Type: Bug
Resolution: Won't Fix
Priority: Major - P3
Fix Version/s: None
Affects Version/s: None
Component/s: Security
Labels: None
Environment: ALL
It appears as though there is a discrepancy in the way MongoDB handles usernames during authentication that are LDAP DNs with escaped characters. The following behavior was observed on 3.4.13 and 3.6.2.
I have tested this with two users, one with escaped characters and one without:
CN=Vojvodic\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com
CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com
Both users are members of the group:
CN=DBAs\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com
First, I added two users to MongoDB configured for LDAP authentication (no authorization).
Connecting with the username with escaped special characters fails (note the necessary escaping \ before the \,):
marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
MongoDB shell version v3.6.2
Enter password:
connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
2018-02-26T11:41:15.077-0500 I NETWORK [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
2018-02-26T11:41:15.237-0500 I NETWORK [thread1] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:41:15.237-0500 I NETWORK [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:41:15.456-0500 I NETWORK [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
MongoDB server version: 3.4.13
WARNING: shell and server versions do not match
2018-02-26T11:41:15.608-0500 I NETWORK [thread1] Marking host marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
2018-02-26T11:41:15.801-0500 I NETWORK [thread1] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 0 second timeout)
2018-02-26T11:41:15.913-0500 I NETWORK [thread1] Marking host marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
2018-02-26T11:41:16.117-0500 I NETWORK [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 0 second timeout)
2018-02-26T11:41:16.200-0500 I NETWORK [thread1] Marking host marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
2018-02-26T11:41:16.355-0500 I NETWORK [thread1] Marking host marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
2018-02-26T11:41:16.355-0500 E QUERY [thread1] Error: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1608:20
@(auth):7:1
@(auth):1:2
exception: login failed
Connecting with the username with no special characters succeeds as expected:
marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
MongoDB shell version v3.6.2
Enter password:
connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
2018-02-26T11:46:11.891-0500 I NETWORK [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
2018-02-26T11:46:12.250-0500 I NETWORK [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:46:12.345-0500 I NETWORK [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:46:12.724-0500 I NETWORK [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
MongoDB server version: 3.4.13
WARNING: shell and server versions do not match
MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
admin  0.000GB
local  0.000GB
Next, I configured authorization on MongoDB with the following security.ldap.authz.queryTemplate:
CN=DBAs\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))
Connecting with the username with escaped special characters succeeds:
marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
MongoDB shell version v3.6.2
Enter password:
connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
2018-02-26T11:43:11.655-0500 I NETWORK [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
2018-02-26T11:43:11.909-0500 I NETWORK [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:43:11.910-0500 I NETWORK [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:43:12.146-0500 I NETWORK [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
MongoDB server version: 3.4.13
WARNING: shell and server versions do not match
MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
admin  0.000GB
local  0.000GB
Connecting with the username with no special characters succeeds as well:
marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
MongoDB shell version v3.6.2
Enter password:
connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
2018-02-26T11:44:32.540-0500 I NETWORK [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
2018-02-26T11:44:32.818-0500 I NETWORK [thread1] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:44:32.835-0500 I NETWORK [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:44:33.106-0500 I NETWORK [thread1] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
MongoDB server version: 3.4.13
WARNING: shell and server versions do not match
MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
admin  0.000GB
local  0.000GB
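The report above shows one DN passing through three different escaping layers: the POSIX shell command line, the DN string itself (RFC 4514), and the LDAP search filter that the queryTemplate builds when {USER} is substituted (RFC 4515). The example below is added here and is not MongoDB's code; it reuses the DN and queryTemplate from the report, uses a constructed `DC=example,DC=com` DN for the shell check, and makes no claim about how mongod substitutes {USER} internally. It shows how to escape a value for each layer, how to compare two DNs structurally so that `\,` and `\2c` are recognized as the same value, and what a shell actually hands to a program when the argument is typed as `'CN=Vojvodic\\, Marko,...'` in single quotes.

```python
"""Escaping one LDAP DN for three layers: shell argv, DN string (RFC 4514),
and LDAP search filter (RFC 4515).  Added example, not MongoDB code."""
import shlex
from typing import List, Tuple

# Values taken from the bug report above.
USER_DN = r'CN=Vojvodic\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com'
QUERY_TEMPLATE = (r'CN=DBAs\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com'
                  r'??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))')

_DN_SPECIAL = set(',+"\\<>;')          # RFC 4514 section 2.4 characters that need '\'
_HEX = set('0123456789abcdefABCDEF')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN string (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)      # specials, a leading '#', leading/trailing space
        elif ch == '\x00':
            out.append('\\00')         # NUL has no printable form; use the hex escape
        else:
            out.append(ch)
    return ''.join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse a DN string into (attributeType, unescaped value) pairs.
    Handles '\\c' and '\\XX' escapes; multi-valued RDNs joined with '+' are not handled."""
    rdns: List[Tuple[str, str]] = []
    attr, buf, i = None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                buf.append(chr(int(pair, 16)))   # hex escape, e.g. \2c -> ','
                i += 3
            elif pair:
                buf.append(pair[0])              # simple escape, e.g. \, -> ','
                i += 2
            else:
                raise ValueError('trailing backslash in DN')
            continue
        if ch == '=' and attr is None:
            attr, buf = ''.join(buf), []
        elif ch == ',':                          # unescaped comma ends the RDN
            rdns.append((attr or '', ''.join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    rdns.append((attr or '', ''.join(buf)))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Structural DN comparison: attribute types are case-insensitive and values are
    compared after unescaping, so '\\,' and '\\2c' match.  Value case-folding depends
    on the attribute syntax and is deliberately not done here."""
    def norm(dn: str) -> List[Tuple[str, str]]:
        return [(t.lower(), v) for t, v in parse_dn(dn)]
    return norm(a) == norm(b)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).
    Backslash itself becomes \\5c, so a DN that is already escaped per RFC 4514
    gains a second escaping layer when it is placed inside a filter."""
    repl = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(repl.get(ch, ch) for ch in value)


def render_query_template(template: str, user_dn: str) -> str:
    """Substitute {USER} with a filter-escaped DN.  This is what a filter-correct
    substitution looks like; it is not a description of mongod's behaviour."""
    return template.replace('{USER}', escape_filter_value(user_dn))


def username_from_argv(cmdline: str) -> str:
    """Return the --username argument exactly as a POSIX shell delivers it to the
    program.  Inside single quotes the shell passes backslashes through untouched."""
    argv = shlex.split(cmdline)
    return argv[argv.index('--username') + 1]


if __name__ == '__main__':
    print(parse_dn(USER_DN))
    print(render_query_template(QUERY_TEMPLATE, USER_DN))
    # Constructed command line with a doubled backslash, as typed in the report.
    typed = username_from_argv(r"mongo --username 'CN=Vojvodic\\, Marko,DC=example,DC=com' --password")
    print(typed, parse_dn(typed) == parse_dn(r'CN=Vojvodic\, Marko,DC=example,DC=com'))
```

The shell check is the one to keep in mind when reading the command lines above: a single-quoted `\\,` reaches the program as two literal backslashes, so whichever layer consumes that argument has to remove exactly one of them before the string is compared against the directory's DN; parsing it as a DN unchanged splits the value at the wrong comma. In the filter layer the direction is reversed: the single `\` in `Vojvodic\, Marko` must be written `\5c` before the DN is placed after `:=`, otherwise the filter contains a backslash that is not followed by two hex digits.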
Issue Links:
duplicates SERVER-33593 Heavy escaping required in shell for LDAP DNs with special characters (Closed)