximum time the \fBmongos\fP waits for a heartbeat before
+timing out the heartbeat.
+.sp
+You can only set this parameter during start\-up and cannot change
+this setting using the \fBsetParameter\fP database command.
+.sp
+If set, \fI\%ShardingTaskExecutorPoolRefreshTimeoutMS\fP should be
+less than \fI\%ShardingTaskExecutorPoolRefreshRequirementMS\fP\&.
+Otherwise, \fBmongos\fP adjusts the value of
+\fI\%ShardingTaskExecutorPoolRefreshTimeoutMS\fP to be less than
+\fI\%ShardingTaskExecutorPoolRefreshRequirementMS\fP\&.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter ShardingTaskExecutorPoolRefreshTimeoutMS=30000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B taskExecutorPoolSize
+Changed in version 4.0.
+
+.sp
+Type: integer
+.sp
+Default: 1
+.sp
+Available for \fBmongos\fP only.
+.sp
+The number of Task Executor connection pools to use for a given
+\fBmongos\fP\&.
+.sp
+If the parameter value is \fB0\fP or less, the number of Task Executor
+connection pools is the number of cores with the following
+exceptions:
+.INDENT 7.0
+.IP \(bu 2
+If the number of cores is less than 4, the number of Task Executor
+connection pools is 4.
+.IP \(bu 2
+If the number of cores is greater than 64, the number of Task
+Executor connection pools is 64.
+.UNINDENT
+.sp
+Starting in MongoDB 4.0, the default value of
+\fI\%taskExecutorPoolSize\fP is \fB1\fP\&. For the previous
+behavior, set \fI\%taskExecutorPoolSize\fP to 0 and, on Linux,
+set \fI\%AsyncRequestsSenderUseBaton\fP to \fBfalse\fP\&.
+.sp
+You can only set this parameter during start\-up and cannot change
+this setting using the \fBsetParameter\fP database command.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongos \-\-setParameter taskExecutorPoolSize=6
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+\fI\%ShardingTaskExecutorPoolMaxSize\fP
+.IP \(bu 2
+\fI\%ShardingTaskExecutorPoolMinSize\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B orphanCleanupDelaySecs
+New in version 3.6.
+
+.sp
+Default: 900 (15 minutes)
+.sp
+Available for \fBmongod\fP only.
+.sp
+Minimum delay before a migrated chunk is deleted from the source
+shard.
+.sp
+Before deleting the chunk during chunk migration, MongoDB waits for
+\fI\%orphanCleanupDelaySecs\fP or for in\-progress queries involving
+the chunk to complete on the shard primary, whichever is longer.
+.sp
+However, because the shard primary has no knowledge of in\-progress queries
+run on the shard secondaries, queries that use the chunk but are run on
+secondaries may see documents disappear if these queries take longer than
+the time to complete the shard primary queries and the
+\fI\%orphanCleanupDelaySecs\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+This behavior only affects in\-progress queries that start before the
+chunk migration. Queries that start after the chunk migration starts
+will not use the migrating chunk.
+.UNINDENT
+.UNINDENT
+.sp
+If a shard has storage constraints, consider reducing this value
+temporarily. If running queries that exceed 15 minutes on shard
+secondaries, consider increasing this value.
+.sp
+The following sets the \fI\%orphanCleanupDelaySecs\fP to 20 minutes:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter orphanCleanupDelaySecs=1200
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+This may also be set using the \fBsetParameter\fP command:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, orphanCleanupDelaySecs: 1200 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Storage Parameters
+.INDENT 0.0
+.TP
+.B journalCommitInterval
+Available for \fBmongod\fP only.
+.sp
+Specify an integer between \fB1\fP and \fB500\fP signifying the number
+of milliseconds (ms) between journal commits.
+.sp
+Consider the following example which sets the
+\fI\%journalCommitInterval\fP to \fB200\fP ms:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, journalCommitInterval: 200 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBstorage.journal.commitIntervalMs\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B syncdelay
+Available for \fBmongod\fP only.
+.sp
+Specify the interval in seconds between fsync operations
+where \fBmongod\fP flushes its working memory to disk. By
+default, \fBmongod\fP flushes memory to disk every 60
+seconds. In almost every situation you should not set this value
+and use the default setting.
+.sp
+Consider the following example which sets the \fBsyncdelay\fP to
+\fB60\fP seconds:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, syncdelay: 60 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBsyncPeriodSecs\fP and
+\fI\%journalCommitInterval\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B honorSystemUmask
+New in version 3.6.
+
+.sp
+\fIDefault\fP: \fBfalse\fP
+.sp
+If \fI\%honorSystemUmask\fP is set to \fBtrue\fP, new files
+created by MongoDB have permissions in accordance with the
+user’s \fBumask\fP settings.
+.sp
+If \fI\%honorSystemUmask\fP is set to \fBfalse\fP, new files
+created by MongoDB have permissions set to \fB600\fP, which gives
+read and write permissions only to the owner. New directories have
+permissions set to \fB700\fP\&.
+.sp
+You can only set this parameter during start\-up and cannot change
+this setting using the \fBsetParameter\fP database command.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter honorSystemUmask=true
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%honorSystemUmask\fP is not available on Windows systems.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS WiredTiger Parameters
+.INDENT 0.0
+.TP
+.B wiredTigerConcurrentReadTransactions
+New in version 3.0.0.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+Available for the WiredTiger storage engine only.
+.sp
+Specify the maximum number of concurrent read transactions allowed
+into the WiredTiger storage engine.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, wiredTigerConcurrentReadTransactions: <num> } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBwiredTiger.concurrentTransactions\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B wiredTigerConcurrentWriteTransactions
+New in version 3.0.0.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+Available for the WiredTiger storage engine only.
+.sp
+Specify the maximum number of concurrent write transactions allowed
+into the WiredTiger storage engine.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, wiredTigerConcurrentWriteTransactions: <num> } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBwiredTiger.concurrentTransactions\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B wiredTigerEngineRuntimeConfig
+New in version 3.0.0.
+
+.sp
+Available for \fBmongod\fP only.
+.sp
+Specify \fBwiredTiger\fP storage engine configuration options for a
+running \fBmongod\fP instance. You can \fIonly\fP set this
+parameter using the \fBsetParameter\fP command and \fInot\fP
+using the command line or configuration file option.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Avoid modifying the \fI\%wiredTigerEngineRuntimeConfig\fP
+unless under the direction from MongoDB engineers as this setting has
+major implication across both WiredTiger and MongoDB.
+.UNINDENT
+.UNINDENT
+.sp
+Consider the following operation prototype:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand({
+   "setParameter": 1,
+   "wiredTigerEngineRuntimeConfig": "<option>=<setting>,<option>=<setting>"
+})
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+See the WiredTiger documentation for all available \fI\%WiredTiger
+configuration options\fP\&.
+.UNINDENT
+.SS Auditing Parameters
+.INDENT 0.0
+.TP
+.B auditAuthorizationSuccess
+New in version 2.6.5.
+
+.sp
+\fIDefault\fP: \fBfalse\fP
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Available only in \fI\%MongoDB Enterprise\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+Available for both \fBmongod\fP and \fBmongos\fP\&.
+.sp
+Enables the auditing of authorization
+successes for the authCheck
+action.
+.sp
+When \fI\%auditAuthorizationSuccess\fP is \fBfalse\fP, the
+audit system only logs the authorization
+failures for \fBauthCheck\fP\&.
+.sp
+To enable the audit of authorization successes, issue the following
+command:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, auditAuthorizationSuccess: true } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Enabling \fI\%auditAuthorizationSuccess\fP degrades performance
+more than logging only the authorization failures.
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 0.0
+.INDENT 3.5
+\fBgetParameter\fP
+.UNINDENT
+.UNINDENT
+.SS Transaction Parameters
+.INDENT 0.0
+.TP
+.B transactionLifetimeLimitSeconds
+New in version 4.0.
+
+.sp
+\fIDefault\fP: 60
+.sp
+Specifies the lifetime of multi\-document transactions\&. Transactions that exceeds this limit are
+considered expired and will be aborted by a periodic cleanup
+process. The cleanup process runs every
+\fI\%transactionLifetimeLimitSeconds\fP/2 seconds or at least
+once per every 60 seconds.
+.sp
+The minimum value for transactionLifetimeLimitSeconds is \fB1\fP
+second.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand( { setParameter: 1, transactionLifetimeLimitSeconds: 30 } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You can also set parameter \fI\%transactionLifetimeLimitSeconds\fP at
+startup time.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongod \-\-setParameter "transactionLifetimeLimitSeconds=30"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SH AUTHOR
+MongoDB Documentation Project
+.SH COPYRIGHT
+2008-2018
+.\" Generated by docutils manpage writer.
+.
diff --git a/debian/mongodump.1 b/debian/mongodump.1
index fe94bb83f75..e1a3b0ed1ab 100644
--- a/debian/mongodump.1
+++ b/debian/mongodump.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGODUMP" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGODUMP" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongodump \- MongoDB Data Dump Utility
 .
@@ -30,92 +30,160 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Behavior\fP
+.IP \(bu 2
+\fI\%Required Access\fP
+.IP \(bu 2
+\fI\%Options\fP
+.IP \(bu 2
+\fI\%Examples\fP
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.sp
+Users running on Mac OSX Sierra require the 3.2.10 or newer version
+of  mongodump\&.
+.UNINDENT
+.UNINDENT
 .SH SYNOPSIS
 .sp
-\fBmongodump\fP is a utility for creating a binary export of the
-contents of a database. Consider using this utility as part of an
-effective \fBbackup strategy\fP\&. Use
-\fBmongodump\fP in conjunction with \fBmongorestore\fP to
-restore databases.
+\fI\%mongodump\fP is a utility for creating a binary export of the
+contents of a database. \fI\%mongodump\fP can export data from
+either \fBmongod\fP or \fBmongos\fP instances.
 .sp
-\fBmongodump\fP can read data from either \fBmongod\fP or \fBmongos\fP
-instances, in addition to reading directly from MongoDB data files
-without an active \fBmongod\fP\&.
+\fI\%mongodump\fP can be a part of a backup strategy with \fBmongorestore\fP for partial
+backups based on a query, syncing from production to staging or
+development environments, or changing the storage engine of a
+standalone. However, the use of \fI\%mongodump\fP and
+\fBmongorestore\fP as a backup strategy can be problematic for
+sharded clusters and replica sets.
+.sp
+Run \fI\%mongodump\fP from the system command line, not the \fBmongo\fP shell.
+.sp
+For an overview of \fI\%mongodump\fP in conjunction with
+\fBmongorestore\fP part of a backup and recovery strategy, see
+/tutorial/backup\-and\-restore\-tools\&.
 .sp
 \fBSEE ALSO:\fP
 .INDENT 0.0
 .INDENT 3.5
 \fBmongorestore\fP,
-http://docs.mongodb.org/manual/tutorial/backup\-sharded\-cluster\-with\-database\-dumps
-and http://docs.mongodb.org/manual/core/backups\&.
+/tutorial/backup\-sharded\-cluster\-with\-database\-dumps
+and /core/backups\&.
 .UNINDENT
 .UNINDENT
 .SH BEHAVIOR
+.SS Data Exclusion
 .sp
-\fBmongodump\fP does \fInot\fP dump the content of the \fBlocal\fP database.
+\fI\%mongodump\fP excludes the content of the \fBlocal\fP database in its output.
 .sp
-The data format used by \fBmongodump\fP from version 2.2 or
-later is \fIincompatible\fP with earlier versions of \fBmongod\fP\&.
-Do not use recent versions of \fBmongodump\fP to back up older
-data stores.
+\fI\%mongodump\fP only captures the documents in the database in its
+backup data and does not include index data. \fBmongorestore\fP or
+\fBmongod\fP must then rebuild the indexes after restoring data.
+.sp
+Changed in version 3.4: MongoDB 3.4 added support for
+read\-only views\&. By default,
+\fI\%mongodump\fP only captures a view’s metadata: it does not
+create a binary export of the documents included in the view. To
+capture the documents in a view use \fI\%\-\-viewsAsCollections\fP\&.
+
+.SS Read Preference
+.SS Replica Sets
 .sp
-When running \fBmongodump\fP against a \fBmongos\fP instance
-where the \fIsharded cluster\fP consists of \fIreplica sets\fP, the \fIread preference\fP of the operation will prefer reads
-from \fIsecondary\fP members of the set.
+Changed in version 3.2.0: The choice of target or targets for the \fI\%\-\-host\fP
+parameter affects the read preference of \fI\%mongodump\fP
+when connecting to a replica set.
+.INDENT 0.0
+.IP \(bu 2
+If the string passed to \fB\-\-host\fP is prefixed by the replica set name,
+\fI\%mongodump\fP reads from the \fBprimary\fP replica set
+member by default. For example:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-host "replSet/rep1.example.net:27017,rep2.example.net:27017,rep3.example.net:27017"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP \(bu 2
+If the string passed to \fB\-\-host\fP contains a list of
+\fBmongod\fP instances, but does not include the replica set
+name as a prefix to the host string, \fI\%mongodump\fP
+reads from the \fBnearest\fP node by default. For example:
+.INDENT 2.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+\-\-host "rep1.example.net:27017,rep2.example.net:27017,rep3.example.net:27017"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+
+.SS Sharded Clusters
 .sp
-Changed in version 2.2: When used in combination with \fBfsync\fP or
-\fBdb.fsyncLock()\fP, \fBmongod\fP will block
-reads, including those from \fBmongodump\fP, when
-queued write operation waits behind the \fBfsync\fP
-lock. Do not use \fBmongodump\fP with
-\fBdb.fsyncLock()\fP\&.
+Changed in version 3.0.5: For a sharded cluster where the shards are replica sets,
+\fI\%mongodump\fP no longer prefers reads from secondary
+members when run against the \fBmongos\fP instance.
 
 .sp
-\fBmongodump\fP overwrites output files if they exist in the
-backup data folder. Before running the \fBmongodump\fP command
+For sharded clusters, specify the hostname of a \fBmongos\fP
+for the \fB\-\-host\fP option.
+\fI\%mongodump\fP reads from the \fBprimary\fP replica set
+member on each shard replica set in the cluster.
+.sp
+Unsharded collections in a sharded cluster are stored on a
+primary shard\&.
+\fI\%mongodump\fP reads from the primary replica set member on
+the primary shard for any unsharded collections. Note: each
+database has its own primary shard.
+.SS Overwrite Files
+.sp
+\fI\%mongodump\fP overwrites output files if they exist in the
+backup data folder. Before running the \fI\%mongodump\fP command
 multiple times, either ensure that you no longer need the files in the
 output folder (the default is the \fBdump/\fP folder) or rename the
 folders or files.
-.SH REQUIRED ACCESS
-.SS Backup Collections
+.SS Data Compression Handling
 .sp
-To backup all the databases in a cluster via \fBmongodump\fP, you
-should have the \fBbackup\fP role. The \fBbackup\fP role provides
-the required privileges for backing up all databases. The role confers no
-additional access, in keeping with the policy of \fIleast privilege\fP\&.
+When run against a \fBmongod\fP instance that uses the
+WiredTiger storage engine,
+\fI\%mongodump\fP outputs uncompressed data.
+.SS Working Set
 .sp
-To backup a given database, you must have \fBread\fP access on the database.
-Several roles provide this access, including the \fBbackup\fP role.
+\fI\%mongodump\fP can adversely affect performance of the
+\fBmongod\fP\&. If your data is larger than system memory, the
+\fI\%mongodump\fP will push the working set out of memory.
+.SH REQUIRED ACCESS
 .sp
-To backup the \fBsystem.profile\fP
-collection, which is created when you activate \fIdatabase profiling\fP, you must have \fBadditional\fP
-\fBread\fP access on this collection. Several
-roles provide this access, including the \fBclusterAdmin\fP and
-\fBdbAdmin\fP roles.
-.SS Backup Users
+To run \fI\%mongodump\fP against a MongoDB deployment that has
+access control enabled, you must have
+privileges that grant \fBfind\fP action for each database to
+back up. The built\-in \fBbackup\fP role provides the required
+privileges to perform backup of any and all databases.
 .sp
-Changed in version 2.6.
+Changed in version 3.2.1: The \fBbackup\fP role provides additional privileges to back
+up the \fBsystem.profile\fP
+collection that exists when running with database profiling\&. Previously, users required
+\fBread\fP access on this collection.
 
-.sp
-To backup users and \fIuser\-defined roles\fP for a
-given database, you must have access to the \fBadmin\fP database. MongoDB
-stores the user data and role definitions for all databases in the
-\fBadmin\fP database.
-.sp
-Specifically, to backup a given database\(aqs users, you must have the
-\fBfind\fP \fIaction\fP on the \fBadmin\fP
-database\(aqs \fBadmin.system.users\fP collection. The \fBbackup\fP
-and \fBuserAdminAnyDatabase\fP roles both provide this privilege.
-.sp
-To backup the user\-defined roles on a database, you must have the
-\fBfind\fP action on the \fBadmin\fP database\(aqs
-\fBadmin.system.roles\fP collection. Both the \fBbackup\fP and
-\fBuserAdminAnyDatabase\fP roles provide this privilege.
 .SH OPTIONS
 .sp
-Changed in version 3.0.0: \fBmongodump\fP removed the \fB\-\-dbpath\fP as well as related
-\fB\-\-directoryperdb\fP and \fB\-\-journal\fP options. You must use
-\fBmongodump\fP while connected to a \fBmongod\fP instance.
+Changed in version 3.0.0: \fI\%mongodump\fP removed the \fB\-\-dbpath\fP as well as related
+\fB\-\-directoryperdb\fP and \fB\-\-journal\fP options. To use
+\fI\%mongodump\fP, you must run \fI\%mongodump\fP against a running
+\fBmongod\fP or \fBmongos\fP instance as appropriate.
 
 .INDENT 0.0
 .TP
@@ -123,10 +191,6 @@ Changed in version 3.0.0: \fBmongodump\fP removed the \fB\-\-dbpath\fP as well a
 .UNINDENT
 .INDENT 0.0
 .TP
-.B mongodump
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-help
 Returns information on the options and use of \fBmongodump\fP\&.
 .UNINDENT
@@ -140,13 +204,13 @@ including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .INDENT 0.0
 .TP
 .B \-\-quiet
-Runs the \fBmongodump\fP in a quiet mode that attempts to limit the amount
+Runs \fBmongodump\fP in a quiet mode that attempts to limit the amount
 of output.
 .sp
 This option suppresses:
 .INDENT 7.0
 .IP \(bu 2
-output from \fIdatabase commands\fP
+output from database commands
 .IP \(bu 2
 replication activity
 .IP \(bu 2
@@ -162,6 +226,60 @@ Returns the \fBmongodump\fP release number.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-uri <connectionString>
+New in version 3.4.6.
+
+.sp
+Specify a resolvable URI
+connection string for the \fBmongod\fP to which to
+connect.
+.sp
+The following is the standard
+URI connection scheme:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For detailed explanations of the components of this string, refer to
+the
+Connection String URI Format
+documentation.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+The following \fI\%mongodump\fP options are incompatible with the
+\fB\-\-uri\fP option. Instead, specify these options as part of your
+\fB\-\-uri\fP connection string when applicable:
+.INDENT 0.0
+.IP \(bu 2
+\fB\-\-host\fP
+.IP \(bu 2
+\fB\-\-port\fP
+.IP \(bu 2
+\fB\-\-db\fP
+.IP \(bu 2
+\fB\-\-username\fP
+.IP \(bu 2
+\fB\-\-password\fP (when specifying the password as part of the
+URI connection string)
+.IP \(bu 2
+\fB\-\-authenticationDatabase\fP
+.IP \(bu 2
+\fB\-\-authenticationMechanism\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-host <hostname><:port>, \-h <hostname><:port>
 \fIDefault\fP: localhost:27017
 .sp
@@ -202,9 +320,12 @@ client connections.
 .INDENT 0.0
 .TP
 .B \-\-ipv6
-Enables IPv6 support and allows the \fBmongodump\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+\fIRemoved in version 3.0.\fP
+.sp
+Enables IPv6 support and allows \fBmongodump\fP to connect to the
+MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you
+had to specify \fI\%\-\-ipv6\fP to use IPv6. In MongoDB 3.0 and later, IPv6
+is always enabled.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -213,10 +334,11 @@ New in version 2.6.
 
 .sp
 Enables connection to a \fBmongod\fP or \fBmongos\fP that has
-SSL support enabled.
+TLS/SSL support enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -228,23 +350,32 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
 \fBWARNING:\fP
 .INDENT 7.0
 .INDENT 3.5
-If the \fBmongo\fP shell or any other tool that connects to
-\fBmongos\fP or \fBmongod\fP is run without
-\fI\-\-sslCAFile\fP, it will not attempt to validate
-server certificates. This results in vulnerability to expired
-\fBmongod\fP and \fBmongos\fP certificates as well as to foreign
-processes posing as valid \fBmongod\fP or \fBmongos\fP
-instances. Ensure that you \fIalways\fP specify the CA file against which
-server certificates should be validated in cases where intrusion is a
-possibility.
+\fBVersion 3.2 and earlier:\fP For TLS/SSL connections (\fB\-\-ssl\fP) to
+\fBmongod\fP and \fBmongos\fP, if the \fBmongodump\fP runs without the
+\fI\%\-\-sslCAFile\fP, \fBmongodump\fP will not attempt
+to validate the server certificates. This creates a vulnerability
+to expired \fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid \fBmongod\fP or
+\fBmongos\fP instances. Ensure that you \fIalways\fP specify the
+CA file to validate the server certificates in cases where
+intrusion is a possibility.
 .UNINDENT
 .UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -252,17 +383,18 @@ possibility.
 New in version 2.6.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
-This option is required when using the \fI\-\-ssl\fP option to connect
+This option is required when using the \fI\%\-\-ssl\fP option to connect
 to a \fBmongod\fP or \fBmongos\fP that has
 \fBCAFile\fP enabled \fIwithout\fP
 \fBallowConnectionsWithoutCertificates\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -271,16 +403,17 @@ New in version 2.6.
 
 .sp
 Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
 certificate\-key file is encrypted. In all cases, the \fBmongodump\fP will
 redact the password from all logging and reporting output.
 .sp
 If the private key in the PEM file is encrypted and you do not specify
-the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongodump\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongodump\fP will prompt for a passphrase. See
+ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -292,8 +425,9 @@ Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -306,8 +440,36 @@ the use of invalid certificates. When using the
 \fBallowInvalidCertificates\fP setting, MongoDB logs as a
 warning the use of the invalid certificate.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL connections to \fBmongod\fP and
+\fBmongos\fP, avoid using
+\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
+\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
+not possible.
+.sp
+If the \fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) runs with the
+\fB\-\-sslAllowInvalidCertificates\fP option, the
+\fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) will not attempt to validate
+the server certificates. This creates a vulnerability to expired
+\fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid
+\fBmongod\fP or \fBmongos\fP instances.
+.UNINDENT
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -315,9 +477,13 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates. Allows
-\fBmongodump\fP to connect to MongoDB instances if the hostname their
+Disables the validation of the hostnames in TLS/SSL certificates. Allows
+\fBmongodump\fP to connect to MongoDB instances even if the hostname in their
 certificates do not match the specified hostname.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -327,14 +493,14 @@ New in version 2.6.
 .sp
 Directs the \fBmongodump\fP to use the FIPS mode of the installed OpenSSL
 library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+the \fI\%\-\-sslFIPSMode\fP option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -352,29 +518,43 @@ Specifies a password with which to authenticate to a MongoDB database
 that uses authentication. Use in conjunction with the \fB\-\-username\fP and
 \fB\-\-authenticationDatabase\fP options.
 .sp
-If you do not specify an argument for \fI\-\-password\fP, \fBmongodump\fP will
-prompt interactively for a password on the console.
+Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongodump\fP returns
+an error.
+
+.sp
+Changed in version 3.0.2: If you wish \fBmongodump\fP to prompt the user
+for the password, pass the \fI\%\-\-username\fP option without
+\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
+as in \fB\-\-password ""\fP .
+
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationDatabase <dbname>
+Specifies the database in which the user is created.
+See user\-authentication\-database\&.
+.sp
 If you do not specify an authentication database, \fBmongodump\fP
-assumes that the database specified to export holds the user\(aqs credentials.
+assumes that the database specified to export holds the user’s credentials.
+.sp
+If you do not specify an authentication database or a database to
+export, \fBmongodump\fP assumes the \fBadmin\fP database holds the user’s
+credentials.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationMechanism <name>
-\fIDefault\fP: MONGODB\-CR
-.sp
-New in version 2.4.
-
-.sp
-Changed in version 2.6: Added support for the \fBPLAIN\fP and \fBMONGODB\-X509\fP authentication
-mechanisms.
-
+\fIDefault\fP: SCRAM\-SHA\-1
 .sp
 Specifies the authentication mechanism the \fBmongodump\fP instance uses to
 authenticate to the \fBmongod\fP or \fBmongos\fP\&.
+.sp
+Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
+Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
+.sp
+MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
+function (\fBSCRAM\-SHA\-256\fP).
+
 .TS
 center;
 |l|l|.
@@ -386,33 +566,47 @@ Description
 T}
 _
 T{
-MONGODB\-CR
+SCRAM\-SHA\-1
 T}	T{
-MongoDB challenge/response authentication.
+\fI\%RFC 5802\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-1
+hash function.
 T}
 _
 T{
-MONGODB\-X509
+SCRAM\-SHA\-256
 T}	T{
-MongoDB SSL certificate authentication.
+\fI\%RFC 7677\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-256
+hash function.
+.sp
+Requires featureCompatibilityVersion set to \fB4.0\fP\&.
+.sp
+New in version 4.0.
 T}
 _
 T{
-PLAIN
+MONGODB\-X509
 T}	T{
-External authentication using LDAP. You can also use \fBPLAIN\fP
-for authenticating in\-database users. \fBPLAIN\fP transmits
-passwords in plain text. This mechanism is available only in
-\fI\%MongoDB Enterprise\fP\&.
+MongoDB TLS/SSL certificate authentication.
 T}
 _
 T{
-GSSAPI
+GSSAPI (Kerberos)
 T}	T{
 External authentication using Kerberos. This mechanism is
 available only in \fI\%MongoDB Enterprise\fP\&.
 T}
 _
+T{
+PLAIN (LDAP SASL)
+T}	T{
+External authentication using LDAP. You can also use \fBPLAIN\fP
+for authenticating in\-database users. \fBPLAIN\fP transmits
+passwords in plain text. This mechanism is available only in
+\fI\%MongoDB Enterprise\fP\&.
+T}
+_
 .TE
 .UNINDENT
 .INDENT 0.0
@@ -421,7 +615,7 @@ _
 New in version 2.6.
 
 .sp
-Specify the name of the service using \fBGSSAPI/Kerberos\fP\&. Only required if the service does not use the
+Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
 default name of \fBmongodb\fP\&.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -432,7 +626,7 @@ This option is available only in MongoDB Enterprise.
 New in version 2.6.
 
 .sp
-Specify the hostname of a service using \fBGSSAPI/Kerberos\fP\&. \fIOnly\fP required if the hostname of a machine does
+Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
 not match the hostname resolved by DNS.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -441,7 +635,7 @@ This option is available only in MongoDB Enterprise.
 .TP
 .B \-\-db <database>, \-d <database>
 Specifies a database to backup. If you do not specify a database,
-\fBmongodump\fP copies all databases in this instance into the dump
+\fI\%mongodump\fP copies all databases in this instance into the dump
 files.
 .UNINDENT
 .INDENT 0.0
@@ -454,18 +648,57 @@ to the dump files.
 .INDENT 0.0
 .TP
 .B \-\-query <json>, \-q <json>
-Provides a \fIJSON document\fP as a query that optionally limits the
-documents included in the output of \fBmongodump\fP\&.
+Provides a JSON document as a query that optionally limits the
+documents included in the output of \fI\%mongodump\fP\&.
+.sp
+You must enclose the query in single quotes (e.g. \fB\(aq\fP) to ensure that it does
+not interact with your shell environment.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-queryFile <path>
+New in version 3.2.
+
+.sp
+Specifies the path to a file containing a JSON document as a query
+filter that limits the documents included in the output of
+\fI\%mongodump\fP\&. \fI\%\-\-queryFile\fP enables you to create query filters that
+are too large to fit in your terminal’s buffer.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-readPreference <string>
+Specify the read preference for
+\fBmongodump\fP\&.
+.sp
+See replica\-set\-read\-preference\-modes\&.
+.sp
+\fBmongodump\fP defaults to \fBprimary\fP
+read preference when connected to a
+\fBmongos\fP or a replica set\&.
+.sp
+Otherwise, \fBmongodump\fP defaults to \fBnearest\fP\&.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Using a read preference other than
+\fBprimary\fP with a connection to a \fBmongos\fP may produce
+inconsistencies, duplicates, or result in missed documents.
+.UNINDENT
+.UNINDENT
+.sp
+See \fI\%Read Preference\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-forceTableScan
-Forces \fBmongodump\fP to scan the data store directly: typically,
-\fBmongodump\fP saves entries as they appear in the index of
-the \fB_id\fP field. If you specify a query \fI\-\-query\fP,
+Forces \fI\%mongodump\fP to scan the data store directly: typically,
+\fI\%mongodump\fP saves entries as they appear in the index of
+the \fB_id\fP field. If you specify a query \fI\%\-\-query\fP,
 \fBmongodump\fP will use the most appropriate index to support that query.
 .sp
-Use \fI\-\-forceTableScan\fP to skip the index and scan the data directly. Typically
+Use \fI\%\-\-forceTableScan\fP to skip the index and scan the data directly. Typically
 there are two cases where this behavior is preferable to the
 default:
 .INDENT 7.0
@@ -476,114 +709,203 @@ If you have key sizes over 800 bytes that would not be present in the
 Your database uses a custom \fB_id\fP field.
 .UNINDENT
 .sp
-When you run with \fI\-\-forceTableScan\fP, \fBmongodump\fP does
-not use \fB$snapshot\fP\&. As a result, the dump produced by
-\fBmongodump\fP can reflect the state of the database at many
+When you run with \fI\%\-\-forceTableScan\fP, the dump produced by
+\fI\%mongodump\fP can reflect the state of the database at many
 different points in time.
 .sp
 \fBIMPORTANT:\fP
 .INDENT 7.0
 .INDENT 3.5
-Use \fI\-\-forceTableScan\fP with extreme caution and
+Use \fI\%\-\-forceTableScan\fP with extreme caution and
 consideration.
 .UNINDENT
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-gzip
+New in version 3.2.
+
+.sp
+Compresses the output. If \fI\%mongodump\fP outputs to the dump
+directory, the new feature compresses the individual files. The files
+have the suffix \fB\&.gz\fP\&.
+.sp
+If \fI\%mongodump\fP outputs to an archive file or the standard
+out stream, the new feature compresses the archive file or the data
+output to the stream.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-out <path>, \-o <path>
-Specifies the directory where \fBmongodump\fP will write
-\fIBSON\fP files for the dumped databases. By default,
-\fBmongodump\fP saves output files in a directory named
+Specifies the directory where \fI\%mongodump\fP will write
+BSON files for the dumped databases. By default,
+\fI\%mongodump\fP saves output files in a directory named
 \fBdump\fP in the current working directory.
 .sp
-To send the database dump to standard output, specify "\fB\-\fP" instead of
+To send the database dump to standard output, specify “\fB\-\fP” instead of
 a path. Write to standard output if you want process the output before
 saving it, such as to use \fBgzip\fP to compress the dump. When writing
-standard output, \fBmongodump\fP does not write the metadata that
+standard output, \fI\%mongodump\fP does not write the metadata that
 writes in a \fB<dbname>.metadata.json\fP file when writing to files
 directly.
+.sp
+You cannot use the \fB\-\-archive\fP option with the
+\fI\%\-\-out\fP option.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-archive <file or null>
+New in version 3.2.
+
+.sp
+Writes the output to a single archive file or to the standard output
+(\fBstdout\fP).
+.sp
+To output the dump to an archive file, run \fI\%mongodump\fP with the new
+\fB\-\-archive\fP option and the archive filename.
+.sp
+To output the dump to the standard output stream in order to pipe to
+another process, run \fI\%mongodump\fP with the \fBarchive\fP option
+but \fIomit\fP the filename.
+.sp
+You cannot use the \fB\-\-archive\fP option with the
+\fI\%\-\-out\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-repair
-Runs a repair option in addition to dumping the
-database. The repair option changes the behavior of \fBmongodump\fP to
-only write valid data and exclude data that may be in
-an invalid state as a result of an improper shutdown or
-\fBmongod\fP crash.
+.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+When repairing a database, you should use \fBmongod \-\-repair\fP
+rather than this option. For instructions on repairing a database,
+refer to
+/tutorial/recover\-data\-following\-unexpected\-shutdown\&.
+.UNINDENT
+.UNINDENT
 .sp
-The \fI\%\-\-repair\fP option uses aggressive data\-recovery algorithms
-that may produce a large amount of duplication.
+Changes the behavior of \fBmongodump\fP to only write valid data and
+exclude data that may be in an invalid state as a result of an
+improper shutdown or \fBmongod\fP crash.
 .sp
-\fI\%\-\-repair\fP is only available for use with \fBmongod\fP
-instances using the \fBmmapv1\fP storage engine. You cannot run
-\fI\%\-\-repair\fP with \fBmongos\fP or with \fBmongod\fP instances
-that use the \fBwiredTiger\fP storage engine. To repair data in a
-\fBmongod\fP instance using \fBwiredTiger\fP use
-\fImongod \-\-repair\fP\&.
+\fI\%\-\-repair\fP is different from \fBmongod \-\-repair\fP, and may produce
+a large amount of duplicate documents. It is only available for use
+against \fBmongod\fP instances using the \fBmmapv1\fP storage
+engine. You cannot run \fI\%\-\-repair\fP against \fBmongos\fP, or against
+\fBmongod\fP instances that use the \fBwiredTiger\fP storage
+engine.
+.sp
+For instructions on repairing a database, refer to
+/tutorial/recover\-data\-following\-unexpected\-shutdown\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-oplog
-Ensures that \fBmongodump\fP creates a dump of
-the database that includes a partial \fIoplog\fP containing operations
-from the duration of the \fBmongodump\fP operation. This oplog
-produces an effective point\-in\-time snapshot of the state of a
+Creates a file named \fBoplog.bson\fP as part of the
+\fI\%mongodump\fP output. The \fBoplog.bson\fP file, located in
+the top level of the output directory, contains oplog entries that
+occur during the \fI\%mongodump\fP operation. This file provides
+an effective point\-in\-time snapshot of the state of a
 \fBmongod\fP instance. To restore to a specific point\-in\-time
 backup, use the output created with this option in conjunction with
-\fImongorestore \-\-oplogReplay\fP\&.
+\fBmongorestore \-\-oplogReplay\fP\&.
 .sp
 Without \fI\%\-\-oplog\fP, if there are write operations during the dump
 operation, the dump will not reflect a single moment in time. Changes
 made to the database during the update process can affect the output of
 the backup.
 .sp
-\fI\%\-\-oplog\fP has no effect when running \fBmongodump\fP
+\fI\%\-\-oplog\fP has no effect when running \fI\%mongodump\fP
 against a \fBmongos\fP instance to dump the entire contents of a
 sharded cluster. However, you can use \fI\%\-\-oplog\fP to dump
 individual shards.
 .sp
 \fI\%\-\-oplog\fP only works against nodes that maintain an
-\fIoplog\fP\&. This includes all members of a replica set, as well as
-\fImaster\fP nodes in master/slave replication deployments.
+oplog\&. This includes all members of a replica set.
 .sp
 \fI\%\-\-oplog\fP does not dump the oplog collection.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+To use \fI\%mongodump\fP with \fI\%\-\-oplog\fP, you must create a full dump of
+a replica set member. \fI\%mongodump\fP with  \fI\%\-\-oplog\fP fails
+if you use any of the following options to limit the data to be dumped:
+.INDENT 0.0
+.IP \(bu 2
+\fI\%\-\-db\fP
+.IP \(bu 2
+\fI\%\-\-collection\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBmongorestore \-\-oplogReplay\fP
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-dumpDbUsersAndRoles
-Includes user and role definitions when performing \fBmongodump\fP
-on a specific database. This option applies only when you specify a
-database in the \fI\-\-db\fP option. MongoDB always includes user and
-role definitions when \fBmongodump\fP applies to an entire instance
+Includes user and role definitions in the database’s dump directory
+when performing \fI\%mongodump\fP on a specific database. This
+option applies only when you specify a database in the
+\fI\%\-\-db\fP option. MongoDB always includes user and role
+definitions when \fI\%mongodump\fP applies to an entire instance
 and not just a specific database.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-excludeCollection array of strings
-New in version 3.0.0.
+.B \-\-excludeCollection string
+New in version 3.0.
 
