-
Type: Task
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Labels:
Description
There is a new substitution token available in the security.ldap.authz.queryTemplate config parameter: PROVIDED_USER which corresponds to the username of the user attempting to authenticate before it is looked up or otherwise modified by the LDAP code.
Engineering Ticket Description:
When LDAP authentication and authorization is enabled in the Server, there is a variable
Unknown macro: {USER}that can be used in the security.ldap.authz.queryTemplate configuration option.
That variable will contain the DN of the user after the security.ldap.userToDNMapping expression is processed.
Please add another variable, such as
Unknown macro: {0}that allows to use the non-mapped username (the username passed to the client.
This will be useful for LDAP environments where the posixGroup schema is used (RFC2307) and the member field contains the user uid instead of the full DN:
Example posixGroup element:
dn: cn=Administrators,ou=group,ou=engineering,dc=example,dc=com memberUid: bob memberUid: eve memberUid: tom cn: Administrators objectClass: posixgroup objectClass: top gidNumber: 12345Possible configuration settings for MongoDB once the {0} variable is available:
security.ldap.authz.queryTemplate = ou=group,ou=engineering,dc=example,dc=com??base?(&(objectClass=posixGroup)(memberUid=\{0})) security.ldap.userToDNMapping=[{match : "(.+)",substitution:"uid=\{0},ou=people,ou=engineering,dc=example,dc=com"}]If the username is "bob":
- {0} will be "bob" in the security.ldap.userToDNMapping parameter and the security.ldap.authz.queryTemplate
- {USER} will be "uid=bob,ou=people,ou=engineering,dc=example,dc=com"
Scope of changes
Impact to Other Docs
MVP (Work and Date)
Resources (Scope or Design Docs, Invision, etc.)
- documents
-
SERVER-36117 LDAP Authorization add support for posixGroup schema (RFC2307)
- Closed