Core Server
SERVER-43090: Fix LDAP connection health tests with Okta


Details

• Type: Task
• Resolution: Fixed
• Priority: Major - P3
• 4.3.1, 4.2.2, 4.0.14
• 4.2.0
• Security
• None
• Minor Change
• v4.2, v4.0
• Security 2019-09-23, Security 2019-10-07, Security 2019-10-21

Description

Okta's LDAP frontend appears to be very aggressive about rejecting unauthenticated commands, including RootDSE requests. This is unfortunate, because we rely on RootDSE queries to validate connection health on startup, and in our LDAP connection pooling logic. If MongoDB is using connection pooling, failing RootDSE queries will prevent connections from being established. If MongoDB is started without --ldapValidateLDAPServerConfig=false, failing RootDSE queries will prevent it from starting.

I haven't been able to identify an LDAP command which could be issued against Okta endpoints which would succeed without authentication. In the absence of such a command, we may wish to consider LDAP error code 50/Insufficient Access a valid response for a successfully established connection in the connection pool.
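The check the description proposes, written out as an added example (not MongoDB's code): a RootDSE probe that accepts LDAP resultCode 50 as proof of a live server while still rejecting transport failures and every other result code, reused by both the pool validator and a startup gate modelled on --ldapValidateLDAPServerConfig. The FakeLDAPConnection stand-in and the result codes it returns are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Standard LDAP resultCode values (RFC 4511).
LDAP_SUCCESS = 0
LDAP_INSUFFICIENT_ACCESS_RIGHTS = 50  # what Okta returns for an anonymous RootDSE read

# A well-formed resultCode in this set proves a live LDAP server answered;
# 50 is accepted because an authorization refusal is still a valid LDAP reply.
HEALTHY_RESULT_CODES = {LDAP_SUCCESS, LDAP_INSUFFICIENT_ACCESS_RIGHTS}

class LDAPTransportError(Exception):
    """Socket-level failure: connection refused, reset, TLS handshake failed."""

@dataclass
class FakeLDAPConnection:
    """Constructed stand-in for a real LDAP client connection. rootdse_code is
    the resultCode returned for an anonymous RootDSE search; None = dead transport."""
    name: str
    rootdse_code: Optional[int]

    def search_rootdse(self) -> int:
        if self.rootdse_code is None:
            raise LDAPTransportError(f"{self.name}: connection refused")
        return self.rootdse_code

def probe_connection(conn: FakeLDAPConnection) -> bool:
    """RootDSE health probe shared by the pool and the startup check.

    A transport error means the connection is unusable. resultCode 0 means the
    RootDSE read worked. resultCode 50 means the server is up and speaking LDAP
    but refuses unauthenticated reads, so the connection is still kept. Any other
    code (busy, unavailable, protocolError, ...) fails the probe.
    """
    try:
        code = conn.search_rootdse()
    except LDAPTransportError:
        return False
    return code in HEALTHY_RESULT_CODES

def validate_pool(conns):
    """Return the pooled connections whose probe passed; the rest are evicted."""
    return [c for c in conns if probe_connection(c)]

def startup_check(conn: FakeLDAPConnection, validate_server_config: bool = True) -> bool:
    """Startup gate modelled on --ldapValidateLDAPServerConfig: with the flag
    set to false the probe result is ignored and mongod would start anyway."""
    return probe_connection(conn) if validate_server_config else True
```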


People

sara.golemon@mongodb.com Sara Golemon
spencer.jackson@mongodb.com Spencer Jackson
Votes: 0
Watchers: 7