 .sp
-Specifies collections to exclude from the output of \fBmongodump\fP output.
+Excludes the specified collection from the \fBmongodump\fP output.
+To exclude multiple collections, specify the \fI\%\-\-excludeCollection\fP multiple times.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-excludeCollectionsWithPrefix array of strings
-New in version 3.0.0.
+.B \-\-excludeCollectionsWithPrefix string
+New in version 3.0.
 
 .sp
-Excludes all collections from the output of \fBmongodump\fP with a specified prefix.
+Excludes all collections with a specified prefix from the \fBmongodump\fP
+outputs. To specify multiple prefixes, specify the \fI\%\-\-excludeCollectionsWithPrefix\fP multiple
+times.
 .UNINDENT
-.SH USE
+.INDENT 0.0
+.TP
+.B \-\-numParallelCollections int, \-j int
+\fIDefault\fP: 4
 .sp
-See the http://docs.mongodb.org/manual/tutorial/backup\-with\-mongodump
-for a larger overview of \fBmongodump\fP usage. Also see the
-\fBmongorestore\fP document for an overview of the
-\fBmongorestore\fP, which provides the related inverse
-functionality.
+Number of collections \fBmongodump\fP should export
+in parallel.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-viewsAsCollections
+New in version 3.4.
+
+.sp
+When specified, \fBmongodump\fP exports read\-only views as collections. For each view, \fBmongodump\fP will
+produce a BSON file containing the documents in the view. If you
+\fBmongorestore\fP the produced BSON file, the view will be
+restored as a collection\&.
 .sp
-The following command creates a dump file that contains only the
+If you do \fInot\fP include \fI\%\-\-viewsAsCollections\fP,
+\fBmongodump\fP captures each view’s metadata. If you include a
+view’s metadata file in a \fBmongorestore\fP operation, the view
+is recreated.
+.UNINDENT
+.SH EXAMPLES
+.SS \fBmongodump\fP a Collection
+.sp
+The following operation creates a dump file that contains only the
 collection named \fBcollection\fP in the database named \fBtest\fP\&. In
 this case the database is running on the local interface on port
 \fB27017\fP:
@@ -597,8 +919,23 @@ mongodump  \-\-db test \-\-collection collection
 .fi
 .UNINDENT
 .UNINDENT
+.SS \fBmongodump\fP a Database Excluding Specified Collections
+.sp
+The following operation dumps all collections in the \fBtest\fP database
+except for \fBusers\fP and \fBsalaries\fP:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump  \-\-db test \-\-excludeCollection=users \-\-excludeCollection=salaries
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS \fBmongodump\fP with Access Control
 .sp
-In the next example, \fBmongodump\fP creates a database dump
+In the next example, \fI\%mongodump\fP creates a database dump
 located at \fB/opt/backup/mongodump\-2011\-10\-24\fP, from a database
 running on port \fB37017\fP on the host \fBmongodb1.example.net\fP and
 authenticating using the username \fBuser\fP and the password
@@ -608,7 +945,82 @@ authenticating using the username \fBuser\fP and the password
 .sp
 .nf
 .ft C
-mongodump \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password pass \-\-out /opt/backup/mongodump\-2011\-10\-24
+mongodump \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password "pass" \-\-out /opt/backup/mongodump\-2011\-10\-24
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Output to an Archive File
+.sp
+New in version 3.2.
+
+.sp
+To output the dump to an archive file, run \fI\%mongodump\fP with the
+\fB\-\-archive\fP option and the archive filename. For example, the following
+operation creates a file \fBtest.20150715.archive\fP that contains the dump
+of the \fBtest\fP database.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-archive=test.20150715.archive \-\-db test
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Output an Archive to Standard Output
+.sp
+New in version 3.2.
+
+.sp
+To output the archive to the standard output stream in order to pipe to
+another process, run \fI\%mongodump\fP with the \fBarchive\fP
+option but \fIomit\fP the filename:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-archive \-\-db test \-\-port 27017 | mongorestore \-\-archive \-\-port 27018
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+You cannot use the \fB\-\-archive\fP option with the
+\fI\%\-\-out\fP option.
+.UNINDENT
+.UNINDENT
+.SS Compress the Output
+.sp
+To compress the files in the output dump directory, run
+\fI\%mongodump\fP with the new \fB\-\-gzip\fP option. For example,
+the following operation outputs compressed files into the default
+\fBdump\fP directory.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-gzip \-\-db test
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+To compress the archive file output by \fI\%mongodump\fP, use the
+\fB\-\-gzip\fP option in conjunction with the \fI\%\-\-archive\fP
+option, specifying the name of the compressed file.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-archive=test.20150715.gz \-\-gzip \-\-db test
 .ft P
 .fi
 .UNINDENT
@@ -616,6 +1028,6 @@ mongodump \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-pas
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongoexport.1 b/debian/mongoexport.1
index e74a5124d4b..80decfae323 100644
--- a/debian/mongoexport.1
+++ b/debian/mongoexport.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGOEXPORT" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGOEXPORT" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongoexport \- MongoDB Export Utility
 .
@@ -30,30 +30,142 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Considerations\fP
+.IP \(bu 2
+\fI\%Required Access\fP
+.IP \(bu 2
+\fI\%Read Preference\fP
+.IP \(bu 2
+\fI\%Options\fP
+.IP \(bu 2
+\fI\%Use\fP
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.sp
+Users running on Mac OSX Sierra require the 3.2.10 or newer version
+of  mongoexport\&.
+.UNINDENT
+.UNINDENT
 .SH SYNOPSIS
 .sp
-\fBmongoexport\fP is a utility that produces a JSON or CSV export
-of data stored in a MongoDB instance. See the
-http://docs.mongodb.org/manual/core/import\-export document for a more in depth
-usage overview, and the \fBmongoimport\fP document for more
+\fI\%mongoexport\fP is a utility that produces a JSON or CSV export
+of data stored in a MongoDB instance.
+.sp
+See the mongoimport document for more
 information regarding the \fBmongoimport\fP utility, which
-provides the inverse "importing" capability.
+provides the inverse “importing” capability.
+.sp
+Run \fI\%mongoexport\fP from the system command line, not the \fBmongo\fP shell.
 .SH CONSIDERATIONS
 .sp
-Do not use \fBmongoimport\fP and \fBmongoexport\fP for
-full\-scale production backups because they may not reliably capture
-data type information. Use \fBmongodump\fP and
-\fBmongorestore\fP as described in http://docs.mongodb.org/manual/core/backups for this
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+Avoid using \fBmongoimport\fP and \fI\%mongoexport\fP for
+full instance production backups. They do not reliably preserve all rich
+BSON data types, because JSON can only represent a subset
+of the types supported by BSON. Use \fBmongodump\fP
+and \fBmongorestore\fP as described in /core/backups for this
 kind of functionality.
+.UNINDENT
+.UNINDENT
+.sp
+\fI\%mongoexport\fP must be run directly from the system command line.
+.sp
+To preserve type information, \fI\%mongoexport\fP and \fBmongoimport\fP
+uses the strict mode representation
+for certain types.
+.sp
+For example, the following insert operation in the \fBmongo\fP
+shell uses the shell mode representation for the BSON types
+\fBdata_date\fP and \fBdata_numberlong\fP:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+use test
+db.traffic.insert( { _id: 1, volume: NumberLong(\(aq2980000\(aq), date: new Date() } )
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The argument to \fBdata_numberlong\fP must be quoted to avoid potential
+loss of accuracy.
+.sp
+Use \fI\%mongoexport\fP to export the data:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-db test \-\-collection traffic \-\-out traffic.json
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The exported data is in strict mode representation to preserve type information:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+{ "_id" : 1, "volume" : { "$numberLong" : "2980000" }, "date" : { "$date" : "2014\-03\-13T13:47:42.483\-0400" } }
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+See /reference/mongodb\-extended\-json for a complete list of
+these types and the representations used.
+.SH REQUIRED ACCESS
+.sp
+\fI\%mongoexport\fP requires read access on the target database.
+.sp
+Ensure that the connecting user possesses, at a minimum, the \fBread\fP
+role on the target database.
+.sp
+When connecting to a \fBmongod\fP or \fBmongos\fP that enforces
+/core/authentication, ensure you use the required security
+parameters based on the configured
+authentication mechanism\&.
+.SH READ PREFERENCE
+.sp
+\fI\%mongoexport\fP defaults to \fBprimary\fP read
+preference when connected to a \fBmongos\fP
+or a replica set\&.
+.sp
+You can override the default read preference using the
+\fI\%\-\-readPreference\fP option.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 0.0
+.INDENT 3.5
+Using a non\-primary read preference on a \fBmongos\fP may
+produce inconsistencies in data, including duplicates or missing
+documents.
+.UNINDENT
+.UNINDENT
 .SH OPTIONS
 .sp
-Changed in version 3.0.0: \fBmongoexport\fP removed the \fB\-\-dbpath\fP as well as related
-\fB\-\-directoryperdb\fP and \fB\-\-journal\fP options. You must use
-\fBmongoexport\fP while connected to a \fBmongod\fP instance.
+Changed in version 3.0.0: \fI\%mongoexport\fP removed the \fB\-\-dbpath\fP as well as related
+\fB\-\-directoryperdb\fP and \fB\-\-journal\fP options. To use
+\fI\%mongoexport\fP, you must run \fI\%mongoexport\fP against a running
+\fBmongod\fP or \fBmongos\fP instance as appropriate.
 
 .sp
-Changed in version 3.0.0: \fBmongoexport\fP also removed support for writing data to
-\fBtsv\fP files with the \fB\-\-tsv\fP option.
+Changed in version 3.0.0: \fI\%mongoexport\fP removed the \fB\-\-csv\fP option. Use the
+\fI\%\-\-type=csv\fP option to specify CSV format
+for the output.
 
 .INDENT 0.0
 .TP
@@ -61,10 +173,6 @@ Changed in version 3.0.0: \fBmongoexport\fP also removed support for writing dat
 .UNINDENT
 .INDENT 0.0
 .TP
-.B mongoexport
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-help
 Returns information on the options and use of \fBmongoexport\fP\&.
 .UNINDENT
@@ -78,13 +186,13 @@ including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .INDENT 0.0
 .TP
 .B \-\-quiet
-Runs the \fBmongoexport\fP in a quiet mode that attempts to limit the amount
+Runs \fBmongoexport\fP in a quiet mode that attempts to limit the amount
 of output.
 .sp
 This option suppresses:
 .INDENT 7.0
 .IP \(bu 2
-output from \fIdatabase commands\fP
+output from database commands
 .IP \(bu 2
 replication activity
 .IP \(bu 2
@@ -100,6 +208,60 @@ Returns the \fBmongoexport\fP release number.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-uri <connectionString>
+New in version 3.4.6.
+
+.sp
+Specify a resolvable URI
+connection string for the \fBmongod\fP to which to
+connect.
+.sp
+The following is the standard
+URI connection scheme:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For detailed explanations of the components of this string, refer to
+the
+Connection String URI Format
+documentation.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+The following \fI\%mongoexport\fP options are incompatible with the
+\fB\-\-uri\fP option. Instead, specify these options as part of your
+\fB\-\-uri\fP connection string when applicable:
+.INDENT 0.0
+.IP \(bu 2
+\fB\-\-host\fP
+.IP \(bu 2
+\fB\-\-port\fP
+.IP \(bu 2
+\fB\-\-db\fP
+.IP \(bu 2
+\fB\-\-username\fP
+.IP \(bu 2
+\fB\-\-password\fP (when specifying the password as part of the
+URI connection string)
+.IP \(bu 2
+\fB\-\-authenticationDatabase\fP
+.IP \(bu 2
+\fB\-\-authenticationMechanism\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-host <hostname><:port>, \-h <hostname><:port>
 \fIDefault\fP: localhost:27017
 .sp
@@ -140,9 +302,12 @@ client connections.
 .INDENT 0.0
 .TP
 .B \-\-ipv6
-Enables IPv6 support and allows the \fBmongoexport\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+\fIRemoved in version 3.0.\fP
+.sp
+Enables IPv6 support and allows \fBmongoexport\fP to connect to the
+MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you
+had to specify \fI\%\-\-ipv6\fP to use IPv6. In MongoDB 3.0 and later, IPv6
+is always enabled.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -151,10 +316,11 @@ New in version 2.6.
 
 .sp
 Enables connection to a \fBmongod\fP or \fBmongos\fP that has
-SSL support enabled.
+TLS/SSL support enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -166,23 +332,32 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
 \fBWARNING:\fP
 .INDENT 7.0
 .INDENT 3.5
-If the \fBmongo\fP shell or any other tool that connects to
-\fBmongos\fP or \fBmongod\fP is run without
-\fI\-\-sslCAFile\fP, it will not attempt to validate
-server certificates. This results in vulnerability to expired
-\fBmongod\fP and \fBmongos\fP certificates as well as to foreign
-processes posing as valid \fBmongod\fP or \fBmongos\fP
-instances. Ensure that you \fIalways\fP specify the CA file against which
-server certificates should be validated in cases where intrusion is a
-possibility.
+\fBVersion 3.2 and earlier:\fP For TLS/SSL connections (\fB\-\-ssl\fP) to
+\fBmongod\fP and \fBmongos\fP, if the \fBmongoexport\fP runs without the
+\fI\%\-\-sslCAFile\fP, \fBmongoexport\fP will not attempt
+to validate the server certificates. This creates a vulnerability
+to expired \fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid \fBmongod\fP or
+\fBmongos\fP instances. Ensure that you \fIalways\fP specify the
+CA file to validate the server certificates in cases where
+intrusion is a possibility.
 .UNINDENT
 .UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -190,17 +365,18 @@ possibility.
 New in version 2.6.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
-This option is required when using the \fI\-\-ssl\fP option to connect
+This option is required when using the \fI\%\-\-ssl\fP option to connect
 to a \fBmongod\fP or \fBmongos\fP that has
 \fBCAFile\fP enabled \fIwithout\fP
 \fBallowConnectionsWithoutCertificates\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -209,16 +385,17 @@ New in version 2.6.
 
 .sp
 Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
 certificate\-key file is encrypted. In all cases, the \fBmongoexport\fP will
 redact the password from all logging and reporting output.
 .sp
 If the private key in the PEM file is encrypted and you do not specify
-the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongoexport\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongoexport\fP will prompt for a passphrase. See
+ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -230,8 +407,9 @@ Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -244,8 +422,36 @@ the use of invalid certificates. When using the
 \fBallowInvalidCertificates\fP setting, MongoDB logs as a
 warning the use of the invalid certificate.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL connections to \fBmongod\fP and
+\fBmongos\fP, avoid using
+\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
+\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
+not possible.
+.sp
+If the \fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) runs with the
+\fB\-\-sslAllowInvalidCertificates\fP option, the
+\fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) will not attempt to validate
+the server certificates. This creates a vulnerability to expired
+\fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid
+\fBmongod\fP or \fBmongos\fP instances.
+.UNINDENT
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -253,9 +459,13 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates. Allows
-\fBmongoexport\fP to connect to MongoDB instances if the hostname their
+Disables the validation of the hostnames in TLS/SSL certificates. Allows
+\fBmongoexport\fP to connect to MongoDB instances even if the hostname in their
 certificates do not match the specified hostname.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -265,14 +475,14 @@ New in version 2.6.
 .sp
 Directs the \fBmongoexport\fP to use the FIPS mode of the installed OpenSSL
 library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+the \fI\%\-\-sslFIPSMode\fP option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -290,29 +500,39 @@ Specifies a password with which to authenticate to a MongoDB database
 that uses authentication. Use in conjunction with the \fB\-\-username\fP and
 \fB\-\-authenticationDatabase\fP options.
 .sp
-If you do not specify an argument for \fI\-\-password\fP, \fBmongoexport\fP will
-prompt interactively for a password on the console.
+Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongoexport\fP returns
+an error.
+
+.sp
+Changed in version 3.0.2: If you wish \fBmongoexport\fP to prompt the user
+for the password, pass the \fI\%\-\-username\fP option without
+\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
+as in \fB\-\-password ""\fP .
+
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationDatabase <dbname>
+Specifies the database in which the user is created.
+See user\-authentication\-database\&.
+.sp
 If you do not specify an authentication database, \fBmongoexport\fP
-assumes that the database specified to export holds the user\(aqs credentials.
+assumes that the database specified to export holds the user’s credentials.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationMechanism <name>
-\fIDefault\fP: MONGODB\-CR
-.sp
-New in version 2.4.
-
-.sp
-Changed in version 2.6: Added support for the \fBPLAIN\fP and \fBMONGODB\-X509\fP authentication
-mechanisms.
-
+\fIDefault\fP: SCRAM\-SHA\-1
 .sp
 Specifies the authentication mechanism the \fBmongoexport\fP instance uses to
 authenticate to the \fBmongod\fP or \fBmongos\fP\&.
+.sp
+Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
+Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
+.sp
+MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
+function (\fBSCRAM\-SHA\-256\fP).
+
 .TS
 center;
 |l|l|.
@@ -324,33 +544,47 @@ Description
 T}
 _
 T{
-MONGODB\-CR
+SCRAM\-SHA\-1
 T}	T{
-MongoDB challenge/response authentication.
+\fI\%RFC 5802\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-1
+hash function.
 T}
 _
 T{
-MONGODB\-X509
+SCRAM\-SHA\-256
 T}	T{
-MongoDB SSL certificate authentication.
+\fI\%RFC 7677\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-256
+hash function.
+.sp
+Requires featureCompatibilityVersion set to \fB4.0\fP\&.
+.sp
+New in version 4.0.
 T}
 _
 T{
-PLAIN
+MONGODB\-X509
 T}	T{
-External authentication using LDAP. You can also use \fBPLAIN\fP
-for authenticating in\-database users. \fBPLAIN\fP transmits
-passwords in plain text. This mechanism is available only in
-\fI\%MongoDB Enterprise\fP\&.
+MongoDB TLS/SSL certificate authentication.
 T}
 _
 T{
-GSSAPI
+GSSAPI (Kerberos)
 T}	T{
 External authentication using Kerberos. This mechanism is
 available only in \fI\%MongoDB Enterprise\fP\&.
 T}
 _
+T{
+PLAIN (LDAP SASL)
+T}	T{
+External authentication using LDAP. You can also use \fBPLAIN\fP
+for authenticating in\-database users. \fBPLAIN\fP transmits
+passwords in plain text. This mechanism is available only in
+\fI\%MongoDB Enterprise\fP\&.
+T}
+_
 .TE
 .UNINDENT
 .INDENT 0.0
@@ -359,7 +593,7 @@ _
 New in version 2.6.
 
 .sp
-Specify the name of the service using \fBGSSAPI/Kerberos\fP\&. Only required if the service does not use the
+Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
 default name of \fBmongodb\fP\&.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -370,7 +604,7 @@ This option is available only in MongoDB Enterprise.
 New in version 2.6.
 
 .sp
-Specify the hostname of a service using \fBGSSAPI/Kerberos\fP\&. \fIOnly\fP required if the hostname of a machine does
+Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
 not match the hostname resolved by DNS.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -391,36 +625,48 @@ Specifies the collection to export.
 Specifies a field or fields to \fIinclude\fP in the export. Use a comma
 separated list of fields to specify multiple fields.
 .sp
-For \fIcsv\fP output formats,
-\fBmongoexport\fP includes only the specified field(s), and the
+If any of your field names include white space, use
+quotation marks to enclose the field list. For example, if you wished
+to export two fields, \fBphone\fP and \fBuser number\fP, you would
+specify \fB\-\-fields "phone,user number"\fP\&.
+.sp
+For \fI\%csv\fP output formats,
+\fI\%mongoexport\fP includes only the specified field(s), and the
 specified field(s) can be a field within a sub\-document.
 .sp
-For \fIJSON\fP output formats, \fBmongoexport\fP includes
+For JSON output formats, \fI\%mongoexport\fP includes
 only the specified field(s) \fBand\fP the \fB_id\fP field, and if the
 specified field(s) is a field within a sub\-document, the
-\fBmongoexport\fP includes the sub\-document with all
+\fI\%mongoexport\fP includes the sub\-document with all
 its fields, not just the specified field within the document.
+.sp
+See: \fI\%Export Data in CSV Format using \-\-fields option\fP for sample usage.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-fieldFile <filename>
-An alternative to \fI\-\-fields\fP\&. The
-\fI\-\-fieldFile\fP option allows you to
+An alternative to \fI\%\-\-fields\fP\&. The
+\fI\%\-\-fieldFile\fP option allows you to
 specify in a file the field or fields to \fIinclude\fP in the export and is
-\fBonly valid\fP with the \fI\-\-type\fP option
+\fBonly valid\fP with the \fI\%\-\-type\fP option
 with value \fBcsv\fP\&. The
 file must have only one field per line, and the line(s) must end with
 the LF character (\fB0x0A\fP).
 .sp
-\fBmongoexport\fP includes only the specified field(s). The
+\fI\%mongoexport\fP includes only the specified field(s). The
 specified field(s) can be a field within a sub\-document.
+.sp
+See \fI\%Use a File to Specify the Fields to Export in CSV Format\fP for sample usage.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-query <JSON>, \-q <JSON>
-Provides a \fIJSON document\fP as a query that optionally limits
-the documents returned in the export. Specify JSON in \fBstrict
-format\fP\&.
+Provides a JSON document as a query that optionally limits
+the documents returned in the export. Specify JSON in strict
+format\&.
+.sp
+You must enclose the query in single quotes (e.g. \fB\(aq\fP) to ensure that it does
+not interact with your shell environment.
 .sp
 For example, given a collection named \fBrecords\fP in the database
 \fBtest\fP with the following documents:
@@ -439,7 +685,7 @@ For example, given a collection named \fBrecords\fP in the database
 .UNINDENT
 .UNINDENT
 .sp
-The following \fBmongoexport\fP uses the \fI\%\-q\fP option to
+The following \fI\%mongoexport\fP uses the \fI\%\-q\fP option to
 export only the documents with the field \fBa\fP greater than or equal to
 (\fB$gte\fP) to \fB3\fP:
 .INDENT 7.0
@@ -447,7 +693,7 @@ export only the documents with the field \fBa\fP greater than or equal to
 .sp
 .nf
 .ft C
-mongoexport \-d test \-c records \-q "{ a: { \e$gte: 3 } }" \-\-out exportdir/myRecords.json
+mongoexport \-d test \-c records \-q \(aq{ a: { $gte: 3 } }\(aq \-\-out exportdir/myRecords.json
 .ft P
 .fi
 .UNINDENT
@@ -467,36 +713,36 @@ The resulting file contains the following documents:
 .UNINDENT
 .sp
 You can sort the results with the \fI\%\-\-sort\fP option to
-\fBmongoexport\fP\&.
+\fI\%mongoexport\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-type <string>
 \fIDefault\fP: json
 .sp
-New in version 3.0.0.
+New in version 3.0.
 
 .sp
-Specifies the file type to export. The default format is \fIJSON\fP,
-bit it is possible to export \fIcsv\fP files.
+Specifies the file type to export. Specify \fBcsv\fP for CSV
+format or \fBjson\fP for JSON format.
 .sp
 If you specify \fBcsv\fP, then you must also use either
-the \fI\-\-fields\fP or the \fI\-\-fieldFile\fP option to
+the \fI\%\-\-fields\fP or the \fI\%\-\-fieldFile\fP option to
 declare the fields to export from the collection.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-out <file>, \-o <file>
 Specifies a file to write the export to. If you do not specify a file
-name, the \fBmongoexport\fP writes data to standard output
+name, the \fI\%mongoexport\fP writes data to standard output
 (e.g. \fBstdout\fP).
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-jsonArray
-Modifies the output of \fBmongoexport\fP to write the
-entire contents of the export as a single \fIJSON\fP array. By
-default \fBmongoexport\fP writes data using one JSON document
+Modifies the output of \fI\%mongoexport\fP to write the
+entire contents of the export as a single JSON array. By
+default \fI\%mongoexport\fP writes data using one JSON document
 for every MongoDB document.
 .UNINDENT
 .INDENT 0.0
@@ -509,26 +755,70 @@ Outputs documents in a pretty\-printed format JSON.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-slaveOk, \-k
-Allows \fBmongoexport\fP to read data from secondary or slave
-nodes when using \fBmongoexport\fP with a replica set. This
-option is only available if connected to a \fBmongod\fP or
-\fBmongos\fP and is not available when used with the
-"\fImongoexport \-\-dbpath\fP" option.
+.B \-\-noHeaderLine
+New in version 3.4.
+
+.sp
+By default, \fBmongoexport\fP includes the exported field names as the first
+line in a CSV output. \fI\%\-\-noHeaderLine\fP directs \fBmongoexport\fP to export the
+data without the list of field names.
+\fI\%\-\-noHeaderLine\fP is \fBonly valid\fP with the
+\fI\%\-\-type\fP option with value \fBcsv\fP\&.
 .sp
-This is the default behavior.
+See \fI\%Exclude Field Names from CSV Output\fP for sample usage.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-forceTableScan
-New in version 2.2.
+.B \-\-slaveOk, \-k
+Deprecated since version 3.2.
 
 .sp
-Forces \fBmongoexport\fP to scan the data store directly:
-typically, \fBmongoexport\fP saves entries as they appear in the
-index of the \fB_id\fP field. Use \fI\%\-\-forceTableScan\fP to skip
-the index and scan the data directly. Typically there are two cases
-where this behavior is preferable to the default:
+Sets the replica\-set\-read\-preference to \fBnearest\fP,
+allowing \fI\%mongoexport\fP to read data from secondary
+replica set members.
+.sp
+\fI\%\-\-readPreference\fP replaces \fB\-\-slaveOk\fP in MongoDB 3.2. You cannot
+specify \fB\-\-slaveOk\fP when \fI\%\-\-readPreference\fP is specified.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Using a read preference other than
+\fBprimary\fP with a connection to a \fBmongos\fP may produce
+inconsistencies, duplicates, or result in missed documents.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-readPreference <string>
+Specify the read preference for
+\fBmongoexport\fP\&.
+.sp
+See replica\-set\-read\-preference\-modes\&.
+.sp
+\fBmongoexport\fP defaults to \fBprimary\fP
+read preference when connected to a
+\fBmongos\fP or a replica set\&.
+.sp
+Otherwise, \fBmongoexport\fP defaults to \fBnearest\fP\&.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Using a read preference other than
+\fBprimary\fP with a connection to a \fBmongos\fP may produce
+inconsistencies, duplicates, or result in missed documents.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-forceTableScan
+Forces \fI\%mongoexport\fP to scan the data store directly instead
+of traversing the \fB_id\fP field index. Use \fI\%\-\-forceTableScan\fP to skip the
+index. Typically there are two cases where this behavior is
+preferable to the default:
 .INDENT 7.0
 .IP 1. 3
 If you have key sizes over 800 bytes that would not be present
@@ -537,10 +827,9 @@ in the \fB_id\fP index.
 Your database uses a custom \fB_id\fP field.
 .UNINDENT
 .sp
-When you run with \fI\%\-\-forceTableScan\fP, \fBmongoexport\fP
-does not use \fB$snapshot\fP\&. As a result, the export produced
-by \fBmongoexport\fP can reflect the state of the database at
-many different points in time.
+When you run with \fI\%\-\-forceTableScan\fP, \fI\%mongoexport\fP may return a
+document more than once if a write operation interleaves with the
+operation to cause the document to move.
 .sp
 \fBWARNING:\fP
 .INDENT 7.0
@@ -553,7 +842,7 @@ and consideration.
 .INDENT 0.0
 .TP
 .B \-\-skip <number>
-Use \fI\%\-\-skip\fP to control where \fBmongoexport\fP begins
+Use \fI\%\-\-skip\fP to control where \fI\%mongoexport\fP begins
 exporting documents. See \fBskip()\fP for information about
 the underlying operation.
 .UNINDENT
@@ -592,118 +881,169 @@ operation.
 .SH USE
 .SS Export in CSV Format
 .sp
-In the following example, \fBmongoexport\fP exports the
-collection \fBcontacts\fP from the \fBusers\fP database from the
-\fBmongod\fP instance running on the localhost port number
-\fB27017\fP\&. This command writes the export data in \fICSV\fP format
-into a file located at \fB/opt/backups/contacts.csv\fP\&.  The
-\fBfields.txt\fP file contains a line\-separated list of fields to
-export.
+Changed in version 3.0.0: \fI\%mongoexport\fP removed the \fB\-\-csv\fP option. Use the
+\fI\%\-\-type=csv\fP option to specify CSV format
+for the output.
+
+.SS Export Data in CSV Format using \fB\-\-fields\fP option
+.sp
+In the following example, \fI\%mongoexport\fP exports data from the
+collection \fBcontacts\fP collection in the \fBusers\fP database in CSV
+format to the file \fB/opt/backups/contacts.csv\fP\&.
+.sp
+The \fBmongod\fP instance that \fI\%mongoexport\fP connects to is
+running on the localhost port number \fB27017\fP\&.
+.sp
+When you export in CSV format, you must specify the fields in the documents
+to export. The operation specifies the \fBname\fP and \fBaddress\fP fields
+to export.
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-mongoexport \-\-db users \-\-collection contacts \-\-csv \-\-fieldFile fields.txt \-\-out /opt/backups/contacts.csv
+mongoexport \-\-db users \-\-collection contacts \-\-type=csv \-\-fields name,address \-\-out /opt/backups/contacts.csv
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
-.SS Export in JSON Format
 .sp
-The next example creates an export of the collection \fBcontacts\fP
-from the MongoDB instance running on the localhost port number \fB27017\fP,
-with journaling explicitly enabled. This writes the export to the
-\fBcontacts.json\fP file in \fIJSON\fP format.
+The output would then resemble:
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-mongoexport \-\-db sales \-\-collection contacts \-\-out contacts.json \-\-journal
+name, address
+Sophie Monroe, 123 Example Road
+Charles Yu, 345 Sample Street
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
-.SS Export from Remote Host Running with Authentication
+.SS Use a File to Specify the Fields to Export in CSV Format
+.sp
+For CSV exports only, you can also specify the fields in a file
+containing the line\-separated list of fields to export. The file must
+have only one field per line.
 .sp
-The following example exports the collection \fBcontacts\fP from the
-database \fBmarketing\fP . This data resides on the MongoDB instance
-located on the host \fBmongodb1.example.net\fP running on port \fB37017\fP,
-which requires the username \fBuser\fP and the password \fBpass\fP\&.
+For example, you can specify the \fBname\fP and \fBaddress\fP fields in a
+file \fBfields.txt\fP:
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-mongoexport \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password pass \-\-collection contacts \-\-db marketing \-\-out mdb1\-examplenet.json
+name
+address
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
-.SH TYPE FIDELITY
 .sp
-\fBWARNING:\fP
+Then, using the \fI\%\-\-fieldFile\fP option, specify the fields to export with
+the file:
 .INDENT 0.0
 .INDENT 3.5
-\fBmongoimport\fP and \fBmongoexport\fP do not reliably
-preserve all rich \fIBSON\fP data types because \fIJSON\fP can
-only represent a subset of the types supported by BSON. As a result,
-data exported or imported with these tools may lose some measure of
-fidelity. See the \fBExtended JSON\fP
-reference for more information.
+.sp
+.nf
+.ft C
+mongoexport \-\-db users \-\-collection contacts \-\-type=csv \-\-fieldFile fields.txt \-\-out /opt/backups/contacts.csv
+.ft P
+.fi
 .UNINDENT
 .UNINDENT
+.SS Exclude Field Names from CSV Output
 .sp
-JSON can only represent a subset of the types supported by BSON. To
-preserve type information, \fBmongoexport\fP uses the \fBstrict
-mode representation\fP for certain
-types.
+New in version 3.4.
+
 .sp
-For example, the following insert operation in the \fBmongo\fP
-shell uses the \fBmongoShell mode representation\fP for the BSON types
-\fBdata_date\fP and \fBdata_numberlong\fP:
+MongoDB 3.4 added the \fI\%\-\-noHeaderLine\fP option for excluding the
+field names in a CSV export. The following example exports the \fBname\fP
+and \fBaddress\fP fields in the \fBcontacts\fP collection in the \fBusers\fP
+database and uses \fI\%\-\-noHeaderLine\fP to suppress the output
+of the field names as the first line:
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-use test
-db.traffic.insert( { _id: 1, volume: NumberLong(2980000), date: new Date() } )
+mongoexport \-\-db users \-\-collection contacts \-\-type csv \-\-fields name,address \-\-noHeaderLine \-\-out /opt/backups/contacts.csv
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
-Use \fBmongoexport\fP to export the data:
+The CSV output would then resemble:
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-mongoexport \-\-db test \-\-collection traffic \-\-out traffic.json
+Sophie Monroe, 123 Example Road
+Charles Yu, 345 Sample Street
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
+.SS Export in JSON Format
 .sp
-The exported data is in \fBstrict mode representation\fP to preserve type information:
+This example creates an export of the \fBcontacts\fP collection from the
+MongoDB instance running on the localhost port number \fB27017\fP\&. This
+writes the export to the \fBcontacts.json\fP file in JSON format.
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-{ "_id" : 1, "volume" : { "$numberLong" : "2980000" }, "date" : { "$date" : "2014\-03\-13T13:47:42.483\-0400" } }
+mongoexport \-\-db sales \-\-collection contacts \-\-out contacts.json
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
+.SS Export from Remote Host Running with Authentication
 .sp
-See http://docs.mongodb.org/manual/reference/mongodb\-extended\-json for a complete list of
-these types and the representations used.
+The following example exports the \fBcontacts\fP collection from the
+\fBmarketing\fP database, which requires authentication.
+.sp
+This data resides on the MongoDB instance located on the host
+\fBmongodb1.example.net\fP running on port \fB37017\fP, which requires the username
+\fBuser\fP and the password \fBpass\fP\&.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password "pass" \-\-collection contacts \-\-db marketing \-\-out mdb1\-examplenet.json
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Export Query Results
+.sp
+You can export only the results of a query by supplying a query filter with
+the \fI\%\-\-query\fP option, and limit the results to a single
+database using the “\fI\%\-\-db\fP” option.
+.sp
+For instance, this command returns all documents in the \fBsales\fP database’s
+\fBcontacts\fP collection that contain a field named \fBfield\fP with a value
+of \fB1\fP\&.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongoexport \-\-db sales \-\-collection contacts \-\-query \(aq{"field": 1}\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You must enclose the query in single quotes (e.g. \fB\(aq\fP) to ensure that it does
+not interact with your shell environment.
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongofiles.1 b/debian/mongofiles.1
index 5ef1a35d9d9..2926b7ec090 100644
--- a/debian/mongofiles.1
+++ b/debian/mongofiles.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGOFILES" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGOFILES" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongofiles \- MongoDB GridFS Utility
 .
@@ -30,14 +30,35 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Required Access\fP
+.IP \(bu 2
+\fI\%Options\fP
+.IP \(bu 2
+\fI\%Commands\fP
+.IP \(bu 2
+\fI\%Examples\fP
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.sp
+Users running on Mac OSX Sierra require the 3.2.10 or newer version
+of  mongofiles\&.
+.UNINDENT
+.UNINDENT
 .SH SYNOPSIS
 .sp
-The \fBmongofiles\fP utility makes it possible to manipulate files
-stored in your MongoDB instance in \fIGridFS\fP objects from the
+The \fI\%mongofiles\fP utility makes it possible to manipulate files
+stored in your MongoDB instance in GridFS objects from the
 command line. It is particularly useful as it provides an interface
 between objects stored in your file system and GridFS.
 .sp
-All \fBmongofiles\fP commands have the following form:
+All \fI\%mongofiles\fP commands have the following form:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -49,42 +70,50 @@ mongofiles <options> <commands> <filename>
 .UNINDENT
 .UNINDENT
 .sp
-The components of the \fBmongofiles\fP command are:
+The components of the \fI\%mongofiles\fP command are:
 .INDENT 0.0
 .IP 1. 3
 \fI\%Options\fP\&. You may use one or more of
-these options to control the behavior of \fBmongofiles\fP\&.
+these options to control the behavior of \fI\%mongofiles\fP\&.
 .IP 2. 3
 \fI\%Commands\fP\&. Use one of these commands to
-determine the action of \fBmongofiles\fP\&.
+determine the action of \fI\%mongofiles\fP\&.
 .IP 3. 3
-A filename which is either: the name of a file on your local\(aqs file
+A filename which is either: the name of a file on your local’s file
 system, or a GridFS object.
 .UNINDENT
 .sp
-\fBmongofiles\fP, like \fBmongodump\fP, \fBmongoexport\fP,
-\fBmongoimport\fP, and \fBmongorestore\fP, can access data
-stored in a MongoDB data directory without requiring a running
-\fBmongod\fP instance, if no other \fBmongod\fP is running.
+Run \fI\%mongofiles\fP from the system command line, not the \fBmongo\fP shell.
 .sp
 \fBIMPORTANT:\fP
 .INDENT 0.0
 .INDENT 3.5
-For \fIreplica sets\fP,
-\fBmongofiles\fP can only read from the set\(aqs
-\(aq\fIprimary\fP\&.
+For replica sets,
+\fI\%mongofiles\fP can only read from the set’s
+primary\&.
 .UNINDENT
 .UNINDENT
-.SH OPTIONS
+.SH REQUIRED ACCESS
 .sp
-Changed in version 3.0.0: \fBmongofiles\fP removed the \fB\-\-dbpath\fP as well as related
-\fB\-\-directoryperdb\fP and \fB\-\-journal\fP options. You must use
-\fBmongofiles\fP while connected to a \fBmongod\fP instance.
-
+In order to connect to a \fBmongod\fP that enforces authorization
+with the \fB\-\-auth\fP option, you must use the
+\fI\%\-\-username\fP and \fI\%\-\-password\fP options. The connecting user must possess, at a
+minimum:
 .INDENT 0.0
-.TP
-.B mongofiles
+.IP \(bu 2
+the \fBread\fP role for the accessed database when using the
+\fBlist\fP, \fBsearch\fP or \fBget\fP commands,
+.IP \(bu 2
+the \fBreadWrite\fP role for the accessed database when using
+the \fBput\fP or \fBdelete\fP commands.
 .UNINDENT
+.SH OPTIONS
+.sp
+Changed in version 3.0.0: \fI\%mongofiles\fP removed the \fB\-\-dbpath\fP as well as related
+\fB\-\-directoryperdb\fP and \fB\-\-journal\fP options. To use
+\fI\%mongofiles\fP, you must run \fI\%mongofiles\fP against a running
+\fBmongod\fP or \fBmongos\fP instance as appropriate.
+
 .INDENT 0.0
 .TP
 .B \-\-help
@@ -100,13 +129,13 @@ including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .INDENT 0.0
 .TP
 .B \-\-quiet
-Runs the \fBmongofiles\fP in a quiet mode that attempts to limit the amount
+Runs \fBmongofiles\fP in a quiet mode that attempts to limit the amount
 of output.
 .sp
 This option suppresses:
 .INDENT 7.0
 .IP \(bu 2
-output from \fIdatabase commands\fP
+output from database commands
 .IP \(bu 2
 replication activity
 .IP \(bu 2
@@ -122,9 +151,63 @@ Returns the \fBmongofiles\fP release number.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-uri <connectionString>
+New in version 3.4.6.
+
+.sp
+Specify a resolvable URI
+connection string for the \fBmongod\fP to which to
+connect.
+.sp
+The following is the standard
+URI connection scheme:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For detailed explanations of the components of this string, refer to
+the
+Connection String URI Format
+documentation.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+The following \fI\%mongofiles\fP options are incompatible with the
+\fB\-\-uri\fP option. Instead, specify these options as part of your
+\fB\-\-uri\fP connection string when applicable:
+.INDENT 0.0
+.IP \(bu 2
+\fB\-\-host\fP
+.IP \(bu 2
+\fB\-\-port\fP
+.IP \(bu 2
+\fB\-\-db\fP
+.IP \(bu 2
+\fB\-\-username\fP
+.IP \(bu 2
+\fB\-\-password\fP (when specifying the password as part of the
+URI connection string)
+.IP \(bu 2
+\fB\-\-authenticationDatabase\fP
+.IP \(bu 2
+\fB\-\-authenticationMechanism\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-host <hostname><:port>
 Specifies a resolvable hostname for the \fBmongod\fP that holds
-your GridFS system. By default \fBmongofiles\fP attempts to connect
+your GridFS system. By default \fI\%mongofiles\fP attempts to connect
 to a MongoDB process running on the localhost port number \fB27017\fP\&.
 .sp
 Optionally, specify a port number to connect a MongoDB instance running
@@ -141,9 +224,12 @@ client connections.
 .INDENT 0.0
 .TP
 .B \-\-ipv6
-Enables IPv6 support and allows the \fBmongofiles\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+\fIRemoved in version 3.0.\fP
+.sp
+Enables IPv6 support and allows \fBmongofiles\fP to connect to the
+MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you
+had to specify \fI\%\-\-ipv6\fP to use IPv6. In MongoDB 3.0 and later, IPv6
+is always enabled.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -152,10 +238,11 @@ New in version 2.6.
 
 .sp
 Enables connection to a \fBmongod\fP or \fBmongos\fP that has
-SSL support enabled.
+TLS/SSL support enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -167,23 +254,32 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
 \fBWARNING:\fP
 .INDENT 7.0
 .INDENT 3.5
-If the \fBmongo\fP shell or any other tool that connects to
-\fBmongos\fP or \fBmongod\fP is run without
-\fI\-\-sslCAFile\fP, it will not attempt to validate
-server certificates. This results in vulnerability to expired
-\fBmongod\fP and \fBmongos\fP certificates as well as to foreign
-processes posing as valid \fBmongod\fP or \fBmongos\fP
-instances. Ensure that you \fIalways\fP specify the CA file against which
-server certificates should be validated in cases where intrusion is a
-possibility.
+\fBVersion 3.2 and earlier:\fP For TLS/SSL connections (\fB\-\-ssl\fP) to
+\fBmongod\fP and \fBmongos\fP, if the \fBmongofiles\fP runs without the
+\fI\%\-\-sslCAFile\fP, \fBmongofiles\fP will not attempt
+to validate the server certificates. This creates a vulnerability
+to expired \fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid \fBmongod\fP or
+\fBmongos\fP instances. Ensure that you \fIalways\fP specify the
+CA file to validate the server certificates in cases where
+intrusion is a possibility.
 .UNINDENT
 .UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -191,17 +287,18 @@ possibility.
 New in version 2.6.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
-This option is required when using the \fI\-\-ssl\fP option to connect
+This option is required when using the \fI\%\-\-ssl\fP option to connect
 to a \fBmongod\fP or \fBmongos\fP that has
 \fBCAFile\fP enabled \fIwithout\fP
 \fBallowConnectionsWithoutCertificates\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -210,16 +307,17 @@ New in version 2.6.
 
 .sp
 Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
 certificate\-key file is encrypted. In all cases, the \fBmongofiles\fP will
 redact the password from all logging and reporting output.
 .sp
 If the private key in the PEM file is encrypted and you do not specify
-the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongofiles\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongofiles\fP will prompt for a passphrase. See
+ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -231,8 +329,9 @@ Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -245,8 +344,36 @@ the use of invalid certificates. When using the
 \fBallowInvalidCertificates\fP setting, MongoDB logs as a
 warning the use of the invalid certificate.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL connections to \fBmongod\fP and
+\fBmongos\fP, avoid using
+\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
+\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
+not possible.
+.sp
+If the \fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) runs with the
+\fB\-\-sslAllowInvalidCertificates\fP option, the
+\fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) will not attempt to validate
+the server certificates. This creates a vulnerability to expired
+\fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid
+\fBmongod\fP or \fBmongos\fP instances.
+.UNINDENT
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -254,9 +381,13 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates. Allows
-\fBmongofiles\fP to connect to MongoDB instances if the hostname their
+Disables the validation of the hostnames in TLS/SSL certificates. Allows
+\fBmongofiles\fP to connect to MongoDB instances even if the hostname in their
 certificates do not match the specified hostname.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -266,14 +397,14 @@ New in version 2.6.
 .sp
 Directs the \fBmongofiles\fP to use the FIPS mode of the installed OpenSSL
 library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+the \fI\%\-\-sslFIPSMode\fP option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -291,31 +422,36 @@ Specifies a password with which to authenticate to a MongoDB database
 that uses authentication. Use in conjunction with the \fB\-\-username\fP and
 \fB\-\-authenticationDatabase\fP options.
 .sp
-If you do not specify an argument for \fI\-\-password\fP, \fBmongofiles\fP will
-prompt interactively for a password on the console.
+Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongofiles\fP returns
+an error.
+
+.sp
+Changed in version 3.0.2: If you wish \fBmongofiles\fP to prompt the user
+for the password, pass the \fI\%\-\-username\fP option without
+\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
+as in \fB\-\-password ""\fP .
+
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationDatabase <dbname>
-New in version 2.4.
-
-.sp
-Specifies the database that holds the user\(aqs credentials.
+Specifies the database in which the user is created.
+See user\-authentication\-database\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationMechanism <name>
-\fIDefault\fP: MONGODB\-CR
-.sp
-New in version 2.4.
-
-.sp
-Changed in version 2.6: Added support for the \fBPLAIN\fP and \fBMONGODB\-X509\fP authentication
-mechanisms.
-
+\fIDefault\fP: SCRAM\-SHA\-1
 .sp
 Specifies the authentication mechanism the \fBmongofiles\fP instance uses to
 authenticate to the \fBmongod\fP or \fBmongos\fP\&.
+.sp
+Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
+Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
+.sp
+MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
+function (\fBSCRAM\-SHA\-256\fP).
+
 .TS
 center;
 |l|l|.
@@ -327,33 +463,47 @@ Description
 T}
 _
 T{
-MONGODB\-CR
+SCRAM\-SHA\-1
 T}	T{
-MongoDB challenge/response authentication.
+\fI\%RFC 5802\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-1
+hash function.
 T}
 _
 T{
-MONGODB\-X509
+SCRAM\-SHA\-256
 T}	T{
-MongoDB SSL certificate authentication.
+\fI\%RFC 7677\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-256
+hash function.
+.sp
+Requires featureCompatibilityVersion set to \fB4.0\fP\&.
+.sp
+New in version 4.0.
 T}
 _
 T{
-PLAIN
+MONGODB\-X509
 T}	T{
-External authentication using LDAP. You can also use \fBPLAIN\fP
-for authenticating in\-database users. \fBPLAIN\fP transmits
-passwords in plain text. This mechanism is available only in
-\fI\%MongoDB Enterprise\fP\&.
+MongoDB TLS/SSL certificate authentication.
 T}
 _
 T{
-GSSAPI
+GSSAPI (Kerberos)
 T}	T{
 External authentication using Kerberos. This mechanism is
 available only in \fI\%MongoDB Enterprise\fP\&.
 T}
 _
+T{
+PLAIN (LDAP SASL)
+T}	T{
+External authentication using LDAP. You can also use \fBPLAIN\fP
+for authenticating in\-database users. \fBPLAIN\fP transmits
+passwords in plain text. This mechanism is available only in
+\fI\%MongoDB Enterprise\fP\&.
+T}
+_
 .TE
 .UNINDENT
 .INDENT 0.0
@@ -362,7 +512,7 @@ _
 New in version 2.6.
 
 .sp
-Specify the name of the service using \fBGSSAPI/Kerberos\fP\&. Only required if the service does not use the
+Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
 default name of \fBmongodb\fP\&.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -373,7 +523,7 @@ This option is available only in MongoDB Enterprise.
 New in version 2.6.
 
 .sp
-Specify the hostname of a service using \fBGSSAPI/Kerberos\fP\&. \fIOnly\fP required if the hostname of a machine does
+Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
 not match the hostname resolved by DNS.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -397,15 +547,15 @@ operations.
 .sp
 In the \fBmongofiles put\fP and \fBmongofiles get\fP commands,
 the required \fB<filename>\fP modifier refers to the name the object will
-have in GridFS. \fBmongofiles\fP assumes that this reflects the
-file\(aqs name on the local file system. This setting overrides this
+have in GridFS. \fI\%mongofiles\fP assumes that this reflects the
+file’s name on the local file system. This setting overrides this
 default.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-type <MIME>
-Provides the ability to specify a \fIMIME\fP type to describe the file
-inserted into GridFS storage. \fBmongofiles\fP omits this option in
+Provides the ability to specify a MIME type to describe the file
+inserted into GridFS storage. \fI\%mongofiles\fP omits this option in
 the default operation.
 .sp
 Use only with \fBmongofiles put\fP operations.
@@ -432,10 +582,10 @@ GridFS prefix to use.
 .B \-\-writeConcern <document>
 \fIDefault\fP: majority
 .sp
-Specifies the \fIwrite concern\fP for each write operation that \fBmongofiles\fP
+Specifies the write concern for each write operation that \fBmongofiles\fP
 writes to the target database.
 .sp
-Specify the write concern as a document with \fIw options\fP\&.
+Specify the write concern as a document with w options\&.
 .UNINDENT
 .SH COMMANDS
 .INDENT 0.0
@@ -458,9 +608,9 @@ Copy the specified file from the local file system into GridFS
 storage.
 .sp
 Here, \fB<filename>\fP refers to the name the object will have in
-GridFS, and \fBmongofiles\fP assumes that this reflects the name the
+GridFS, and \fI\%mongofiles\fP assumes that this reflects the name the
 file has on the local file system. If the local filename is
-different use the \fImongofiles \-\-local\fP option.
+different use the \fI\%mongofiles \-\-local\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -469,18 +619,42 @@ Copy the specified file from GridFS storage to the local file
 system.
 .sp
 Here, \fB<filename>\fP refers to the name the object will have in
-GridFS, and \fBmongofiles\fP assumes that this reflects the name the
-file has on the local file system. If the local filename is
-different use the \fImongofiles \-\-local\fP option.
+GridFS. \fI\%mongofiles\fP writes the file to the local
+file system using the file’s \fBfilename\fP in GridFS. To choose a
+different location for the file on the local file system, use the
+\fI\%\-\-local\fP option.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B get_id "<ObjectId>"
+New in version 3.2.0.
+
+.sp
+Copy the specified file from GridFS storage to the local file system.
+.sp
+Here \fB<ObjectId>\fP refers to the extended JSON \fB_id\fP of the
+object in GridFS. \fI\%mongofiles\fP writes the file to the local
+file system using the file’s \fBfilename\fP in GridFS. To choose a
+different location for the file on the local file system, use the
+\fI\%\-\-local\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B delete <filename>
 Delete the specified file from GridFS storage.
 .UNINDENT
+.INDENT 0.0
+.TP
+.B delete_id "<ObjectId>"
+New in version 3.2.0.
+
+.sp
+Delete the specified file from GridFS storage. Specify the file using
+its \fB_id\fP\&.
+.UNINDENT
 .SH EXAMPLES
 .sp
-To return a list of all files in a \fIGridFS\fP collection in the
+To return a list of all files in a GridFS collection in the
 \fBrecords\fP database, use the following invocation at the system shell:
 .INDENT 0.0
 .INDENT 3.5
@@ -493,7 +667,7 @@ mongofiles \-d records list
 .UNINDENT
 .UNINDENT
 .sp
-This \fBmongofiles\fP instance will connect to the
+This \fI\%mongofiles\fP instance will connect to the
 \fBmongod\fP instance running on the \fB27017\fP localhost
 interface to specify the same operation on a different port or
 hostname, and issue a command that resembles one of the following:
@@ -503,14 +677,14 @@ hostname, and issue a command that resembles one of the following:
 .nf
 .ft C
 mongofiles \-\-port 37017 \-d records list
-mongofiles \-\-hostname db1.example.net \-d records list
-mongofiles \-\-hostname db1.example.net \-\-port 37017 \-d records list
+mongofiles \-\-host db1.example.net \-d records list
+mongofiles \-\-host db1.example.net \-\-port 37017 \-d records list
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
-Modify any of the following commands as needed if you\(aqre connecting
+Modify any of the following commands as needed if you’re connecting
 the \fBmongod\fP instances on different ports or hosts.
 .sp
 To upload a file named \fB32\-corinth.lp\fP to the GridFS collection in
@@ -578,9 +752,25 @@ mongofiles \-d records get 32\-corinth.lp
 .fi
 .UNINDENT
 .UNINDENT
+.sp
+To fetch the file from the GridFS collection in the \fBrecords\fP database
+with \fB_id: ObjectId("56feac751f417d0357e7140f")\fP, you can use
+the following command:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongofiles \-d records get_id \(aqObjectId("56feac751f417d0357e7140f")\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+You must include quotation marks around the \fB_id\fP\&.
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongoimport.1 b/debian/mongoimport.1
index 3f2113dd286..bcd607690fc 100644
--- a/debian/mongoimport.1
+++ b/debian/mongoimport.1
@@ -1,8 +1,8 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGOIMPORT" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGOIMPORT" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
-mongoimport \- MongoDB Import Utility
+mongoimport \- MongoDB LDAP Configuration Testing Utility
 .
 .nr rst2man-indent-level 0
 .
@@ -30,629 +30,689 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Usage\fP
+.IP \(bu 2
+\fI\%Options\fP
+.UNINDENT
+.sp
+New in version 3.4: MongoDB Enterprise
+
 .SH SYNOPSIS
 .sp
-The \fBmongoimport\fP tool provides a route to import content from a
-JSON, CSV, or TSV export created by \fBmongoexport\fP, or
-potentially, another third\-party export tool. See the
-http://docs.mongodb.org/manual/core/import\-export document for a more in depth
-usage overview, and the \fBmongoexport\fP document for more
-information regarding \fBmongoexport\fP, which
-provides the inverse "exporting" capability.
-.SH CONSIDERATIONS
-.sp
-Do not use \fBmongoimport\fP and \fBmongoexport\fP for
-full instance, production backups because they will not reliably capture data type
-information. Use \fBmongodump\fP and \fBmongorestore\fP as
-described in http://docs.mongodb.org/manual/core/backups for this kind of
-functionality.
-.sp
-\fBmongoimport\fP is single\-threaded and inserts one document at
-a time into MongoDB. Custom import tools for data ingestion may have
-better performance for specific workloads.
-.SH OPTIONS
+Starting in version 3.4, MongoDB Enterprise provides
+\fI\%mongoldap\fP for testing MongoDB’s LDAP configuration
+options against a running LDAP server or set
+of servers.
 .sp
-Changed in version 3.0.0: \fBmongoimport\fP removed the \fB\-\-dbpath\fP as well as related
-\fB\-\-directoryperdb\fP and \fB\-\-journal\fP options. You must use
-\fBmongoimport\fP while connected to a \fBmongod\fP instance.
-
+To validate the LDAP options in the configuration file, set the
+\fI\%mongoldap\fP \fI\%\-\-config\fP option to the configuration file’s
+path.
+.sp
+To test the LDAP configuration options, you must specify a \fI\%\-\-user\fP
+and \fB\-\-password\fP\&. \fI\%mongoldap\fP simulates authentication to a
+MongoDB server running with the provided configuration options and credentials.
+.sp
+\fI\%mongoldap\fP returns a report that includes the success or failure of
+any step in the LDAP authentication or authorization procedure. Error messages
+include information on specific errors encountered and potential advice for
+resolving the error.
+.sp
+When configuring options related to LDAP authorization, \fI\%mongoldap\fP executes an LDAP query
+constructed using the provided configuration options and username, and returns
+a list of roles on the \fBadmin\fP database which the user is authorized for.
+.sp
+You can use this information when configuring LDAP authorization roles for user access control. For example, use
+\fI\%mongoldap\fP to ensure your configuration allows privileged users to
+gain the necessary roles to perform their expected tasks. Similarly, use
+\fI\%mongoldap\fP to ensure your configuration disallows non\-privileged
+users from gaining roles for accessing the MongoDB server, or performing
+unauthorized actions.
+.sp
+When configuring options related to LDAP authentication, use \fI\%mongoldap\fP to ensure that the authentication
+operation works as expected.
+.sp
+Run \fI\%mongoldap\fP from the system command line, not the \fBmongo\fP shell.
+.sp
+This document provides a complete overview of all command line options for
+\fI\%mongoldap\fP\&.
+.SH USAGE
+.sp
+\fBNOTE:\fP
 .INDENT 0.0
-.TP
-.B mongoimport
+.INDENT 3.5
+A full description of LDAP or Active Directory is beyond the scope of
+this documentation.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B mongoimport
 .UNINDENT
+.sp
+Consider the following sample configuration file, designed to support
+LDAP authentication and authorization via Active Directory:
 .INDENT 0.0
-.TP
-.B \-\-help
-Returns information on the options and use of \fBmongoimport\fP\&.
+.INDENT 3.5
+.sp
+.nf
+.ft C
+security:
+   authorization: "enabled"
+   ldap:
+      servers: "activedirectory.example.net"
+      bind:
+         queryUser: "mongodbadmin@dba.example.com"
+         queryPassword: "secret123"
+      userToDNMapping:
+         \(aq[
+            {
+               match : "(.+)",
+               ldapQuery: "DC=example,DC=com??sub?(userPrincipalName={0})"
+            }
+         ]\(aq
+      authz:
+         queryTemplate: "DC=example,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
+setParameter:
+   authenticationMechanisms: "PLAIN"
+.ft P
+.fi
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-verbose, \-v
-Increases the amount of internal reporting returned on standard output
-or in log files. Increase the verbosity with the \fB\-v\fP form by
-including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .UNINDENT
+.sp
+You can use \fI\%mongoldap\fP to validate the configuration file, which
+returns a report of the procedure. You must specify a username and password
+for \fI\%mongoldap\fP\&.
 .INDENT 0.0
-.TP
-.B \-\-quiet
-Runs the \fBmongoimport\fP in a quiet mode that attempts to limit the amount
-of output.
+.INDENT 3.5
 .sp
-This option suppresses:
-.INDENT 7.0
-.IP \(bu 2
-output from \fIdatabase commands\fP
-.IP \(bu 2
-replication activity
-.IP \(bu 2
-connection accepted events
-.IP \(bu 2
-connection closed events
-.UNINDENT
+.nf
+.ft C
+mongoldap \-\-config <path\-to\-config> \-\-user "bob@dba.example.com" \-\-password "secret123"
+.ft P
+.fi
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-version
-Returns the \fBmongoimport\fP release number.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-host <hostname><:port>, \-h <hostname><:port>
-\fIDefault\fP: localhost:27017
-.sp
-Specifies a resolvable hostname for the \fBmongod\fP to which to
-connect. By default, the \fBmongoimport\fP attempts to connect to a MongoDB
-instance running on the localhost on port number \fB27017\fP\&.
 .sp
-To connect to a replica set, specify the
-\fBreplSetName\fP and a seed list of set members, as in
-the following:
-.INDENT 7.0
+If the provided credentials are valid, and the LDAP options in the
+configuration files are valid, the output might be as follows:
+.INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
+Checking that an LDAP server has been specified...
+[OK] LDAP server found
+
+Connecting to LDAP server...
+[OK] Connected to LDAP server
+
+Parsing MongoDB to LDAP DN mappings..
+[OK] MongoDB to LDAP DN mappings appear to be valid
+
+Attempting to authenticate against the LDAP server...
+[OK] Successful authentication performed
+
+Checking if LDAP authorization has been enabled by configuration...
+[OK] LDAP authorization enabled
+
+Parsing LDAP query template..
+[OK] LDAP query configuration template appears valid
+
+Executing query against LDAP server...
+[OK] Successfully acquired the following roles:
+\&...
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \-\-config <filename>, \-f <filename>
+Specifies a configuration file for runtime configuration options.
+The options are equivalent to the command\-line
+configuration options. See /reference/configuration\-options for
+more information.
 .sp
-You can always connect directly to a single MongoDB instance by
-specifying the host and port number directly.
+\fBmongoldap\fP uses any configuration options related to security\-ldap
+or security\-ldap\-external for testing LDAP authentication or
+authorization.
 .sp
-Changed in version 3.0.0: If you use IPv6 and use the \fB<address>:<port>\fP format, you must
-enclose the portion of an address and port combination in
-brackets (e.g. \fB[<address>]\fP).
-
+Requires specifying \fI\%\-\-user\fP\&. May accept \fI\%\-\-password\fP for
+testing LDAP authentication.
+.sp
+Ensure the configuration file uses ASCII encoding. The \fBmongoldap\fP
+instance does not support configuration files with non\-ASCII encoding,
+including UTF\-8.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-port <port>
-\fIDefault\fP: 27017
-.sp
-Specifies the TCP port on which the MongoDB instance listens for
-client connections.
+.B \-\-user <string>
+Username for \fBmongoldap\fP to use when attempting LDAP authentication or
+authorization.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-ipv6
-Enables IPv6 support and allows the \fBmongoimport\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+.B \-\-password <string>
+Password of the \fB\-\-user\fP for \fBmongoldap\fP to use when attempting LDAP
+authentication. Not required for LDAP authorization.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-ssl
-New in version 2.6.
+.B \-\-ldapServers <host1>:<port>,<host2>:<port>,...,<hostN>:<port>
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Enables connection to a \fBmongod\fP or \fBmongos\fP that has
-SSL support enabled.
+The LDAP server against which the \fBmongoldap\fP executes LDAP operations
+against to authenticate users or determine what actions a user is authorized
+to perform on a given database. If the LDAP server specified has any
+replicated instances, you may specify the host and port of each replicated
+server in a comma\-delimited list.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
+servers, specify \fIone\fP LDAP server any of its replicated instances to
+\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
+4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
+for listing every LDAP server in your infrastucture.
+.sp
+This setting can be configured on a running \fBmongoldap\fP using
+\fBsetParameter\fP\&.
+.sp
+If unset, \fBmongoldap\fP cannot use LDAP authentication or authorization\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sslCAFile <filename>
-New in version 2.6.
+.B \-\-ldapQueryUser <string>
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains the root certificate chain
-from the Certificate Authority. Specify the file name of the
-\fB\&.pem\fP file using relative or absolute paths.
+The identity with which \fBmongoldap\fP binds as, when connecting to or
+performing queries on an LDAP server.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Only required if any of the following are true:
+.INDENT 7.0
+.IP \(bu 2
+Using LDAP authorization\&.
+.IP \(bu 2
+Using an LDAP query for \fI\%username transformation\fP\&.
+.IP \(bu 2
+The LDAP server disallows anonymous binds
+.UNINDENT
 .sp
-\fBWARNING:\fP
+You must use \fI\%\-\-ldapQueryUser\fP with \fI\%\-\-ldapQueryPassword\fP\&.
+.sp
+If unset, \fBmongoldap\fP will not attempt to bind to the LDAP server.
+.sp
+This setting can be configured on a running \fBmongoldap\fP using
+\fBsetParameter\fP\&.
+.sp
+\fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-If the \fBmongo\fP shell or any other tool that connects to
-\fBmongos\fP or \fBmongod\fP is run without
-\fI\-\-sslCAFile\fP, it will not attempt to validate
-server certificates. This results in vulnerability to expired
-\fBmongod\fP and \fBmongos\fP certificates as well as to foreign
-processes posing as valid \fBmongod\fP or \fBmongos\fP
-instances. Ensure that you \fIalways\fP specify the CA file against which
-server certificates should be validated in cases where intrusion is a
-possibility.
+Windows MongoDB deployments can use \fI\%\-\-ldapBindWithOSDefaults\fP
+instead of \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP\&. You cannot specify
+both \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the same time.
 .UNINDENT
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sslPEMKeyFile <filename>
-New in version 2.6.
+.B \-\-ldapQueryPassword <string>
+New in version 3.4: Available in MongoDB Enterprise only.
+.sp
+The password used to bind to an LDAP server when using
+\fI\%\-\-ldapQueryUser\fP\&. You must use \fI\%\-\-ldapQueryPassword\fP with
+\fI\%\-\-ldapQueryUser\fP\&.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
-and key. Specify the file name of the \fB\&.pem\fP file using relative
-or absolute paths.
+If unset, \fBmongoldap\fP will not attempt to bind to the LDAP server.
 .sp
-This option is required when using the \fI\-\-ssl\fP option to connect
-to a \fBmongod\fP or \fBmongos\fP that has
-\fBCAFile\fP enabled \fIwithout\fP
-\fBallowConnectionsWithoutCertificates\fP\&.
+This setting can be configured on a running \fBmongoldap\fP using
+\fBsetParameter\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Windows MongoDB deployments can use \fI\%\-\-ldapBindWithOSDefaults\fP
+instead of \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapQueryPassword\fP\&. You cannot specify
+both \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the same time.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sslPEMKeyPassword <value>
-New in version 2.6.
+.B \-\-ldapBindWithOSDefaults <bool>
+\fIDefault\fP: False
+.sp
+New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
 
 .sp
-Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
-certificate\-key file is encrypted. In all cases, the \fBmongoimport\fP will
-redact the password from all logging and reporting output.
+Allows \fBmongoldap\fP to authenticate, or bind, using your Windows login
+credentials when connecting to the LDAP server.
 .sp
-If the private key in the PEM file is encrypted and you do not specify
-the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongoimport\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+Only required if:
+.INDENT 7.0
+.IP \(bu 2
+Using LDAP authorization\&.
+.IP \(bu 2
+Using an LDAP query for \fI\%username transformation\fP\&.
+.IP \(bu 2
+The LDAP server disallows anonymous binds
+.UNINDENT
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Use \fI\%\-\-ldapBindWithOSDefaults\fP to replace \fI\%\-\-ldapQueryUser\fP and
+\fI\%\-\-ldapQueryPassword\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sslCRLFile <filename>
-New in version 2.6.
+.B \-\-ldapBindMethod <string>
+\fIDefault\fP: simple
+.sp
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
-List. Specify the file name of the \fB\&.pem\fP file using relative or
-absolute paths.
+The method \fBmongoldap\fP uses to authenticate to an LDAP server.
+Use with \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP to
+connect to the LDAP server.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+\fI\%\-\-ldapBindMethod\fP supports the following values:
+.INDENT 7.0
+.IP \(bu 2
+\fBsimple\fP \- \fBmongoldap\fP uses simple authentication.
+.IP \(bu 2
+\fBsasl\fP \- \fBmongoldap\fP uses SASL protocol for authentication
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-sslAllowInvalidCertificates
-New in version 2.6.
-
 .sp
-Bypasses the validation checks for server certificates and allows
-the use of invalid certificates. When using the
-\fBallowInvalidCertificates\fP setting, MongoDB logs as a
-warning the use of the invalid certificate.
-.sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+If you specify \fBsasl\fP, you can configure the available SASL mechanisms
+using \fI\%\-\-ldapBindSASLMechanisms\fP\&. \fBmongoldap\fP defaults to
+using \fBDIGEST\-MD5\fP mechanism.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sslAllowInvalidHostnames
-New in version 3.0.
+.B \-\-ldapBindSASLMechanisms <string>
+\fIDefault\fP: DIGEST\-MD5
+.sp
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Disables the validation of the hostnames in SSL certificates. Allows
-\fBmongoimport\fP to connect to MongoDB instances if the hostname their
-certificates do not match the specified hostname.
+A comma\-separated list of SASL mechanisms \fBmongoldap\fP can
+use when authenticating to the LDAP server. The \fBmongoldap\fP and the
+LDAP server must agree on at least one mechanism. The \fBmongoldap\fP
+dynamically loads any SASL mechanism libraries installed on the host
+machine at runtime.
+.sp
+Install and configure the appropriate libraries for the selected
+SASL mechanism(s) on both the \fBmongoldap\fP host and the remote
+LDAP server host. Your operating system may include certain SASL
+libraries by default. Defer to the documentation associated with each
+SASL mechanism for guidance on installation and configuration.
+.sp
+If using the \fBGSSAPI\fP SASL mechanism for use with
+security\-kerberos, verify the following for the
+\fBmongoldap\fP host machine:
+.INDENT 7.0
+.TP
+.B \fBLinux\fP
+.INDENT 7.0
+.IP \(bu 2
+The \fBKRB5_CLIENT_KTNAME\fP environment
+variable resolves to the name of the client keytab\-files
+for the host machine. For more on Kerberos environment
+variables, please defer to the
+\fI\%Kerberos documentation\fP\&.
+.IP \(bu 2
+The client keytab includes a
+kerberos\-user\-principal for the \fBmongoldap\fP to use when
+connecting to the LDAP server and execute LDAP queries.
 .UNINDENT
-.INDENT 0.0
 .TP
-.B \-\-sslFIPSMode
-New in version 2.6.
-
+.B \fBWindows\fP
+If connecting to an Active Directory server, the Windows
+Kerberos configuration automatically generates a
+\fI\%Ticket\-Granting\-Ticket\fP
+when the user logs onto the system. Set \fI\%\-\-ldapBindWithOSDefaults\fP to
+\fBtrue\fP to allow \fBmongoldap\fP to use the generated credentials when
+connecting to the Active Directory server and execute queries.
+.UNINDENT
 .sp
-Directs the \fBmongoimport\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+Set \fI\%\-\-ldapBindMethod\fP to \fBsasl\fP to use this option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
-available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+For a complete list of SASL mechanisms see the
+\fI\%IANA listing\fP\&.
+Defer to the documentation for your LDAP or Active Directory
+service for identifying the SASL mechanisms compatible with the
+service.
+.sp
+MongoDB is not a source of SASL mechanism libraries, nor
+is the MongoDB documentation a definitive source for
+installing or configuring any given SASL mechanism. For
+documentation and support, defer to the SASL mechanism
+library vendor or owner.
+.sp
+For more information on SASL, defer to the following resources:
+.INDENT 0.0
+.IP \(bu 2
+For Linux, please see the \fI\%Cyrus SASL documentation\fP\&.
+.IP \(bu 2
+For Windows, please see the \fI\%Windows SASL documentation\fP\&.
 .UNINDENT
 .UNINDENT
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-username <username>, \-u <username>
-Specifies a username with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-password\fP and
-\fB\-\-authenticationDatabase\fP options.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-password <password>, \-p <password>
-Specifies a password with which to authenticate to a MongoDB database
-that uses authentication. Use in conjunction with the \fB\-\-username\fP and
-\fB\-\-authenticationDatabase\fP options.
+.B \-\-ldapTransportSecurity <string>
+\fIDefault\fP: tls
+.sp
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+By default, \fBmongoldap\fP creates a TLS/SSL secured connection to the LDAP
+server.
 .sp
-If you do not specify an argument for \fI\-\-password\fP, \fBmongoimport\fP will
-prompt interactively for a password on the console.
+For Linux deployments, you must configure the appropriate TLS Options in
+\fB/etc/openldap/ldap.conf\fP file. Your operating system’s package manager
+creates this file as part of the MongoDB Enterprise installation, via the
+\fBlibldap\fP dependency. See the documentation for \fBTLS Options\fP in the
+\fI\%ldap.conf OpenLDAP documentation\fP
+for more complete instructions.
+.sp
+For Windows deployment, you must add the LDAP server CA certificates to the
+Windows certificate management tool. The exact name and functionality of the
+tool may vary depending on operating system version. Please see the
+documentation for your version of Windows for more information on
+certificate management.
+.sp
+Set \fI\%\-\-ldapTransportSecurity\fP to \fBnone\fP to disable TLS/SSL between \fBmongoldap\fP and the LDAP
+server.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Setting \fI\%\-\-ldapTransportSecurity\fP to \fBnone\fP transmits plaintext information and possibly
+credentials between \fBmongoldap\fP and the LDAP server.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-authenticationDatabase <dbname>
-New in version 2.4.
+.B \-\-ldapTimeoutMS <long>
+\fIDefault\fP: 10000
+.sp
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Specifies the database that holds the user\(aqs credentials.
+The amount of time in milliseconds \fBmongoldap\fP should wait for an LDAP server
+to respond to a request.
+.sp
+Increasing the value of \fI\%\-\-ldapTimeoutMS\fP may prevent connection failure between the
+MongoDB server and the LDAP server, if the source of the failure is a
+connection timeout. Decreasing the value of \fI\%\-\-ldapTimeoutMS\fP reduces the time
+MongoDB waits for a response from the LDAP server.
+.sp
+This setting can be configured on a running \fBmongoldap\fP using
+\fBsetParameter\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-authenticationMechanism <name>
-\fIDefault\fP: MONGODB\-CR
-.sp
-New in version 2.4.
+.B \-\-ldapUserToDNMapping <string>
+New in version 3.4: Available in MongoDB Enterprise only.
 
