[SERVER-31625] The contents of {USER} needs to be escaped when querying for the groups using LDAP server - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 3.4.9
Fix Version/s: 3.4.11, 3.6.2, 3.7.1
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v3.6, v3.4
Sprint:
Platforms 2017-11-13, Platforms 2017-12-04
Case:

Description

When LDAP authentication and authorization is enabled in the Server, the contents of {USER} value in the security.ldap.authz.queryTemplate configuration option needs to be escaped in accordance to the RFC4515. Please see the example below:

$ mongo --host rhel-73.acme.qa --authenticationDatabase '$external' --authenticationMechanism PLAIN --username peter.pan -p

MongoDB shell version v3.4.9

Enter password:

connecting to: mongodb://rhel-73.acme.qa:27017/

MongoDB server version: 3.4.9

2017-10-18T11:37:14.679-0700 E QUERY    [thread1] Error: Failed to acquire LDAP group membership :

DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20

@(auth):7:1

@(auth):1:2

exception: login failed

mongod.log:

2017-10-18T11:37:14.679-0700 E ACCESS   [conn5] LDAP authorization failed: UnknownError: Failed to obtain LDAP entities for query 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"': LDAP Operation <ldap_search_ext_s>, Failed to perform query: Bad search filter' Query was: 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"'". (-7/Bad search filter)

Correspondent ldapsearch reproduction (please disregard bash-related escaping of the single quote character):

$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie'"'"'s fictional character),CN=Users,DC=ACME,DC=QA))' cn

Enter LDAP Password:

ldap_search_ext: Bad search filter (-7)

Correct search filter syntax (please disregard bash-related escaping of the single quote character):

$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\\2c Peter \\28J.M. Barrie'"'"'s fictional character\\29,CN=Users,DC=ACME,DC=QA))' cn

Enter LDAP Password:

dn: CN=Global-Admins-Database,CN=Users,DC=ACME,DC=QA

cn: Global-Admins-Database

Attachments

Issue Links

is documented by

DOCS-11100 Docs for SERVER-31625: The contents of {USER} needs to be escaped when querying for the groups using LDAP server

Closed

Activity

People

Assignee:: Andrey Brindeyev

Reporter:: Andrey Brindeyev

Participants:: Andrey Brindeyev, Githook User

Votes:: 1 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: Oct 18 2017 06:52:17 PM UTC

Updated:: Jun 09 2020 04:59:51 PM UTC

Resolved:: Dec 05 2017 08:48:53 PM UTC