Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-43090

Fix LDAP connection health tests with Okta

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.3.1, 4.2.2, 4.0.14
    • Affects Version/s: 4.2.0
    • Component/s: Security
    • None
    • Minor Change
    • v4.2, v4.0
    • Security 2019-09-23, Security 2019-10-07, Security 2019-10-21

      Okta's LDAP frontend appears to be very aggressive about rejecting unauthenticated commands, including RootDSE requests. This is unfortunate, because we rely on RootDSE queries to validate connection health on startup, and in our LDAP connection pooling logic. If MongoDB is using connection pooling, failing RootDSE queries will prevent connections from being established. If MongoDB is started without --ldapValidateLDAPServerConfig=false, failing RootDSE queries will prevent it from starting.

      I haven't been able to identify an LDAP command which could be issued against Okta endpoints which would succeed without authentication. In the absence of such a command, we may wish to consider LDAP error code 50/Insufficient Access a valid response for a successfully established connection in the connection pool.

            sara.golemon@mongodb.com Sara Golemon
            spencer.jackson@mongodb.com Spencer Jackson
            0 Vote for this issue
            7 Start watching this issue