 .sp
-Changed in version 2.6: Added support for the \fBPLAIN\fP and \fBMONGODB\-X509\fP authentication
-mechanisms.
-
+Maps the username provided to \fBmongoldap\fP for authentication to a LDAP
+Distinguished Name (DN). You may need to use \fI\%\-\-ldapUserToDNMapping\fP to transform a
+username into an LDAP DN in the following scenarios:
+.INDENT 7.0
+.IP \(bu 2
+Performing LDAP authentication with simple LDAP binding, where users
+authenticate to MongoDB with usernames that are not full LDAP DNs.
+.IP \(bu 2
+Using an \fBLDAP authorization query template\fP that requires a DN.
+.IP \(bu 2
+Transforming the usernames of clients authenticating to Mongo DB using
+different authentication mechanisms (e.g. x.509, kerberos) to a full LDAP
+DN for authorization.
+.UNINDENT
+.sp
+\fI\%\-\-ldapUserToDNMapping\fP expects a quote\-enclosed JSON\-string representing an ordered array
+of documents. Each document contains a regular expression \fBmatch\fP and
+either a \fBsubstitution\fP or \fBldapQuery\fP template used for transforming the
+incoming username.
+.sp
+Each document in the array has the following form:
+.INDENT 7.0
+.INDENT 3.5
 .sp
-Specifies the authentication mechanism the \fBmongoimport\fP instance uses to
-authenticate to the \fBmongod\fP or \fBmongos\fP\&.
+.nf
+.ft C
+{
+  match: "<regex>"
+  substitution: "<LDAP DN>" | ldapQuery: "<LDAP Query>"
+}
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .TS
 center;
-|l|l|.
+|l|l|l|.
 _
 T{
-Value
+Field
 T}	T{
 Description
-T}
-_
-T{
-MONGODB\-CR
 T}	T{
-MongoDB challenge/response authentication.
+Example
 T}
 _
 T{
-MONGODB\-X509
+\fBmatch\fP
+T}	T{
+An ECMAScript\-formatted regular expression (regex) to match against a
+provided username. Each parenthesis\-enclosed section represents a
+regex capture group used by \fBsubstitution\fP or \fBldapQuery\fP\&.
 T}	T{
-MongoDB SSL certificate authentication.
+\fB"(.+)ENGINEERING"\fP
+\fB"(.+)DBA"\fP
 T}
 _
 T{
-PLAIN
+\fBsubstitution\fP
 T}	T{
-External authentication using LDAP. You can also use \fBPLAIN\fP
-for authenticating in\-database users. \fBPLAIN\fP transmits
-passwords in plain text. This mechanism is available only in
-\fI\%MongoDB Enterprise\fP\&.
+An LDAP distinguished name (DN) formatting template that converts the
+authentication name matched by the \fBmatch\fP regex into a LDAP DN.
+Each curly bracket\-enclosed numeric value is replaced by the
+corresponding \fI\%regex capture group\fP extracted
+from the authentication username via the \fBmatch\fP regex.
+T}	T{
+\fB"cn={0},ou=engineering,
+dc=example,dc=com"\fP
 T}
 _
 T{
-GSSAPI
+\fBldapQuery\fP
+T}	T{
+A LDAP query formatting template that inserts the authentication
+name matched by the \fBmatch\fP regex into an LDAP query URI encoded
+respecting RFC4515 and RFC4516. Each curly bracket\-enclosed numeric
+value is replaced by the corresponding \fI\%regex capture group\fP extracted
+from the authentication username via the \fBmatch\fP expression.
+\fBmongoldap\fP executes the query against the LDAP server to retrieve
+the LDAP DN for the authenticated user. \fBmongoldap\fP requires
+exactly one returned result for the transformation to be
+successful, or \fBmongoldap\fP skips this transformation.
 T}	T{
-External authentication using Kerberos. This mechanism is
-available only in \fI\%MongoDB Enterprise\fP\&.
+\fB"ou=engineering,dc=example,
+dc=com??one?(user={0})"\fP
 T}
 _
 .TE
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-gssapiServiceName
-New in version 2.6.
-
 .sp
-Specify the name of the service using \fBGSSAPI/Kerberos\fP\&. Only required if the service does not use the
-default name of \fBmongodb\fP\&.
-.sp
-This option is available only in MongoDB Enterprise.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-gssapiHostName
-New in version 2.6.
-
+For each document in the array, you must use either \fBsubstitution\fP or
+\fBldapQuery\fP\&. You \fIcannot\fP specify both in the same document.
 .sp
-Specify the hostname of a service using \fBGSSAPI/Kerberos\fP\&. \fIOnly\fP required if the hostname of a machine does
-not match the hostname resolved by DNS.
+When performing authentication or authorization, \fBmongoldap\fP steps through
+each document in the array in the given order, checking the authentication
+username against the \fBmatch\fP filter.  If a match is found,
+\fBmongoldap\fP applies the transformation and uses the output for
+authenticating the user. \fBmongoldap\fP does not check the remaining documents
+in the array.
 .sp
-This option is available only in MongoDB Enterprise.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-db <database>, \-d <database>
-Specifies the name of the database on which to run the \fBmongoimport\fP\&.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-collection <collection>, \-c <collection>
-Specifies the collection to import.
+If the given document does not match the provided authentication name, or
+the transformation described by the document fails, \fBmongoldap\fP continues
+through the list of documents to find additional matches. If no matches are
+found in any document, \fBmongoldap\fP returns an error.
+.INDENT 7.0
+.INDENT 3.5
+.SH EXAMPLE
 .sp
-New in version 2.6: If you do not specify \fI\-\-collection\fP,
-\fBmongoimport\fP takes the collection name from the input
-filename. MongoDB omits the extension of the file from the
-collection name, if the input file has an extension.
-
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-fields <field1[,field2]>, \-f <field1[,field2]>
-Specify a comma separated list of field names when importing \fIcsv\fP
-or \fItsv\fP files that do not have field names in the first (i.e.
-header) line of the file.
+The following shows two transformation documents. The first
+document matches against any string ending in \fB@ENGINEERING\fP, placing
+anything preceeding the suffix into a regex capture group. The
+second document matches against any string ending in \fB@DBA\fP, placing
+anything preceeding the suffix into a regex capture group.
 .sp
-If you attempt to include \fI\%\-\-fields\fP when importing JSON data,
-\fBmongoimport\fP will return an error. \fI\%\-\-fields\fP is only for \fIcsv\fP
-or \fItsv\fP imports.
-.UNINDENT
+\fBIMPORTANT:\fP
 .INDENT 0.0
-.TP
-.B \-\-fieldFile <filename>
-As an alternative to \fI\%\-\-fields\fP, the \fI\%\-\-fieldFile\fP
-option allows you to specify a file that holds a list of field names if
-your \fIcsv\fP or \fItsv\fP file does not include field names in the
-first line of the file (i.e. header). Place one field per line.
-.sp
-If you attempt to include \fI\%\-\-fieldFile\fP when importing JSON data,
-\fBmongoimport\fP will return an error. \fI\%\-\-fieldFile\fP is only for \fIcsv\fP
-or \fItsv\fP imports.
+.INDENT 3.5
+You must pass the array to \fI\%\-\-ldapUserToDNMapping\fP as a string.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-ignoreBlanks
-Ignores empty fields in \fIcsv\fP and \fItsv\fP exports. If not
-specified, \fBmongoimport\fP creates fields without values in
-imported documents.
-.sp
-If you attempt to include \fI\%\-\-ignoreBlanks\fP when importing JSON data,
-\fBmongoimport\fP will return an error. \fI\%\-\-ignoreBlanks\fP is only for \fIcsv\fP
-or \fItsv\fP imports.
 .UNINDENT
 .INDENT 0.0
-.TP
-.B \-\-type <json|csv|tsv>
-Specifies the file type to import. The default format is \fIJSON\fP,
-but it\(aqs possible to import \fIcsv\fP and \fItsv\fP files.
+.INDENT 3.5
 .sp
-The \fBcsv\fP parser accepts that data that complies with RFC
-\fI\%RFC 4180\fP\&. As a result, backslashes are \fInot\fP a valid escape
-character. If you use double\-quotes to enclose fields in the CSV
-data, you must escape internal double\-quote marks by prepending
-another double\-quote.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-file <filename>
-Specifies the location and name of a file containing the data to import.
-If you do not specify a file, \fBmongoimport\fP reads data from
-standard input (e.g. "stdin").
+.nf
+.ft C
+"[
+   {
+      match: "(.+)@ENGINEERING.EXAMPLE.COM",
+      substitution: "cn={0},ou=engineering,dc=example,dc=com"
+   },
+   {
+      match: "(.+)@DBA.EXAMPLE.COM",
+      ldapQuery: "ou=dba,dc=example,dc=com??one?(user={0})"
+
+   }
+
+]"
+.ft P
+.fi
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-drop
-Modifies the import process so that the target instance drops
-the collection before importing the data from the input.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-headerline
-If using \fI\-\-type csv\fP or \fI\-\-type
-tsv\fP, uses the first line as field names.
-Otherwise, \fBmongoimport\fP will import the first line as a
-distinct document.
 .sp
-If you attempt to include \fI\%\-\-headerline\fP when importing JSON data,
-\fBmongoimport\fP will return an error. \fI\%\-\-headerline\fP is only for \fIcsv\fP
-or \fItsv\fP imports.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-upsert
-Modifies the import process to update existing objects in the
-database if they match an imported object, while inserting all
-other objects.
-.sp
-If you do not specify a field or fields using the
-\fI\%\-\-upsertFields\fP \fBmongoimport\fP will upsert on the
-basis of the \fB_id\fP field.
-.INDENT 7.0
-.TP
-.B \&..versionchanged:: 3.0.0
-\fI\%\-\-upsert\fP is no longer needed when specifying upserts. Use
-\fI\%\-\-upsertFields\fP, which produces the same behavior.
-.UNINDENT
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-upsertFields <field1[,field2]>
-Specifies a list of fields for the query portion of the
-\fIupsert\fP\&. Use this option if the \fB_id\fP fields in the
-existing documents don\(aqt match the field in the document, but
-another field or field combination can uniquely identify
-documents as a basis for performing upsert operations.
-.INDENT 7.0
-.TP
-.B \&..versionchanged:: 3.0.0
-Modifies the import process to update existing objects in the
-database if they match based on the specified fields, while
-inserting all other objects.
+A user with username \fBalice@ENGINEERING.EXAMPLE.COM\fP matches the first
+document. The regex capture group \fB{0}\fP corresponds to the string
+\fBalice\fP\&. The resulting output is the DN
+\fB"cn=alice,ou=engineering,dc=example,dc=com"\fP\&.
 .sp
-If you do not specify a field, \fI\%\-\-upsertFields\fP will upsert on the basis of
-the \fB_id\fP field.
+A user with username \fBbob@DBA.EXAMPLE.COM\fP matches the second document.
+The regex capture group \fB{0}\fP corresponds to the string \fBbob\fP\&.  The
+resulting output is the LDAP query
+\fB"ou=dba,dc=example,dc=com??one?(user=bob)"\fP\&. \fBmongoldap\fP executes this
+query against the LDAP server, returning the result
+\fB"cn=bob,ou=dba,dc=example,dc=com"\fP\&.
 .UNINDENT
-.sp
-To ensure adequate performance, indexes should exist for this
-field or fields.
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-stopOnError
-New in version 2.2.
-
 .sp
-Forces \fBmongoimport\fP to halt the import operation at the
-first error rather than continuing the operation despite errors.
+If \fI\%\-\-ldapUserToDNMapping\fP is unset, \fBmongoldap\fP applies no transformations to the username
+when attempting to authenticate or authorize a user against the LDAP server.
 .sp
-Changed in version 3.0.0: \fI\%\-\-stopOnError\fP interrupts the import operation when \fBmongoimport\fP encounters
-an insert or upsert error. Other error types will not stop
-the import.
-
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-jsonArray
-Accepts the import of data expressed with multiple MongoDB documents
-within a single \fIJSON\fP array. Limited to
-imports of 16 MB or smaller.
+This setting can be configured on a running \fBmongoldap\fP using the
+\fBsetParameter\fP database command.
 .sp
-Use \fI\%\-\-jsonArray\fP in conjunction with \fImongoexport \-\-jsonArray\fP\&.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+An explanation of \fI\%RFC4515\fP,
+\fI\%RFC4516\fP or LDAP queries is out
+of scope for the MongoDB Documentation. Please review the RFC directly or
+use your preferred LDAP resource.
+.UNINDENT
 .UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-maintainInsertionOrder
-\fIDefault\fP: False
-.sp
-If specified, \fBmongoimport\fP inserts the documents in the order of
-their appearance in the input source, otherwise \fBmongoimport\fP may
-perform the insertions in an arbitrary order.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-writeConcern <document>
-\fIDefault\fP: majority
+.B \-\-ldapAuthzQueryTemplate <string>
+New in version 3.4: Available in MongoDB Enterprise only.
+
 .sp
-Specifies the \fIwrite concern\fP for each write operation that \fBmongoimport\fP
-writes to the target database.
+A relative LDAP query URL formatted conforming to \fI\%RFC4515\fP and \fI\%RFC4516\fP that \fBmongoldap\fP executes to obtain
+the LDAP groups to which the authenticated user belongs to. The query is
+relative to the host or hosts specified in \fI\%\-\-ldapServers\fP\&.
 .sp
-Specify the write concern as a document with \fIw options\fP\&.
-.UNINDENT
-.SH USE
+Use the \fB{USER}\fP placeholder in the URL to substitute the authenticated
+username, or the transformed username if a \fI\%username mapping\fP is specified.
 .sp
-In this example, \fBmongoimport\fP imports the \fIcsv\fP
-formatted data in the \fB/opt/backups/contacts.csv\fP into the
-collection \fBcontacts\fP in the \fBusers\fP database on the MongoDB
-instance running on the localhost port numbered
-\fB27017\fP\&. \fBmongoimport\fP determines the name of files using
-the first line in the CSV file, because of the \fI\-\-headerline\fP:
-.INDENT 0.0
+When constructing the query URL, ensure that the order of LDAP parameters
+respects RFC4516:
+.INDENT 7.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-mongoimport \-\-db users \-\-collection contacts \-\-type csv \-\-headerline \-\-file /opt/backups/contacts.csv
+[ dn  [ ? [attributes] [ ? [scope] [ ? [filter] [ ? [Extensions] ] ] ] ] ]
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
-Since \fBmongoimport\fP uses the input file name, without the
-extension, as the collection name if \fB\-c\fP or \fB\-\-collection\fP is
-unspecified. The following example is equivalent:
-.INDENT 0.0
-.INDENT 3.5
+If your query includes an attribute, \fBmongoldap\fP assumes that the query
+retrieves a the DNs which this entity is member of.
 .sp
-.nf
-.ft C
-mongoimport \-\-db users \-\-type csv \-\-headerline \-\-file /opt/backups/contacts.csv
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
+If your query does not include an attribute, \fBmongoldap\fP assumes
+the query retrieves all entities which the user is member of.
 .sp
-In the following example, \fBmongoimport\fP imports the data in
-the \fIJSON\fP formatted file \fBcontacts.json\fP into the collection
-\fBcontacts\fP on the MongoDB instance running on the localhost port
-number 27017.
-.INDENT 0.0
+For each LDAP DN returned by the query, \fBmongoldap\fP assigns the authorized
+user a corresponding role on the \fBadmin\fP database. If a role on the on the
+\fBadmin\fP database exactly matches the DN, \fBmongoldap\fP grants the user the
+roles and privileges assigned to that role. See the
+\fBdb.createRole()\fP method for more information on creating roles.
+.INDENT 7.0
 .INDENT 3.5
+.SH EXAMPLE
 .sp
-.nf
-.ft C
-mongoimport \-\-db users \-\-collection contacts \-\-file contacts.json
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-In the next example, \fBmongoimport\fP imports data from the
-file \fB/opt/backups/mdb1\-examplenet.json\fP into the collection
-\fBcontacts\fP within the database \fBmarketing\fP on a remote MongoDB
-database. This \fBmongoimport\fP accesses the \fBmongod\fP
-instance running on the host \fBmongodb1.example.net\fP over port
-\fB37017\fP, which requires the username \fBuser\fP and the password
-\fBpass\fP\&.
+This LDAP query returns any groups listed in the LDAP user object’s
+\fBmemberOf\fP attribute.
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-mongoimport \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password pass \-\-collection contacts \-\-db marketing \-\-file /opt/backups/mdb1\-examplenet.json
+"{USER}?memberOf?base"
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
-.SH TYPE FIDELITY
 .sp
-\fBWARNING:\fP
-.INDENT 0.0
-.INDENT 3.5
-\fBmongoimport\fP and \fBmongoexport\fP do not reliably
-preserve all rich \fIBSON\fP data types because \fIJSON\fP can
-only represent a subset of the types supported by BSON. As a result,
-data exported or imported with these tools may lose some measure of
-fidelity. See the \fBExtended JSON\fP
-reference for more information.
+Your LDAP configuration may not include the \fBmemberOf\fP attribute as part
+of the user schema, may possess a different attribute for reporting group
+membership, or may not track group membership through attributes.
+Configure your query with respect to your own unique LDAP configuration.
 .UNINDENT
 .UNINDENT
 .sp
-JSON can only represent a subset of the types supported by BSON. To
-preserve type information, \fBmongoimport\fP accepts \fBstrict
-mode representation\fP for certain
-types.
+If unset, \fBmongoldap\fP cannot authorize users using LDAP.
 .sp
-For example, to preserve type information for BSON types
-\fBdata_date\fP and \fBdata_numberlong\fP during
-\fBmongoimport\fP, the data should be in strict mode
-representation, as in the following:
-.INDENT 0.0
-.INDENT 3.5
+This setting can be configured on a running \fBmongoldap\fP using the
+\fBsetParameter\fP database command.
 .sp
-.nf
-.ft C
-{ "_id" : 1, "volume" : { "$numberLong" : "2980000" }, "date" : { "$date" : "2014\-03\-13T13:47:42.483\-0400" } }
-.ft P
-.fi
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+An explanation of \fI\%RFC4515\fP,
+\fI\%RFC4516\fP or LDAP queries is out
+of scope for the MongoDB Documentation. Please review the RFC directly or
+use your preferred LDAP resource.
+.UNINDENT
 .UNINDENT
 .UNINDENT
-.sp
-For the \fBdata_numberlong\fP type, \fBmongoimport\fP
-converts into a float during the import.
-.sp
-See http://docs.mongodb.org/manual/reference/mongodb\-extended\-json for a complete list of
-these types and the representations used.
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongorestore.1 b/debian/mongorestore.1
index 7d891f15021..d3180931a7e 100644
--- a/debian/mongorestore.1
+++ b/debian/mongorestore.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGORESTORE" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGORESTORE" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongorestore \- MongoDB Data Restoration Tool
 .
@@ -30,72 +30,104 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Behavior\fP
+.IP \(bu 2
+\fI\%Required Access\fP
+.IP \(bu 2
+\fI\%Options\fP
+.IP \(bu 2
+\fI\%Examples\fP
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.sp
+Users running on Mac OSX Sierra require the 3.2.10 or newer version
+of  mongorestore\&.
+.UNINDENT
+.UNINDENT
 .SH SYNOPSIS
 .sp
-The \fBmongorestore\fP program writes data from a binary database
-dump created by \fBmongodump\fP to a MongoDB
-instance. \fBmongorestore\fP can create a new database or add
-data to an existing database.
+The \fI\%mongorestore\fP program loads data from either a binary
+database dump created by \fBmongodump\fP or the standard input
+(starting in version 3.0.0) into a \fBmongod\fP or
+\fBmongos\fP instance.
+.sp
+Run \fI\%mongorestore\fP from the system command line, not the \fBmongo\fP shell.
 .sp
-\fBmongorestore\fP can write data to either \fImongod\fP or \fBmongos\fP
-instances, in addition to writing directly to MongoDB data files
-without an active \fBmongod\fP\&.
+For an overview of \fI\%mongorestore\fP usage, see
+/tutorial/backup\-and\-restore\-tools\&.
 .SH BEHAVIOR
+.SS Insert Only
 .sp
-If you restore to an existing database, \fBmongorestore\fP will
-only insert into the existing database, and does not perform updates
-of any kind. If existing documents have the same value \fB_id\fP field
-in the target database and collection,
-\fBmongorestore\fP will \fInot\fP overwrite those documents.
+\fI\%mongorestore\fP can create a new database or add data to an
+existing database. However, \fI\%mongorestore\fP performs inserts
+only and does not perform updates. That is, if restoring documents to
+an existing database and collection and existing documents have the
+same value \fB_id\fP field as the to\-be\-restored documents,
+\fI\%mongorestore\fP will \fInot\fP overwrite those documents.
+.SS Rebuild Indexes
 .sp
-Remember the following properties of \fBmongorestore\fP behavior:
-.INDENT 0.0
-.IP \(bu 2
-\fBmongorestore\fP recreates indexes recorded by
+\fI\%mongorestore\fP recreates indexes recorded by
 \fBmongodump\fP\&.
-.IP \(bu 2
-all operations are inserts, not updates.
-.IP \(bu 2
-\fBmongorestore\fP does not wait for a response from a
-\fBmongod\fP to ensure that the MongoDB process has received or
-recorded the operation.
 .sp
-The \fBmongod\fP will record any errors to its log that occur
-during a restore operation, but \fBmongorestore\fP will not
-receive errors.
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Starting in MongoDB 2.6, creating indexes will error if an
+index key in an existing document exceeds the limit\&. See
+2.6\-index\-key\-length\-incompatibility for more information and
+solution.
+.sp
+If you have an existing data set that violates this limit but want
+to resolve the index issue after restoring the data, you can disable
+the default index key length validation on the target database by
+setting the \fBmongod\fP instance’s
+\fBfailIndexKeyTooLong\fP parameter to false.
+.UNINDENT
 .UNINDENT
+.SS Version Compatibility
 .sp
 The data format used by \fBmongodump\fP from version 2.2 or
 later is \fIincompatible\fP with earlier versions of \fBmongod\fP\&.
 Do not use recent versions of \fBmongodump\fP to back up older
 data stores.
+.SS Exclude \fBsystem.profile\fP Collection
+.sp
+\fI\%mongorestore\fP does not restore the \fBsystem.profile\fP collection data.
+.SH REQUIRED ACCESS
+.sp
+To restore data to a MongoDB deployment that has access control enabled, the \fBrestore\fP role provides
+access to restore any database if the backup data does not include
+\fBsystem.profile\fP collection data.
+.sp
+If the backup data includes \fBsystem.profile\fP collection data and the target database
+does not contain the \fBsystem.profile\fP
+collection, \fI\%mongorestore\fP attempts to create the collection
+even though the program does not actually restore \fBsystem.profile\fP
+documents. As such, the user requires additional privileges to perform
+\fBcreateCollection\fP and \fBconvertToCapped\fP
+actions on the \fBsystem.profile\fP
+collection for a database.
+.sp
+As of MongoDB 3.2.11, you can run \fI\%mongorestore\fP with
+\fI\%\-\-oplogReplay\fP if you have the
+\fBrestore\fP role. To replay the oplog on versions of MongoDB
+3.2.10 and earlier, you must create a
+user\-defined role that has
+\fBanyAction\fP on resource\-anyresource and grant only
+to users who must run \fI\%mongorestore\fP with
+\fI\%\-\-oplogReplay\fP\&.
+.SH OPTIONS
 .sp
-New in version 3.0.0: \fBmongorestore\fP also accepts input via standard input.
-
-.SH REQUIRED ACCESS TO RESTORE USER DATA
-.sp
-Changed in version 2.6.
+Changed in version 3.0.0: \fI\%mongorestore\fP removed the \fB\-\-filter\fP, \fB\-\-dbpath\fP, and the
+\fB\-\-noobjcheck\fP options.
 
-.sp
-To restore users and \fIuser\-defined roles\fP on a
-given database, you must have access to the \fBadmin\fP database. MongoDB
-stores the user data and role definitions for all databases in the
-\fBadmin\fP database.
-.sp
-Specifically, to restore users to a given database, you must have the
-\fBinsert\fP \fIaction\fP on the \fBadmin\fP
-database\(aqs \fBadmin.system.users\fP collection. The \fBrestore\fP
-role provides this privilege.
-.sp
-To restore user\-defined roles to a database, you must have the
-\fBinsert\fP action on the \fBadmin\fP database\(aqs
-\fBadmin.system.roles\fP collection. The \fBrestore\fP role
-provides this privilege.
-.SH OPTIONS
-.INDENT 0.0
-.TP
-.B mongorestore
-.UNINDENT
 .INDENT 0.0
 .TP
 .B mongorestore
@@ -115,13 +147,13 @@ including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .INDENT 0.0
 .TP
 .B \-\-quiet
-Runs the \fBmongorestore\fP in a quiet mode that attempts to limit the amount
+Runs \fBmongorestore\fP in a quiet mode that attempts to limit the amount
 of output.
 .sp
 This option suppresses:
 .INDENT 7.0
 .IP \(bu 2
-output from \fIdatabase commands\fP
+output from database commands
 .IP \(bu 2
 replication activity
 .IP \(bu 2
@@ -137,6 +169,60 @@ Returns the \fBmongorestore\fP release number.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-uri <connectionString>
+New in version 3.4.6.
+
+.sp
+Specify a resolvable URI
+connection string for the \fBmongod\fP to which to
+connect.
+.sp
+The following is the standard
+URI connection scheme:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For detailed explanations of the components of this string, refer to
+the
+Connection String URI Format
+documentation.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+The following \fI\%mongorestore\fP options are incompatible with the
+\fB\-\-uri\fP option. Instead, specify these options as part of your
+\fB\-\-uri\fP connection string when applicable:
+.INDENT 0.0
+.IP \(bu 2
+\fB\-\-host\fP
+.IP \(bu 2
+\fB\-\-port\fP
+.IP \(bu 2
+\fB\-\-db\fP
+.IP \(bu 2
+\fB\-\-username\fP
+.IP \(bu 2
+\fB\-\-password\fP (when specifying the password as part of the
+URI connection string)
+.IP \(bu 2
+\fB\-\-authenticationDatabase\fP
+.IP \(bu 2
+\fB\-\-authenticationMechanism\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-host <hostname><:port>, \-h <hostname><:port>
 \fIDefault\fP: localhost:27017
 .sp
@@ -176,22 +262,16 @@ client connections.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-ipv6
-Enables IPv6 support and allows the \fBmongorestore\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-ssl
 New in version 2.6.
 
 .sp
 Enables connection to a \fBmongod\fP or \fBmongos\fP that has
-SSL support enabled.
+TLS/SSL support enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -203,23 +283,32 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
 \fBWARNING:\fP
 .INDENT 7.0
 .INDENT 3.5
-If the \fBmongo\fP shell or any other tool that connects to
-\fBmongos\fP or \fBmongod\fP is run without
-\fI\-\-sslCAFile\fP, it will not attempt to validate
-server certificates. This results in vulnerability to expired
-\fBmongod\fP and \fBmongos\fP certificates as well as to foreign
-processes posing as valid \fBmongod\fP or \fBmongos\fP
-instances. Ensure that you \fIalways\fP specify the CA file against which
-server certificates should be validated in cases where intrusion is a
-possibility.
+\fBVersion 3.2 and earlier:\fP For TLS/SSL connections (\fB\-\-ssl\fP) to
+\fBmongod\fP and \fBmongos\fP, if the \fBmongorestore\fP runs without the
+\fI\%\-\-sslCAFile\fP, \fBmongorestore\fP will not attempt
+to validate the server certificates. This creates a vulnerability
+to expired \fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid \fBmongod\fP or
+\fBmongos\fP instances. Ensure that you \fIalways\fP specify the
+CA file to validate the server certificates in cases where
+intrusion is a possibility.
 .UNINDENT
 .UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -227,17 +316,18 @@ possibility.
 New in version 2.6.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
-This option is required when using the \fI\-\-ssl\fP option to connect
+This option is required when using the \fI\%\-\-ssl\fP option to connect
 to a \fBmongod\fP or \fBmongos\fP that has
 \fBCAFile\fP enabled \fIwithout\fP
 \fBallowConnectionsWithoutCertificates\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -246,16 +336,17 @@ New in version 2.6.
 
 .sp
 Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
 certificate\-key file is encrypted. In all cases, the \fBmongorestore\fP will
 redact the password from all logging and reporting output.
 .sp
 If the private key in the PEM file is encrypted and you do not specify
-the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongorestore\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongorestore\fP will prompt for a passphrase. See
+ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -267,8 +358,9 @@ Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -281,8 +373,36 @@ the use of invalid certificates. When using the
 \fBallowInvalidCertificates\fP setting, MongoDB logs as a
 warning the use of the invalid certificate.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL connections to \fBmongod\fP and
+\fBmongos\fP, avoid using
+\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
+\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
+not possible.
+.sp
+If the \fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) runs with the
+\fB\-\-sslAllowInvalidCertificates\fP option, the
+\fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) will not attempt to validate
+the server certificates. This creates a vulnerability to expired
+\fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid
+\fBmongod\fP or \fBmongos\fP instances.
+.UNINDENT
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -290,9 +410,13 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates. Allows
-\fBmongorestore\fP to connect to MongoDB instances if the hostname their
+Disables the validation of the hostnames in TLS/SSL certificates. Allows
+\fBmongorestore\fP to connect to MongoDB instances even if the hostname in their
 certificates do not match the specified hostname.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -302,14 +426,14 @@ New in version 2.6.
 .sp
 Directs the \fBmongorestore\fP to use the FIPS mode of the installed OpenSSL
 library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+the \fI\%\-\-sslFIPSMode\fP option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -327,31 +451,36 @@ Specifies a password with which to authenticate to a MongoDB database
 that uses authentication. Use in conjunction with the \fB\-\-username\fP and
 \fB\-\-authenticationDatabase\fP options.
 .sp
-If you do not specify an argument for \fI\-\-password\fP, \fBmongorestore\fP will
-prompt interactively for a password on the console.
+Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongorestore\fP returns
+an error.
+
+.sp
+Changed in version 3.0.2: If you wish \fBmongorestore\fP to prompt the user
+for the password, pass the \fI\%\-\-username\fP option without
+\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
+as in \fB\-\-password ""\fP .
+
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationDatabase <dbname>
-New in version 2.4.
-
-.sp
-Specifies the database that holds the user\(aqs credentials.
+Specifies the database in which the user is created.
+See user\-authentication\-database\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationMechanism <name>
-\fIDefault\fP: MONGODB\-CR
-.sp
-New in version 2.4.
-
-.sp
-Changed in version 2.6: Added support for the \fBPLAIN\fP and \fBMONGODB\-X509\fP authentication
-mechanisms.
-
+\fIDefault\fP: SCRAM\-SHA\-1
 .sp
 Specifies the authentication mechanism the \fBmongorestore\fP instance uses to
 authenticate to the \fBmongod\fP or \fBmongos\fP\&.
+.sp
+Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
+Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
+.sp
+MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
+function (\fBSCRAM\-SHA\-256\fP).
+
 .TS
 center;
 |l|l|.
@@ -363,33 +492,47 @@ Description
 T}
 _
 T{
-MONGODB\-CR
+SCRAM\-SHA\-1
 T}	T{
-MongoDB challenge/response authentication.
+\fI\%RFC 5802\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-1
+hash function.
 T}
 _
 T{
-MONGODB\-X509
+SCRAM\-SHA\-256
 T}	T{
-MongoDB SSL certificate authentication.
+\fI\%RFC 7677\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-256
+hash function.
+.sp
+Requires featureCompatibilityVersion set to \fB4.0\fP\&.
+.sp
+New in version 4.0.
 T}
 _
 T{
-PLAIN
+MONGODB\-X509
 T}	T{
-External authentication using LDAP. You can also use \fBPLAIN\fP
-for authenticating in\-database users. \fBPLAIN\fP transmits
-passwords in plain text. This mechanism is available only in
-\fI\%MongoDB Enterprise\fP\&.
+MongoDB TLS/SSL certificate authentication.
 T}
 _
 T{
-GSSAPI
+GSSAPI (Kerberos)
 T}	T{
 External authentication using Kerberos. This mechanism is
 available only in \fI\%MongoDB Enterprise\fP\&.
 T}
 _
+T{
+PLAIN (LDAP SASL)
+T}	T{
+External authentication using LDAP. You can also use \fBPLAIN\fP
+for authenticating in\-database users. \fBPLAIN\fP transmits
+passwords in plain text. This mechanism is available only in
+\fI\%MongoDB Enterprise\fP\&.
+T}
+_
 .TE
 .UNINDENT
 .INDENT 0.0
@@ -398,7 +541,7 @@ _
 New in version 2.6.
 
 .sp
-Specify the name of the service using \fBGSSAPI/Kerberos\fP\&. Only required if the service does not use the
+Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
 default name of \fBmongodb\fP\&.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -409,7 +552,7 @@ This option is available only in MongoDB Enterprise.
 New in version 2.6.
 
 .sp
-Specify the hostname of a service using \fBGSSAPI/Kerberos\fP\&. \fIOnly\fP required if the hostname of a machine does
+Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
 not match the hostname resolved by DNS.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -424,7 +567,7 @@ creates new databases that correspond to the databases where data
 originated and data may be overwritten. Use this option to restore data
 into a MongoDB instance that already has data.
 .sp
-\fI\%\-\-db\fP does \fInot\fP control which \fIBSON\fP files
+\fI\%\-\-db\fP does \fInot\fP control which BSON files
 \fBmongorestore\fP restores. You must use the
 \fBmongorestore\fP \fI\%path option\fP to
 limit that restored data.
@@ -440,56 +583,217 @@ name.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-objcheck
-Forces \fBmongorestore\fP to validate all requests from clients
-upon receipt to ensure that clients never insert invalid documents into
-the database. For objects with a high degree of sub\-document nesting,
-\fI\-\-objcheck\fP can have a small impact on performance. You can set
-\fI\%\-\-noobjcheck\fP to disable object checking at run\-time.
+.B \-\-nsExclude <namespace pattern>
+New in version 3.4.
+
 .sp
-Changed in version 2.4: MongoDB enables \fI\-\-objcheck\fP by default, to prevent any
-client from inserting malformed or invalid BSON into a MongoDB
-database.
+Excludes the specified namespaces from the
+restore operation.
+.sp
+\fI\%\-\-nsExclude\fP accepts a \fInamespace pattern\fP as its argument. The namespace
+pattern permits \fI\%\-\-nsExclude\fP to refer to any namespace that matches the
+specified pattern. \fI\%mongorestore\fP matches the smallest valid occurence
+of the namespace pattern.
+.sp
+Use asterisks (\fB*\fP) as wild cards. Escape all literal asterisks
+and backslashes with a backslash. \fI\%Restore Collections Using Wild Cards\fP
+provides an example of using asterisks as wild cards.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-nsInclude <namespace pattern>
+New in version 3.4.
+
+.sp
+Includes only the specified namespaces in the
+restore operation.
+By enabling you to specify multiple collections to restore,
+\fI\%\-\-nsInclude\fP offers a superset of the functionality of the
+\fI\%\-\-collection\fP option.
+.sp
+\fI\%\-\-nsInclude\fP accepts a \fInamespace pattern\fP as its argument. The namespace
+pattern permits \fI\%\-\-nsInclude\fP to refer to any namespace that matches the
+specified pattern. \fI\%mongorestore\fP matches the smallest valid occurence
+of the namespace pattern.
+.sp
+Use asterisks (\fB*\fP) as wild cards. Escape all literal asterisks
+and backslashes with a backslash. \fI\%Restore Collections Using Wild Cards\fP
+provides an example of using asterisks as wild cards.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-nsFrom <namespace pattern>
+New in version 3.4.
 
+.sp
+Use with \fI\%\-\-nsTo\fP to rename a namespace during the
+restore operation. \fI\%\-\-nsFrom\fP specifies the collection in the
+dump file, while \fI\%\-\-nsTo\fP specifies the name that should be
+used in the restored database.
+.sp
+\fI\%\-\-nsFrom\fP accepts a \fInamespace pattern\fP as its argument. The namespace
+pattern permits \fI\%\-\-nsFrom\fP to refer to any namespace that matches the
+specified pattern. \fI\%mongorestore\fP matches the smallest valid occurence
+of the namespace pattern.
+.sp
+For simple replacements, use asterisks (\fB*\fP) as wild cards.
+Escape all literal asterisks and backslashes with a backslash.
+Replacements correspond linearly to matches: each asterisk in
+\fB\-\-nsFrom\fP must correspond to an asterisk in \fB\-\-nsTo\fP, and the
+first asterisk in \fB\-\-nsFrom\fP matches the first asterisk in \fBnsTo\fP\&.
+.sp
+For more complex replacements, use dollar signs to delimit a “wild
+card” variable to use in the replacement.
+\fI\%Change Collections’ Namespaces during Restore\fP provides an example of complex
+replacements with dollar sign\-delimited wild cards.
+.sp
+Unlike replacements with asterisks, replacements with dollar
+sign\-delimited wild cards do \fBnot\fP need to be linear.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-noobjcheck
-New in version 2.4.
+.B \-\-nsTo <namespace pattern>
+New in version 3.4.
 
 .sp
-Disables the default document validation that MongoDB performs on all
-incoming BSON documents.
+Use with \fI\%\-\-nsFrom\fP to rename a namespace during the
+restore operation. \fI\%\-\-nsTo\fP specifies the new collection
+name to use in the restored database, while
+\fI\%\-\-nsFrom\fP specifies the name in the dump file.
+.sp
+\fI\%\-\-nsTo\fP accepts a \fInamespace pattern\fP as its argument. The namespace
+pattern permits \fI\%\-\-nsTo\fP to refer to any namespace that matches the
+specified pattern. \fI\%mongorestore\fP matches the smallest valid occurence
+of the namespace pattern.
+.sp
+For simple replacements, use asterisks (\fB*\fP) as wild cards.
+Escape all literal asterisks and backslashes with a backslash.
+Replacements correspond linearly to matches: each asterisk in
+\fB\-\-nsFrom\fP must correspond to an asterisk in \fB\-\-nsTo\fP, and the
+first asterisk in \fB\-\-nsFrom\fP matches the first asterisk in \fBnsTo\fP\&.
+.sp
+For more complex replacements, use dollar signs to delimit a “wild
+card” variable to use in the replacement.
+\fI\%Change Collections’ Namespaces during Restore\fP provides an example of complex
+replacements with dollar sign\-delimited wild cards.
+.sp
+Unlike replacements with asterisks, replacements with dollar
+sign\-delimited wild cards do \fBnot\fP need to be linear.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-objcheck
+Forces \fBmongorestore\fP to validate all requests from clients
+upon receipt to ensure that clients never insert invalid documents into
+the database. For objects with a high degree of sub\-document nesting,
+\fI\%\-\-objcheck\fP can have a small impact on performance.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-drop
-Modifies the restoration procedure to drop every collection from the
-target database before restoring the collection from the dumped backup.
+Before restoring the collections from the dumped backup, drops the
+collections from the target database. \fI\%\-\-drop\fP does not drop
+collections that are not in the backup.
+.sp
+When the restore includes the \fBadmin\fP database, \fBmongorestore\fP with
+\fI\%\-\-drop\fP removes all user credentials and replaces them with the
+users defined in the dump file. Therefore, in systems with
+\fBauthorization\fP enabled, \fBmongorestore\fP must be able
+to authenticate to an existing user \fIand\fP to a user defined in the
+dump file. If \fBmongorestore\fP can’t authenticate to a user defined in the
+dump file, the restoration process will fail, leaving an empty
+database.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-dryRun
+New in version 3.4.
+
 .sp
-With \fI\%\-\-drop\fP specified, \fBmongorestore\fP removes all user
-credentials and replaces them with users defined in the dump
-file. Therefore, in systems with \fBauthorization\fP
-enabled, \fBmongorestore\fP must be able to authenticate to an existing
-user \fIand\fP to a user defined in the dump file. If \fBmongorestore\fP can\(aqt
-authenticate to a user defined in the dump file, the restoration
-process will fail, leaving an empty database.
+Runs \fBmongorestore\fP without actually importing any data, returning the
+\fBmongorestore\fP summary information. Use with \fB\-\-verbose\fP to produce
+more detailed summary information.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-oplogReplay
-Replays the \fIoplog\fP after restoring the dump to ensure that the
-current state of the database reflects the point\-in\-time backup captured
-with the "\fImongodump \-\-oplog\fP" command. For an example of
-\fI\%\-\-oplogReplay\fP, see \fIbackup\-restore\-oplogreplay\fP\&.
+After restoring the database dump, replays the oplog entries
+from a bson file.
+When used in conjunction with \fBmongodump \-\-oplog\fP,
+\fB~bin.mongorestore \-\-oplogReplay\fP
+restores the database to the point\-in\-time backup captured with the
+\fBmongodump \-\-oplog\fP command.
+.sp
+\fBmongorestore\fP searches for any valid source  for the bson file
+in the following locations:
+.INDENT 7.0
+.IP \(bu 2
+The top level of the dump directory, as in the case of a dump created
+with \fBmongodump \-\-oplog\fP\&.
+.IP \(bu 2
+The path specified by \fI\%\-\-oplogFile\fP\&.
+.IP \(bu 2
+\fB<dump\-directory>/local/oplog.rs.bson\fP, as in the case of a dump
+of the \fBoplog.rs\fP collection in the \fBlocal\fP database
+on a \fBmongod\fP that is a member of a replica set.
+.UNINDENT
+.sp
+If there is an \fBoplog.bson\fP file at the top level of the dump
+directory \fBand\fP a path specified by \fI\%\-\-oplogFile\fP,
+\fBmongorestore\fP returns an error.
+.sp
+If there is an \fBoplog.bson\fP file at the top level of the dump directory,
+\fBmongorestore\fP restores that file as the oplog. If there are also bson
+files in the \fBdump/local\fP directory, \fBmongorestore\fP restores them like
+normal collections.
+.sp
+If you specify an oplog file using \fI\%\-\-oplogFile\fP,
+\fBmongorestore\fP restores that file as the oplog. If there are also bson
+files in the \fBdump/local\fP directory, \fBmongorestore\fP restores them like
+normal collections.
+.sp
+For an example of \fI\%\-\-oplogReplay\fP, see backup\-restore\-oplogreplay\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+When using \fI\%mongorestore\fP with \fI\%\-\-oplogReplay\fP to restore
+a replica set, you must
+restore a full dump of a replica set member created
+using \fB~bin.mongodump \-\-oplog\fP\&.
+\fI\%mongorestore\fP with \fI\%\-\-oplogReplay\fP fails if you use any of
+the following options to limit the data be restored:
+.INDENT 0.0
+.IP \(bu 2
+\fI\%\-\-db\fP
+.IP \(bu 2
+\fI\%\-\-collection\fP
+.IP \(bu 2
+\fI\%\-\-nsInclude\fP
+.IP \(bu 2
+\fI\%\-\-nsExclude\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fI\%mongorestore Required Access\fP
+.UNINDENT
+.UNINDENT
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fBmongodump \-\-oplog\fP
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-oplogLimit <timestamp>
-New in version 2.2.
-
-.sp
-Prevents \fBmongorestore\fP from applying \fIoplog\fP entries
+Prevents \fBmongorestore\fP from applying oplog entries
 with timestamp newer than or equal to \fB<timestamp>\fP\&. Specify
 \fB<timestamp>\fP values in the form of \fB<time_t>:<ordinal>\fP, where
 \fB<time_t>\fP is the seconds since the UNIX epoch, and \fB<ordinal>\fP
@@ -501,6 +805,19 @@ You must use \fI\%\-\-oplogLimit\fP in conjunction with the
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-oplogFile <path>
+New in version 3.4.
+
+.sp
+Specifies the path to the oplog file containing oplog data for the
+restore. Use with \fI\%\-\-oplogReplay\fP\&.
+.sp
+If you specify \fI\%\-\-oplogFile\fP and there is an \fBoplog.bson\fP
+file at the top level of the dump directory, \fBmongorestore\fP returns an
+error.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-keepIndexVersion
 Prevents \fBmongorestore\fP from upgrading the index to the latest
 version during the restoration process.
@@ -508,49 +825,32 @@ version during the restoration process.
 .INDENT 0.0
 .TP
 .B \-\-noIndexRestore
-New in version 2.2.
-
-.sp
 Prevents \fBmongorestore\fP from restoring and building indexes as
 specified in the corresponding \fBmongodump\fP output.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-noOptionsRestore
-New in version 2.2.
-
-.sp
 Prevents \fBmongorestore\fP from setting the collection options,
-such as those specified by the \fBcollMod\fP \fIdatabase
-command\fP, on restored collections.
+such as those specified by the \fBcollMod\fP database
+command, on restored collections.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-restoreDbUsersAndRoles
 Restore user and role definitions for the given database. See
-http://docs.mongodb.org/manual/reference/system\-roles\-collection and
-http://docs.mongodb.org/manual/reference/system\-users\-collection for more information.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-w <number of replicas per write>
-New in version 2.2.
-
-.sp
-Specifies the \fIwrite concern\fP for each write operation that
-\fBmongorestore\fP writes to the target database. By default,
-\fBmongorestore\fP does not wait for a response for \fIwrite
-acknowledgment\fP\&.
+/reference/system\-roles\-collection and
+/reference/system\-users\-collection for more information.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-writeConcern <document>
 \fIDefault\fP: majority
 .sp
-Specifies the \fIwrite concern\fP for each write operation that \fBmongorestore\fP
+Specifies the write concern for each write operation that \fBmongorestore\fP
 writes to the target database.
 .sp
-Specify the write concern as a document with \fIw options\fP\&.
+Specify the write concern as a document with w options\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -568,6 +868,57 @@ perform the insertions in an arbitrary order.
 .sp
 Number of collections \fBmongorestore\fP should restore
 in parallel.
+.sp
+If you specify \fB\-j\fP when restoring a \fIsingle\fP collection, \fB\-j\fP
+maps to the \fI\%\-\-numInsertionWorkersPerCollection\fP option rather than
+\fI\%\-\-numParallelCollections\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-numInsertionWorkersPerCollection int
+\fIDefault\fP: 1
+.sp
+New in version 3.0.0.
+
+.sp
+Specifies the number of insertion workers to run concurrently per collection.
+.sp
+For large imports, increasing the number of insertion workers
+may increase the speed of the import.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-stopOnError
+New in version 3.0.
+
+.sp
+Forces \fBmongorestore\fP to halt the restore when it encounters an
+error.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-bypassDocumentValidation
+Enables \fBmongorestore\fP to bypass document validation
+during the operation. This lets you insert documents that do not
+meet the validation requirements.
+.sp
+New in version 3.2.1.
+
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-gzip
+New in version 3.2.
+
+.sp
+Restores from compressed files or data stream created by
+\fB~bin.mongodump \-\-archive\fP
+.sp
+To restore from a dump directory that contains compressed files, run
+\fI\%mongorestore\fP with the new \fB\-\-gzip\fP option.
+.sp
+To restore from a compressed archive file, run \fI\%mongorestore\fP with
+the \fB\-\-gzip\fP option in conjunction with the \fB\-\-archive\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -575,19 +926,51 @@ in parallel.
 The final argument of the \fBmongorestore\fP command is a
 directory path. This argument specifies the location of the
 database dump from which to restore.
+.sp
+You cannot specify both the \fB<path>\fP argument and the \fB\-\-dir\fP
+option, which also specifies the dump directory, to \fBmongorestore\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-archive <=file|null>
+New in version 3.2.
+
+.sp
+Restores from an archive file or from the standard input (\fBstdin\fP).
+.sp
+To restore from an archive file, run \fBmongorestore\fP with the \fB\-\-archive\fP
+option and the archive filename.
+.sp
+To restore from the standard input, run \fBmongorestore\fP with the
+\fB\-\-archive\fP option but \fIomit\fP the filename.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.IP \(bu 2
+You cannot use the \fB\-\-archive\fP option with the \fB\-\-dir\fP option.
+.IP \(bu 2
+\fBmongorestore\fP still supports the positional \fB\-\fP parameter to
+restore a \fIsingle\fP collection from the standard input.
+.UNINDENT
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-dir string
 Specifies the dump directory.
+.INDENT 7.0
+.IP \(bu 2
+You cannot specify both the \fB\-\-dir\fP option and the \fB<path>\fP
+argument, which also specifies the dump directory, to \fBmongorestore\fP\&.
+.IP \(bu 2
+You cannot use the \fB\-\-archive\fP option with the \fB\-\-dir\fP option.
 .UNINDENT
-.SH USE
-.sp
-See http://docs.mongodb.org/manual/tutorial/backup\-with\-mongodump
-for a larger overview of \fBmongorestore\fP
-usage. Also see the \fBmongodump\fP document for an overview of the
-\fBmongodump\fP, which provides the related inverse
-functionality.
+.UNINDENT
+.SH EXAMPLES
+.SS Restore a Collection
 .sp
 Consider the following example:
 .INDENT 0.0
@@ -595,43 +978,216 @@ Consider the following example:
 .sp
 .nf
 .ft C
-mongorestore \-\-collection people \-\-db accounts dump/accounts/people.bson
+mongorestore \-\-collection people \-\-db accounts dump/
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
-Here, \fBmongorestore\fP reads the database dump in the \fBdump/\fP
+Here, \fI\%mongorestore\fP reads the database dump in the \fBdump/\fP
 sub\-directory of the current directory, and restores \fIonly\fP the
 documents in the collection named \fBpeople\fP from the database named
-\fBaccounts\fP\&. \fBmongorestore\fP restores data to the instance
+\fBaccounts\fP\&. \fI\%mongorestore\fP restores data to the instance
 running on the localhost interface on port \fB27017\fP\&.
 .sp
-In the final example, \fBmongorestore\fP restores a database
-dump located at \fB/opt/backup/mongodump\-2011\-10\-24\fP, to a database
-running on port \fB37017\fP on the host
-\fBmongodb1.example.net\fP\&. The \fBmongorestore\fP command authenticates to
-the MongoDB instance using the username \fBuser\fP and the
-password \fBpass\fP, as follows:
+New in version 3.4.
+
+.sp
+You may alternatively use \fI\%\-\-nsInclude\fP to specify the canonical name of the collection that you
+wish to restore rather than \fI\%\-\-collection\fP\&. \fI\%\-\-nsInclude\fP
+enables you to specify the namespace of one or more collections
+that you wish to include in the restore operation. The following
+example restores the \fBpeople\fP collection from the \fBaccounts\fP
+database in the \fBdump/\fP sub\-directory of the current directory:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-nsInclude accounts.people dump/
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Restore Collections Using Wild Cards
+.sp
+New in version 3.4.
+
+.sp
+\fI\%\-\-nsInclude\fP and
+\fI\%\-\-nsExclude\fP support specifying the
+namespaces you wish to include or exclude from a
+restore operation using asterisks as \fIwild cards\fP\&.
+.sp
+The following example restores the documents in the \fBdump/\fP
+sub\-directory of the current directory that match the specified
+namespace pattern. The \fI\%\-\-nsInclude\fP
+statement specifies to only restore documents in the \fBtransactions\fP
+database while \fI\%\-\-nsExclude\fP
+instructs \fI\%mongorestore\fP to exclude collections whose
+names end with \fB_dev\fP\&. \fI\%mongorestore\fP restores data to
+the \fBmongod\fP instance running on the localhost interface
+on port \fB27017\fP\&.
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-mongorestore \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password pass /opt/backup/mongodump\-2011\-10\-24
+mongorestore \-\-nsInclude \(aqtransactions.*\(aq \-\-nsExclude \(aqtransactions.*_dev\(aq dump/
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
+.SS Change Collections’ Namespaces during Restore
 .sp
-You can also \fIpipe\fP data directly into to \fBmongorestore\fP
+New in version 3.4.
+
+.sp
+MongoDB 3.4 added the \fI\%\-\-nsFrom\fP and
+\fI\%\-\-nsTo\fP options, which enable you to
+change the namespace of a collection that you are restoring.
+\fI\%\-\-nsFrom\fP and \fI\%\-\-nsTo\fP support using asterisks as wild cards \fIand\fP
+support using dollar signs to delimit “wild card” variables to use in
+the replacement.
+.sp
+Consider a database \fBdata\fP that you have exported to a \fBdump/\fP
+directory using \fBmongodump\fP\&. The \fBdata\fP database
+contains the following collections:
+.INDENT 0.0
+.IP \(bu 2
+\fBsales_customer1\fP
+.IP \(bu 2
+\fBsales_customer2\fP
+.IP \(bu 2
+\fBsales_customer3\fP
+.IP \(bu 2
+\fBusers_customer1\fP
+.IP \(bu 2
+\fBusers_customer2\fP
+.IP \(bu 2
+\fBusers_customer3\fP
+.UNINDENT
+.sp
+Using \fI\%\-\-nsFrom\fP and \fI\%\-\-nsTo\fP, you can restore the data into different
+namespaces. The following operation
+.INDENT 0.0
+.IP \(bu 2
+restores the \fBsales_<customerName>\fP collections in the \fBdata\fP
+database to \fBsales\fP collections in the \fB<customerName>\fP database,
+and
+.IP \(bu 2
+restores the \fBusers_<customerName>\fP collections to \fBusers\fP
+collections in the \fB<customerName>\fP database.
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-nsInclude \(aqdata.*\(aq \-\-nsFrom \(aqdata.$prefix$_$customer$\(aq \-\-nsTo \(aq$customer$.$prefix$\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Restore with Access Control
+.sp
+In the following example, \fI\%mongorestore\fP restores a
+database dump located at \fB/opt/backup/mongodump\-2011\-10\-24\fP, to a
+database running on port \fB37017\fP on the host
+\fBmongodb1.example.net\fP\&. The \fI\%mongorestore\fP command
+authenticates to the MongoDB instance using the username \fBuser\fP and
+the password \fBpass\fP, as follows:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-host mongodb1.example.net \-\-port 37017 \-\-username user \-\-password "pass" /opt/backup/mongodump\-2011\-10\-24
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Restore a Collection from Standard Input
+.sp
+You can also \fIpipe\fP data directly into to \fI\%mongorestore\fP
 through standard input, as in the following example:
 .INDENT 0.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-zcat /opt/backup/mongodump\-2014\-12\-03/accounts.people.bson.gz | mongorestore \-\-collection people \-\-db accounts
+zcat /opt/backup/mongodump\-2014\-12\-03/accounts.people.bson.gz | mongorestore \-\-collection people \-\-db accounts \-
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Restore a Database from an Archive File
+.sp
+New in version 3.2.
+
+.sp
+To restore from an archive file, run \fBrestore\fP with the new
+\fB\-\-archive\fP option and the archive filename. For example, the
+following operation restores the \fBtest\fP database from the file
+\fBtest.20150715.archive\fP\&.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-archive=test.20150715.archive \-\-db test
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Restore a Database from Standard Input
+.sp
+New in version 3.2.
+
+.sp
+To restore from the standard input, run \fI\%mongorestore\fP
+with the \fBarchive\fP option but \fIomit\fP the filename. For example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodump \-\-archive \-\-db test \-\-port 27017 | mongorestore \-\-archive \-\-port 27018
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Restore from Compressed Data
+.sp
+New in version 3.2: With the \fB\-\-gzip\fP option, \fI\%mongorestore\fP can restore from
+compressed files or data stream created by \fBmongodump\fP\&.
+
+.sp
+To restore from a dump directory that contains compressed files, run
+\fI\%mongorestore\fP with the new \fB\-\-gzip\fP option. For
+example, the following operation restores the \fBtest\fP database from
+the compressed files located in the default \fBdump\fP directory:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-gzip \-\-db test
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+To restore from a compressed archive file, run \fI\%mongorestore\fP
+with the \fB\-\-gzip\fP option in conjunction with the new \fB\-\-archive\fP
+option. For example, the following operation restores the \fBtest\fP
+database from the archive file \fBtest.20150715.gz\fP\&.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongorestore \-\-gzip \-\-archive=test.20150715.gz \-\-db test
 .ft P
 .fi
 .UNINDENT
@@ -639,6 +1195,6 @@ zcat /opt/backup/mongodump\-2014\-12\-03/accounts.people.bson.gz | mongorestore
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongos.1 b/debian/mongos.1
index 6284a666473..72fb11495e8 100644
--- a/debian/mongos.1
+++ b/debian/mongos.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGOS" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGOS" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongos \- MongoDB Sharded Cluster Query Router
 .
@@ -30,26 +30,40 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Considerations\fP
+.IP \(bu 2
+\fI\%Options\fP
+.UNINDENT
 .SH SYNOPSIS
 .sp
-\fBmongos\fP for "MongoDB Shard," is a routing service for
+\fI\%mongos\fP for “MongoDB Shard,” is a routing service for
 MongoDB shard configurations that processes queries from the
 application layer, and determines the location of this data in the
-\fIsharded cluster\fP, in order to complete these operations.
+sharded cluster, in order to complete these operations.
 From the perspective of the application, a
-\fBmongos\fP instance behaves identically to any other MongoDB
+\fI\%mongos\fP instance behaves identically to any other MongoDB
 instance.
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Starting in version 4.0, MongoDB disables support for TLS 1.0
+encryption on systems where TLS 1.1+ is available. For
+more details, see 4.0\-disable\-tls\&.
+.UNINDENT
+.UNINDENT
 .SH CONSIDERATIONS
 .sp
-Never change the name of the \fBmongos\fP binary.
+Never change the name of the \fI\%mongos\fP binary.
 .SH OPTIONS
 .SS Core Options
 .INDENT 0.0
 .TP
-.B mongos
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-help, \-h
 Returns information on the options and use of \fBmongos\fP\&.
 .UNINDENT
@@ -64,7 +78,7 @@ Returns the \fBmongos\fP release number.
 Specifies a configuration file for runtime configuration options. The
 configuration file is the preferred method for runtime configuration of
 \fBmongos\fP\&. The options are equivalent to the command\-line
-configuration options. See http://docs.mongodb.org/manual/reference/configuration\-options for
+configuration options. See /reference/configuration\-options for
 more information.
 .sp
 Ensure the configuration file uses ASCII encoding. The \fBmongos\fP
@@ -81,13 +95,13 @@ including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .INDENT 0.0
 .TP
 .B \-\-quiet
-Runs the \fBmongos\fP in a quiet mode that attempts to limit the amount
+Runs \fBmongos\fP in a quiet mode that attempts to limit the amount
 of output.
 .sp
 This option suppresses:
 .INDENT 7.0
 .IP \(bu 2
-output from \fIdatabase commands\fP
+output from database commands
 .IP \(bu 2
 replication activity
 .IP \(bu 2
@@ -107,44 +121,132 @@ client connections.
 .INDENT 0.0
 .TP
 .B \-\-bind_ip <ip address>
-\fIDefault\fP: All interfaces.
+\fIDefault\fP: localhost
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 3.6, \fBmongos\fP bind to localhost
+(\fB127.0.0.1\fP) by default. See 3.6\-bind\-to\-localhost\&.
+.UNINDENT
+.UNINDENT
+.sp
+The IP addresses and/or full Unix domain socket paths on which
+\fBmongos\fP should listen for client connections. You may attach
+\fBmongos\fP to any interface. To bind to multiple addresses, enter a
+list of comma\-separated values.
+.INDENT 7.0
+.INDENT 3.5
+.SS Example
 .sp
-Changed in version 2.6.0: The \fBdeb\fP and \fBrpm\fP packages include a default
-configuration file that sets \fI\%\-\-bind_ip\fP to \fB127.0.0.1\fP\&.
+\fBlocalhost,/tmp/mongod.sock\fP
+.UNINDENT
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Before you bind to other ip addresses, consider enabling
+access control and other security measures listed
+in /administration/security\-checklist to prevent unauthorized
+access.
+.UNINDENT
+.UNINDENT
+.sp
+To bind to all IPv4 addresses, enter \fB0.0.0.0\fP\&.
+.sp
+To bind to all IPv4 and IPv6 addresses, enter \fB0.0.0.0,::\fP
+or alternatively, use the \fBnet.bindIpAll\fP setting.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive. That
+is, you can specify one or the other, but not both.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-bind_ip_all
+New in version 3.6.
 
 .sp
-Specifies the IP address that \fBmongos\fP binds to in order to listen
-for connections from applications. You may attach \fBmongos\fP to any
-interface. When attaching \fBmongos\fP to a publicly accessible
-interface, ensure that you have implemented proper authentication and
-firewall restrictions to protect the integrity of your database.
+If specified, the \fBmongos\fP instance binds to all ip addresses. When
+attaching \fBmongos\fP to a publicly accessible interface, ensure
+that you have implemented proper authentication and firewall
+restrictions to protect the integrity of your database.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Before you bind to other ip addresses, consider enabling
+access control and other security measures listed
+in /administration/security\-checklist to prevent unauthorized
+access.
+.UNINDENT
+.UNINDENT
+.sp
+Alternatively, you can set the \fB\-\-bind_ip\fP option to
+\fB0.0.0.0,::\fP to bind to all IP addresses.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+\fB\-\-bind_ip\fP and \fB\-\-bind_ip_all\fP are mutually exclusive. That
+is, you can specify one or the other, but not both.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-maxConns <number>
-Specifies the maximum number of simultaneous connections that
-\fBmongos\fP will accept. This setting will have no effect if the
-value of this setting is higher than your operating system\(aqs configured
-maximum connection tracking threshold.
+The maximum number of simultaneous connections that \fBmongos\fP will
+accept. This setting has no effect if it is higher than your operating
+system’s configured maximum connection tracking threshold.
+.sp
+Do not assign too low of a value to this option, or you will
+encounter errors during normal application operation.
 .sp
-This setting is particularly useful for \fBmongos\fP if you
-have a client that creates a number of connections but allows them
-to timeout rather than close the connections. When you set
-\fBmaxIncomingConnections\fP, ensure the value is slightly
-higher than the size of the connection pool or the total number of
-connections to prevent erroneous connection spikes from propagating
-to the members of a \fIsharded cluster\fP\&.
+This is particularly useful for a \fI\%mongos\fP if you have a client
+that creates multiple connections and allows them to timeout rather
+than closing them.
 .sp
-Changed in version 2.6: MongoDB removed the upward limit on the \fBmaxIncomingConnections\fP setting.
+In this case, set \fBmaxIncomingConnections\fP to a value slightly
+higher than the maximum number of connections that the client creates, or the
+maximum size of the connection pool.
+.sp
+This setting prevents the \fI\%mongos\fP from causing connection spikes on
+the individual shards\&. Spikes like these may disrupt the
+operation and memory allocation of the sharded cluster\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Changed in version 2.6: MongoDB removed the upward limit on the \fBmaxIncomingConnections\fP
+setting.
 
