- Type: Investigation
- Resolution: Declined
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- None
- Not Needed
- Developer Tools
Use internal authorization for all authentication mechanisms, except for the following cases:
- LDAP (PLAIN) or GSSAPI is used as the authentication mechanism, in which case LDAP authorization is used
- MONGODB-OIDC with useAuthorizationClaim=true, in which case OIDC authorization is used
- MONGODB-X509 with useInternalAuthzForX509=false, in which case LDAP authorization is used if LDAP is enabled. If LDAP is disabled, internal authorization is used regardless of the value of the useInternalAuthzForX509 flag.
Provide a new server parameter useInternalAuthzForX509 to enable the use of internal authorization alongside LDAP for MONGODB-X509.
Description of Linked Ticket
Summary
Respect per-mechanism external authz even when LDAP is enabled.
Motivation
Today, LDAP authorization becomes the authoritative source of external authorization whenever it is enabled. A user who configures LDAP and OIDC together may be surprised that OIDC can be used for authentication, but LDAP is then used for authorization. We would like to allow OIDC, among other mechanisms, to operate independently of LDAP: when a user authenticates with OIDC and presents an authorization token, that token should allow them to be authorized through OIDC, even if LDAP is enabled.