Core Server / SERVER-34267

Undesirable behaviour when using local authz with manually defined roles

    • Type: Bug
    • Resolution: Works as Designed
    • Priority: Minor - P4
    • Affects Version/s: 3.4.13
    • Component/s: Security
    • Linux

      Steps
      1. User "uid=alice,ou=Users,dc=mongodb,dc=com" is created in LDAP:

      ldapadd -x -D "cn=Manager,dc=mongodb,dc=com" -w password -H ldapi:/// <<EOF
      dn: uid=alice,ou=Users,dc=mongodb,dc=com
      changetype: add
      objectclass: person
      objectclass: inetOrgPerson
      cn: alice
      sn: Alice
      uid: alice
      userPassword: secret
      EOF

      2. The following is the LDAP configuration in mongod.conf:

      security:
        authorization: "enabled"
        ldap:
          transportSecurity: none
          servers: "127.0.0.1"
          bind:
            queryUser: "cn=Manager,dc=mongodb,dc=com"
            queryPassword: "password"
      setParameter:
        authenticationMechanisms: PLAIN

      3. Using the mongo shell, authenticate as a local userAdmin and create the user in $external with locally defined roles (internal authz):

      db.getSiblingDB("$external").createUser(
        {
          user: "uid=alice,ou=Users,dc=mongodb,dc=com",
          roles: [ { role: "readWriteAnyDatabase", db: "admin" } ]
        }
      )

      4. Now, using the mongo shell, connect to this mongod instance as the LDAP user:

      mongodb-linux-x86_64-enterprise-rhel62-3.4.13/bin/mongo --authenticationDatabase '$external' -u "uid=alice,ou=Users,dc=mongodb,dc=com" -p --authenticationMechanism PLAIN

      5. Perform some CRUD operations as this user to confirm access.
      6. From another ssh session, delete the user from the LDAP server:

      ldapmodify -x -D "cn=Manager,dc=mongodb,dc=com" -w password -H ldapi:/// <<EOF
      dn: uid=alice,ou=Users,dc=mongodb,dc=com
      changetype: delete
      EOF

      7. Authentication fails for any new session using this deleted LDAP user:

      Failed to bind to LDAP server at default: Invalid credentials. Bind parameters were: {BindDN: uid=alice,ou=Users,dc=mongodb,dc=com, authenticationType: simple}
      2018-04-03T10:56:49.321+0000 I ACCESS   [conn29] PLAIN authentication failed for uid=alice,ou=Users,dc=mongodb,dc=com on $external from client 192.168.19.100:34012 ; OperationFailed: LDAP bind failed with error: Invalid credentials

      8. Go back to the mongo shell with the authenticated session (created in step 4): the LDAP user can still perform CRUD operations indefinitely.


      ldapcacheinvalidation appears to apply only to external authz (roles resolved from LDAP). When local authz with manually defined roles is used instead, this produces undesirable security-relevant behaviour.

      If an LDAP user has an authenticated session in MongoDB via $external and that user is then deleted on the LDAP server, the existing authenticated session remains unaffected and can continue to perform normal CRUD operations without interruption.
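      As an added example (not part of this ticket or of MongoDB's own tooling), a reconciliation check a defender can run periodically: it compares the $external users that carry locally defined roles against the DNs still present in LDAP and emits the dropUser commands for the orphans. SAMPLE_EXTERNAL_USERS and SAMPLE_LDAP_DNS are constructed stand-ins for db.getUsers() output and an ldapsearch result; the assumption is that dropping the MongoDB user document, which mongod does re-validate on later operations, is what ends the orphaned session's access.

```python
"""Reconcile MongoDB $external users with LDAP (added example, not from the ticket).

With local authz the mongod only re-checks its own user document, not the LDAP
entry, so the remedy for a deleted LDAP user is to drop the matching $external
user; the orphaned session then loses access on its next operation
(assumption: standard MongoDB user-cache invalidation on dropUser).
"""

# Constructed sample of db.getSiblingDB("$external").getUsers() output
# (relevant fields only); alice mirrors the user from the ticket.
SAMPLE_EXTERNAL_USERS = [
    {"user": "uid=alice,ou=Users,dc=mongodb,dc=com", "db": "$external",
     "roles": [{"role": "readWriteAnyDatabase", "db": "admin"}]},
    {"user": "uid=bob,ou=Users,dc=mongodb,dc=com", "db": "$external",
     "roles": [{"role": "read", "db": "inventory"}]},
]

# Constructed result of an LDAP search over ou=Users: alice has been deleted.
SAMPLE_LDAP_DNS = {"uid=bob,ou=Users,dc=mongodb,dc=com"}


def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDNs so 'UID=Alice, OU=Users' matches 'uid=alice,ou=Users'.
    Simplification: every value is treated as case-insensitive (fine for
    uid/ou/dc) and escaped commas inside values are not handled."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def orphaned_external_users(external_users, ldap_dns):
    """Return the DNs of $external users that no longer exist in LDAP."""
    live = {normalize_dn(dn) for dn in ldap_dns}
    return [u["user"] for u in external_users
            if u.get("db") == "$external" and normalize_dn(u["user"]) not in live]


def revocation_commands(orphans):
    """Emit the mongo shell commands that revoke access for each orphan."""
    return [f'db.getSiblingDB("$external").dropUser({dn!r})' for dn in orphans]


if __name__ == "__main__":
    # In production, feed real data from db.getUsers() and an ldapsearch of the
    # users OU (for example via pymongo and ldap3; not wired up here).
    for cmd in revocation_commands(
            orphaned_external_users(SAMPLE_EXTERNAL_USERS, SAMPLE_LDAP_DNS)):
        print(cmd)
```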

            Assignee: Spencer Jackson (spencer.jackson@mongodb.com)
            Reporter: Nishant Bhardwaj (nishant.bhardwaj@mongodb.com)
            Votes: 1
            Watchers: 7