- Type: Improvement
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: 4.3 Desired
- Component/s: Security
- Labels: None

Server Security
When connecting to LDAP, if the server certificate fails validation, we spit out different error messages depending on which TLS library libldap is linked against.
On spencer.jackson's machine, which is using OpenSSL, the error message is:

sajack@spencerjacksonDesktop /home/sajack/Projects/mongo git master () % ./mongod --ldapServers ldaptest.10gen.cc --ldapQueryPassword <password> --ldapQueryUser cn=ldapz_admin,ou=Users,dc=10gen,dc=cc
2019-07-31T13:06:19.923-0400 I CONTROL [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
2019-07-31T13:06:19.927-0400 W ACCESS [main] LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP.
2019-07-31T13:06:20.025-0400 E ACCESS [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-07-31T13:06:20.026-0400 F CONTROL [main] Failed to create service context: FailedToParse: Can't connect to the specified LDAP servers, error: LDAP bind failed with error: Can't contact LDAP server
On my machine, which uses GnuTLS, the error message is:

$ ./mongod --ldapServers ldaptest.10gen.cc --ldapQueryPassword <password> --ldapQueryUser cn=ldapz_admin,ou=Users,dc=10gen,dc=cc
2019-07-31T13:08:44.786-0400 I CONTROL [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
2019-07-31T13:08:44.882-0400 E ACCESS [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): (unknown error code). Bind parameters were: {BindDN: cn=ldapz_ldap_bind,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-07-31T13:08:44.882-0400 F CONTROL [main] Failed to create service context: FailedToParse: Can't connect to the specified LDAP servers, error: LDAP bind failed with error: Can't contact LDAP server
The latter error message should at least inform the user that the certificate could not be validated.
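As an added check (not part of this ticket or of MongoDB's code): a stdlib-only Python script that performs the LDAP StartTLS or LDAPS handshake itself and reports the certificate verification reason the same way regardless of which TLS library libldap links against. The port convention (636 = LDAPS, anything else = StartTLS), the short-form BER parsing and the message wording are assumptions.

```python
import socket
import ssl

# StartTLS extended operation (RFC 4511 section 4.14); OID 1.3.6.1.4.1.1466.20037
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def starttls_request(msg_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName } }."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    ext = b"\x77" + bytes([len(name)]) + name                     # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                    # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                    # SEQUENCE

def extended_result_code(resp):
    """Return resultCode from an ExtendedResponse (short-form BER lengths only)."""
    if len(resp) < 9 or resp[0] != 0x30 or resp[1] & 0x80 or resp[2] != 0x02:
        raise ValueError("not a short-form LDAPMessage")
    i = 4 + resp[3]                              # index of [APPLICATION 24] tag
    if len(resp) <= i + 4 or resp[i] != 0x78 or resp[i + 2] != 0x0A:
        raise ValueError("not an ExtendedResponse")
    return resp[i + 4]                           # ENUMERATED resultCode value

def explain_verify_failure(host, err):
    """Backend-independent wording for a failed chain/host-name check (assumed text)."""
    reason = getattr(err, "verify_message", None) or str(err)
    return (f"certificate validation failed for {host}: {reason}; "
            "check the CA bundle the LDAP client trusts")

def check_ldap_tls(host, port=389, cafile=None, timeout=5.0):
    """Port 636 is LDAPS (TLS from the first byte); any other port does StartTLS."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if port != 636:
                sock.sendall(starttls_request())
                rc = extended_result_code(sock.recv(4096))
                if rc != 0:
                    return f"server refused StartTLS (resultCode {rc})"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"certificate validated for {host} ({tls.version()})"
    except ssl.SSLCertVerificationError as e:     # must precede the SSLError clause
        return explain_verify_failure(host, e)
    except ssl.SSLError as e:
        return f"TLS handshake failed for {host} (not a verification error): {e}"
    except OSError as e:
        return f"cannot reach {host}:{port}: {e}"

if __name__ == "__main__":
    import sys
    print(check_ldap_tls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 389))
```

Pointing it at the same server the ticket uses (e.g. `python3 check_ldap_tls.py ldaptest.10gen.cc`) tells you whether the "Can't contact LDAP server" bind failure is really a certificate problem, even when libldap's GnuTLS build only says "(unknown error code)".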