ISSUE DESCRIPTION AND IMPACT
Affected versions of MongoDB Enterprise do not allow asking for only the DN (Distinguished Name) attribute when making LDAP (Lightweight Directory Access Protocol) authorization requests. This leads to longer authorization request times and in certain cases to unnecessary additional requests.
DIAGNOSIS AND AFFECTED VERSIONS
This behavior occurs on MongoDB Enterprise versions 4.2.9 and earlier, 4.0.20 and earlier, and 3.6.19 and earlier.
MongoDB Enterprise users who rely on LDAP authorization and have a large number of LDAP users in their organization will see more LDAP requests from these versions of MongoDB.
Users who rely on Okta LDAP in particular can even hit their API request limit (500 per minute by default).
REMEDIATION AND WORKAROUNDS
A fix is included in the 4.4.0, 4.2.10, 4.0.21 and 3.6.20 Enterprise releases of MongoDB. These versions of MongoDB Enterprise allow explicitly requesting the DN attribute from the LDAP server. Once DN is requested, more requests can be treated as faster base-DN queries, and fewer requests are necessary overall.
Affected users should upgrade to one of these versions, but note that in most cases MongoDB will not add the DN attribute to LDAP queries automatically.
To benefit from the fix in versions 4.2.10, 4.0.21, and 3.6.20 you must explicitly add the DN attribute to all templates. For example, if the current ldapAuthzQueryTemplate setting is:
Change it to:
MongoDB version 4.4.0 adds the DN attribute only to LDAP queries that don't request any other attributes. So, on version 4.4.0, you must still explicitly add the DN attribute to all queries that request any other attributes.
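As an added illustration that is not part of the advisory, the following Python helper splits an ldapAuthzQueryTemplate into its RFC 4516 fields (base?attributes?scope?filter), reports whether the DN attribute still has to be added by hand under the two rules above, and produces the corrected template. The sample templates are constructed, not taken from the advisory.

```python
"""Audit ldapAuthzQueryTemplate values for a missing DN attribute.

Templates use the RFC 4516 LDAP URL layout MongoDB accepts for
ldapAuthzQueryTemplate, with scheme/host omitted:
    base?attributes?scope?filter
"""
from typing import List

# Constructed sample templates (not from the advisory).
SAMPLE_TEMPLATES = [
    "ou=groups,dc=example,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))",
    "{USER}?memberOf?base",
]


def split_template(template: str) -> List[str]:
    """Split into at most four fields; a '?' inside the filter is preserved."""
    return template.split("?", 3)


def requested_attributes(template: str) -> List[str]:
    """Return the comma-separated attribute list (second field), if any."""
    fields = split_template(template)
    if len(fields) < 2:
        return []
    return [a.strip() for a in fields[1].split(",") if a.strip()]


def requests_dn(template: str) -> bool:
    return any(a.lower() == "dn" for a in requested_attributes(template))


def needs_explicit_dn(template: str, auto_dn_when_no_attrs: bool) -> bool:
    """auto_dn_when_no_attrs=True models 4.4.0, which adds DN itself only when
    no other attribute is requested; False models 4.2.10 / 4.0.21 / 3.6.20,
    where every template must have DN added by hand."""
    if requests_dn(template):
        return False
    if auto_dn_when_no_attrs and not requested_attributes(template):
        return False
    return True


def add_dn(template: str) -> str:
    """Return the template with 'dn' placed first in the attribute list."""
    if requests_dn(template):
        return template
    fields = split_template(template)
    while len(fields) < 2:          # template had only a base DN
        fields.append("")
    fields[1] = ",".join(["dn"] + requested_attributes(template))
    return "?".join(fields)


def audit(templates: List[str], auto_dn_when_no_attrs: bool) -> List[str]:
    """Return corrected versions of every template that needs a change."""
    return [add_dn(t) for t in templates if needs_explicit_dn(t, auto_dn_when_no_attrs)]
```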