Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-45938

Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • 3.2.22, 3.6.17, 3.4.24, 4.2.3, 4.3.3, 4.0.16
    • 4.7.0, 4.4.2, 4.2.11, 4.0.21
    • Security
    • None
    • Fully Compatible
    • v4.4, v4.2, v4.0
    • Security 2020-02-24, Security 2020-08-24, Security 2020-09-07

    Description

      When creating a new client x.509 user via createUser, MongoDB validates that the O/OU/DC do not match to prevent the user from being considered an internal cluster member with _system privileges. However this only applies if clusterMode: x509. If clusterMode: keyFile, then matching O/OU/DC does not grant _system privileges, but MongoDB still prevents these users from being created. So if clusterMode: keyFile, then we should not enforce the matching O/OU/DC restriction between client and PEMKeyFile/clusterFile certs.

      Attachments

        Issue Links

          Activity

            People

              spencer.jackson@mongodb.com Spencer Jackson
              james.kovacs@mongodb.com James Kovacs
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: