Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-43233

Add ability to request only specific attribute(s) for the LDAP groups

    • Type: Icon: Improvement Improvement
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.4.0-rc4, 3.6.20, 4.7.0, 4.2.10, 4.0.21
    • Affects Version/s: None
    • Component/s: None
    • None
    • Minor Change
    • v4.4, v4.2, v4.0, v3.6
    • Security 2020-04-20, Security 2020-05-04

      Issue Status as of Aug 28, 2020

      ISSUE DESCRIPTION AND IMPACT

      Affected versions of MongoDB Enterprise do not allow asking for only the DN (Distinguished Name) attribute when making LDAP (Lightweight Directory Access Protocol) authorization requests. This leads to longer authorization request times and in certain cases to unnecessary additional requests.

      DIAGNOSIS AND AFFECTED VERSIONS

      This behavior occurs on MongoDB Enterprise versions 4.2.9 and earlier, 4.0.20 and earlier, and 3.6.19 and earlier.

      MongoDB Enterprise users that rely on LDAP authorization and have a large number of LDAP users in their organization will see more LDAP requests from these versions of MongoDB.

      Users that rely on Okta LDAP in particular can even hit their API request limit (500 per minute by default).

      REMEDIATION AND WORKAROUNDS

      A fix is included in the 4.4.0, 4.2.10, 4.0.21 and 3.6.20 Enterprise releases of MongoDB. These versions of MongoDB Enterprise allow explicitly requesting the DN attribute from the LDAP server. The result of adding DN is that more requests are treated as faster, base DN queries and fewer requests are necessary overall.

      Affected users should upgrade to one of these versions, but in most cases, MongoDB will not add the DN attribute to LDAP queries automatically.

      To benefit from the fix in versions 4.2.10, 4.0.21, and 3.6.20 you must explicitly add the DN attribute to all templates. For example, if the current ldapAuthzQueryTemplate setting is:

      ou=Groups,dc=10gen,dc=cc??one?(&(objectClass=groupOfNames)(member={USER}))
      

      Change it to:

      ou=Groups,dc=10gen,dc=cc?dn?one?(&(objectClass=groupOfNames)(member={USER}))
      

      MongoDB version 4.4.0 adds the DN attribute to LDAP queries that don't request any other attributes. So, for version 4.4.0, you must explicitly add the DN attribute to all queries that request any other attributes.

      Original description

      For the certain LDAP implementations it is beneficial to request only DN attribute for the groups instead of requesting all of them by default. Regretfully, once you specify the list of attributes, mongod currently expects only a single LDAP result and errors out, for example:

      $ mongoldap --user 'uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com' --password 'REDACTED' -f ./mongod-okta.conf
      Running MongoDB LDAP authorization validation checks...
      Version: 4.2.0
      
      Checking that an LDAP server has been specified...
      [OK] LDAP server(s) provided in configuration
      
      Connecting to LDAP server...
      2019-09-09T09:58:46.074-0700 W  ACCESS   [main] LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP.
      [OK] Connected to LDAP server
      
      Attempting to authenticate against the LDAP server...
      [OK] Successful authentication performed
      
      Checking if LDAP authorization has been enabled by configuration...
      [OK] LDAP authorization enabled
      
      Parsing LDAP query template...
      [OK] LDAP query configuration template appears valid
      
      Executing query against LDAP server...
      2019-09-09T09:58:48.679-0700 E  ACCESS   [main] Expected exactly one LDAP entity from which to parse attributes. Found 2.
      [FAIL] Unable to acquire roles
      	* Error: UserDataInconsistent: Failed to obtain LDAP entities for query 'BaseDN: "ou=groups,dc=REDACTED,dc=oktapreview,dc=com", Scope: "sub", Filter: "(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com)", Attributes: "dn", ' :: caused by :: Expected exactly one LDAP entity from which to parse attributes.
      

      The LDAP response is provided significantly faster if you request only DN attribute:

      $ time ldapsearch -LLL -H 'ldaps://REDACTED.ldap.oktapreview.com' -D "uid=REDACTED,dc=REDACTED,dc=oktapreview,dc=com" -w "$PASS" -b 'ou=groups,dc=REDACTED,dc=oktapreview,dc=com' '(&(objectClass=groupofUniqueNames)(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com))' dn
      dn: cn=Everyone,ou=groups,dc=REDACTED,dc=oktapreview,dc=com
      
      dn: cn=REDACTED,ou=groups,dc=REDACTED,dc=oktapreview,dc=co
       m
      
      
      real	0m1.198s
      user	0m0.021s
      sys	0m0.021s
      

      vs

      $ time ldapsearch -LLL -H 'ldaps://REDACTED.ldap.oktapreview.com' -D "uid=REDACTED,dc=REDACTED,dc=oktapreview,dc=com" -w "$PASS" -b 'ou=groups,dc=REDACTED,dc=oktapreview,dc=com' '(&(objectClass=groupofUniqueNames)(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com))'
      dn: cn=Everyone,ou=groups,dc=REDACTED,dc=oktapreview,dc=com
      objectClass: top
      objectClass: groupofUniqueNames
      cn: Everyone
      uniqueIdentifier: REDACTED
      description: All users in your organization
      ( 1988 uniqueMember attributes skipped)
      
      dn: cn=REDACTED,ou=groups,dc=REDACTED,dc=oktapreview,dc=co
       m
      objectClass: top
      objectClass: groupofUniqueNames
      cn: REDACTED
      uniqueIdentifier: REDACTED
      uniqueMember: uid=REDACTED1,ou=users,dc=REDACTED
       REDACTED,dc=oktapreview,dc=com
      uniqueMember: uid=REDACTED2,ou=users,dc=REDACTED
       REDACTED,dc=oktapreview,dc=com
      
      
      real	0m41.067s
      user	0m0.024s
      sys	0m0.027s
      

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            andrey.brindeyev@mongodb.com Andrey Brindeyev
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: