Uploaded image for project: 'Documentation'
  1. Documentation
  2. DOCS-13642

Investigate changes in SERVER-44786: Abort LDAP user to DN mapping on network error


      Downstream Change Summary

      CLOUD and Support should be aware of this change at it promotes otherwise "soft" error during LDAP name mapping into "hard" errors.

      This change is important as a transient network error could lead to an erroneous name mapping if an early, higher priority rule fails for non-schema related reasons, but a later fallback rule does not.

      If this causes customer issues, TSEs should be prepared to use setParameter `ldapAbortOnNameMappingFailure=false` to disable the new abort on error behavior. This setting should NOT be advertised in DOCS as using it has the potential to weaken authorization security as noted above.

      Description of Linked Ticket

      MongoDB evaluates a sequence if rules to resolve an authentication name into an LDAP DN. It may use regex rules or LDAP queries. If rules fail to match or evaluate the next rule is tried. However, failure to evaluate an LDAP rule doesn't indicate success or failure, and should terminate evaluation of the whole chain.

      Scope of changes

      Impact to Other Docs

      MVP (Work and Date)

      Resources (Scope or Design Docs, Invision, etc.)

            john.williams@mongodb.com John Williams
            backlog-server-pm Backlog - Core Eng Program Management Team
            0 Vote for this issue
            2 Start watching this issue

              3 years, 43 weeks, 3 days ago