Core Server / SERVER-42533

Make libldap TLS errors consistent


Details

    • Improvement
    • Resolution: Unresolved
    • Major - P3
    • 4.3 Desired
    • Security
    • Server Security

    Description

      When connecting to LDAP, if the certificate isn't validated properly, we spit out different error messages depending on what flavor of TLS is linked into LDAP.

      On spencer.jackson's machine, which is using OpenSSL, the error message is

      sajack@spencerjacksonDesktop /home/sajack/Projects/mongo git master () % ./mongod --ldapServers ldaptest.10gen.cc --ldapQueryPassword <password> --ldapQueryUser cn=ldapz_admin,ou=Users,dc=10gen,dc=cc
      2019-07-31T13:06:19.923-0400 I  CONTROL  [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
      2019-07-31T13:06:19.927-0400 W  ACCESS   [main] LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP.
      2019-07-31T13:06:20.025-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
      2019-07-31T13:06:20.026-0400 F  CONTROL  [main] Failed to create service context: FailedToParse: Can't connect to the specified LDAP servers, error: LDAP bind failed with error: Can't contact LDAP server
      

      On my machine, which uses GnuTLS, the error message is:

      $ ./mongod --ldapServers ldaptest.10gen.cc --ldapQueryPassword <password> --ldapQueryUser cn=ldapz_admin,ou=Users,dc=10gen,dc=cc
      2019-07-31T13:08:44.786-0400 I  CONTROL  [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
      2019-07-31T13:08:44.882-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): (unknown error code). Bind parameters were: {BindDN: cn=ldapz_ldap_bind,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
      2019-07-31T13:08:44.882-0400 F  CONTROL  [main] Failed to create service context: FailedToParse: Can't connect to the specified LDAP servers, error: LDAP bind failed with error: Can't contact LDAP server
      

      The latter error message should at least inform the user that the certificate could not be validated.

          People

            backlog-server-security Backlog - Security Team
            adam.cooper@mongodb.com Adam Cooper (Inactive)