DOCS-11100 (Documentation): Docs for SERVER-31625: The contents of {USER} needs to be escaped when querying for the groups using LDAP server



    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Fix Version/s: 3.7.1, 3.4.11, 3.6.2




      • If security.ldap.userToDNMapping uses the substitution parameter, the result of the substitution MUST be an RFC4514-escaped string, as in (CN=Doe\, John, OU=Users,DC=foo,DC=bar)
      • If LDAP Authz is enabled and an LDAP group (the DN part) contains an RFC4514-escaped sequence, the role names in the system.roles collection in the admin database must also be RFC4514-escaped (not plaintext)

      Scope of changes (files that need work and how much)

      Impact to other docs outside of this product

      • Ops Manager:
        • may need to clarify escaping in the Enable LDAP Tutorial - specifically the "User to Distinguished Name Mapping" section
        • probably need to say something about escaping the roles, though I'm not sure where

      Documentation Request Summary:

      1. When the security.ldap.userToDNMapping configuration option has one or more subsections with the substitution parameter, then the result of such substitution MUST be an RFC4514-escaped string (CN=Doe\, John,OU=Users,DC=foo,DC=bar).

      2. When LDAP authorization is enabled and LDAP groups (their DNs) contain RFC4514 escape sequences, then role names must be RFC4514-escaped in the system.roles collection in the admin database, not just the plaintext representation of the role names.

      This ticket does NOT introduce any new behavior. Instead, it fixes the authentication issue for customers whose DNs contain special characters.

      Engineering Ticket Description:

      When LDAP authentication and authorization are enabled in the Server, the contents of the {USER} value in the security.ldap.authz.queryTemplate configuration option need to be escaped in accordance with RFC4515. Please see the example below:

      $ mongo --host rhel-73.acme.qa --authenticationDatabase '$external' --authenticationMechanism PLAIN --username peter.pan -p
      MongoDB shell version v3.4.9
      Enter password:
      connecting to: mongodb://rhel-73.acme.qa:27017/
      MongoDB server version: 3.4.9
      2017-10-18T11:37:14.679-0700 E QUERY    [thread1] Error: Failed to acquire LDAP group membership :
      exception: login failed


      2017-10-18T11:37:14.679-0700 E ACCESS   [conn5] LDAP authorization failed: UnknownError: Failed to obtain LDAP entities for query 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"': LDAP Operation <ldap_search_ext_s>, Failed to perform query: Bad search filter' Query was: 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"'". (-7/Bad search filter)

      Corresponding ldapsearch reproduction (please disregard bash-related escaping of the single quote character):

      $ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie'"'"'s fictional character),CN=Users,DC=ACME,DC=QA))' cn
      Enter LDAP Password:
      ldap_search_ext: Bad search filter (-7)

      Correct search filter syntax (please disregard bash-related escaping of the single quote character):

      $ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\\2c Peter \\28J.M. Barrie'"'"'s fictional character\\29,CN=Users,DC=ACME,DC=QA))' cn
      Enter LDAP Password:
      dn: CN=Global-Admins-Database,CN=Users,DC=ACME,DC=QA
      cn: Global-Admins-Database
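      The two escaping layers this ticket describes, as an added example that is not MongoDB's code: an RFC 4514 escaper for writing a DN (the form a group name must take in system.roles) and an RFC 4515 escaper for placing that DN in the {USER} slot of the queryTemplate. The DN and the filter template are the ticket's own; the function names are assumptions. Escaping the DN's own backslash as \5c is RFC 4515's canonical spelling; the working ldapsearch command above reaches the same member value by a different route (hex-escaping inside the DN first).

```python
# Added example, not MongoDB's code: the two escaping layers in this ticket.
# RFC 4514 governs how a DN is written as a string (the form a group name
# must take in system.roles); RFC 4515 governs how that DN is written inside
# a search filter such as security.ldap.authz.queryTemplate.

RFC4514_SPECIAL = set('"+,;<>\\')   # RFC 4514 2.4: escape anywhere in a value

def escape_rdn_value(value):
    """Escape one attribute value for use in an RFC 4514 DN string."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC4514_SPECIAL:
            out.append("\\" + ch)              # ',' becomes '\,'
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")                  # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                  # leading '#'
        else:
            out.append(ch)
    return "".join(out)

def build_dn(*rdns):
    """Join (type, value) pairs, most specific first, into a DN string."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29",
                   "\x00": "\\00"}

def escape_filter_value(value):
    """Escape an assertion value for an RFC 4515 search filter.
    A DN string is already RFC 4514-escaped, so its own backslashes are
    re-escaped as \\5c; an unescaped '(' or ')' would end the filter early."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)

# The ticket's queryTemplate; {USER} is replaced with the authenticated DN.
QUERY_TEMPLATE = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"

def group_filter(user_dn):
    """Render the template with {USER} escaped for use in a filter."""
    return QUERY_TEMPLATE.replace("{USER}", escape_filter_value(user_dn))

if __name__ == "__main__":
    dn = build_dn(("CN", "Pan, Peter (J.M. Barrie's fictional character)"),
                  ("CN", "Users"), ("DC", "ACME"), ("DC", "QA"))
    print(dn)               # the DN exactly as it appears in the ticket's log
    print(group_filter(dn))
```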


        People: Allison Reinheimer Moore, Kay Kim (Inactive), Jeffrey Allen