Core Server: SERVER-33489

Cannot authenticate as LDAP user with escaped characters in name when authorization is not enabled

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Security
    • Labels: None

      It appears as though there is a discrepancy in the way MongoDB handles usernames during authentication that are LDAP DNs with escaped characters. The following behavior was observed on 3.4.13 and 3.6.2.

      I have tested this with two users, one with escaped characters and one without:

      CN=Vojvodic\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com
      
      CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com
      

      Both users are members of the group:

      CN=DBAs\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com
      

      First, I added two users to MongoDB configured for LDAP authentication (no authorization).

      Connecting with the username with escaped special characters fails (note the necessary escaping \ before the \,):

      marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
      MongoDB shell version v3.6.2
      Enter password: 
      connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
      2018-02-26T11:41:15.077-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
      2018-02-26T11:41:15.237-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      2018-02-26T11:41:15.237-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      2018-02-26T11:41:15.456-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      MongoDB server version: 3.4.13
      WARNING: shell and server versions do not match
      2018-02-26T11:41:15.608-0500 I NETWORK  [thread1] Marking host marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
      2018-02-26T11:41:15.801-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 0 second timeout)
      2018-02-26T11:41:15.913-0500 I NETWORK  [thread1] Marking host marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
      2018-02-26T11:41:16.117-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 0 second timeout)
      2018-02-26T11:41:16.200-0500 I NETWORK  [thread1] Marking host marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
      2018-02-26T11:41:16.355-0500 I NETWORK  [thread1] Marking host marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
      2018-02-26T11:41:16.355-0500 E QUERY    [thread1] Error: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external :
      DB.prototype._authOrThrow@src/mongo/shell/db.js:1608:20
      @(auth):7:1
      @(auth):1:2
      exception: login failed
      

      Connecting with the username with no special characters succeeds as expected:

      marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
      MongoDB shell version v3.6.2
      Enter password: 
      connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
      2018-02-26T11:46:11.891-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
      2018-02-26T11:46:12.250-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      2018-02-26T11:46:12.345-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      2018-02-26T11:46:12.724-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      MongoDB server version: 3.4.13
      WARNING: shell and server versions do not match
      MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
      admin  0.000GB
      local  0.000GB
      

      Next, I configured authorization on MongoDB with the following security.ldap.authz.queryTemplate:

      CN=DBAs\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))
      

      Connecting with the username with escaped special characters succeeds:

      marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
      MongoDB shell version v3.6.2
      Enter password: 
      connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
      2018-02-26T11:43:11.655-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
      2018-02-26T11:43:11.909-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      2018-02-26T11:43:11.910-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      2018-02-26T11:43:12.146-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      MongoDB server version: 3.4.13
      WARNING: shell and server versions do not match
      MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
      admin  0.000GB
      local  0.000GB
      

      Connecting with the username with no special characters succeeds as well:

      marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
      MongoDB shell version v3.6.2
      Enter password: 
      connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
      2018-02-26T11:44:32.540-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
      2018-02-26T11:44:32.818-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      2018-02-26T11:44:32.835-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      2018-02-26T11:44:33.106-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
      MongoDB server version: 3.4.13
      WARNING: shell and server versions do not match
      MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
      admin  0.000GB
      local  0.000GB
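The two lookups above differ only in how the server treats the backslash-escaped comma in the DN. The following is an added example, not code from the ticket or from MongoDB: a small RFC 4514 distinguished-name parser that decodes both the `\,` and `\2c` escape forms, compares DNs structurally instead of byte-for-byte, and reports whether a string is a well-formed DN at all. It assumes only the RFC 4514 escaping rules and does not reproduce the server's own user-lookup logic; the sample DNs are taken from the report, and the doubled-backslash variant is the literal string the server logged. A defender keeping a local user catalogue keyed by externally-authenticated names wants lookups to go through a normalisation like this, so that equivalent spellings of one DN resolve to one principal rather than silently failing or, worse, matching a different entry.

```python
"""RFC 4514 DN parsing and normalisation (added example, not MongoDB code)."""
import re
from typing import List, Tuple

# Characters that must be backslash-escaped inside an attribute value (RFC 4514 s2.4).
_SPECIAL = set(',+"\\<>;')
_HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")


def _split_unescaped(s: str, seps: str) -> List[str]:
    """Split on any character in `seps` unless it is preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep the escape pair together
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] in seps:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(raw: str) -> str:
    """Decode '\\,' style and '\\2c' hex style escapes into the plain value."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != "\\":
            out += raw[i].encode("utf-8")
            i += 1
        elif _HEXPAIR.fullmatch(raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))    # hex pair is one raw byte
            i += 3
        elif i + 1 < len(raw):
            out += raw[i + 1].encode("utf-8")         # '\\X' -> literal X
            i += 2
        else:
            raise ValueError("dangling backslash at end of value")
    return out.decode("utf-8")


def escape_value(value: str) -> str:
    """Re-escape a plain value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in _SPECIAL or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Return RDNs in string order, each a sorted list of (attribute, value) pairs.
    Raises ValueError when the string is not a well-formed DN."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"RDN component without '=': {ava!r}")
            attr, raw = ava.split("=", 1)
            # Attribute types are case-insensitive; an unescaped leading space
            # before the value is separator slop, not part of the value.
            avas.append((attr.strip().lower(), unescape_value(raw.lstrip())))
        rdns.append(sorted(avas))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical string form: lower-case attribute types, values re-escaped."""
    return ",".join(
        "+".join(f"{attr}={escape_value(val)}" for attr, val in rdn)
        for rdn in parse_dn(dn)
    )


def dn_equal(a: str, b: str) -> bool:
    """Compare two DN strings structurally rather than byte-for-byte."""
    return parse_dn(a) == parse_dn(b)


def is_well_formed(dn: str) -> bool:
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


# Constructed inputs based on the DN quoted in the report.
DN_ESCAPED = r"CN=Vojvodic\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com"
DN_HEX = r"CN=Vojvodic\2c Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com"
# The literal string the server logged after the shell command (backslash doubled).
DN_DOUBLED = r"CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com"

if __name__ == "__main__":
    print(normalize_dn(DN_ESCAPED))
    print("escaped == hex form:", dn_equal(DN_ESCAPED, DN_HEX))
    print("doubled form well-formed:", is_well_formed(DN_DOUBLED))
```

Run stand-alone, the script shows that the `\,` and `\2c` spellings decode to the same RDN sequence, while the doubled-backslash string does not parse as a DN at all: `\\` is an escaped backslash, so the following comma becomes an RDN separator and ` Marko` is left without an attribute type. That is the check to run on any username string before it is used as a lookup key.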
      

            Assignee: backlog-server-platform DO NOT USE - Backlog - Platform Team
            Reporter: Marko Vojvodic (marko.vojvodic@mongodb.com)
            Votes: 0
            Watchers: 5