Core Server / SERVER-34267

Undesirable behaviour when using local authz with manually defined roles


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Works as Designed
    • Affects Version/s: 3.4.13
    • Fix Version/s: None
    • Component/s: Security
    • Operating System: Linux
    • Steps To Reproduce:

      Steps
      1. User "uid=alice,ou=Users,dc=mongodb,dc=com" created in ldap.

      ldapadd -x -D "cn=Manager,dc=mongodb,dc=com" -w password -H ldapi:/// <<EOF
      dn: uid=alice,ou=Users,dc=mongodb,dc=com
      changetype: add
      objectclass: person
      objectclass: inetOrgPerson
      cn: alice
      sn: Alice
      uid: alice
      userPassword: secret
      EOF
      

      2. The following is the LDAP configuration in mongod.conf:

      security:
        authorization: "enabled"
        ldap:
          transportSecurity: none
          servers: "127.0.0.1"
          bind: 
            queryUser: "cn=Manager,dc=mongodb,dc=com"
            queryPassword: "password"
      setParameter:
         authenticationMechanisms: PLAIN
      

      3. Using the mongo shell, connect as a local userAdmin, then create the user in $external using internal authz:

      db.getSiblingDB("$external").createUser(
         { 
          user: "uid=alice,ou=Users,dc=mongodb,dc=com",
          roles: [ { role: "readWriteAnyDatabase", db: "admin" }]
       }
      )
      

      4. Now, using the mongo shell, connect to this mongod instance as the LDAP user:

      mongodb-linux-x86_64-enterprise-rhel62-3.4.13/bin/mongo --authenticationDatabase '$external' -u "uid=alice,ou=Users,dc=mongodb,dc=com" -p --authenticationMechanism PLAIN
      

      5. Perform some CRUD operations using this user to confirm access.
      6. From another SSH session, delete the user from the LDAP server:

      ldapmodify -x -D "cn=Manager,dc=mongodb,dc=com" -w password -H ldapi:/// <<EOF
      dn: uid=alice,ou=Users,dc=mongodb,dc=com
      changetype: delete
      EOF
      

      7. Authentication fails for any new session using this deleted LDAP user:

      Failed to bind to LDAP server at default: Invalid credentials. Bind parameters were: {BindDN: uid=alice,ou=Users,dc=mongodb,dc=com, authenticationType: simple}
      2018-04-03T10:56:49.321+0000 I ACCESS   [conn29] PLAIN authentication failed for uid=alice,ou=Users,dc=mongodb,dc=com on $external from client 192.168.19.100:34012 ; OperationFailed: LDAP bind failed with error: Invalid credentials
      

      8. Go back to the mongo shell with the authenticated session (created in step 4): the LDAP user can still perform CRUD operations for an almost infinite time.


      Description

      ldapcacheinvalidation appears to only deal with external authz, so when using local authz with manually defined roles it creates undesirable security-related behaviour.

      If an LDAP user that has an authenticated session in MongoDB via $external is deleted on the LDAP server, the existing authenticated session remains unaffected and one can perform normal CRUD operations without any interruption.
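An added check, not from the ticket and not MongoDB's own tooling: because a role grant stored in $external (local authz) is not withdrawn when the LDAP entry behind it disappears, an operator wants to reconcile the two lists on a schedule. The script below parses an LDIF export in the shape `ldapsearch -LLL ... dn` produces (including base64 `dn::` values and folded continuation lines) together with the user documents `db.getSiblingDB("$external").getUsers()` returns, reports every $external user that has no directory entry, and renders a `dropUser` statement per orphan for review. Both inputs are constructed samples; the DN normalisation (trimming, lower-casing attribute types and values as LDAP's caseIgnore matching does for cn and uid) is this example's own choice.

```python
"""Reconcile MongoDB $external users against an LDAP export (added example)."""
import base64
import json
import re

# Constructed sample: what `ldapsearch -x -LLL -b dc=mongodb,dc=com dn` returns
# after alice has been deleted. One DN is base64-encoded (dn::) and one is
# folded across two lines, the two LDIF quirks a naive parser gets wrong.
LDIF_EXPORT = """\
dn: uid=bob,ou=Users,dc=mongodb,dc=com

dn:: dWlkPWNhcm9sLG91PVVzZXJzLGRjPW1vbmdvZGIsZGM9Y29t

dn: cn=Manager,
 dc=mongodb,dc=com
"""

# Constructed sample shaped like db.getSiblingDB("$external").getUsers():
# alice still holds readWriteAnyDatabase although her LDAP entry is gone.
EXTERNAL_USERS = [
    {"_id": "$external.uid=alice,ou=Users,dc=mongodb,dc=com",
     "user": "uid=alice,ou=Users,dc=mongodb,dc=com", "db": "$external",
     "roles": [{"role": "readWriteAnyDatabase", "db": "admin"}]},
    {"_id": "$external.uid=bob,ou=Users,dc=mongodb,dc=com",
     "user": "uid=bob,ou=Users,dc=mongodb,dc=com", "db": "$external",
     "roles": [{"role": "read", "db": "app"}]},
]

# Split a DN on commas that are not escaped with a backslash.
_RDN_SEPARATOR = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Canonical form for comparison: RDNs trimmed, attribute types and
    values lower-cased (LDAP's caseIgnoreMatch applies to cn and uid).
    This is the example's own choice; MongoDB stores the name verbatim."""
    parts = []
    for rdn in _RDN_SEPARATOR.split(dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(parts)


def ldif_dns(text):
    """Return the normalised DN of every record in an LDIF export."""
    # LDIF folding: a line beginning with one space continues the previous line.
    unfolded = text.replace("\n ", "")
    dns = set()
    for line in unfolded.splitlines():
        if line.startswith("dn::"):          # base64-encoded DN
            raw = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):
            raw = line[3:].strip()
        else:
            continue
        dns.add(normalize_dn(raw))
    return dns


def orphaned_external_users(external_users, ldap_dns):
    """$external users whose DN no longer exists in the directory: the role
    grant has outlived the principal it was created for."""
    return [u for u in external_users if normalize_dn(u["user"]) not in ldap_dns]


def drop_user_statements(orphans):
    """One mongo shell statement per orphan, for an operator to review and run."""
    return ['db.getSiblingDB("$external").dropUser(%s)' % json.dumps(u["user"])
            for u in orphans]


if __name__ == "__main__":
    orphans = orphaned_external_users(EXTERNAL_USERS, ldif_dns(LDIF_EXPORT))
    for user in orphans:
        roles = ", ".join("%s@%s" % (r["role"], r["db"]) for r in user["roles"])
        print("orphaned $external user %s with roles: %s" % (user["user"], roles))
    for stmt in drop_user_statements(orphans):
        print(stmt)
```

Dropping the orphaned $external user removes the stale grant, so no future authentication can pick it up. Whether that also interrupts a connection that is already authenticated is not something this ticket establishes, so an operator who needs the live session gone must deal with that connection separately.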

            People

            Assignee: Spencer Jackson (spencer.jackson)
            Reporter: Nishant Bhardwaj (nishant.bhardwaj)
            Votes: 1
            Watchers: 7