SERVER-42533 (Core Server)

Make libldap TLS errors consistent

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: 4.3 Desired
    • Component/s: Security
    • Labels: None
    • Server Security

      When connecting to LDAP, if the certificate isn't validated properly, we spit out different error messages depending on what flavor of TLS is linked into LDAP.

      On spencer.jackson's machine, which is using OpenSSL, the error message is

      sajack@spencerjacksonDesktop /home/sajack/Projects/mongo git master () % ./mongod --ldapServers ldaptest.10gen.cc --ldapQueryPassword <password> --ldapQueryUser cn=ldapz_admin,ou=Users,dc=10gen,dc=cc
      2019-07-31T13:06:19.923-0400 I  CONTROL  [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
      2019-07-31T13:06:19.927-0400 W  ACCESS   [main] LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP.
      2019-07-31T13:06:20.025-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
      2019-07-31T13:06:20.026-0400 F  CONTROL  [main] Failed to create service context: FailedToParse: Can't connect to the specified LDAP servers, error: LDAP bind failed with error: Can't contact LDAP server

      On my machine, which uses GNU TLS, the error message is:

      $ ./mongod --ldapServers ldaptest.10gen.cc --ldapQueryPassword <password> --ldapQueryUser cn=ldapz_admin,ou=Users,dc=10gen,dc=cc
      2019-07-31T13:08:44.786-0400 I  CONTROL  [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
      2019-07-31T13:08:44.882-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): (unknown error code). Bind parameters were: {BindDN: cn=ldapz_ldap_bind,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
      2019-07-31T13:08:44.882-0400 F  CONTROL  [main] Failed to create service context: FailedToParse: Can't connect to the specified LDAP servers, error: LDAP bind failed with error: Can't contact LDAP server

      The latter error message should at least inform the user that the certificate could not be validated.
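      As an added example (not code from this ticket or from mongod), a small Python parser for the two mongod ACCESS lines quoted above: it extracts the libldap result code and the TLS backend's diagnostic, reports when the diagnostic is the "(unknown error code)" marker that the GnuTLS-linked build leaves behind, and renders one uniform message for both builds. Only the log layout and that marker come from the ticket; the parsing rules and wording are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two "E ACCESS" lines quoted in the ticket, one per TLS backend.
OPENSSL_LINE = (
    '2019-07-31T13:06:20.025-0400 E  ACCESS   [main] OperationFailed: LDAP operation '
    '<ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can\'t contact LDAP '
    'server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify '
    'failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: '
    'cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}'
)
GNUTLS_LINE = (
    '2019-07-31T13:08:44.882-0400 E  ACCESS   [main] OperationFailed: LDAP operation '
    '<ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can\'t contact LDAP '
    'server): (unknown error code). Bind parameters were: {BindDN: '
    'cn=ldapz_ldap_bind,ou=Users,dc=10gen,dc=cc, authenticationType: simple}'
)
# Operation, libldap result code/text and the TLS backend's diagnostic, from one log line.
BIND_FAILURE_RE = re.compile(
    r"E\s+ACCESS\s+.*LDAP operation <(?P<op>[^>]+)>.*?"
    r"\((?P<rc>-?\d+)/(?P<rc_text>[^)]*)\): (?P<diag>.*?)\. Bind parameters"
)
NO_DIAGNOSTIC = {"", "(unknown error code)"}  # what the GnuTLS-linked libldap leaves behind

@dataclass
class LdapBindFailure:
    operation: str
    result_code: int
    result_text: str
    diagnostic: str

    def certificate_problem(self) -> "bool | None":
        # True: certificate failure named; False: some other diagnostic; None: nothing usable.
        if self.diagnostic in NO_DIAGNOSTIC:
            return None
        return "certificate verify failed" in self.diagnostic.lower()

def parse_bind_failure(line: str) -> "LdapBindFailure | None":
    m = BIND_FAILURE_RE.search(line)
    return LdapBindFailure(m["op"], int(m["rc"]), m["rc_text"], m["diag"]) if m else None

def consistent_message(f: LdapBindFailure) -> str:
    # One wording regardless of which TLS library libldap was built against (assumed format).
    base = f"LDAP bind ({f.operation}) failed, rc={f.result_code}: {f.result_text}"
    cert = f.certificate_problem()
    if cert is True:
        return f"{base}; TLS certificate verification failed: {f.diagnostic}"
    if cert is None:
        return f"{base}; no diagnostic from libldap, check TLS/CA configuration first"
    return f"{base}; library diagnostic: {f.diagnostic}"
```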

            Assignee: backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter: adam.cooper@mongodb.com Adam Cooper (Inactive)