 .UNINDENT
+.UNINDENT
+.UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-syslog
-Sends all logging output to the host\(aqs \fIsyslog\fP system rather
+Sends all logging output to the host’s syslog system rather
 than to standard output or to a log file. , as with \fI\%\-\-logpath\fP\&.
 .sp
 The \fI\%\-\-syslog\fP option is not supported on Windows.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+The \fBsyslog\fP daemon generates timestamps when it logs a message, not
+when MongoDB issues the message. This can lead to misleading timestamps
+for log entries, especially when the system is under heavy load. We
+recommend using the \fI\%\-\-logpath\fP option for production systems to
+ensure accurate timestamps.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -153,24 +255,68 @@ The \fI\%\-\-syslog\fP option is not supported on Windows.
 .sp
 Specifies the facility level used when logging messages to syslog.
 The value you specify must be supported by your
-operating system\(aqs implementation of syslog. To use this option, you
-must enable the \fI\%\-\-syslog\fP option.
+operating system’s implementation of syslog. To use this option, you
+must  enable the \fI\%\-\-syslog\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-logpath <path>
 Sends all diagnostic logging information to a log file instead of to
-standard output or to the host\(aqs \fIsyslog\fP system. MongoDB creates
+standard output or to the host’s syslog system. MongoDB creates
 the log file at the path you specify.
 .sp
-By default, MongoDB overwrites the log file when the process restarts.
-To instead append to the log file, set the \fI\%\-\-logappend\fP option.
+By default, MongoDB will move any existing log file rather than overwrite
+it. To instead append to the log file, set the \fI\%\-\-logappend\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-logappend
-Appends new entries to the end of the log file rather than overwriting
-the content of the log when the \fBmongos\fP instance restarts.
+Appends new entries to the end of the existing log file when the \fBmongos\fP
+instance restarts. Without this option, \fBmongod\fP will back up the
+existing log and create a new file.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-redactClientLogData
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+A \fBmongos\fP running with \fI\%\-\-redactClientLogData\fP redacts any message accompanying a given
+log event before logging. This prevents the \fBmongos\fP from writing
+potentially sensitive data stored on the database to the diagnostic log.
+Metadata such as error or operation codes, line numbers, and source file
+names are still visible in the logs.
+.sp
+Use \fI\%\-\-redactClientLogData\fP in conjunction with encryption to assist compliance with regulatory
+requirements.
+.sp
+For example, a MongoDB deployment might store Personally Identifiable
+Information (PII) in one or more collections. The \fBmongos\fP logs events
+such as those related to CRUD operations, sharding metadata, etc. It is
+possible that the \fBmongos\fP may expose PII as a part of these logging
+operations. A \fBmongos\fP running with \fI\%\-\-redactClientLogData\fP removes any message
+accompanying these events before being output to the log, effectively
+removing the PII.
+.sp
+Diagnostics on a \fBmongos\fP running with \fI\%\-\-redactClientLogData\fP may be more difficult
+due to the lack of data related to a log event. See the
+process logging manual page for an
+example of the effect of \fI\%\-\-redactClientLogData\fP on log output.
+.sp
+You can enable or disable log redaction on a running \fBmongos\fP
+using the \fBsetParameter\fP database command.
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+db.adminCommand(
+  { setParameter: 1, redactClientLogData : true | false }
+)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -209,7 +355,7 @@ T{
 T}	T{
 Displays timestamps in local time in the ISO\-8601
 format. For example, for New York at the start of the Epoch:
-\fB1969\-12\-31T19:00:00.000+0500\fP
+\fB1969\-12\-31T19:00:00.000\-0500\fP
 T}
 _
 .TE
@@ -219,8 +365,8 @@ _
 .B \-\-pidfilepath <path>
 Specifies a file location to hold the process ID of the \fBmongos\fP
 process where \fBmongos\fP will write its PID. This is useful for
-tracking the \fBmongos\fP process in combination with the
-\fI\%\-\-fork\fP option. Without a specified \fI\%\-\-pidfilepath\fP option, the
+tracking the \fBmongos\fP process in combination with
+the \fI\%\-\-fork\fP option. Without a specified \fI\%\-\-pidfilepath\fP option, the
 process creates no PID file.
 .UNINDENT
 .INDENT 0.0
@@ -228,53 +374,35 @@ process creates no PID file.
 .B \-\-keyFile <file>
 Specifies the path to a key file that stores the shared secret
 that MongoDB instances use to authenticate to each other in a
-\fIsharded cluster\fP or \fIreplica set\fP\&. \fI\%\-\-keyFile\fP implies
-\fI\-\-auth\fP\&. See \fIinter\-process\-auth\fP for more
+sharded cluster or replica set\&. \fI\%\-\-keyFile\fP implies
+\fBclient authorization\fP\&. See inter\-process\-auth for more
 information.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-setParameter <options>
 Specifies one of the MongoDB parameters described in
-http://docs.mongodb.org/manual/reference/parameters\&. You can specify multiple \fBsetParameter\fP
+/reference/parameters\&. You can specify multiple \fBsetParameter\fP
 fields.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-httpinterface
-New in version 2.6.
-
-.sp
-Enables the HTTP interface. Enabling the interface can increase
-network exposure.
-.sp
-Leave the HTTP interface \fIdisabled\fP for production deployments. If you
-\fIdo\fP enable this interface, you should only allow trusted clients to
-access this port. See \fIsecurity\-firewalls\fP\&.
-.sp
-\fBNOTE:\fP
-.INDENT 7.0
-.INDENT 3.5
-In MongoDB Enterprise, the HTTP Console does not support Kerberos
-Authentication.
-.UNINDENT
-.UNINDENT
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-nounixsocket
-Disables listening on the UNIX domain socket. The \fBmongos\fP process
+Disables listening on the UNIX domain socket. \fI\%\-\-nounixsocket\fP applies only
+to Unix\-based systems.
+.sp
+The \fBmongos\fP process
 always listens on the UNIX socket unless one of the following is true:
 .INDENT 7.0
 .IP \(bu 2
 \fI\%\-\-nounixsocket\fP is set
 .IP \(bu 2
-\fBbindIp\fP is not set
+\fBnet.bindIp\fP is not set
 .IP \(bu 2
-\fBbindIp\fP does not specify \fB127.0.0.1\fP
+\fBnet.bindIp\fP does not specify \fB127.0.0.1\fP
 .UNINDENT
 .sp
-New in version 2.6: \fBmongos\fP installed from official \fB\&.deb\fP and \fB\&.rpm\fP packages
+New in version 2.6: \fBmongos\fP installed from official \&.deb and \&.rpm packages
 have the \fBbind_ip\fP configuration set to \fB127.0.0.1\fP by
 default.
 
@@ -284,152 +412,283 @@ default.
 .B \-\-unixSocketPrefix <path>
 \fIDefault\fP: /tmp
 .sp
-The path for the UNIX socket. If this option has no value, the
+The path for the UNIX socket. \fI\%\-\-unixSocketPrefix\fP applies only
+to Unix\-based systems.
+.sp
+If this option has no value, the
 \fBmongos\fP process creates a socket with \fB/tmp\fP as a prefix. MongoDB
 creates and listens on a UNIX socket unless one of the following is true:
 .INDENT 7.0
 .IP \(bu 2
+\fBnet.unixDomainSocket.enabled\fP is \fBfalse\fP
+.IP \(bu 2
 \fI\%\-\-nounixsocket\fP is set
 .IP \(bu 2
-\fBbindIp\fP is not set
+\fBnet.bindIp\fP is not set
 .IP \(bu 2
-\fBbindIp\fP does not specify \fB127.0.0.1\fP
+\fBnet.bindIp\fP does not specify \fB127.0.0.1\fP
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-filePermissions <path>
+\fIDefault\fP: \fB0700\fP
+.sp
+Sets the permission for the UNIX domain socket file.
+.sp
+\fI\%\-\-filePermissions\fP applies only to Unix\-based systems.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-fork
-Enables a \fIdaemon\fP mode that runs the \fBmongos\fP process in the
+Enables a daemon mode that runs the \fBmongos\fP process in the
 background. By default \fBmongos\fP does not run as a daemon:
 typically you will run \fBmongos\fP as a daemon, either by using
 \fI\%\-\-fork\fP or by using a controlling process that handles the
 daemonization process (e.g. as with \fBupstart\fP and \fBsystemd\fP).
 .UNINDENT
-.SS Sharded Cluster Options
 .INDENT 0.0
 .TP
-.B \-\-configdb <config1>,<config2>,<config3>
-Specifies the \fIconfiguration database\fP for the
-\fIsharded cluster\fP\&. You must specify either 1 or 3
-configuration servers, in a comma separated list. \fBAlways\fP use 3
-config servers in production environments.
+.B \-\-transitionToAuth
+New in version 3.4: Allows the \fBmongos\fP to accept and create authenticated and
+non\-authenticated connections to and from other \fBmongod\fP
+and \fI\%mongos\fP instances in the deployment. Used for
+performing rolling transition of replica sets or sharded clusters
+from a no\-auth configuration to internal authentication\&. Requires specifying a internal
+authentication mechanism such as
+\fI\%\-\-keyFile\fP\&.
+
 .sp
-All \fBmongos\fP instances \fBmust\fP specify the exact same value for
-\fI\%\-\-configdb\fP
+For example, if using keyfiles for
+internal authentication, the \fBmongos\fP creates
+an authenticated connection with any \fBmongod\fP or \fI\%mongos\fP
+in the deployment using a matching keyfile. If the security mechanisms do
+not match, the \fBmongos\fP utilizes a non\-authenticated connection instead.
 .sp
-If your configuration databases reside in more that one data center,
-order the hosts so that first config sever in the list is the closest to the
-majority of your \fBmongos\fP instances.
+A \fBmongos\fP running with \fI\%\-\-transitionToAuth\fP does not enforce user access
+controls\&. Users may connect to your deployment without any
+access control checks and perform read, write, and administrative operations.
 .sp
-\fBWARNING:\fP
+\fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-Never remove a config server from this setting, even if the config
-server is not available or offline.
+A \fBmongos\fP running with internal authentication and \fIwithout\fP \fI\%\-\-transitionToAuth\fP requires clients to connect
+using user access controls\&. Update clients to
+connect to the \fBmongos\fP using the appropriate user
+prior to restarting \fBmongos\fP without \fI\%\-\-transitionToAuth\fP\&.
 .UNINDENT
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-localThreshold
-\fIDefault\fP: 15
+.B \-\-networkMessageCompressors <string>
+New in version 3.4.
+
 .sp
-Affects the logic that \fBmongos\fP uses when selecting
-\fIreplica set\fP members to pass read operations from clients.
-Specify a value in milliseconds. The default value of \fB15\fP
-corresponds to the default value in all of the client \fBdrivers\fP\&.
+Changed in version 3.6: Add support for zlib compressor.
+
 .sp
-When \fBmongos\fP receives a request that permits reads to
-\fIsecondary\fP members, the \fBmongos\fP will:
+Enables network compression for communication between this
+\fBmongos\fP instance and:
 .INDENT 7.0
 .IP \(bu 2
-Find the member of the set with the lowest ping time.
+other members of the sharded cluster
 .IP \(bu 2
-Construct a list of replica set members that is within a ping time of
-15 milliseconds of the nearest suitable member of the set.
+a \fBmongo\fP shell.
+.UNINDENT
 .sp
-If you specify a value for the \fI\%\-\-localThreshold\fP option, \fBmongos\fP will
-construct the list of replica members that are within the latency
-allowed by this value.
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+Messages are compressed when both parties enable network
+compression. Otherwise, messages between the parties are
+uncompressed.
+.UNINDENT
+.UNINDENT
+.sp
+You can specify the following compressors:
+.INDENT 7.0
 .IP \(bu 2
-Select a member to read from at random from this list.
+snappy (Default)
+.IP \(bu 2
+zlib
 .UNINDENT
 .sp
-The ping time used for a member compared by the \fI\%\-\-localThreshold\fP setting is a
-moving average of recent ping times, calculated at most every 10
-seconds. As a result, some queries may reach members above the threshold
-until the \fBmongos\fP recalculates the average.
+If you specify multiple compressors, then the order in which you list
+the compressors matter as well as the communication initiator. For
+example, if a \fBmongo\fP shell specifies the following network
+compressors \fBzlib,snappy\fP and the \fBmongod\fP specifies
+\fBsnappy,zlib\fP, messages between \fBmongo\fP shell and
+\fBmongod\fP uses \fBzlib\fP\&.
 .sp
-See the \fIreplica\-set\-read\-preference\-behavior\-member\-selection\fP
-section of the \fBread preference\fP
-documentation for more information.
+If the parties do not share at least one common compressor, messages
+between the parties are uncompressed. For example, if a
+\fBmongo\fP shell specifies the network compressor
+\fBzlib\fP and \fBmongod\fP specifies \fBsnappy\fP, messages
+between \fBmongo\fP shell and \fBmongod\fP are not compressed.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-upgrade
-Updates the meta data format used by the \fIconfig database\fP\&.
+.B \-\-serviceExecutor <string>
+\fIDefault\fP: synchronous
+.sp
+New in version 3.6.
+
+.sp
+Determines the threading and execution model \fBmongos\fP uses to
+execute client requests. The \fB\-\-serviceExecutor\fP option accepts one
+of the following values:
+.TS
+center;
+|l|l|.
+_
+T{
+Value
+T}	T{
+Description
+T}
+_
+T{
+\fBsynchronous\fP
+T}	T{
+The \fBmongos\fP uses synchronous networking and manages its
+networking thread pool on a per connection basis. Previous
+versions of MongoDB managed threads in this way.
+T}
+_
+T{
+\fBadaptive\fP
+T}	T{
+The \fBmongos\fP uses the new experimental asynchronous
+networking mode with an adaptive thread pool which manages
+threads on a per request basis. This mode should have more
+consistent performance and use less resources when there are
+more inactive connections than database requests.
+T}
+_
+.TE
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-chunkSize <value>
-\fIDefault\fP: 64
-.sp
-Determines the size in megabytes of each \fIchunk\fP in the
-\fIsharded cluster\fP\&. A size of 64 megabytes is ideal in most
-deployments: larger chunk size can lead to uneven data distribution;
-smaller chunk size can lead to inefficient movement of chunks between
-nodes.
+.B \-\-timeZoneInfo <path>
+The full path from which to load the time zone database. If this option
+is not provided, then MongoDB will use its built\-in time zone database.
+.sp
+The configuration file included with Linux and macOS packages sets the time
+zone database path to \fB/usr/share/zoneinfo\fP by default.
+.sp
+The built\-in time zone database is a copy of the \fI\%Olson/IANA time zone
+database\fP\&. It is updated along with MongoDB
+releases, but the release cycle of the time zone database differs from the
+release cycle of MongoDB. A copy of the most recent release of the time zone
+database can be downloaded from
+\fI\%https://downloads.mongodb.org/olson_tz_db/timezonedb\-latest.zip\fP\&.
+.INDENT 7.0
+.INDENT 3.5
 .sp
-This option affects chunk size \fIonly\fP when you initialize the cluster
-for the first time. If you later modify the option, the new value has no
-effect. See the http://docs.mongodb.org/manual/tutorial/modify\-chunk\-size\-in\-sharded\-cluster
-procedure if you need to change the chunk size on an existing sharded
-cluster.
+.nf
+.ft C
+wget https://downloads.mongodb.org/olson_tz_db/timezonedb\-latest.zip
+unzip timezonedb\-latest.zip
+mongos \-\-timeZoneInfo timezonedb\-2017b/
+.ft P
+.fi
+.UNINDENT
 .UNINDENT
+.UNINDENT
+.SS Sharded Cluster Options
 .INDENT 0.0
 .TP
-.B \-\-noAutoSplit
-Prevents \fBmongos\fP from automatically inserting metadata splits
-in a \fIsharded collection\fP\&. If set on all
-\fBmongos\fP instances, this prevents MongoDB from creating new
-chunks as the data in a collection grows.
+.B \-\-configdb <replicasetName>/<config1>,<config2>...
+Changed in version 3.2.
+
 .sp
-Because any \fBmongos\fP in a cluster can create a split, to
-totally disable splitting in a cluster you must set \fI\%\-\-noAutoSplit\fP on all
-\fBmongos\fP\&.
+Specifies the configuration servers for the
+sharded cluster\&.
 .sp
-\fBWARNING:\fP
+Starting in MongoDB 3.2, config servers for sharded clusters can be
+deployed as a replica set\&. The
+replica set config servers must run the WiredTiger storage engine\&. MongoDB 3.2 deprecates the use of three mirrored
+\fBmongod\fP instances for config servers.
+.sp
+Specify the config server replica set name and the hostname and port of
+at least one of the members of the config server replica set.
 .INDENT 7.0
 .INDENT 3.5
-With \fI\%\-\-noAutoSplit\fP enabled, the data in your sharded
-cluster may become imbalanced over time. Enable with caution.
+.sp
+.nf
+.ft C
+sharding:
+  configDB: <configReplSetName>/cfg1.example.net:27017, cfg2.example.net:27017,...
+.ft P
+.fi
 .UNINDENT
 .UNINDENT
+.sp
+The \fI\%mongos\fP instances for the sharded cluster must specify
+the same config server replica set name but can specify hostname and
+port of different members of the replica set.
 .UNINDENT
-.SS SSL Options
+.INDENT 0.0
+.TP
+.B \-\-localThreshold
+\fIDefault\fP: 15
+.sp
+Specifies the ping time, in milliseconds, that \fI\%mongos\fP uses
+to determine which secondary replica set members to pass read
+operations from clients. The default value of \fB15\fP corresponds to
+the default value in all of the client drivers\&.
+.sp
+When \fI\%mongos\fP receives a request that permits reads to
+secondary members, the \fI\%mongos\fP will:
+.INDENT 7.0
+.IP \(bu 2
+Find the member of the set with the lowest ping time.
+.IP \(bu 2
+Construct a list of replica set members that is within a ping time of
+15 milliseconds of the nearest suitable member of the set.
+.sp
+If you specify a value for the \fI\%\-\-localThreshold\fP option, \fI\%mongos\fP will
+construct the list of replica members that are within the latency
+allowed by this value.
+.IP \(bu 2
+Select a member to read from at random from this list.
+.UNINDENT
+.sp
+The ping time used for a member compared by the \fI\%\-\-localThreshold\fP setting is a
+moving average of recent ping times, calculated at most every 10
+seconds. As a result, some queries may reach members above the threshold
+until the \fI\%mongos\fP recalculates the average.
+.sp
+See the replica\-set\-read\-preference\-behavior\-member\-selection
+section of the read preference
+documentation for more information.
+.UNINDENT
+.SS TLS/SSL Options
 .INDENT 0.0
 .INDENT 3.5
 .SS See
 .sp
-http://docs.mongodb.org/manual/tutorial/configure\-ssl for full
-documentation of MongoDB\(aqs support.
+/tutorial/configure\-ssl for full
+documentation of MongoDB’s support.
 .UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslOnNormalPorts
-Deprecated since version 2.6.
+Deprecated since version 2.6: Use \fI\%\-\-sslMode requireSSL\fP instead.
 
 .sp
-Enables SSL for \fBmongos\fP\&.
+Enables TLS/SSL for \fBmongos\fP\&.
 .sp
-With \fI\%\-\-sslOnNormalPorts\fP, a \fBmongos\fP requires SSL encryption for all
+With \fI\%\-\-sslOnNormalPorts\fP, a \fBmongos\fP requires TLS/SSL encryption for all
 connections on the default MongoDB port, or the port specified by
-\fI\-\-port\fP\&. By default, \fI\%\-\-sslOnNormalPorts\fP is
+\fI\%\-\-port\fP\&. By default, \fI\%\-\-sslOnNormalPorts\fP is
 disabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -437,7 +696,7 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 2.6.
 
 .sp
-Enables SSL or mixed SSL used for all network connections. The
+Enables TLS/SSL or mixed TLS/SSL used for all network connections. The
 argument to the \fI\%\-\-sslMode\fP option can be one of the following:
 .TS
 center;
@@ -452,67 +711,72 @@ _
 T{
 \fBdisabled\fP
 T}	T{
-The server does not use SSL.
+The server does not use TLS/SSL.
 T}
 _
 T{
 \fBallowSSL\fP
 T}	T{
-Connections between servers do not use SSL. For incoming
-connections, the server accepts both SSL and non\-SSL.
+Connections between servers do not use TLS/SSL. For incoming
+connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
 T}
 _
 T{
 \fBpreferSSL\fP
 T}	T{
-Connections between servers use SSL. For incoming
-connections, the server accepts both SSL and non\-SSL.
+Connections between servers use TLS/SSL. For incoming
+connections, the server accepts both TLS/SSL and non\-TLS/non\-SSL.
 T}
 _
 T{
 \fBrequireSSL\fP
 T}	T{
-The server uses and accepts only SSL encrypted connections.
+The server uses and accepts only TLS/SSL encrypted connections.
 T}
 _
 .TE
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslPEMKeyFile <filename>
-New in version 2.2.
-
-.sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
-When SSL is enabled, you must specify \fI\-\-sslPEMKeyFile\fP\&.
+You must specify \fI\%\-\-sslPEMKeyFile\fP when TLS/SSL is enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslPEMKeyPassword <value>
-New in version 2.2.
-
-.sp
 Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fB\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
 certificate\-key file is encrypted. In all cases, the \fBmongos\fP will
 redact the password from all logging and reporting output.
 .sp
 Changed in version 2.6: If the private key in the PEM file is encrypted and you do not
-specify the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongos\fP will prompt for a
-passphrase. See \fIssl\-certificate\-password\fP\&.
+specify the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongos\fP will prompt for a
+passphrase. See ssl\-certificate\-password\&.
 
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -523,7 +787,7 @@ New in version 2.6.
 
 .sp
 The authentication mode used for cluster authentication. If you use
-\fIinternal x.509 authentication\fP,
+internal x.509 authentication,
 specify so here. This option can have one of the following values:
 .TS
 center;
@@ -567,8 +831,17 @@ T}
 _
 .TE
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -577,16 +850,19 @@ New in version 2.6.
 
 .sp
 Specifies the \fB\&.pem\fP file that contains the x.509 certificate\-key
-file for \fImembership authentication\fP
+file for membership authentication
 for the cluster or replica set.
 .sp
 If \fI\%\-\-sslClusterFile\fP does not specify the \fB\&.pem\fP file for internal cluster
 authentication, the cluster uses the \fB\&.pem\fP file specified in the
-\fI\-\-sslPEMKeyFile\fP option.
+\fI\%\-\-sslPEMKeyFile\fP option.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
-The default distribution of MongoDB does not contain support for
-SSL.  For more information on MongoDB and SSL, see
-http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -601,93 +877,87 @@ will redact the password from all logging and reporting output.
 .sp
 If the x.509 key file is encrypted and you do not specify the
 \fI\%\-\-sslClusterPassword\fP option, the \fBmongos\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslCAFile <filename>
-New in version 2.4.
-
-.sp
 Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
 .sp
-\fBWARNING:\fP
-.INDENT 7.0
-.INDENT 3.5
-If the \fI\-\-sslCAFile\fP option and its target
-file are not specified, x.509 client and member authentication will not
-function. \fBmongod\fP, and \fBmongos\fP in sharded systems,
-will not be able to verify the certificates of processes connecting to it
-against the trusted certificate authority (CA) that issued them, breaking
-the certificate chain.
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
-As of version 2.6.4, \fBmongod\fP will not start with x.509
-authentication enabled if the CA file is not specified.
-.UNINDENT
-.UNINDENT
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslCRLFile <filename>
-New in version 2.4.
-
-.sp
-Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
+Specifies the the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sslWeakCertificateValidation
-New in version 2.4.
-
-.sp
-Changed in version 3.0.0: \fB\-\-sslAllowConnectionsWithoutCertificates\fP became \fI\%\-\-sslWeakCertificateValidation\fP\&. For
-compatibility, MongoDB processes continue to accept
-\fB\-\-sslAllowConnectionsWithoutCertificates\fP, but all users should
-update their configuration files.
-
-.sp
-Disables the requirement for SSL certificate validation that
-\fB\-\-sslCAFile\fP enables. With the \fI\%\-\-sslWeakCertificateValidation\fP option, the \fBmongos\fP
+.B \-\-sslAllowConnectionsWithoutCertificates
+Disables the requirement for TLS/SSL certificate validation that
+\fB\-\-sslCAFile\fP enables. With the \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP option, the \fBmongos\fP
 will accept connections when the client does not present a certificate
 when establishing the connection.
 .sp
-If the client presents a certificate and the \fBmongos\fP has \fI\%\-\-sslWeakCertificateValidation\fP
+If the client presents a certificate and the \fBmongos\fP has \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP
 enabled, the \fBmongos\fP will validate the certificate using the root
 certificate chain specified by \fB\-\-sslCAFile\fP and reject clients
 with invalid certificates.
 .sp
-Use the \fI\%\-\-sslWeakCertificateValidation\fP option if you have a mixed deployment that includes
+Use the \fI\%\-\-sslAllowConnectionsWithoutCertificates\fP option if you have a mixed deployment that includes
 clients that do not or cannot present certificates to the \fBmongos\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-sslAllowInvalidCertificates
-New in version 2.6.
-
+Bypasses the validation checks for TLS/SSL certificates on other
+servers in the cluster and allows the use of invalid certificates to
+connect.
 .sp
-Bypasses the validation checks for SSL certificates on other servers
-in the cluster and allows the use of invalid certificates. When using
-the \fBallowInvalidCertificates\fP setting, MongoDB
-logs as a warning the use of the invalid certificate.
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.UNINDENT
+.UNINDENT
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+When using
+the \fI\%\-\-sslAllowInvalidCertificates\fP setting, MongoDB
+logs a warning regarding the use of the invalid certificate.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -695,31 +965,71 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates, when
-connecting to other \fBmongos\fP instances for inter\-process
-authentication. This allows \fBmongos\fP to connect to other
-\fBmongos\fP instances if the hostnames in their certificates do not
-match their configured hostname.
+Disables the validation of the hostnames in TLS/SSL certificates,
+when connecting to other members of the replica set or sharded cluster
+for inter\-process authentication. This allows \fBmongos\fP to connect
+to other members if the hostnames in their certificates do not match
+their configured hostname.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-sslFIPSMode
-New in version 2.4.
+.B \-\-sslDisabledProtocols <protocol(s)>
+New in version 3.0.7.
 
 .sp
+Prevents a MongoDB server running with TLS/SSL from accepting
+incoming connections that use a specific protocol or protocols. To
+specify multiple protocols, use a comma separated list of protocols.
+.sp
+\fI\%\-\-sslDisabledProtocols\fP recognizes the following protocols: \fBTLS1_0\fP, \fBTLS1_1\fP,
+and \fBTLS1_2\fP\&.
+.INDENT 7.0
+.IP \(bu 2
+On macOS, you cannot disable \fBTLS1_1\fP and leave both \fBTLS1_0\fP and
+\fBTLS1_2\fP enabled. You must disable at least one of the other
+two, for example, \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+To list multiple protocols, specify as a comma separated list of
+protocols. For example \fBTLS1_0,TLS1_1\fP\&.
+.IP \(bu 2
+Specifying an unrecognized protocol will prevent the server from
+starting.
+.IP \(bu 2
+The specified disabled protocols overrides any default disabled
+protocols.
+.UNINDENT
+.sp
+Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
+1.1+ is available on the system. To enable the disabled TLS 1.0,
+specify \fBnone\fP to \fI\%\-\-sslDisabledProtocols\fP\&. 4.0\-disable\-tls
+.sp
+Members of replica sets and sharded clusters must speak at least one
+protocol in common.
+.sp
+\fBSEE ALSO:\fP
+.INDENT 7.0
+.INDENT 3.5
+ssl\-disallow\-protocols
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-sslFIPSMode
 Directs the \fBmongos\fP to use the FIPS mode of the installed OpenSSL
-library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+library. Your system must have a FIPS
+compliant OpenSSL library to use the \fI\%\-\-sslFIPSMode\fP option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -727,11 +1037,10 @@ http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
 .INDENT 0.0
 .TP
 .B \-\-auditDestination
-New in version 2.6.
-
+Enables auditing and specifies where
+\fBmongos\fP sends all audit events.
 .sp
-Enables \fBauditing\fP\&. The \fI\%\-\-auditDestination\fP option can
-have one of the following values:
+\fI\%\-\-auditDestination\fP can have one of the following values:
 .TS
 center;
 |l|l|.
@@ -783,7 +1092,7 @@ Available only in \fI\%MongoDB Enterprise\fP\&.
 New in version 2.6.
 
 .sp
-Specifies the format of the output file for \fBauditing\fP if \fI\%\-\-auditDestination\fP is \fBfile\fP\&. The
+Specifies the format of the output file for auditing if \fI\%\-\-auditDestination\fP is \fBfile\fP\&. The
 \fI\%\-\-auditFormat\fP option can have one of the following values:
 .TS
 center;
@@ -827,7 +1136,7 @@ Available only in \fI\%MongoDB Enterprise\fP\&.
 New in version 2.6.
 
 .sp
-Specifies the output file for \fBauditing\fP if
+Specifies the output file for auditing if
 \fI\%\-\-auditDestination\fP has value of \fBfile\fP\&. The \fI\%\-\-auditPath\fP
 option can take either a full path name or a relative path name.
 .sp
@@ -844,7 +1153,7 @@ Available only in \fI\%MongoDB Enterprise\fP\&.
 New in version 2.6.
 
 .sp
-Specifies the filter to limit the \fItypes of operations\fP the \fBaudit system\fP records. The option takes a string representation
+Specifies the filter to limit the types of operations the audit system records. The option takes a string representation
 of a query document of the form:
 .INDENT 7.0
 .INDENT 3.5
@@ -857,14 +1166,14 @@ of a query document of the form:
 .UNINDENT
 .UNINDENT
 .sp
-The \fB<field>\fP can be \fBany field in the audit message\fP, including fields returned in the
-\fIparam\fP document. The
-\fB<expression>\fP is a \fIquery condition expression\fP\&.
+The \fB<field>\fP can be any field in the audit message, including fields returned in the
+param document. The
+\fB<expression>\fP is a query condition expression\&.
 .sp
 To specify an audit filter, enclose the filter document in single
 quotes to pass the document as a string.
 .sp
-To specify the audit filter in a \fBconfiguration file\fP, you must use the YAML format of
+To specify the audit filter in a configuration file, you must use the YAML format of
 the configuration file.
 .sp
 \fBNOTE:\fP
@@ -874,21 +1183,506 @@ Available only in \fI\%MongoDB Enterprise\fP\&.
 .UNINDENT
 .UNINDENT
 .UNINDENT
-.SS Additional Options
+.SS Profiler Options
+.sp
+New in version 4.0.
+
 .INDENT 0.0
 .TP
-.B \-\-ipv6
-Enables IPv6 support and allows the \fBmongos\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+.B \-\-slowms <integer>
+\fIDefault\fP: 100
+.sp
+The \fIslow\fP operation time threshold, in milliseconds. Operations
+that run for longer than this threshold are considered \fIslow\fP\&.
+.sp
+When \fBlogLevel\fP is set to \fB0\fP, MongoDB
+records \fIslow\fP operations to the diagnostic log at a rate determined by
+\fBslowOpSampleRate\fP\&. At higher
+\fBlogLevel\fP settings, all operations appear in the diagnostic
+log regardless of their latency.
+.sp
+For \fI\%mongos\fP instances,  affects the diagnostic
+log only and not the profiler since profiling is not available on
+\fI\%mongos\fP\&.
+.sp
+New in version 4.0.
+
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-slowOpSampleRate <double>
+\fIDefault\fP: 1.0
+.sp
+The fraction of \fIslow\fP operations that should be logged.
+\fI\%\-\-slowOpSampleRate\fP accepts values between 0 and 1, inclusive.
+.sp
+For \fI\%mongos\fP instances, \fI\%\-\-slowOpSampleRate\fP affects the diagnostic log
+only and not the profiler since profiling is not available on
+\fI\%mongos\fP\&.
+.sp
+New in version 4.0.
+
+.UNINDENT
+.SS Text Search Options
+.INDENT 0.0
+.TP
+.B \-\-basisTechRootDirectory <path>
+New in version 3.2.
+
+.sp
+Specify the root directory of the Basis Technology Rosette
+Linguistics Platform installation to support additional languages for
+text search operations.
+.INDENT 7.0
+.INDENT 3.5
+.IP "Enterprise Feature"
+.sp
+Available in MongoDB Enterprise only.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS LDAP Authentication and Authorization Options
+.INDENT 0.0
+.TP
+.B \-\-ldapServers <host1>:<port>,<host2>:<port>,...,<hostN>:<port>
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+The LDAP server against which the \fBmongos\fP executes LDAP operations
+against to authenticate users or determine what actions a user is authorized
+to perform on a given database. If the LDAP server specified has any
+replicated instances, you may specify the host and port of each replicated
+server in a comma\-delimited list.
+.sp
+If your LDAP infrastrucure partitions the LDAP directory over multiple LDAP
+servers, specify \fIone\fP LDAP server any of its replicated instances to
+\fI\%\-\-ldapServers\fP\&. MongoDB supports following LDAP referrals as defined in \fI\%RFC 4511
+4.1.10\fP\&. Do not use \fI\%\-\-ldapServers\fP
+for listing every LDAP server in your infrastucture.
+.sp
+This setting can be configured on a running \fBmongos\fP using
+\fBsetParameter\fP\&.
+.sp
+If unset, \fBmongos\fP cannot use LDAP authentication or authorization\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-ldapQueryUser <string>
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+The identity with which \fBmongos\fP binds as, when connecting to or
+performing queries on an LDAP server.
+.sp
+Only required if any of the following are true:
+.INDENT 7.0
+.IP \(bu 2
+Using LDAP authorization\&.
+.IP \(bu 2
+Using an LDAP query for \fI\%username transformation\fP\&.
+.IP \(bu 2
+The LDAP server disallows anonymous binds
+.UNINDENT
+.sp
+You must use \fI\%\-\-ldapQueryUser\fP with \fI\%\-\-ldapQueryPassword\fP\&.
+.sp
+If unset, \fBmongos\fP will not attempt to bind to the LDAP server.
+.sp
+This setting can be configured on a running \fBmongos\fP using
+\fBsetParameter\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Windows MongoDB deployments can use \fI\%\-\-ldapBindWithOSDefaults\fP
+instead of \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP\&. You cannot specify
+both \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the same time.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-ldapQueryPassword <string>
+New in version 3.4: Available in MongoDB Enterprise only.
+.sp
+The password used to bind to an LDAP server when using
+\fI\%\-\-ldapQueryUser\fP\&. You must use \fI\%\-\-ldapQueryPassword\fP with
+\fI\%\-\-ldapQueryUser\fP\&.
+
+.sp
+If unset, \fBmongos\fP will not attempt to bind to the LDAP server.
+.sp
+This setting can be configured on a running \fBmongos\fP using
+\fBsetParameter\fP\&.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+Windows MongoDB deployments can use \fI\%\-\-ldapBindWithOSDefaults\fP
+instead of \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapQueryPassword\fP\&. You cannot specify
+both \fI\%\-\-ldapQueryPassword\fP and \fI\%\-\-ldapBindWithOSDefaults\fP at the same time.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-ldapBindWithOSDefaults <bool>
+\fIDefault\fP: False
+.sp
+New in version 3.4: Available in MongoDB Enterprise for the Windows platform only.
+
+.sp
+Allows \fBmongos\fP to authenticate, or bind, using your Windows login
+credentials when connecting to the LDAP server.
+.sp
+Only required if:
+.INDENT 7.0
+.IP \(bu 2
+Using LDAP authorization\&.
+.IP \(bu 2
+Using an LDAP query for \fI\%username transformation\fP\&.
+.IP \(bu 2
+The LDAP server disallows anonymous binds
+.UNINDENT
+.sp
+Use \fI\%\-\-ldapBindWithOSDefaults\fP to replace \fI\%\-\-ldapQueryUser\fP and
+\fI\%\-\-ldapQueryPassword\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-ldapBindMethod <string>
+\fIDefault\fP: simple
+.sp
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+The method \fBmongos\fP uses to authenticate to an LDAP server.
+Use with \fI\%\-\-ldapQueryUser\fP and \fI\%\-\-ldapQueryPassword\fP to
+connect to the LDAP server.
+.sp
+\fI\%\-\-ldapBindMethod\fP supports the following values:
+.INDENT 7.0
+.IP \(bu 2
+\fBsimple\fP \- \fBmongos\fP uses simple authentication.
+.IP \(bu 2
+\fBsasl\fP \- \fBmongos\fP uses SASL protocol for authentication
+.UNINDENT
+.sp
+If you specify \fBsasl\fP, you can configure the available SASL mechanisms
+using \fI\%\-\-ldapBindSASLMechanisms\fP\&. \fBmongos\fP defaults to
+using \fBDIGEST\-MD5\fP mechanism.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-ldapBindSASLMechanisms <string>
+\fIDefault\fP: DIGEST\-MD5
+.sp
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+A comma\-separated list of SASL mechanisms \fBmongos\fP can
+use when authenticating to the LDAP server. The \fBmongos\fP and the
+LDAP server must agree on at least one mechanism. The \fBmongos\fP
+dynamically loads any SASL mechanism libraries installed on the host
+machine at runtime.
+.sp
+Install and configure the appropriate libraries for the selected
+SASL mechanism(s) on both the \fBmongos\fP host and the remote
+LDAP server host. Your operating system may include certain SASL
+libraries by default. Defer to the documentation associated with each
+SASL mechanism for guidance on installation and configuration.
+.sp
+If using the \fBGSSAPI\fP SASL mechanism for use with
+security\-kerberos, verify the following for the
+\fBmongos\fP host machine:
+.INDENT 7.0
+.TP
+.B \fBLinux\fP
+.INDENT 7.0
+.IP \(bu 2
+The \fBKRB5_CLIENT_KTNAME\fP environment
+variable resolves to the name of the client keytab\-files
+for the host machine. For more on Kerberos environment
+variables, please defer to the
+\fI\%Kerberos documentation\fP\&.
+.IP \(bu 2
+The client keytab includes a
+kerberos\-user\-principal for the \fBmongos\fP to use when
+connecting to the LDAP server and execute LDAP queries.
+.UNINDENT
+.TP
+.B \fBWindows\fP
+If connecting to an Active Directory server, the Windows
+Kerberos configuration automatically generates a
+\fI\%Ticket\-Granting\-Ticket\fP
+when the user logs onto the system. Set \fI\%\-\-ldapBindWithOSDefaults\fP to
+\fBtrue\fP to allow \fBmongos\fP to use the generated credentials when
+connecting to the Active Directory server and execute queries.
+.UNINDENT
+.sp
+Set \fI\%\-\-ldapBindMethod\fP to \fBsasl\fP to use this option.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+For a complete list of SASL mechanisms see the
+\fI\%IANA listing\fP\&.
+Defer to the documentation for your LDAP or Active Directory
+service for identifying the SASL mechanisms compatible with the
+service.
+.sp
+MongoDB is not a source of SASL mechanism libraries, nor
+is the MongoDB documentation a definitive source for
+installing or configuring any given SASL mechanism. For
+documentation and support, defer to the SASL mechanism
+library vendor or owner.
+.sp
+For more information on SASL, defer to the following resources:
+.INDENT 0.0
+.IP \(bu 2
+For Linux, please see the \fI\%Cyrus SASL documentation\fP\&.
+.IP \(bu 2
+For Windows, please see the \fI\%Windows SASL documentation\fP\&.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-ldapTransportSecurity <string>
+\fIDefault\fP: tls
+.sp
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+By default, \fBmongos\fP creates a TLS/SSL secured connection to the LDAP
+server.
+.sp
+For Linux deployments, you must configure the appropriate TLS Options in
+\fB/etc/openldap/ldap.conf\fP file. Your operating system’s package manager
+creates this file as part of the MongoDB Enterprise installation, via the
+\fBlibldap\fP dependency. See the documentation for \fBTLS Options\fP in the
+\fI\%ldap.conf OpenLDAP documentation\fP
+for more complete instructions.
+.sp
+For Windows deployment, you must add the LDAP server CA certificates to the
+Windows certificate management tool. The exact name and functionality of the
+tool may vary depending on operating system version. Please see the
+documentation for your version of Windows for more information on
+certificate management.
+.sp
+Set \fI\%\-\-ldapTransportSecurity\fP to \fBnone\fP to disable TLS/SSL between \fBmongos\fP and the LDAP
+server.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+Setting \fI\%\-\-ldapTransportSecurity\fP to \fBnone\fP transmits plaintext information and possibly
+credentials between \fBmongos\fP and the LDAP server.
+.UNINDENT
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-jsonp
-Permits \fIJSONP\fP access via an HTTP interface. Enabling the
-interface can increase network exposure. The \fI\%\-\-jsonp\fP option enables the
-HTTP interface, even if the \fBHTTP interface\fP
-option is disabled.
+.B \-\-ldapTimeoutMS <long>
+\fIDefault\fP: 10000
+.sp
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+The amount of time in milliseconds \fBmongos\fP should wait for an LDAP server
+to respond to a request.
+.sp
+Increasing the value of \fI\%\-\-ldapTimeoutMS\fP may prevent connection failure between the
+MongoDB server and the LDAP server, if the source of the failure is a
+connection timeout. Decreasing the value of \fI\%\-\-ldapTimeoutMS\fP reduces the time
+MongoDB waits for a response from the LDAP server.
+.sp
+This setting can be configured on a running \fBmongos\fP using
+\fBsetParameter\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-ldapUserToDNMapping <string>
+New in version 3.4: Available in MongoDB Enterprise only.
+
+.sp
+Maps the username provided to \fBmongos\fP for authentication to a LDAP
+Distinguished Name (DN). You may need to use \fI\%\-\-ldapUserToDNMapping\fP to transform a
+username into an LDAP DN in the following scenarios:
+.INDENT 7.0
+.IP \(bu 2
+Performing LDAP authentication with simple LDAP binding, where users
+authenticate to MongoDB with usernames that are not full LDAP DNs.
+.IP \(bu 2
+Using an \fBLDAP authorization query template\fP that requires a DN.
+.IP \(bu 2
+Transforming the usernames of clients authenticating to Mongo DB using
+different authentication mechanisms (e.g. x.509, kerberos) to a full LDAP
+DN for authorization.
+.UNINDENT
+.sp
+\fI\%\-\-ldapUserToDNMapping\fP expects a quote\-enclosed JSON\-string representing an ordered array
+of documents. Each document contains a regular expression \fBmatch\fP and
+either a \fBsubstitution\fP or \fBldapQuery\fP template used for transforming the
+incoming username.
+.sp
+Each document in the array has the following form:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+{
+  match: "<regex>"
+  substitution: "<LDAP DN>" | ldapQuery: "<LDAP Query>"
+}
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.TS
+center;
+|l|l|l|.
+_
+T{
+Field
+T}	T{
+Description
+T}	T{
+Example
+T}
+_
+T{
+\fBmatch\fP
+T}	T{
+An ECMAScript\-formatted regular expression (regex) to match against a
+provided username. Each parenthesis\-enclosed section represents a
+regex capture group used by \fBsubstitution\fP or \fBldapQuery\fP\&.
+T}	T{
+\fB"(.+)ENGINEERING"\fP
+\fB"(.+)DBA"\fP
+T}
+_
+T{
+\fBsubstitution\fP
+T}	T{
+An LDAP distinguished name (DN) formatting template that converts the
+authentication name matched by the \fBmatch\fP regex into a LDAP DN.
+Each curly bracket\-enclosed numeric value is replaced by the
+corresponding \fI\%regex capture group\fP extracted
+from the authentication username via the \fBmatch\fP regex.
+T}	T{
+\fB"cn={0},ou=engineering,
+dc=example,dc=com"\fP
+T}
+_
+T{
+\fBldapQuery\fP
+T}	T{
+A LDAP query formatting template that inserts the authentication
+name matched by the \fBmatch\fP regex into an LDAP query URI encoded
+respecting RFC4515 and RFC4516. Each curly bracket\-enclosed numeric
+value is replaced by the corresponding \fI\%regex capture group\fP extracted
+from the authentication username via the \fBmatch\fP expression.
+\fBmongos\fP executes the query against the LDAP server to retrieve
+the LDAP DN for the authenticated user. \fBmongos\fP requires
+exactly one returned result for the transformation to be
+successful, or \fBmongos\fP skips this transformation.
+T}	T{
+\fB"ou=engineering,dc=example,
+dc=com??one?(user={0})"\fP
+T}
+_
+.TE
+.sp
+For each document in the array, you must use either \fBsubstitution\fP or
+\fBldapQuery\fP\&. You \fIcannot\fP specify both in the same document.
+.sp
+When performing authentication or authorization, \fBmongos\fP steps through
+each document in the array in the given order, checking the authentication
+username against the \fBmatch\fP filter.  If a match is found,
+\fBmongos\fP applies the transformation and uses the output for
+authenticating the user. \fBmongos\fP does not check the remaining documents
+in the array.
+.sp
+If the given document does not match the provided authentication name, or
+the transformation described by the document fails, \fBmongos\fP continues
+through the list of documents to find additional matches. If no matches are
+found in any document, \fBmongos\fP returns an error.
+.INDENT 7.0
+.INDENT 3.5
+.SS Example
+.sp
+The following shows two transformation documents. The first
+document matches against any string ending in \fB@ENGINEERING\fP, placing
+anything preceeding the suffix into a regex capture group. The
+second document matches against any string ending in \fB@DBA\fP, placing
+anything preceeding the suffix into a regex capture group.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 0.0
+.INDENT 3.5
+You must pass the array to \fI\%\-\-ldapUserToDNMapping\fP as a string.
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+"[
+   {
+      match: "(.+)@ENGINEERING.EXAMPLE.COM",
+      substitution: "cn={0},ou=engineering,dc=example,dc=com"
+   },
+   {
+      match: "(.+)@DBA.EXAMPLE.COM",
+      ldapQuery: "ou=dba,dc=example,dc=com??one?(user={0})"
+
+   }
+
+]"
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+A user with username \fBalice@ENGINEERING.EXAMPLE.COM\fP matches the first
+document. The regex capture group \fB{0}\fP corresponds to the string
+\fBalice\fP\&. The resulting output is the DN
+\fB"cn=alice,ou=engineering,dc=example,dc=com"\fP\&.
+.sp
+A user with username \fBbob@DBA.EXAMPLE.COM\fP matches the second document.
+The regex capture group \fB{0}\fP corresponds to the string \fBbob\fP\&.  The
+resulting output is the LDAP query
+\fB"ou=dba,dc=example,dc=com??one?(user=bob)"\fP\&. \fBmongos\fP executes this
+query against the LDAP server, returning the result
+\fB"cn=bob,ou=dba,dc=example,dc=com"\fP\&.
+.UNINDENT
+.UNINDENT
+.sp
+If \fI\%\-\-ldapUserToDNMapping\fP is unset, \fBmongos\fP applies no transformations to the username
+when attempting to authenticate or authorize a user against the LDAP server.
+.sp
+This setting can be configured on a running \fBmongos\fP using the
+\fBsetParameter\fP database command.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+An explanation of \fI\%RFC4515\fP,
+\fI\%RFC4516\fP or LDAP queries is out
+of scope for the MongoDB Documentation. Please review the RFC directly or
+use your preferred LDAP resource.
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.SS Additional Options
+.INDENT 0.0
+.TP
+.B \-\-ipv6
+Enables IPv6 support. \fBmongos\fP disables IPv6 support by default.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -898,6 +1692,6 @@ Disables the scripting engine.
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongostat.1 b/debian/mongostat.1
index 8a8a3629de2..f4af7fb85f8 100644
--- a/debian/mongostat.1
+++ b/debian/mongostat.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGOSTAT" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGOSTAT" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongostat \- MongoDB Use Statistics
 .
@@ -30,47 +30,70 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Required Access\fP
+.IP \(bu 2
+\fI\%Options\fP
+.IP \(bu 2
+\fI\%Fields\fP
+.IP \(bu 2
+\fI\%Use\fP
+.UNINDENT
+.INDENT 0.0
+.INDENT 3.5
+.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
+.sp
+Users running on Mac OSX Sierra require the 3.2.10 or newer version
+of  mongostat\&.
+.UNINDENT
+.UNINDENT
 .SH SYNOPSIS
 .sp
-The \fBmongostat\fP utility provides a quick overview of the
+The \fI\%mongostat\fP utility provides a quick overview of the
 status of a currently running \fBmongod\fP
 or \fBmongos\fP
-instance. \fBmongostat\fP is functionally similar to the
+instance. \fI\%mongostat\fP is functionally similar to the
 UNIX/Linux file system utility \fBvmstat\fP, but provides data regarding
 \fBmongod\fP and \fBmongos\fP instances.
 .sp
+Run \fI\%mongostat\fP from the system command line, not the \fBmongo\fP shell.
+.sp
 \fBSEE ALSO:\fP
 .INDENT 0.0
 .INDENT 3.5
 For more information about monitoring MongoDB, see
-http://docs.mongodb.org/manual/administration/monitoring\&.
+/administration/monitoring\&.
 .sp
-For more background on various other MongoDB status outputs see:
+For more background on other MongoDB status outputs see:
 .INDENT 0.0
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/command/serverStatus
+/reference/command/serverStatus
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/command/replSetGetStatus
+/reference/command/replSetGetStatus
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/command/dbStats
+/reference/command/dbStats
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/command/collStats
+/reference/command/collStats
 .UNINDENT
 .sp
 For an additional utility that provides MongoDB metrics see
-\fBmongotop\fP\&.
+mongotop\&.
 .UNINDENT
 .UNINDENT
-.SH ACCESS CONTROL REQUIREMENTS
+.SH REQUIRED ACCESS
 .sp
 In order to connect to a \fBmongod\fP that enforces authorization
-with the \fI\-\-auth\fP option, specify the
-\fI\-\-username\fP and \fI\-\-password\fP options, and the user specified must have the
+with the \fB\-\-auth\fP option, specify the
+\fI\%\-\-username\fP and \fI\%\-\-password\fP options, and the connecting user must have the
 \fBserverStatus\fP privilege action on the cluster resources.
 .sp
 The built\-in role \fBclusterMonitor\fP provides this privilege as
 well as other privileges. To create a role with just the privilege to
-run \fBmongostat\fP, see \fIcreate\-role\-for\-mongostat\fP\&.
+run \fI\%mongostat\fP, see create\-role\-for\-mongostat\&.
 .SH OPTIONS
 .INDENT 0.0
 .TP
@@ -78,10 +101,6 @@ run \fBmongostat\fP, see \fIcreate\-role\-for\-mongostat\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B mongostat
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-help
 Returns information on the options and use of \fBmongostat\fP\&.
 .UNINDENT
@@ -99,6 +118,60 @@ Returns the \fBmongostat\fP release number.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-uri <connectionString>
+New in version 3.4.6.
+
+.sp
+Specify a resolvable URI
+connection string for the \fBmongod\fP to which to
+connect.
+.sp
+The following is the standard
+URI connection scheme:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For detailed explanations of the components of this string, refer to
+the
+Connection String URI Format
+documentation.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+The following \fI\%mongostat\fP options are incompatible with the
+\fB\-\-uri\fP option. Instead, specify these options as part of your
+\fB\-\-uri\fP connection string when applicable:
+.INDENT 0.0
+.IP \(bu 2
+\fB\-\-host\fP
+.IP \(bu 2
+\fB\-\-port\fP
+.IP \(bu 2
+\fB\-\-db\fP
+.IP \(bu 2
+\fB\-\-username\fP
+.IP \(bu 2
+\fB\-\-password\fP (when specifying the password as part of the
+URI connection string)
+.IP \(bu 2
+\fB\-\-authenticationDatabase\fP
+.IP \(bu 2
+\fB\-\-authenticationMechanism\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-host <hostname><:port>, \-h <hostname><:port>
 \fIDefault\fP: localhost:27017
 .sp
@@ -106,23 +179,20 @@ Specifies a resolvable hostname for the \fBmongod\fP to which to
 connect. By default, the \fBmongostat\fP attempts to connect to a MongoDB
 instance running on the localhost on port number \fB27017\fP\&.
 .sp
-To connect to a replica set, specify the
-\fBreplSetName\fP and a seed list of set members, as in
-the following:
+To connect to a replica set, you can specify the set member or
+members to report on, as in the following (see also the
+\fB\-\-discover\fP flag):
 .INDENT 7.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
+\-\-host <hostname1><:port>,<hostname2><:port>,<...>
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
-You can always connect directly to a single MongoDB instance by
-specifying the host and port number directly.
-.sp
 Changed in version 3.0.0: If you use IPv6 and use the \fB<address>:<port>\fP format, you must
 enclose the portion of an address and port combination in
 brackets (e.g. \fB[<address>]\fP).
@@ -139,9 +209,12 @@ client connections.
 .INDENT 0.0
 .TP
 .B \-\-ipv6
-Enables IPv6 support and allows the \fBmongostat\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+\fIRemoved in version 3.0.\fP
+.sp
+Enables IPv6 support and allows \fBmongostat\fP to connect to the
+MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you
+had to specify \fI\%\-\-ipv6\fP to use IPv6. In MongoDB 3.0 and later, IPv6
+is always enabled.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -150,10 +223,11 @@ New in version 2.6.
 
 .sp
 Enables connection to a \fBmongod\fP or \fBmongos\fP that has
-SSL support enabled.
+TLS/SSL support enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -165,23 +239,32 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
 \fBWARNING:\fP
 .INDENT 7.0
 .INDENT 3.5
-If the \fBmongo\fP shell or any other tool that connects to
-\fBmongos\fP or \fBmongod\fP is run without
-\fI\-\-sslCAFile\fP, it will not attempt to validate
-server certificates. This results in vulnerability to expired
-\fBmongod\fP and \fBmongos\fP certificates as well as to foreign
-processes posing as valid \fBmongod\fP or \fBmongos\fP
-instances. Ensure that you \fIalways\fP specify the CA file against which
-server certificates should be validated in cases where intrusion is a
-possibility.
+\fBVersion 3.2 and earlier:\fP For TLS/SSL connections (\fB\-\-ssl\fP) to
+\fBmongod\fP and \fBmongos\fP, if the \fBmongostat\fP runs without the
+\fI\%\-\-sslCAFile\fP, \fBmongostat\fP will not attempt
+to validate the server certificates. This creates a vulnerability
+to expired \fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid \fBmongod\fP or
+\fBmongos\fP instances. Ensure that you \fIalways\fP specify the
+CA file to validate the server certificates in cases where
+intrusion is a possibility.
 .UNINDENT
 .UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -189,17 +272,18 @@ possibility.
 New in version 2.6.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
-This option is required when using the \fI\-\-ssl\fP option to connect
+This option is required when using the \fI\%\-\-ssl\fP option to connect
 to a \fBmongod\fP or \fBmongos\fP that has
 \fBCAFile\fP enabled \fIwithout\fP
 \fBallowConnectionsWithoutCertificates\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -208,16 +292,17 @@ New in version 2.6.
 
 .sp
 Specifies the password to de\-crypt the certificate\-key file (i.e.
-\fI\-\-sslPEMKeyFile\fP). Use the \fI\-\-sslPEMKeyPassword\fP option only if the
+\fI\%\-\-sslPEMKeyFile\fP). Use the \fI\%\-\-sslPEMKeyPassword\fP option only if the
 certificate\-key file is encrypted. In all cases, the \fBmongostat\fP will
 redact the password from all logging and reporting output.
 .sp
 If the private key in the PEM file is encrypted and you do not specify
-the \fI\-\-sslPEMKeyPassword\fP option, the \fBmongostat\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongostat\fP will prompt for a passphrase. See
+ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -229,8 +314,9 @@ Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -243,8 +329,36 @@ the use of invalid certificates. When using the
 \fBallowInvalidCertificates\fP setting, MongoDB logs as a
 warning the use of the invalid certificate.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL connections to \fBmongod\fP and
+\fBmongos\fP, avoid using
+\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
+\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
+not possible.
+.sp
+If the \fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) runs with the
+\fB\-\-sslAllowInvalidCertificates\fP option, the
+\fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) will not attempt to validate
+the server certificates. This creates a vulnerability to expired
+\fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid
+\fBmongod\fP or \fBmongos\fP instances.
+.UNINDENT
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -252,9 +366,13 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates. Allows
-\fBmongostat\fP to connect to MongoDB instances if the hostname their
+Disables the validation of the hostnames in TLS/SSL certificates. Allows
+\fBmongostat\fP to connect to MongoDB instances even if the hostname in their
 certificates do not match the specified hostname.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -264,14 +382,14 @@ New in version 2.6.
 .sp
 Directs the \fBmongostat\fP to use the FIPS mode of the installed OpenSSL
 library. Your system must have a FIPS compliant OpenSSL library to use
-the \fI\-\-sslFIPSMode\fP option.
+the \fI\%\-\-sslFIPSMode\fP option.
 .sp
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -289,34 +407,39 @@ Specifies a password with which to authenticate to a MongoDB database
 that uses authentication. Use in conjunction with the \fB\-\-username\fP and
 \fB\-\-authenticationDatabase\fP options.
 .sp
-If you do not specify an argument for \fI\-\-password\fP, \fBmongostat\fP will
-prompt interactively for a password on the console.
+Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongostat\fP returns
+an error.
+
+.sp
+Changed in version 3.0.2: If you wish \fBmongostat\fP to prompt the user
+for the password, pass the \fI\%\-\-username\fP option without
+\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
+as in \fB\-\-password ""\fP .
+
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationDatabase <dbname>
-New in version 2.4.
-
-.sp
-Specifies the database that holds the user\(aqs credentials.
+Specifies the database in which the user is created.
+See user\-authentication\-database\&.
 .sp
-\fI\-\-authenticationDatabase\fP is required for \fBmongod\fP
-and \fBmongos\fP instances that use \fIauthentication\fP\&.
+\fI\%\-\-authenticationDatabase\fP is required for \fBmongod\fP
+and \fBmongos\fP instances that use authentication\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationMechanism <name>
-\fIDefault\fP: MONGODB\-CR
-.sp
-New in version 2.4.
-
-.sp
-Changed in version 2.6: Added support for the \fBPLAIN\fP and \fBMONGODB\-X509\fP authentication
-mechanisms.
-
+\fIDefault\fP: SCRAM\-SHA\-1
 .sp
 Specifies the authentication mechanism the \fBmongostat\fP instance uses to
 authenticate to the \fBmongod\fP or \fBmongos\fP\&.
+.sp
+Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
+Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
+.sp
+MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
+function (\fBSCRAM\-SHA\-256\fP).
+
 .TS
 center;
 |l|l|.
@@ -328,33 +451,47 @@ Description
 T}
 _
 T{
-MONGODB\-CR
+SCRAM\-SHA\-1
 T}	T{
-MongoDB challenge/response authentication.
+\fI\%RFC 5802\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-1
+hash function.
 T}
 _
 T{
-MONGODB\-X509
+SCRAM\-SHA\-256
 T}	T{
-MongoDB SSL certificate authentication.
+\fI\%RFC 7677\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-256
+hash function.
+.sp
+Requires featureCompatibilityVersion set to \fB4.0\fP\&.
+.sp
+New in version 4.0.
 T}
 _
 T{
-PLAIN
+MONGODB\-X509
 T}	T{
-External authentication using LDAP. You can also use \fBPLAIN\fP
-for authenticating in\-database users. \fBPLAIN\fP transmits
-passwords in plain text. This mechanism is available only in
-\fI\%MongoDB Enterprise\fP\&.
+MongoDB TLS/SSL certificate authentication.
 T}
 _
 T{
-GSSAPI
+GSSAPI (Kerberos)
 T}	T{
 External authentication using Kerberos. This mechanism is
 available only in \fI\%MongoDB Enterprise\fP\&.
 T}
 _
+T{
+PLAIN (LDAP SASL)
+T}	T{
+External authentication using LDAP. You can also use \fBPLAIN\fP
+for authenticating in\-database users. \fBPLAIN\fP transmits
+passwords in plain text. This mechanism is available only in
+\fI\%MongoDB Enterprise\fP\&.
+T}
+_
 .TE
 .UNINDENT
 .INDENT 0.0
@@ -363,7 +500,7 @@ _
 New in version 2.6.
 
 .sp
-Specify the name of the service using \fBGSSAPI/Kerberos\fP\&. Only required if the service does not use the
+Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
 default name of \fBmongodb\fP\&.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -374,13 +511,144 @@ This option is available only in MongoDB Enterprise.
 New in version 2.6.
 
 .sp
-Specify the hostname of a service using \fBGSSAPI/Kerberos\fP\&. \fIOnly\fP required if the hostname of a machine does
+Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
 not match the hostname resolved by DNS.
 .sp
 This option is available only in MongoDB Enterprise.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-humanReadable boolean
+\fIDefault\fP: True
+.sp
+New in version 3.4.
+
+.sp
+When \fBtrue\fP, \fBmongostat\fP formats dates and quantity values for
+easier reading, as in the following sample output:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+insert query update delete getmore command dirty used flushes vsize  res qrw arw net_in net_out conn                time
+   991    *0     *0     *0       0     2|0  3.4% 4.5%       0 2.90G 297M 0|0 0|0  12.9m   84.2k    2 Oct  6 09:45:37.478
+   989    *0     *0     *0       0     2|0  3.6% 4.7%       0 2.91G 310M 0|0 0|0  12.9m   84.1k    2 Oct  6 09:45:38.476
+   988    *0     *0     *0       0     1|0  3.7% 4.8%       0 2.92G 323M 0|0 0|0  12.8m   83.8k    2 Oct  6 09:45:39.481
+   976    *0     *0     *0       0     2|0  3.9% 5.0%       0 2.94G 335M 0|0 0|0  12.7m   83.7k    2 Oct  6 09:45:40.476
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+When \fBfalse\fP, \fBmongostat\fP returns the raw data, as in the following
+sample output:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+insert query update delete getmore command dirty used flushes      vsize       res qrw arw   net_in net_out conn                      time
+   992    *0     *0     *0       0     2|0   1.3  2.4       0 2941255680 149946368 0|0 0|0 12913607   84271    2 2016\-10\-06T09:45:25\-04:00
+   989    *0     *0     *0       0     1|0   1.5  2.6       0 2974810112 163577856 0|0 0|0 12873225   84087    2 2016\-10\-06T09:45:26\-04:00
+   996    *0     *0     *0       0     1|0   1.6  2.8       0 2972712960 177209344 0|0 0|0 12955423   84345    2 2016\-10\-06T09:45:27\-04:00
+   987    *0     *0     *0       0     1|0   1.8  2.9       0 2989490176 190840832 0|0 0|0 12861852   84008    2 2016\-10\-06T09:45:28\-04:00
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-o <field list>
+New in version 3.4.
+
+.sp
+When specified, \fBmongostat\fP includes \fBonly\fP the specified fields
+in the \fBmongostat\fP output.
+.sp
+Use dot notation to specify
+\fBserverStatus fields\fP, as in
+\fBmetrics.document.inserted\fP\&.
+.sp
+To specify a custom name for a field, use \fB<field>=<customName>\fP,
+as in:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongostat \-o \(aqhost=H,time=T,version=MongoDB Version\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fI\%\-o\fP supports the following methods to modify the information
+returned for a given serverStatus field:
+.INDENT 7.0
+.TP
+.B rate()
+Use \fI\%\&.rate()\fP to view the rate per second at which a
+serverStatus field is changing from \fI\%mongostat\fP call to
+call.
+.sp
+\fI\%View Rate of Change for a Field with .rate()\fP illustrates how to use
+\fI\%mongostat\fP with \fI\%\-o\fP and the \fI\%\&.rate()\fP
+method.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B diff()
+Use \fI\%\&.diff()\fP to view how much a serverStatus field has
+changed since the previous \fI\%mongostat\fP call. The interval
+between calls is specified by \fB<sleeptime>\fP\&.
+.sp
+\fI\%View Field Changes with .diff()\fP illustrates how to use
+\fI\%mongostat\fP with \fI\%\-o\fP and the \fI\%\&.diff()\fP
+method.
+.UNINDENT
+.sp
+\fBmongostat\fP supports specifying \fIeither\fP \fI\%\-o\fP or \fI\%\-O\fP:
+you cannot include both options.
+.sp
+See \fI\%Specify mongostat Output Fields\fP for an example of
+\fI\%\-o\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-O <field list>
+New in version 3.4.
+
+.sp
+When specified, \fBmongostat\fP includes the specified
+\fBserverStatus\fP fields after the default \fBmongostat\fP output.
+.sp
+Use dot notation to specify
+\fBserverStatus fields\fP, as in
+\fBmetrics.document.inserted\fP\&.
+.sp
+To specify a custom name for a field, use \fB<field>=<customName>\fP,
+as in:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongostat \-O host=H,time=T
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+\fBmongostat\fP supports specifying \fIeither\fP \fI\%\-O\fP or \fI\%\-o\fP:
+you cannot include both options.
+.sp
+See \fI\%Add Fields to mongostat Output\fP for an example of
+\fI\%\-O\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-noheaders
 Disables the output of column or field names.
 .UNINDENT
@@ -389,39 +657,43 @@ Disables the output of column or field names.
 .B \-\-rowcount <number>, \-n <number>
 Controls the number of rows to output. Use in conjunction with
 the \fBsleeptime\fP argument to control the duration of a
-\fBmongostat\fP operation.
+\fI\%mongostat\fP operation.
 .sp
-Unless \fI\-\-rowcount\fP is specified, \fBmongostat\fP
+Unless \fI\%\-\-rowcount\fP is specified, \fI\%mongostat\fP
 will return an infinite number of rows (e.g. value of \fB0\fP\&.)
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-http
-Configures \fBmongostat\fP to collect data using the HTTP interface
-rather than a raw database connection.
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-discover
-Discovers and reports on statistics from all members of a \fIreplica
-set\fP or \fIsharded cluster\fP\&. When connected to any member of a
-replica set, \fI\%\-\-discover\fP all non\-\fIhidden members\fP of the replica set. When connected to a \fBmongos\fP,
-\fBmongostat\fP will return data from all \fIshards\fP in
+Discovers and reports on statistics from all members of a replica
+set or sharded cluster\&. When connected to any member of a
+replica set, \fI\%\-\-discover\fP all non\-hidden members of the replica set. When connected to a \fBmongos\fP,
+\fI\%mongostat\fP will return data from all shards in
 the cluster. If a replica set provides a shard in the sharded cluster,
-\fBmongostat\fP will report on non\-hidden members of that replica
+\fI\%mongostat\fP will report on non\-hidden members of that replica
 set.
 .sp
-The \fImongostat \-\-host\fP option is not required but
+The \fI\%mongostat \-\-host\fP option is not required but
 potentially useful in this case.
 .sp
-Changed in version 2.6: When running with \fI\%\-\-discover\fP, \fBmongostat\fP now
-respects :option:\-\-rowcount\(ga.
+Changed in version 2.6: When running with \fI\%\-\-discover\fP, \fI\%mongostat\fP now
+respects \fI\%\-\-rowcount\fP\&.
+
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-http
+Configures \fI\%mongostat\fP to collect data using the HTTP interface
+rather than a raw database connection.
+.sp
+Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to
+MongoDB.
 
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-all
-Configures \fBmongostat\fP to return all optional \fI\%fields\fP\&.
+Configures \fI\%mongostat\fP to return all optional \fI\%fields\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -429,28 +701,44 @@ Configures \fBmongostat\fP to return all optional \fI\%fields\fP\&.
 New in version 3.0.0.
 
 .sp
-Returns output for \fBmongostat\fP in \fIJSON\fP format.
+Returns output for \fBmongostat\fP in JSON format.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-interactive
+New in version 3.4.
+
+.sp
+Display \fBmongostat\fP output in an interactive non\-scrolling interface
+rather than the default scrolling output.
+.sp
+\fI\%\-\-interactive\fP is not available with the \fI\%\-\-json\fP
+option.
+.sp
+See: \fI\%View Statistics in an Interactive Interface\fP for an example of \fI\%\-\-interactive\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B <sleeptime>
-The final argument is the length of time, in seconds, that
-\fBmongostat\fP waits in between calls. By default \fBmongostat\fP
+\fIDefault\fP: 1
+.sp
+The final \fBmongostat\fP argument is the length of time, in seconds, that
+\fI\%mongostat\fP waits in between calls. By default \fI\%mongostat\fP
 returns one call every second.
 .sp
-\fBmongostat\fP returns values that reflect the operations
+\fI\%mongostat\fP returns values that reflect the operations
 over a 1 second period. For values of \fB<sleeptime>\fP greater
-than 1, \fBmongostat\fP averages data to reflect average
+than 1, \fI\%mongostat\fP averages data to reflect average
 operations per second.
 .UNINDENT
 .SH FIELDS
 .sp
-\fBmongostat\fP returns values that reflect the operations over a
+\fI\%mongostat\fP returns values that reflect the operations over a
 1 second period. When \fBmongostat <sleeptime>\fP has a value
-greater than 1, \fBmongostat\fP averages the statistics to reflect
+greater than 1, \fI\%mongostat\fP averages the statistics to reflect
 average operations per second.
 .sp
-\fBmongostat\fP outputs the following fields:
+\fI\%mongostat\fP outputs the following fields:
 .INDENT 0.0
 .TP
 .B inserts
@@ -481,82 +769,153 @@ The number of get more (i.e. cursor batch) operations per second.
 .INDENT 0.0
 .TP
 .B command
-The number of commands per second. On \fIslave\fP and
-\fIsecondary\fP systems, \fBmongostat\fP presents two values
+The number of commands per second. On
+secondary systems, \fI\%mongostat\fP presents two values
 separated by a pipe character (e.g. \fB|\fP), in the form of
 \fBlocal|replicated\fP commands.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B flushes
-The number of \fIfsync\fP operations per second.
+Changed in version 3.0.
+
+.sp
+For the storage\-wiredtiger, \fBflushes\fP refers to the number
+of WiredTiger checkpoints triggered between each polling interval.
+.sp
+For the storage\-mmapv1, \fBflushes\fP represents the number of
+fsync operations per second.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B dirty
+New in version 3.0.
+
+.sp
+Only for storage\-wiredtiger\&. The percentage of the WiredTiger
+cache with dirty bytes, calculated by
+\fBwiredTiger.cache.tracked dirty bytes in the cache\fP
+/ \fBwiredTiger.cache.maximum bytes configured\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B used
+New in version 3.0.
+
+.sp
+Only for storage\-wiredtiger\&. The percentage of the WiredTiger
+cache that is in use, calculated by
+\fBwiredTiger.cache.bytes currently in the cache\fP /
+\fBwiredTiger.cache.maximum bytes configured\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B mapped
-The total amount of data mapped in megabytes. This is the total
-data size at the time of the last \fBmongostat\fP call.
+Changed in version 3.0.
+
+.sp
+Only for storage\-mmapv1\&. The total amount of data mapped in
+megabytes. This is the total data size at the time of the last
+\fI\%mongostat\fP call.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B size
+.B vsize
 The amount of virtual memory in megabytes used by the process at
-the time of the last \fBmongostat\fP call.
+the time of the last \fI\%mongostat\fP call.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B non\-mapped
-The total amount of virtual memory excluding all mapped memory at
-the time of the last \fBmongostat\fP call.
+Changed in version 3.0.
+
+.sp
+Only for storage\-mmapv1\&.
+.sp
+\fIOptional\fP\&. The total amount of virtual memory excluding all mapped memory at
+the time of the last \fI\%mongostat\fP call.
+.sp
+\fI\%mongostat\fP only returns this value when started with the
+\fI\%\-\-all\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B res
 The amount of resident memory in megabytes used by the process at
-the time of the last \fBmongostat\fP call.
+the time of the last \fI\%mongostat\fP call.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B faults
-Changed in version 2.1.
+Changed in version 3.0.
 
