
Docs for SERVER-31625: The contents of {USER} needs to be escaped when querying for the groups using LDAP server


    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.7.1, 3.4.11, 3.6.2
    • Component/s: None
    • Labels: None

      Description

      Scoping

      Description

      • If security.ldap.userToDNMapping uses the substitution parameter, the result of the substitution MUST be an RFC4514-escaped string, as in (CN=Doe\, John, OU=Users,DC=foo,DC=bar)
      • If LDAP Authz is enabled and an LDAP group (the DN part) contains an RFC4514-escaped sequence, the role names in the system.roles collection in the admin database must also be RFC4514-escaped (not plaintext)

      Scope of changes (files that need work and how much)

      Impact to other docs outside of this product

      • Ops Manager:
        • may need to clarify escaping in the Enable LDAP Tutorial - specifically the "User to Distinguished Name Mapping" section
        • probably need to say something about escaping the roles, though I'm not sure where

      Documentation Request Summary:

      1. When the security.ldap.userToDNMapping configuration option has one or more subsections with the substitution parameter, then the result of such a substitution MUST be an RFC4514-escaped string (CN=Doe\, John,OU=Users,DC=foo,DC=bar).

      2. When LDAP authorization is enabled and LDAP groups (their DNs) contain RFC4514 escape sequences, then role names must be RFC4514-escaped in the system.roles collection in the admin database, not just the plaintext representation of the role names.

      This ticket does NOT introduce any new behavior. Instead, it fixes the authentication issue for customers whose DNs contain special characters.

      Engineering Ticket Description:

      When LDAP authentication and authorization are enabled in the Server, the contents of the {USER} value in the security.ldap.authz.queryTemplate configuration option need to be escaped in accordance with RFC4515. Please see the example below:

      $ mongo --host rhel-73.acme.qa --authenticationDatabase '$external' --authenticationMechanism PLAIN --username peter.pan -p
      MongoDB shell version v3.4.9
      Enter password:
      connecting to: mongodb://rhel-73.acme.qa:27017/
      MongoDB server version: 3.4.9
      2017-10-18T11:37:14.679-0700 E QUERY    [thread1] Error: Failed to acquire LDAP group membership :
      DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
      @(auth):7:1
      @(auth):1:2
      exception: login failed
      

      mongod.log:

      2017-10-18T11:37:14.679-0700 E ACCESS   [conn5] LDAP authorization failed: UnknownError: Failed to obtain LDAP entities for query 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"': LDAP Operation <ldap_search_ext_s>, Failed to perform query: Bad search filter' Query was: 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"'". (-7/Bad search filter)
      

      Corresponding ldapsearch reproduction (please disregard bash-related escaping of the single quote character):

      $ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie'"'"'s fictional character),CN=Users,DC=ACME,DC=QA))' cn
      Enter LDAP Password:
      ldap_search_ext: Bad search filter (-7)
      

      Correct search filter syntax (please disregard bash-related escaping of the single quote character):

      $ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\\2c Peter \\28J.M. Barrie'"'"'s fictional character\\29,CN=Users,DC=ACME,DC=QA))' cn
      Enter LDAP Password:
      dn: CN=Global-Admins-Database,CN=Users,DC=ACME,DC=QA
      cn: Global-Admins-Database
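      The following is an added example, not code from MongoDB or OpenLDAP, that implements the two escaping rules this ticket documents: RFC 4514 escaping for a DN value produced by the userToDNMapping substitution, and RFC 4515 escaping for the value that replaces {USER} in security.ldap.authz.queryTemplate. The query template and the sample DN are taken from the ticket's log line; the function names and the small syntax checker are assumptions of the example. Run with and without escaping, it shows why the raw DN is rejected as a bad search filter and what the escaped filter looks like.

```python
# Added example (not MongoDB's or OpenLDAP's code). The query template and the
# user DN come from the ticket; function names are this example's own.

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a DN value.
_DN_SPECIALS = set('"+,;<>\\')

# Characters RFC 4515 section 3 requires to be hex-escaped in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)  # leading/trailing space and leading '#'
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# The default-style authorization query from the ticket's log line.
QUERY_TEMPLATE = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"


def render_query(template: str, user_dn: str, escape: bool = True) -> str:
    """Substitute {USER}; escape=False reproduces the failing behaviour in the ticket."""
    value = escape_filter_value(user_dn) if escape else user_dn
    return template.replace("{USER}", value)


def filter_parses(text: str) -> bool:
    """Strict RFC 4515 syntax check. Returns False for the shapes a client library
    reports as 'Bad search filter': unbalanced parentheses, a raw '(' inside a
    value, or a backslash not followed by two hex digits."""
    pos = 0

    def parse_filter() -> bool:
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            return False
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            pos += 1
            if pos >= len(text) or text[pos] != "(":
                return False  # and/or need at least one component
            while pos < len(text) and text[pos] == "(":
                if not parse_filter():
                    return False
        elif pos < len(text) and text[pos] == "!":
            pos += 1
            if not parse_filter():
                return False
        elif not parse_item():
            return False
        if pos >= len(text) or text[pos] != ")":
            return False
        pos += 1
        return True

    def parse_item() -> bool:
        nonlocal pos
        eq = text.find("=", pos)
        attr = text[pos:eq] if eq != -1 else ""
        if not attr or "(" in attr or ")" in attr:
            return False
        pos = eq + 1
        while pos < len(text):
            ch = text[pos]
            if ch == ")":
                return True
            if ch in "(\x00":
                return False
            if ch == "\\":
                pair = text[pos + 1:pos + 3]
                if len(pair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in pair):
                    return False
                pos += 3
            else:
                pos += 1
        return False

    return parse_filter() and pos == len(text)


if __name__ == "__main__":
    # Constructed from the ticket's log line: the user's DN, RFC 4514-escaped.
    user_dn = ("CN=" + escape_dn_value("Pan, Peter (J.M. Barrie's fictional character)")
               + ",CN=Users,DC=ACME,DC=QA")
    for escaped in (False, True):
        query = render_query(QUERY_TEMPLATE, user_dn, escape=escaped)
        print("escaped" if escaped else "raw    ", filter_parses(query), query)
```

      Strict RFC 4515 escaping turns the DN's own `\,` into `\5c,`, whereas the hand-corrected ldapsearch filter above writes the comma as the RFC 4514 hex form `\2c`; both are valid RFC 4514 spellings of the same DN. What matters for the server is that `(`, `)` and `\` never reach the filter parser unescaped, which is also what keeps a substituted value from altering the structure of the query.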
      
      

              People

              Assignee:
              allison.moore Allison Reinheimer Moore
              Reporter:
              kay.kim Kay Kim (Inactive)
              Docs Reviewer:
              Jeffrey Allen Jeffrey Allen