-
Type: Task
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: None
-
Labels: None
Scoping
Description
- If security.ldap.userToDNMapping uses the substitution parameter, the result of the substitution MUST be an RFC4514-escaped string, as in (CN=Doe\, John,OU=Users,DC=foo,DC=bar)
- If LDAP Authz is enabled and an LDAP group's DN contains an RFC4514-escaped sequence, the role names in the system.roles collection in the admin database must also be RFC4514-escaped (not plaintext)
Scope of changes (files that need work and how much)
- userToDNMapping reference: tweak description (also handles the mongod option)
- MongoDB Roles for LDAP Authz: note that role names must be RFC4514-escaped if LDAP group names contain an RFC4514-escaped sequence
- userToDNMapping (again): tweak description
- userToDNMapping (again): tweak description
- Transform usernames: add note about needing the outcome to be RFC4514-escaped
Impact to other docs outside of this product
- Ops Manager:
- may need to clarify escaping in the Enable LDAP Tutorial - specifically the "User to Distinguished Name Mapping" section
- probably need to say something about escaping the roles, though I'm not sure where
Documentation Request Summary:
1. When the security.ldap.userToDNMapping configuration option has one or more subsections with the substitution parameter, then the result of such substitution MUST be an RFC4514-escaped string (CN=Doe\, John,OU=Users,DC=foo,DC=bar).
2. When LDAP authorization is enabled and LDAP groups (their DNs) contain RFC4514 escape sequences, then role names in the system.roles collection in the admin database must be the RFC4514-escaped form, not the plaintext representation of the role names.
This ticket does NOT introduce any new behavior. Instead, it fixes the authentication issue customers hit when their DNs contain special characters.
Engineering Ticket Description:
When LDAP authentication and authorization are enabled in the Server, the contents of the {USER} value in the security.ldap.authz.queryTemplate configuration option need to be escaped in accordance with RFC 4515, the search filter rules (backslash, asterisk, parentheses and NUL in an assertion value become \XX hex escapes). Note that this is distinct from the RFC 4514 DN escaping above: the DN string is built first, then escaped again when it is placed into the filter. Please see the example below:
$ mongo --host rhel-73.acme.qa --authenticationDatabase '$external' --authenticationMechanism PLAIN --username peter.pan -p
MongoDB shell version v3.4.9
Enter password:
connecting to: mongodb://rhel-73.acme.qa:27017/
MongoDB server version: 3.4.9
2017-10-18T11:37:14.679-0700 E QUERY    [thread1] Error: Failed to acquire LDAP group membership :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):7:1
@(auth):1:2
exception: login failed
mongod.log:
2017-10-18T11:37:14.679-0700 E ACCESS [conn5] LDAP authorization failed: UnknownError: Failed to obtain LDAP entities for query 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"': LDAP Operation <ldap_search_ext_s>, Failed to perform query: Bad search filter' Query was: 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"'". (-7/Bad search filter)
Corresponding ldapsearch reproduction (please disregard bash-related escaping of the single quote character):
$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie'"'"'s fictional character),CN=Users,DC=ACME,DC=QA))' cn
Enter LDAP Password:
ldap_search_ext: Bad search filter (-7)
Correct search filter syntax (please disregard bash-related escaping of the single quote character):
$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\\2c Peter \\28J.M. Barrie'"'"'s fictional character\\29,CN=Users,DC=ACME,DC=QA))' cn
Enter LDAP Password:
dn: CN=Global-Admins-Database,CN=Users,DC=ACME,DC=QA
cn: Global-Admins-Database
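The two escaping steps this ticket separates (RFC 4514 for the DN string that userToDNMapping must produce and that role names in admin.system.roles must match, RFC 4515 for the same DN once it is substituted for {USER} in the group filter), as an added Python example. This is not MongoDB server or documentation code. The user DN, base DN and group filter are the ticket's own values; the function names, the match/substitution rule in MAPPING, the assumption that the match regex covers the whole username, the "Admins, Database" group and the readWrite-on-reporting grant in the role command are all constructed for the example.

```python
"""RFC 4514 (DN string) vs. RFC 4515 (filter) escaping for MongoDB LDAP auth.
Added example, not MongoDB server or documentation code. The user DN, base DN
and group filter are the ticket's own values; the mapping rule, query template
wrapper, role document and the group 'Admins, Database' are constructed here.
"""
import re

# RFC 4514 section 2.4: must be escaped anywhere in an attribute value string.
_DN_SPECIAL = set('",+;<>\\')
# RFC 4515 section 3: must be hex-escaped in a filter assertion value.
_FILTER_HEX = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_dn_value(value):
    """Escape one attribute value (the text after '=') per RFC 4514.
    Leading space or '#' and trailing space are escaped too, NUL as \\00."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def build_dn(rdns):
    """Assemble a DN string from (attribute, raw value) pairs: the form the
    userToDNMapping result and the role names in admin.system.roles must have."""
    return ",".join("%s=%s" % (attr, escape_dn_value(val)) for attr, val in rdns)

def split_rdns(dn):
    """Split a DN string on unescaped commas (a check on mapping output)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515. Fed the RFC 4514 DN string, the
    backslash of '\\,' becomes '\\5c,' and parentheses become '\\28' / '\\29';
    this is what the server must do to {USER} (SERVER-31625)."""
    return "".join(_FILTER_HEX.get(ch, ch) for ch in value)

def apply_user_to_dn_mapping(username, mapping):
    """Simplified model of userToDNMapping's match/substitution. Assumed: the
    'match' regex covers the whole username and {0}, {1}, ... in 'substitution'
    are replaced by its capture groups. Nothing is escaped: the ticket's point."""
    for rule in mapping:
        m = re.fullmatch(rule["match"], username)
        if m:
            dn = rule["substitution"]
            for idx, group in enumerate(m.groups()):
                dn = dn.replace("{%d}" % idx, group)
            return dn
    return None

def build_group_query(query_template, user_dn):
    """Expand {USER} in a base?attrs?scope?filter template (RFC 4516 style).
    Split first, so the DN is inserted into the filter part only, then escaped."""
    base, _attrs, scope, filt = query_template.split("?", 3)
    return base, scope, filt.replace("{USER}", escape_filter_value(user_dn))

def create_role_command(group_rdns, granted):
    """createRole for an LDAP group: the role name is the escaped group DN."""
    return {"createRole": build_dn(group_rdns), "privileges": [], "roles": granted}

# The ticket's user as (attribute, raw value) pairs, and constructed config.
PETER_RDNS = [("CN", "Pan, Peter (J.M. Barrie's fictional character)"),
              ("CN", "Users"), ("DC", "ACME"), ("DC", "QA")]
PETER_DN = build_dn(PETER_RDNS)
MAPPING = [{"match": "(.+)", "substitution": "CN={0},CN=Users,DC=ACME,DC=QA"}]
QUERY_TEMPLATE = ("cn=Users,dc=ACME,dc=QA??sub?"
                  "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))")

if __name__ == "__main__":
    print(PETER_DN)
    print(build_group_query(QUERY_TEMPLATE, PETER_DN)[2])
    for name in ("Doe, John", escape_dn_value("Doe, John")):
        dn = apply_user_to_dn_mapping(name, MAPPING)
        print(len(split_rdns(dn)), "RDNs from", repr(name), "->", dn)
    print(create_role_command([("CN", "Admins, Database"), ("CN", "Users"),
                               ("DC", "ACME"), ("DC", "QA")],
                              [{"role": "readWrite", "db": "reporting"}]))
```

Running it shows the failure mode from the ticket: substituting a raw "Doe, John" into the mapping yields a string that splits into five components, of which " John" is not even attribute=value, while the RFC 4514-escaped input yields the four intended RDNs. The generated filter keeps the comma as \, and hex-escapes its backslash to \5c; the ticket's corrected ldapsearch spells the same comma as a hex pair instead. Both spell the same distinguished name, and the member attribute is compared as a DN rather than as text, so either form finds the group.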
- documents: SERVER-31625 The contents of {USER} needs to be escaped when querying for the groups using LDAP server (Closed)