 .sp
-The number of page faults per second.
+Only for storage\-mmapv1\&. The number of page faults per second.
 .sp
-Before version 2.1 this value was only provided for MongoDB
+Changed in version 2.1: Before version 2.1, this value was only provided for MongoDB
 instances running on Linux hosts.
+
 .UNINDENT
 .INDENT 0.0
 .TP
-.B locked
-The percent of time in a global write lock.
+.B lr
+New in version 3.2.
+
+.sp
+Only for storage\-mmapv1\&. The percentage of read lock
+acquisitions that had to wait. \fI\%mongostat\fP displays \fBlr|lw\fP
+if a lock acquisition waited.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B lw
+New in version 3.2.
+
 .sp
-Changed in version 2.2: The \fBlocked db\fP field replaces the \fBlocked %\fP field to
-more appropriate data regarding the database specific locks in
-version 2.2.
+Only for storage\-mmapv1\&. The percentage of write lock
+acquisitions that had to wait. \fI\%mongostat\fP displays \fBlr|lw\fP
+if a lock acquisition waited.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B lrt
+New in version 3.2.
 
+.sp
+Only for storage\-mmapv1\&. The average acquire time, in
+microseconds, of read lock acquisitions that waited.
+\fI\%mongostat\fP displays \fBlrt|lwt\fP if a lock acquisition
+waited.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B locked db
-New in version 2.2.
+.B lwt
+New in version 3.2.
 
 .sp
-The percent of time in the per\-database context\-specific
-lock. \fBmongostat\fP will report the database that has spent
-the most time since the last \fBmongostat\fP call with a write
-lock.
+Only for storage\-mmapv1\&. The average acquire time, in
+microseconds, of write lock acquisitions that waited.
+\fI\%mongostat\fP displays \fBlrt|lwt\fP if a lock acquisition
+waited.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B locked
+Changed in version 3.0: Only appears when \fI\%mongostat\fP runs against pre\-3.0
+versions of MongoDB instances.
+
 .sp
-This value represents the amount of time that the listed database
-spent in a locked state \fIcombined\fP with the time that the
-\fBmongod\fP spent in the global lock. Because of this, and
-the sampling method, you may see some values greater than 100%.
+The percent of time in a global write lock.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B idx miss
-The percent of index access attempts that required a page fault
-to load a btree node. This is a sampled value.
+Changed in version 3.0.
+
+.sp
+Only for storage\-mmapv1\&. The percent of index access attempts
+that required a page fault to load a btree node. This is a sampled
+value.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -585,14 +944,14 @@ The number of active clients performing write operations.
 .B netIn
 The amount of network traffic, in \fIbytes\fP, received by the MongoDB instance.
 .sp
-This includes traffic from \fBmongostat\fP itself.
+This includes traffic from \fI\%mongostat\fP itself.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B netOut
 The amount of network traffic, in \fIbytes\fP, sent by the MongoDB instance.
 .sp
-This includes traffic from \fBmongostat\fP itself.
+This includes traffic from \fI\%mongostat\fP itself.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -621,13 +980,13 @@ _
 T{
 M
 T}	T{
-\fImaster\fP
+master
 T}
 _
 T{
 SEC
 T}	T{
-\fIsecondary\fP
+secondary
 T}
 _
 T{
@@ -643,23 +1002,24 @@ unknown
 T}
 _
 T{
-SLV
+RTR
 T}	T{
-\fIslave\fP
+mongos process (“router”)
 T}
 _
 T{
-RTR
+ARB
 T}	T{
-mongos process ("router")
+arbiter
 T}
 _
 .TE
 .UNINDENT
-.SH USAGE
+.SH USE
+.SS Specify \fBmongostat\fP Collection Period and Frequency
 .sp
-In the first example, \fBmongostat\fP will return data every
-second for 20 seconds. \fBmongostat\fP collects data from the
+In the first example, \fI\%mongostat\fP will return data every
+second for 20 seconds. \fI\%mongostat\fP collects data from the
 \fBmongod\fP instance running on the localhost interface on
 port 27017. All of the following invocations produce identical
 behavior:
@@ -677,11 +1037,11 @@ mongostat \-n 20
 .UNINDENT
 .UNINDENT
 .sp
-In the next example, \fBmongostat\fP returns data every 5 minutes
-(or 300 seconds) for as long as the program runs. \fBmongostat\fP
+In the next example, \fI\%mongostat\fP returns data every 5 minutes
+(or 300 seconds) for as long as the program runs. \fI\%mongostat\fP
 collects data from the \fBmongod\fP instance running on the
-localhost interface on port \fB27017\fP\&. Both of the following
-invocations produce identical behavior.
+localhost interface on port \fB27017\fP\&. The following
+invocations produce identical behavior:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -695,11 +1055,11 @@ mongostat 300
 .UNINDENT
 .UNINDENT
 .sp
-In the following example, \fBmongostat\fP returns data every 5
-minutes for an hour (12 times.) \fBmongostat\fP collects data
+In the following example, \fI\%mongostat\fP returns data every 5
+minutes for an hour (12 times.) \fI\%mongostat\fP collects data
 from the \fBmongod\fP instance running on the localhost interface
-on port 27017. Both of the following invocations produce identical
-behavior.
+on port 27017. The following invocations produce identical
+behavior:
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -711,11 +1071,166 @@ mongostat \-n 12 300
 .fi
 .UNINDENT
 .UNINDENT
+.SS Add Fields to \fI\%mongostat\fP Output
+.sp
+New in version 3.4.
+
+.sp
+\fI\%\-O\fP allows you to specify fields from
+\fBserverStatus\fP output to add to the default
+\fI\%mongostat\fP output. The following example adds the \fBhost\fP
+and \fBversion\fP fields as well as the \fBnetwork.numRequests\fP field,
+which will display as “network requests”, to the default
+\fI\%mongostat\fP output:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongostat \-O \(aqhost,version,network.numRequests=network requests\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .sp
-In many cases, using the \fI\-\-discover\fP
+The \fI\%mongostat\fP output would then resemble:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+insert query update delete getmore command dirty used flushes vsize   res qrw arw net_in net_out conn                time            host version network requests
+    *0    *0     *0     *0       0     2|0  0.0% 0.0%       0 2.51G 19.0M 0|0 0|0   158b   39.4k    2 Oct 11 12:14:45.878 localhost:37017  3.3.14               91
+    *0    *0     *0     *0       0     1|0  0.0% 0.0%       0 2.51G 19.0M 0|0 0|0   157b   39.3k    2 Oct 11 12:14:46.879 localhost:37017  3.3.14               95
+    *0    *0     *0     *0       0     1|0  0.0% 0.0%       0 2.51G 19.0M 0|0 0|0   157b   39.2k    2 Oct 11 12:14:47.884 localhost:37017  3.3.14               99
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS Specify \fI\%mongostat\fP Output Fields
+.sp
+New in version 3.4.
+
+.sp
+\fI\%\-o\fP specifies the columns \fI\%mongostat\fP includes in its
+output. You can specify any \fBserverStatus\fP field as a
+\fI\%mongostat\fP output column. The following example specifies the
+\fBhost\fP, \fBtime\fP, and  \fBmetrics.document.inserted\fP fields:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongostat \-o \(aqhost,time,metrics.document.inserted\(aq
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The \fI\%mongostat\fP output would then resemble:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+           host                time metrics.document.inserted
+localhost:37017 Oct 11 12:21:17.370                         0
+localhost:37017 Oct 11 12:21:18.371                         0
+localhost:37017 Oct 11 12:21:19.371                         0
+localhost:37017 Oct 11 12:21:20.368                         0
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS View Rate of Change for a Field with \fI\%\&.rate()\fP
+.sp
+New in version 3.4.
+
+.sp
+\fI\%\&.rate()\fP enables you to view the rate per second at which a
+numerical field has changed from one \fI\%mongostat\fP call to the
+next. For example, you can view the rate at which documents have been
+inserted during an insert operation. \fI\%\&.rate()\fP can therefore
+help you view the performance of your \fBmongod\fP instance.
+.sp
+The following example reports on the rate of change of the
+\fBmetrics.document.inserted\fP \fBserverStatus\fP field. The
+invocation uses \fI\%\-o\fP’s ability to specify the name of an column
+to label \fBmetrics.document.inserted.rate()\fP as “inserted rate” and
+\fBmetrics.document.inserted\fP as “inserted”:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongostat \-o \(aqhost,mem,bits,metrics.document.inserted.rate()=inserted rate,metrics.document.inserted=inserted\(aq \-\-rowcount 5
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The output would then resemble:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+           host mem.bits inserted rate inserted
+localhost:37017       64           501     3455
+localhost:37017       64           967    13128
+localhost:37017       64           972    22851
+localhost:37017       64           214    25000
+localhost:37017       64             0    25000
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS View Field Changes with \fI\%\&.diff()\fP
+.sp
+New in version 3.4.
+
+.sp
+\fI\%\&.diff()\fP returns the difference between the current
+\fBserverStatus\fP field value and the value from the previous
+\fI\%mongostat\fP call. The following example returns statistics on
+the number of documents being inserted into a collection: \fBinserted
+diff\fP is the difference in the
+\fBmetrics.document.inserted\fP field between subsequent
+calls, while \fBinserted\fP is the value of
+\fBmetrics.document.inserted\fP:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongostat \-o \(aqhost,mem.bits,metrics.document.inserted.diff()=inserted diff,metrics.document.inserted=inserted\(aq \-\-rowcount 5
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The output would then resemble:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+           host mem.bits inserted diff inserted
+localhost:27017       64             0    25359
+localhost:27017       64            94    25453
+localhost:27017       64           938    26391
+localhost:27017       64           964    27355
+localhost:27017       64           978    28333
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.SS View Statistics for a Replica Set or Sharded Cluster
+.sp
+In many cases, using the \fI\%\-\-discover\fP option
 will help provide a more complete snapshot of the state of an entire
 group of machines. If a \fBmongos\fP process connected to a
-\fIsharded cluster\fP is running on port \fB27017\fP of the local
+sharded cluster is running on port \fB27017\fP of the local
 machine, you can use the following form to return statistics from all
 members of the cluster:
 .INDENT 0.0
@@ -728,9 +1243,51 @@ mongostat \-\-discover
 .fi
 .UNINDENT
 .UNINDENT
+.SS View Statistics in an Interactive Interface
+.sp
+New in version 3.4.
+
+.sp
+Use the \fI\%\-\-interactive\fP option to
+view statistics in a non\-scrolling \fI\%ncurses\fP \-style
+interactive output. The \fI\%\-\-interactive\fP option lets you highlight specific
+hosts, columns, or fields to view. When combined with \fI\%\-\-discover\fP,
+\fI\%\-\-interactive\fP displays statistics for all members of a
+replica set or sharded cluster, as in the following example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongostat \-\-discover \-\-interactive
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The output for a sharded cluster would then resemble:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+                  host insert query update delete getmore command dirty used flushes mapped vsize   res faults qrw arw net_in net_out conn set repl                time
+hostname.local:27018     *0    *0     *0     *0       0     1|0  0.0% 0.0%       0        3.25G 25.0M    n/a 0|0 1|0   157b   43.9k   19 tic  PRI Nov  2 11:44:46.439
+hostname.local:27019     *0    *0     *0     *0       0     2|0  0.0% 0.0%       0        3.18G 26.0M    n/a 0|0 1|0   322b   44.4k   12 tic  SEC Nov  2 11:44:46.439
+hostname.local:27020     *0    *0     *0     *0       0     2|0  0.0% 0.0%       0        3.18G 26.0M    n/a 0|0 1|0   322b   44.4k   12 tic  SEC Nov  2 11:44:46.439
+hostname.local:27021   2017    *0     *0     *0     826  1029|0  0.0% 0.0%       0        3.25G 31.0M    n/a 0|0 1|0  1.74m   1.60m   20 tac  PRI Nov  2 11:44:46.439
+hostname.local:27022  *2021    *0     *0     *0       0     2|0  0.0% 0.0%       0        3.19G 32.0M    n/a 0|0 1|0   322b   44.6k   12 tac  SEC Nov  2 11:44:46.438
+hostname.local:27023  *2022    *0     *0     *0       0     3|0  0.0% 0.0%       0        3.19G 33.0M    n/a 0|0 1|0   323b   44.7k   12 tac  SEC Nov  2 11:44:46.438
+     localhost:27017   2071    *0     *0     *0       0  2073|0                  0     0B 2.43G 9.00M      0 0|0 0|0   249k    130k    4      RTR Nov  2 11:44:47.429
+
+Press \(aq?\(aq to toggle help
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .
diff --git a/debian/mongotop.1 b/debian/mongotop.1
index 7075fa5f839..9962045a255 100644
--- a/debian/mongotop.1
+++ b/debian/mongotop.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "MONGOTOP" "1" "January 30, 2015" "3.0" "mongodb-manual"
+.TH "MONGOTOP" "1" "Jun 21, 2018" "4.0" "mongodb-manual"
 .SH NAME
 mongotop \- MongoDB Activity Monitor
 .
@@ -30,51 +30,68 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.SH SYNOPSIS
-.sp
-\fBmongotop\fP provides a method to track the amount of time a
-MongoDB instance spends reading and writing data. \fBmongotop\fP
-provides statistics on a per\-collection level. By default,
-\fBmongotop\fP returns values every second.
-.sp
-\fBIMPORTANT:\fP
+.SS On this page
+.INDENT 0.0
+.IP \(bu 2
+\fI\%Synopsis\fP
+.IP \(bu 2
+\fI\%Required Access\fP
+.IP \(bu 2
+\fI\%Options\fP
+.IP \(bu 2
+\fI\%Fields\fP
+.IP \(bu 2
+\fI\%Use\fP
+.UNINDENT
 .INDENT 0.0
 .INDENT 3.5
-In order to connect to a \fBmongod\fP that enforces
-authorization with the \fI\-\-auth\fP option, the
-\fI\-\-username\fP and
-\fI\-\-password\fP options must be used, and the
-user specified must have the \fBserverStatus\fP and
-\fBtop\fP privileges.
+.IP "Mac OSX Sierra and Go 1.6 Incompatibility"
 .sp
-The most appropriate built\-in role that has these privileges is
-\fBclusterMonitor\fP\&.
+Users running on Mac OSX Sierra require the 3.2.10 or newer version
+of  mongotop\&.
 .UNINDENT
 .UNINDENT
+.SH SYNOPSIS
+.sp
+\fI\%mongotop\fP provides a method to track the amount of time a
+MongoDB instance spends reading and writing data. \fI\%mongotop\fP
+provides statistics on a per\-collection level. By default,
+\fI\%mongotop\fP returns values every second.
+.sp
+Run \fI\%mongotop\fP from the system command line, not the \fBmongo\fP shell.
 .sp
 \fBSEE ALSO:\fP
 .INDENT 0.0
 .INDENT 3.5
 For more information about monitoring MongoDB, see
-http://docs.mongodb.org/manual/administration/monitoring\&.
+/administration/monitoring\&.
 .sp
 For additional background on various other MongoDB status outputs
 see:
 .INDENT 0.0
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/command/serverStatus
+/reference/command/serverStatus
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/command/replSetGetStatus
+/reference/command/replSetGetStatus
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/command/dbStats
+/reference/command/dbStats
 .IP \(bu 2
-http://docs.mongodb.org/manual/reference/command/collStats
+/reference/command/collStats
 .UNINDENT
 .sp
 For an additional utility that provides MongoDB metrics
-see \fBmongostat\fP\&.
+see mongostat\&.
 .UNINDENT
 .UNINDENT
+.SH REQUIRED ACCESS
+.sp
+In order to connect to a \fBmongod\fP that enforces authorization
+with the \fB\-\-auth\fP option, you must use the
+\fI\%\-\-username\fP and \fI\%\-\-password\fP options, and the connecting user must
+have the \fBserverStatus\fP and \fBtop\fP privileges.
+.sp
+The most appropriate built\-in role that has these privileges is
+\fBclusterMonitor\fP\&.
 .SH OPTIONS
 .INDENT 0.0
 .TP
@@ -82,10 +99,6 @@ see \fBmongostat\fP\&.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B mongotop
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-help
 Returns information on the options and use of \fBmongotop\fP\&.
 .UNINDENT
@@ -99,13 +112,13 @@ including the option multiple times, (e.g. \fB\-vvvvv\fP\&.)
 .INDENT 0.0
 .TP
 .B \-\-quiet
-Runs the \fBmongotop\fP in a quiet mode that attempts to limit the amount
+Runs \fBmongotop\fP in a quiet mode that attempts to limit the amount
 of output.
 .sp
 This option suppresses:
 .INDENT 7.0
 .IP \(bu 2
-output from \fIdatabase commands\fP
+output from database commands
 .IP \(bu 2
 replication activity
 .IP \(bu 2
@@ -121,6 +134,60 @@ Returns the \fBmongotop\fP release number.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-uri <connectionString>
+New in version 3.4.6.
+
+.sp
+Specify a resolvable URI
+connection string for the \fBmongod\fP to which to
+connect.
+.sp
+The following is the standard
+URI connection scheme:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+For detailed explanations of the components of this string, refer to
+the
+Connection String URI Format
+documentation.
+.sp
+\fBIMPORTANT:\fP
+.INDENT 7.0
+.INDENT 3.5
+The following \fI\%mongotop\fP options are incompatible with the
+\fB\-\-uri\fP option. Instead, specify these options as part of your
+\fB\-\-uri\fP connection string when applicable:
+.INDENT 0.0
+.IP \(bu 2
+\fB\-\-host\fP
+.IP \(bu 2
+\fB\-\-port\fP
+.IP \(bu 2
+\fB\-\-db\fP
+.IP \(bu 2
+\fB\-\-username\fP
+.IP \(bu 2
+\fB\-\-password\fP (when specifying the password as part of the
+URI connection string)
+.IP \(bu 2
+\fB\-\-authenticationDatabase\fP
+.IP \(bu 2
+\fB\-\-authenticationMechanism\fP
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-host <hostname><:port>, \-h <hostname><:port>
 \fIDefault\fP: localhost:27017
 .sp
@@ -150,7 +217,7 @@ enclose the portion of an address and port combination in
 brackets (e.g. \fB[<address>]\fP).
 
 .sp
-If connected to a replica set where the \fIprimary\fP is not
+If connected to a replica set where the primary is not
 reachable, \fBmongotop\fP returns an error message.
 .UNINDENT
 .INDENT 0.0
@@ -164,9 +231,12 @@ client connections.
 .INDENT 0.0
 .TP
 .B \-\-ipv6
-Enables IPv6 support and allows the \fBmongotop\fP to connect to the
-MongoDB instance using an IPv6 network. All MongoDB programs and
-processes disable IPv6 support by default.
+\fIRemoved in version 3.0.\fP
+.sp
+Enables IPv6 support and allows \fBmongotop\fP to connect to the
+MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you
+had to specify \fI\%\-\-ipv6\fP to use IPv6. In MongoDB 3.0 and later, IPv6
+is always enabled.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -175,10 +245,11 @@ New in version 2.6.
 
 .sp
 Enables connection to a \fBmongod\fP or \fBmongos\fP that has
-SSL support enabled.
+TLS/SSL support enabled.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -190,23 +261,32 @@ Specifies the \fB\&.pem\fP file that contains the root certificate chain
 from the Certificate Authority. Specify the file name of the
 \fB\&.pem\fP file using relative or absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in version 3.4, if \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP is not
+specified and you are not using x.509 authentication, the
+system\-wide CA certificate store will be used when connecting to an
+TLS/SSL\-enabled server.
+.sp
+If using x.509 authentication, \fB\-\-sslCAFile\fP or \fBssl.CAFile\fP
+must be specified.
 .sp
 \fBWARNING:\fP
 .INDENT 7.0
 .INDENT 3.5
-If the \fBmongo\fP shell or any other tool that connects to
-\fBmongos\fP or \fBmongod\fP is run without
-\fI\-\-sslCAFile\fP, it will not attempt to validate
-server certificates. This results in vulnerability to expired
-\fBmongod\fP and \fBmongos\fP certificates as well as to foreign
-processes posing as valid \fBmongod\fP or \fBmongos\fP
-instances. Ensure that you \fIalways\fP specify the CA file against which
-server certificates should be validated in cases where intrusion is a
-possibility.
+\fBVersion 3.2 and earlier:\fP For TLS/SSL connections (\fB\-\-ssl\fP) to
+\fBmongod\fP and \fBmongos\fP, if the \fBmongotop\fP runs without the
+\fI\%\-\-sslCAFile\fP, \fBmongotop\fP will not attempt
+to validate the server certificates. This creates a vulnerability
+to expired \fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid \fBmongod\fP or
+\fBmongos\fP instances. Ensure that you \fIalways\fP specify the
+CA file to validate the server certificates in cases where
+intrusion is a possibility.
 .UNINDENT
 .UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -214,7 +294,7 @@ possibility.
 New in version 2.6.
 
 .sp
-Specifies the \fB\&.pem\fP file that contains both the SSL certificate
+Specifies the \fB\&.pem\fP file that contains both the TLS/SSL certificate
 and key. Specify the file name of the \fB\&.pem\fP file using relative
 or absolute paths.
 .sp
@@ -223,8 +303,9 @@ to a \fBmongod\fP or \fBmongos\fP that has
 \fBCAFile\fP enabled \fIwithout\fP
 \fBallowConnectionsWithoutCertificates\fP\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -239,10 +320,11 @@ redact the password from all logging and reporting output.
 .sp
 If the private key in the PEM file is encrypted and you do not specify
 the \fI\%\-\-sslPEMKeyPassword\fP option, the \fBmongotop\fP will prompt for a passphrase. See
-\fIssl\-certificate\-password\fP\&.
+ssl\-certificate\-password\&.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -254,8 +336,9 @@ Specifies the \fB\&.pem\fP file that contains the Certificate Revocation
 List. Specify the file name of the \fB\&.pem\fP file using relative or
 absolute paths.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -268,8 +351,36 @@ the use of invalid certificates. When using the
 \fBallowInvalidCertificates\fP setting, MongoDB logs as a
 warning the use of the invalid certificate.
 .sp
-The default distribution of MongoDB does not contain support for SSL.
-For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tutorial/configure\-ssl\&.
+Starting in MongoDB 4.0, if you specify
+\fB\-\-sslAllowInvalidCertificates\fP or \fBssl.allowInvalidCertificates:
+true\fP when using x.509 authentication, an invalid certificate is
+only sufficient to establish a TLS/SSL connection but is
+\fIinsufficient\fP for authentication.
+.sp
+\fBWARNING:\fP
+.INDENT 7.0
+.INDENT 3.5
+For TLS/SSL connections to \fBmongod\fP and
+\fBmongos\fP, avoid using
+\fB\-\-sslAllowInvalidCertificates\fP if possible and only use
+\fB\-\-sslAllowInvalidCertificates\fP on systems where intrusion is
+not possible.
+.sp
+If the \fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) runs with the
+\fB\-\-sslAllowInvalidCertificates\fP option, the
+\fBmongo\fP shell (and other
+mongodb\-tools\-support\-ssl) will not attempt to validate
+the server certificates. This creates a vulnerability to expired
+\fBmongod\fP and \fBmongos\fP certificates as
+well as to foreign processes posing as valid
+\fBmongod\fP or \fBmongos\fP instances.
+.UNINDENT
+.UNINDENT
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -277,9 +388,13 @@ For more information on MongoDB and SSL, see http://docs.mongodb.org/manual/tuto
 New in version 3.0.
 
 .sp
-Disables the validation of the hostnames in SSL certificates. Allows
-\fBmongotop\fP to connect to MongoDB instances if the hostname their
+Disables the validation of the hostnames in TLS/SSL certificates. Allows
+\fBmongotop\fP to connect to MongoDB instances even if the hostname in their
 certificates do not match the specified hostname.
+.sp
+For more information about TLS/SSL and MongoDB, see
+/tutorial/configure\-ssl and
+/tutorial/configure\-ssl\-clients .
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -294,9 +409,9 @@ the \fI\%\-\-sslFIPSMode\fP option.
 \fBNOTE:\fP
 .INDENT 7.0
 .INDENT 3.5
-FIPS Compatible SSL is
+FIPS\-compatible TLS/SSL is
 available only in \fI\%MongoDB Enterprise\fP\&. See
-http://docs.mongodb.org/manual/tutorial/configure\-fips for more information.
+/tutorial/configure\-fips for more information.
 .UNINDENT
 .UNINDENT
 .UNINDENT
@@ -314,35 +429,40 @@ Specifies a password with which to authenticate to a MongoDB database
 that uses authentication. Use in conjunction with the \fB\-\-username\fP and
 \fB\-\-authenticationDatabase\fP options.
 .sp
-If you do not specify an argument for \fI\%\-\-password\fP, \fBmongotop\fP will
-prompt interactively for a password on the console.
+Changed in version 3.0.0: If you do not specify an argument for \fI\%\-\-password\fP, \fBmongotop\fP returns
+an error.
+
+.sp
+Changed in version 3.0.2: If you wish \fBmongotop\fP to prompt the user
+for the password, pass the \fI\%\-\-username\fP option without
+\fI\%\-\-password\fP or specify an empty string as the \fI\%\-\-password\fP value,
+as in \fB\-\-password ""\fP .
+
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationDatabase <dbname>
-New in version 2.4.
-
-.sp
-Specifies the database that holds the user\(aqs credentials.
+Specifies the database in which the user is created.
+See user\-authentication\-database\&.
 .sp
 Changed in version 3.0.0: \fI\%\-\-authenticationDatabase\fP is required for \fBmongod\fP
-and \fBmongos\fP instances that use \fIauthentication\fP\&.
+and \fBmongos\fP instances that use authentication\&.
 
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-authenticationMechanism <name>
-\fIDefault\fP: MONGODB\-CR
-.sp
-New in version 2.4.
-
-.sp
-Changed in version 2.6: Added support for the \fBPLAIN\fP and \fBMONGODB\-X509\fP authentication
-mechanisms.
-
+\fIDefault\fP: SCRAM\-SHA\-1
 .sp
 Specifies the authentication mechanism the \fBmongotop\fP instance uses to
 authenticate to the \fBmongod\fP or \fBmongos\fP\&.
+.sp
+Changed in version 4.0: MongoDB removes support for the deprecated MongoDB
+Challenge\-Response (\fBMONGODB\-CR\fP) authentication mechanism.
+.sp
+MongoDB adds support for SCRAM mechanism using the SHA\-256 hash
+function (\fBSCRAM\-SHA\-256\fP).
+
 .TS
 center;
 |l|l|.
@@ -354,33 +474,47 @@ Description
 T}
 _
 T{
-MONGODB\-CR
+SCRAM\-SHA\-1
 T}	T{
-MongoDB challenge/response authentication.
+\fI\%RFC 5802\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-1
+hash function.
 T}
 _
 T{
-MONGODB\-X509
+SCRAM\-SHA\-256
 T}	T{
-MongoDB SSL certificate authentication.
+\fI\%RFC 7677\fP standard
+Salted Challenge Response Authentication Mechanism using the SHA\-256
+hash function.
+.sp
+Requires featureCompatibilityVersion set to \fB4.0\fP\&.
+.sp
+New in version 4.0.
 T}
 _
 T{
-PLAIN
+MONGODB\-X509
 T}	T{
-External authentication using LDAP. You can also use \fBPLAIN\fP
-for authenticating in\-database users. \fBPLAIN\fP transmits
-passwords in plain text. This mechanism is available only in
-\fI\%MongoDB Enterprise\fP\&.
+MongoDB TLS/SSL certificate authentication.
 T}
 _
 T{
-GSSAPI
+GSSAPI (Kerberos)
 T}	T{
 External authentication using Kerberos. This mechanism is
 available only in \fI\%MongoDB Enterprise\fP\&.
 T}
 _
+T{
+PLAIN (LDAP SASL)
+T}	T{
+External authentication using LDAP. You can also use \fBPLAIN\fP
+for authenticating in\-database users. \fBPLAIN\fP transmits
+passwords in plain text. This mechanism is available only in
+\fI\%MongoDB Enterprise\fP\&.
+T}
+_
 .TE
 .UNINDENT
 .INDENT 0.0
@@ -389,7 +523,7 @@ _
 New in version 2.6.
 
 .sp
-Specify the name of the service using \fBGSSAPI/Kerberos\fP\&. Only required if the service does not use the
+Specify the name of the service using GSSAPI/Kerberos\&. Only required if the service does not use the
 default name of \fBmongodb\fP\&.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -400,7 +534,7 @@ This option is available only in MongoDB Enterprise.
 New in version 2.6.
 
 .sp
-Specify the hostname of a service using \fBGSSAPI/Kerberos\fP\&. \fIOnly\fP required if the hostname of a machine does
+Specify the hostname of a service using GSSAPI/Kerberos\&. \fIOnly\fP required if the hostname of a machine does
 not match the hostname resolved by DNS.
 .sp
 This option is available only in MongoDB Enterprise.
@@ -408,17 +542,17 @@ This option is available only in MongoDB Enterprise.
 .INDENT 0.0
 .TP
 .B \-\-locks
-Toggles the mode of \fBmongotop\fP to report on use of per\-database
-\fIlocks\fP\&. These data are useful for measuring concurrent
-operations and lock percentage.
+Toggles the mode of \fI\%mongotop\fP to report on use of per\-database
+locks\&. This data is only available when connected to a
+MongoDB 2.6 or older instance.
 .sp
-\fI\%\-\-locks\fP returns an error when called against a \fBmongod\fP instance
-that does not report lock usage.
+\fI\%\-\-locks\fP returns an error when called against a \fBmongod\fP 3.0 or
+newer instance that does not report per\-database lock usage.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-rowcount int, \-n int
-Number of lines of data that \fBmongotop\fP should print. "0 for indefinite"
+Number of lines of data that \fBmongotop\fP should print. “0 for indefinite”
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -426,7 +560,7 @@ Number of lines of data that \fBmongotop\fP should print. "0 for indefinite"
 New in version 3.0.0.
 
 .sp
-Returns output for \fBmongotop\fP in \fIJSON\fP format.
+Returns output for \fBmongotop\fP in JSON format.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -437,35 +571,31 @@ data every second.
 .UNINDENT
 .SH FIELDS
 .sp
-\fBmongotop\fP returns time values specified in milliseconds
+\fI\%mongotop\fP returns time values specified in milliseconds
 (ms.)
 .sp
-\fBmongotop\fP only reports active namespaces or databases,
-depending on the \fI\%\-\-locks\fP option. If you don\(aqt see a database
+\fI\%mongotop\fP only reports active namespaces or databases,
+depending on the \fI\%\-\-locks\fP option. If you don’t see a database
 or collection, it has received no recent activity. You can issue a
 simple operation in the \fBmongo\fP shell to generate activity to
-affect the output of \fBmongotop\fP\&.
+affect the output of \fI\%mongotop\fP\&.
 .INDENT 0.0
 .TP
 .B mongotop.ns
 Contains the database namespace, which combines the database name
 and collection.
 .sp
-Changed in version 2.2: If you use the \fImongotop \-\-locks\fP, the \fBns\fP field does not
-appear in the \fBmongotop\fP output.
-
+If you use the \fI\%mongotop \-\-locks\fP, the \fI\%ns\fP
+field does not appear in the \fI\%mongotop\fP output.
 .UNINDENT
 .INDENT 0.0
 .TP
 .B mongotop.db
-New in version 2.2.
-
-.sp
 Contains the name of the database. The database named \fB\&.\fP refers
 to the global lock, rather than a specific database.
 .sp
 This field does not appear unless you have invoked
-\fBmongotop\fP with the \fI\%\-\-locks\fP option.
+\fI\%mongotop\fP with the \fI\%\-\-locks\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -492,14 +622,14 @@ Provides a time stamp for the returned data.
 .UNINDENT
 .SH USE
 .sp
-By default \fBmongotop\fP connects to the MongoDB instance
-running on the localhost port \fB27017\fP\&. However, \fBmongotop\fP can optionally
+By default \fI\%mongotop\fP connects to the MongoDB instance
+running on the localhost port \fB27017\fP\&. However, \fI\%mongotop\fP can optionally
 connect to remote \fBmongod\fP
 instances. See the \fI\%mongotop options\fP for more
 information.
 .sp
-To force \fBmongotop\fP to return less frequently specify a number, in
-seconds at the end of the command. In this example, \fBmongotop\fP will
+To force \fI\%mongotop\fP to return less frequently specify a number, in
+seconds at the end of the command. In this example, \fI\%mongotop\fP will
 return every 15 seconds.
 .INDENT 0.0
 .INDENT 3.5
@@ -546,10 +676,10 @@ local.system.namespaces      0ms     0ms      0ms
 .sp
 The output varies depending on your MongoDB setup. For example,
 \fBlocal.system.indexes\fP and \fBlocal.system.namespaces\fP only appear
-for \fBmongod\fP instances using the \fIMMAPv1\fP
+for \fBmongod\fP instances using the MMAPv1
 storage engine.
 .sp
-To return a \fBmongotop\fP report every 5 minutes, use the
+To return a \fI\%mongotop\fP report every 5 minutes, use the
 following command:
 .INDENT 0.0
 .INDENT 3.5
@@ -561,33 +691,9 @@ mongotop 300
 .fi
 .UNINDENT
 .UNINDENT
-.sp
-To report the use of per\-database locks, use \fI\%\-\-locks\fP,
-which produces the following output:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-$ mongotop \-\-locks
-connected to: 127.0.0.1
-
-                  db       total        read       write          2012\-08\-13T16:33:34
-               local         0ms         0ms         0ms
-               admin         0ms         0ms         0ms
-                   .         0ms         0ms         0ms
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-Changed in version 3.0.0: When called against a \fBmongod\fP that does not report lock
-usage, \fI\%\-\-locks\fP will return a \fBFailed: Server does not
-support reporting locking information\fP error.
-
 .SH AUTHOR
 MongoDB Documentation Project
 .SH COPYRIGHT
-2011-2015
+2008-2018
 .\" Generated by docutils manpage writer.
 .