
Add ability to request only specific attribute(s) for the LDAP groups

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.2.10, 4.4.0-rc4, 3.6.20, 4.7.0, 4.0.21
    • Component/s: None
    • Labels:
      None
    • Backwards Compatibility:
      Minor Change
    • Backport Requested:
      v4.4, v4.2, v4.0, v3.6
    • Sprint:
      Security 2020-04-20, Security 2020-05-04

      Description

      Issue Status as of Aug 28, 2020

      ISSUE DESCRIPTION AND IMPACT

      Affected versions of MongoDB Enterprise do not allow asking for only the DN (Distinguished Name) attribute when making LDAP (Lightweight Directory Access Protocol) authorization requests. This leads to longer authorization request times and in certain cases to unnecessary additional requests.

      DIAGNOSIS AND AFFECTED VERSIONS

      This behavior occurs on MongoDB Enterprise versions 4.2.9 and earlier, 4.0.20 and earlier, and 3.6.19 and earlier.

      MongoDB Enterprise users that rely on LDAP authorization and have a large number of LDAP users in their organization will see more LDAP requests from these versions of MongoDB.

      Users that rely on Okta LDAP in particular can even hit their API request limit (500 per minute by default).

      REMEDIATION AND WORKAROUNDS

      A fix is included in the 4.4.0, 4.2.10, 4.0.21 and 3.6.20 Enterprise releases of MongoDB. These versions of MongoDB Enterprise allow explicitly requesting the DN attribute from the LDAP server. When the DN attribute is requested, more requests are handled as faster base-DN queries, and fewer requests are necessary overall.

      Affected users should upgrade to one of these versions, but in most cases, MongoDB will not add the DN attribute to LDAP queries automatically.

      To benefit from the fix in versions 4.2.10, 4.0.21, and 3.6.20 you must explicitly add the DN attribute to all templates. For example, if the current ldapAuthzQueryTemplate setting is:

      ou=Groups,dc=10gen,dc=cc??one?(&(objectClass=groupOfNames)(member={USER}))
      

      Change it to:

      ou=Groups,dc=10gen,dc=cc?dn?one?(&(objectClass=groupOfNames)(member={USER}))
      

      MongoDB version 4.4.0 adds the DN attribute to LDAP queries that don't request any other attributes. So, for version 4.4.0, you must explicitly add the DN attribute to all queries that request any other attributes.
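      The template rules in the remediation section above, as an added example that is not part of the ticket or of the MongoDB code base: a small Python helper that parses an ldapAuthzQueryTemplate (base?attributes?scope?filter), reports whether a template still needs the dn attribute for a given fix version, and rewrites it. The sample templates and the auto_dn_when_empty flag are constructed for this example.

```python
from typing import List, Tuple

# Sample templates, constructed for this example (the first two are the
# before/after forms shown in the ticket).
BEFORE = "ou=Groups,dc=10gen,dc=cc??one?(&(objectClass=groupOfNames)(member={USER}))"
AFTER = "ou=Groups,dc=10gen,dc=cc?dn?one?(&(objectClass=groupOfNames)(member={USER}))"
WITH_ATTRS = "ou=Groups,dc=10gen,dc=cc?cn,description?one?(member={USER})"


def parse_template(template: str) -> Tuple[str, List[str], str, str]:
    """Split base?attributes?scope?filter. The filter comes last and may
    legally contain '?', so split at most three times."""
    parts = template.split("?", 3)
    if len(parts) != 4:
        raise ValueError(f"expected base?attrs?scope?filter, got {template!r}")
    base, attrs, scope, filt = parts
    return base, [a.strip() for a in attrs.split(",") if a.strip()], scope, filt


def requests_dn(attrs: List[str]) -> bool:
    return any(a.lower() == "dn" for a in attrs)


def needs_dn(template: str, auto_dn_when_empty: bool) -> bool:
    """auto_dn_when_empty=True models 4.4.0, which adds dn itself when the
    attribute list is empty; False models 4.2.10/4.0.21/3.6.20, where every
    template must name dn explicitly."""
    _, attrs, _, _ = parse_template(template)
    if requests_dn(attrs):
        return False
    if not attrs and auto_dn_when_empty:
        return False
    return True


def add_dn(template: str) -> str:
    """Return the template with dn prepended to the attribute list (unchanged
    if dn is already requested). Base, scope and filter are preserved."""
    base, attrs, scope, filt = parse_template(template)
    if not requests_dn(attrs):
        attrs = ["dn"] + attrs
    return f"{base}?{','.join(attrs)}?{scope}?{filt}"


if __name__ == "__main__":
    for tmpl in (BEFORE, WITH_ATTRS, AFTER):
        for ver, auto in (("4.2.10/4.0.21/3.6.20", False), ("4.4.0", True)):
            if needs_dn(tmpl, auto):
                print(f"[{ver}] change {tmpl}\n    -> {add_dn(tmpl)}")
            else:
                print(f"[{ver}] ok     {tmpl}")
```

Apply the rewritten template only after upgrading to a fixed release; on earlier versions an explicit attribute list triggers the "Expected exactly one LDAP entity" error shown in the original description.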

      Original description

      For certain LDAP implementations it is beneficial to request only the DN attribute for the groups instead of requesting all of them by default. Regretfully, once you specify the list of attributes, mongod currently expects only a single LDAP result and errors out, for example:

      $ mongoldap --user 'uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com' --password 'REDACTED' -f ./mongod-okta.conf
      Running MongoDB LDAP authorization validation checks...
      Version: 4.2.0
       
      Checking that an LDAP server has been specified...
      [OK] LDAP server(s) provided in configuration
       
      Connecting to LDAP server...
      2019-09-09T09:58:46.074-0700 W  ACCESS   [main] LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP.
      [OK] Connected to LDAP server
       
      Attempting to authenticate against the LDAP server...
      [OK] Successful authentication performed
       
      Checking if LDAP authorization has been enabled by configuration...
      [OK] LDAP authorization enabled
       
      Parsing LDAP query template...
      [OK] LDAP query configuration template appears valid
       
      Executing query against LDAP server...
      2019-09-09T09:58:48.679-0700 E  ACCESS   [main] Expected exactly one LDAP entity from which to parse attributes. Found 2.
      [FAIL] Unable to acquire roles
      	* Error: UserDataInconsistent: Failed to obtain LDAP entities for query 'BaseDN: "ou=groups,dc=REDACTED,dc=oktapreview,dc=com", Scope: "sub", Filter: "(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com)", Attributes: "dn", ' :: caused by :: Expected exactly one LDAP entity from which to parse attributes.
      

      The LDAP response is provided significantly faster if you request only the DN attribute:

      $ time ldapsearch -LLL -H 'ldaps://REDACTED.ldap.oktapreview.com' -D "uid=REDACTED,dc=REDACTED,dc=oktapreview,dc=com" -w "$PASS" -b 'ou=groups,dc=REDACTED,dc=oktapreview,dc=com' '(&(objectClass=groupofUniqueNames)(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com))' dn
      dn: cn=Everyone,ou=groups,dc=REDACTED,dc=oktapreview,dc=com
       
      dn: cn=REDACTED,ou=groups,dc=REDACTED,dc=oktapreview,dc=co
       m
       
       
      real	0m1.198s
      user	0m0.021s
      sys	0m0.021s
      

      vs

      $ time ldapsearch -LLL -H 'ldaps://REDACTED.ldap.oktapreview.com' -D "uid=REDACTED,dc=REDACTED,dc=oktapreview,dc=com" -w "$PASS" -b 'ou=groups,dc=REDACTED,dc=oktapreview,dc=com' '(&(objectClass=groupofUniqueNames)(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com))'
      dn: cn=Everyone,ou=groups,dc=REDACTED,dc=oktapreview,dc=com
      objectClass: top
      objectClass: groupofUniqueNames
      cn: Everyone
      uniqueIdentifier: REDACTED
      description: All users in your organization
      ( 1988 uniqueMember attributes skipped)
       
      dn: cn=REDACTED,ou=groups,dc=REDACTED,dc=oktapreview,dc=co
       m
      objectClass: top
      objectClass: groupofUniqueNames
      cn: REDACTED
      uniqueIdentifier: REDACTED
      uniqueMember: uid=REDACTED1,ou=users,dc=REDACTED
       REDACTED,dc=oktapreview,dc=com
      uniqueMember: uid=REDACTED2,ou=users,dc=REDACTED
       REDACTED,dc=oktapreview,dc=com
       
       
      real	0m41.067s
      user	0m0.024s
      sys	0m0.027s
      

              People

              Assignee:
              sara.golemon Sara Golemon
              Reporter:
              andrey.brindeyev Andrey Brindeev