Steps
1. User "uid=alice,ou=Users,dc=mongodb,dc=com" created in LDAP:
ldapadd -x -D "cn=Manager,dc=mongodb,dc=com" -w password -H ldapi:/// <<EOF
dn: uid=alice,ou=Users,dc=mongodb,dc=com
changetype: add
objectclass: person
objectclass: inetOrgPerson
cn: alice
sn: Alice
uid: alice
userPassword: secret
EOF
2. Following is the LDAP configuration in mongod.conf:
security:
  authorization: "enabled"
  ldap:
    transportSecurity: none
    servers: "127.0.0.1"
    bind:
      queryUser: "cn=Manager,dc=mongodb,dc=com"
      queryPassword: "password"
setParameter:
  authenticationMechanisms: PLAIN
3. Using the mongo shell, connect using a local userAdmin, then create the user in $external using internal authz by first using a local admin:
db.getSiblingDB("$external").createUser(
  {
    user: "uid=alice,ou=Users,dc=mongodb,dc=com",
    roles: [ { role: "readWriteAnyDatabase", db: "admin" } ]
  }
)
4. Now, using the mongo shell, connect to this mongod instance using the LDAP user:
mongodb-linux-x86_64-enterprise-rhel62-3.4.13/bin/mongo --authenticationDatabase '$external' -u "uid=alice,ou=Users,dc=mongodb,dc=com" -p --authenticationMechanism PLAIN
5. Perform some CRUD operations using this user to confirm access.
6. From another ssh session, delete the user from the LDAP server:
ldapmodify -x -D "cn=Manager,dc=mongodb,dc=com" -w password -H ldapi:/// <<EOF
dn: uid=alice,ou=Users,dc=mongodb,dc=com
changetype: delete
EOF
7. Authentication fails for any new sessions using this deleted LDAP user:
Failed to bind to LDAP server at default: Invalid credentials. Bind parameters were: {BindDN: uid=alice,ou=Users,dc=mongodb,dc=com, authenticationType: simple}
2018-04-03T10:56:49.321+0000 I ACCESS [conn29] PLAIN authentication failed for uid=alice,ou=Users,dc=mongodb,dc=com on $external from client 192.168.19.100:34012 ; OperationFailed: LDAP bind failed with error: Invalid credentials
8. Go back to the mongo shell with the authenticated session (created in step 4) and the LDAP user can still perform CRUD operations for almost infinite time.
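The point of the ticket is that the session opened in step 4 outlives the LDAP principal: new binds fail (the ACCESS log line above), but an already-authenticated connection keeps the role grant it received from the $external mapping. The following is an added example, not code from the ticket or from MongoDB, showing how an operator can close that gap from the outside: it parses the 3.4-era ACCESS log format quoted in the ticket, counts bind failures per $external principal, and reconciles a list of active sessions against the DNs that were removed from LDAP so that the corresponding $external mapping can be dropped and the connection closed. The active-session list, the "bob" principal and the NETWORK log line are constructed sample data (the ticket shows no currentOp output), and the dropUser-plus-close remediation is this example's assumption rather than something the ticket establishes.

```python
"""Reconcile MongoDB $external sessions against principals deleted from LDAP.

Added example, not part of the ticket. Log format follows the mongod 3.4
plain-text ACCESS line quoted in the ticket; session data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# <ts> <severity> <component> [<connN>] <mech> authentication failed for <user>
#   on <db> from client <ip:port> ; <error>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sev>[IWEF]) (?P<comp>\S+)\s+\[(?P<conn>[^\]]+)\] "
    r"(?P<mech>\S+) authentication failed for (?P<user>.+?) on (?P<db>\S+) "
    r"from client (?P<client>[\d.]+:\d+) ; (?P<err>.*)$"
)


@dataclass(frozen=True)
class AuthFailure:
    ts: str
    conn: str
    mech: str
    user: str     # the LDAP DN used as the MongoDB user name
    db: str       # authentication database, "$external" for LDAP users
    client: str   # ip:port of the failing client
    err: str


def parse_auth_failure(line: str) -> Optional[AuthFailure]:
    """Return the parsed failure, or None for any other kind of log line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return AuthFailure(m["ts"], m["conn"], m["mech"], m["user"],
                       m["db"], m["client"], m["err"])


def failures_by_user(lines: List[str]) -> Dict[str, int]:
    """Count failed authentications per $external principal."""
    counts: Dict[str, int] = {}
    for line in lines:
        f = parse_auth_failure(line)
        if f is not None and f.db == "$external":
            counts[f.user] = counts.get(f.user, 0) + 1
    return counts


@dataclass(frozen=True)
class Session:
    conn: str
    user: str
    db: str
    client: str


def stale_sessions(active: List[Session], deleted_dns: Set[str]) -> List[Session]:
    """Sessions authenticated against $external whose DN no longer exists in LDAP.

    mongod does not re-bind an existing session, so these stay authorized until
    the $external mapping is dropped and/or the connection is closed.
    """
    return [s for s in active if s.db == "$external" and s.user in deleted_dns]


def remediation_plan(stale: List[Session]) -> List[dict]:
    """Per stale session: the dropUser command for $external and the connection
    to close. Closing the socket after dropUser is this example's assumption."""
    return [{"db": "$external",
             "command": {"dropUser": s.user},
             "close_connection": s.conn} for s in stale]


# Constructed sample inputs. The first line is the one quoted in the ticket.
ALICE = "uid=alice,ou=Users,dc=mongodb,dc=com"
BOB = "uid=bob,ou=Users,dc=mongodb,dc=com"           # constructed
SAMPLE_LOG = [
    "2018-04-03T10:56:49.321+0000 I ACCESS [conn29] PLAIN authentication failed for "
    + ALICE + " on $external from client 192.168.19.100:34012 ; "
    "OperationFailed: LDAP bind failed with error: Invalid credentials",
    "2018-04-03T10:56:50.004+0000 I NETWORK [conn30] connection accepted from "
    "192.168.19.100:34013 #30 (3 connections now open)",            # constructed
    "2018-04-03T10:57:01.117+0000 I ACCESS [conn31] PLAIN authentication failed for "
    + BOB + " on $external from client 192.168.19.100:34014 ; "
    "OperationFailed: LDAP bind failed with error: Invalid credentials",  # constructed
]
ACTIVE_SESSIONS = [                                   # constructed, stands in for currentOp
    Session("conn12", ALICE, "$external", "192.168.19.100:33990"),  # opened in step 4
    Session("conn13", BOB, "$external", "192.168.19.100:33991"),
    Session("conn14", "admin", "admin", "127.0.0.1:50010"),
]
DELETED_DNS = {ALICE}                                 # removed from LDAP in step 6


if __name__ == "__main__":
    print("bind failures per principal:", failures_by_user(SAMPLE_LOG))
    for step in remediation_plan(stale_sessions(ACTIVE_SESSIONS, DELETED_DNS)):
        print("drop mapping and close:", step)
```

In a real deployment the active-session list would come from the server rather than a constant, and the deleted-DN set from whatever drives LDAP deprovisioning; the value of keeping the comparison in plain functions is that the same logic can be run from a cron job or an IdP offboarding hook without a live mongod to test it.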