Core Server / SERVER-43233

Add ability to request only specific attribute(s) for the LDAP groups

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.4.0-rc4, 3.6.20, 4.7.0, 4.2.10, 4.0.21
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Minor Change
    • v4.4, v4.2, v4.0, v3.6
    • Security 2020-04-20, Security 2020-05-04

      Issue Status as of Aug 28, 2020

      ISSUE DESCRIPTION AND IMPACT

      Affected versions of MongoDB Enterprise do not allow asking for only the DN (Distinguished Name) attribute when making LDAP (Lightweight Directory Access Protocol) authorization requests. This leads to longer authorization request times and in certain cases to unnecessary additional requests.

      DIAGNOSIS AND AFFECTED VERSIONS

      This behavior occurs on MongoDB Enterprise versions 4.2.9 and earlier, 4.0.20 and earlier, and 3.6.19 and earlier.

      MongoDB Enterprise users that rely on LDAP authorization and have a large number of LDAP users in their organization will see more LDAP requests from these versions of MongoDB.

      Users that rely on Okta LDAP in particular can even hit their API request limit (500 per minute by default).

      REMEDIATION AND WORKAROUNDS

      A fix is included in the 4.4.0, 4.2.10, 4.0.21 and 3.6.20 Enterprise releases of MongoDB. These versions of MongoDB Enterprise allow explicitly requesting the DN attribute from the LDAP server. The result of adding DN is that more requests are treated as faster, base DN queries and fewer requests are necessary overall.

      Affected users should upgrade to one of these versions. Note, however, that in most cases MongoDB will not add the DN attribute to LDAP queries automatically.

      To benefit from the fix in versions 4.2.10, 4.0.21, and 3.6.20, you must explicitly add the DN attribute to all templates. For example, if the current ldapAuthzQueryTemplate setting is:

      ou=Groups,dc=10gen,dc=cc??one?(&(objectClass=groupOfNames)(member={USER}))
      

      Change it to:

      ou=Groups,dc=10gen,dc=cc?dn?one?(&(objectClass=groupOfNames)(member={USER}))
      

      MongoDB version 4.4.0 adds the DN attribute to LDAP queries that don't request any other attributes. So, for version 4.4.0, you must explicitly add the DN attribute to all queries that request any other attributes.
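
The template rules above can be checked mechanically. The following is an added example, not code from MongoDB or from this issue: it parses an ldapAuthzQueryTemplate, reports whether an explicit dn attribute is still needed, and produces the rewritten template. The function names and the `server_adds_dn_when_empty` flag are hypothetical, and the second sample template is constructed.

```python
"""Audit ldapAuthzQueryTemplate values for an explicit dn attribute (added example)."""

FIELDS = ("base", "attrs", "scope", "filter", "extensions")

def parse_template(template):
    """Split 'base?attributes?scope?filter[?extensions]' into named fields."""
    parts = template.strip().split("?", 4)
    parts += [""] * (len(FIELDS) - len(parts))
    fields = dict(zip(FIELDS, parts))
    fields["attrs"] = [a.strip() for a in fields["attrs"].split(",") if a.strip()]
    return fields

def requests_dn(template):
    """True when dn is already listed (assumption: name matched case-insensitively)."""
    return any(a.lower() == "dn" for a in parse_template(template)["attrs"])

def needs_explicit_dn(template, server_adds_dn_when_empty):
    """Rule as stated in the issue text.

    server_adds_dn_when_empty=False: 4.2.10 / 4.0.21 / 3.6.20, every template needs dn.
    server_adds_dn_when_empty=True: 4.4.0, only templates listing other attributes do.
    """
    if requests_dn(template):
        return False
    lists_other_attrs = bool(parse_template(template)["attrs"])
    return lists_other_attrs or not server_adds_dn_when_empty

def add_dn(template):
    """Return the template with dn added to its attribute list, other fields unchanged."""
    if requests_dn(template):
        return template
    f = parse_template(template)
    out = [f["base"], ",".join(["dn"] + f["attrs"]), f["scope"], f["filter"], f["extensions"]]
    while out[-1] == "":  # drop empty trailing fields so short templates stay short
        out.pop()
    return "?".join(out)

# First template is the "before" setting quoted in the issue; the second is constructed.
SAMPLES = [
    "ou=Groups,dc=10gen,dc=cc??one?(&(objectClass=groupOfNames)(member={USER}))",
    "{USER}?memberOf?base",
]

if __name__ == "__main__":
    for t in SAMPLES:
        for auto in (False, True):
            verdict = "add dn" if needs_explicit_dn(t, auto) else "ok"
            print(f"auto_dn={auto!s:<5} {verdict:<6} {t}  ->  {add_dn(t)}")
```

Run it against the ldapAuthzQueryTemplate value from each mongod configuration before and after upgrading; a template that already lists dn is returned unchanged.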

      Original description

      For certain LDAP implementations it is beneficial to request only the DN attribute for the groups instead of requesting all of them by default. Regrettably, once you specify the list of attributes, mongod currently expects only a single LDAP result and errors out, for example:

      $ mongoldap --user 'uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com' --password 'REDACTED' -f ./mongod-okta.conf
      Running MongoDB LDAP authorization validation checks...
      Version: 4.2.0
      
      Checking that an LDAP server has been specified...
      [OK] LDAP server(s) provided in configuration
      
      Connecting to LDAP server...
      2019-09-09T09:58:46.074-0700 W  ACCESS   [main] LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP.
      [OK] Connected to LDAP server
      
      Attempting to authenticate against the LDAP server...
      [OK] Successful authentication performed
      
      Checking if LDAP authorization has been enabled by configuration...
      [OK] LDAP authorization enabled
      
      Parsing LDAP query template...
      [OK] LDAP query configuration template appears valid
      
      Executing query against LDAP server...
      2019-09-09T09:58:48.679-0700 E  ACCESS   [main] Expected exactly one LDAP entity from which to parse attributes. Found 2.
      [FAIL] Unable to acquire roles
      	* Error: UserDataInconsistent: Failed to obtain LDAP entities for query 'BaseDN: "ou=groups,dc=REDACTED,dc=oktapreview,dc=com", Scope: "sub", Filter: "(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com)", Attributes: "dn", ' :: caused by :: Expected exactly one LDAP entity from which to parse attributes.
      

      The LDAP response is provided significantly faster if you request only the DN attribute:

      $ time ldapsearch -LLL -H 'ldaps://REDACTED.ldap.oktapreview.com' -D "uid=REDACTED,dc=REDACTED,dc=oktapreview,dc=com" -w "$PASS" -b 'ou=groups,dc=REDACTED,dc=oktapreview,dc=com' '(&(objectClass=groupofUniqueNames)(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com))' dn
      dn: cn=Everyone,ou=groups,dc=REDACTED,dc=oktapreview,dc=com
      
      dn: cn=REDACTED,ou=groups,dc=REDACTED,dc=oktapreview,dc=co
       m
      
      
      real	0m1.198s
      user	0m0.021s
      sys	0m0.021s
      

      vs

      $ time ldapsearch -LLL -H 'ldaps://REDACTED.ldap.oktapreview.com' -D "uid=REDACTED,dc=REDACTED,dc=oktapreview,dc=com" -w "$PASS" -b 'ou=groups,dc=REDACTED,dc=oktapreview,dc=com' '(&(objectClass=groupofUniqueNames)(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com))'
      dn: cn=Everyone,ou=groups,dc=REDACTED,dc=oktapreview,dc=com
      objectClass: top
      objectClass: groupofUniqueNames
      cn: Everyone
      uniqueIdentifier: REDACTED
      description: All users in your organization
      ( 1988 uniqueMember attributes skipped)
      
      dn: cn=REDACTED,ou=groups,dc=REDACTED,dc=oktapreview,dc=co
       m
      objectClass: top
      objectClass: groupofUniqueNames
      cn: REDACTED
      uniqueIdentifier: REDACTED
      uniqueMember: uid=REDACTED1,ou=users,dc=REDACTED
       REDACTED,dc=oktapreview,dc=com
      uniqueMember: uid=REDACTED2,ou=users,dc=REDACTED
       REDACTED,dc=oktapreview,dc=com
      
      
      real	0m41.067s
      user	0m0.024s
      sys	0m0.027s
      

            Assignee: Sara Golemon (sara.golemon@mongodb.com)
            Reporter: Andrey Brindeyev (andrey.brindeyev@mongodb.com)