Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-43090

Fix LDAP connection health tests with Okta

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 4.2.0
    • Fix Version/s: 4.3.1, 4.2.2, 4.0.14
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Minor Change
    • Backport Requested:
      v4.2, v4.0
    • Sprint:
      Security 2019-09-23, Security 2019-10-07, Security 2019-10-21

      Description

      Okta's LDAP frontend appears to be very aggressive about rejecting unauthenticated commands, including RootDSE requests. This is unfortunate, because we rely on RootDSE queries to validate connection health on startup, and in our LDAP connection pooling logic. If MongoDB is using connection pooling, failing RootDSE queries will prevent connections from being established. If MongoDB is started without --ldapValidateLDAPServerConfig=false, failing RootDSE queries will prevent it from starting.

      I haven't been able to identify an LDAP command which could be issued against Okta endpoints which would succeed without authentication. In the absence of such a command, we may wish to consider LDAP error code 50/Insufficient Access a valid response for a successfully established connection in the connection pool.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: