- Type: Improvement
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: 3.2.22, 3.6.17, 3.4.24, 4.2.3, 4.3.3, 4.0.16
- Component/s: Security
- Fully Compatible
- v4.4, v4.2, v4.0
- Security 2020-02-24, Security 2020-08-24, Security 2020-09-07
When creating a new client x.509 user via createUser, MongoDB validates that the O/OU/DC do not match, to prevent the user from being considered an internal cluster member with _system privileges. However, this only applies if clusterMode: x509. If clusterMode: keyFile, then matching O/OU/DC does not grant _system privileges, but MongoDB still prevents these users from being created. So if clusterMode: keyFile, we should not enforce the matching O/OU/DC restriction between client and PEMKeyFile/clusterFile certs.
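The check described above, sketched as an added Python example (not MongoDB's code and not part of the original ticket): it extracts O/OU/DC from two subject DNs and enforces the restriction only in x509 cluster mode. All function names and sample DNs are hypothetical, and the matching rule (identical, non-empty O/OU/DC sets) is an assumption made for illustration.

```python
# Added illustration: a simplified model, not MongoDB source code.
CLUSTER_ATTRS = {"O", "OU", "DC"}

def split_unescaped(text, sep):
    """Split on sep while leaving backslash-escaped characters intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def cluster_identity(dn):
    """Sorted (type, value) pairs for the O, OU and DC attributes of a DN."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDNs
            key, eq, value = ava.partition("=")
            if eq and key.strip().upper() in CLUSTER_ATTRS:
                pairs.append((key.strip().upper(), value.strip()))
    return sorted(pairs)

def looks_like_member(user_dn, server_dn):
    """Assumed rule: the O/OU/DC sets are non-empty and identical."""
    ident = cluster_identity(user_dn)
    return bool(ident) and ident == cluster_identity(server_dn)

def should_reject_create_user(user_dn, server_dn, cluster_mode):
    """Behaviour the ticket asks for: enforce the restriction only for x509."""
    if cluster_mode not in ("x509", "keyFile"):
        raise ValueError("only the two modes named in the ticket are modelled")
    return cluster_mode == "x509" and looks_like_member(user_dn, server_dn)

# Constructed sample subjects (not taken from any real deployment).
SERVER_DN = "CN=node1.example.net,OU=Ops,O=Example\\, Inc.,C=US"
CLIENT_SAME = "CN=app-user,OU=Ops,O=Example\\, Inc.,C=US"
CLIENT_OTHER = "CN=app-user,OU=Apps,O=Example\\, Inc.,C=US"
```

Escaped values are compared as written, so hex escapes and case differences are not normalised here.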
- is caused by
  - SERVER-11025 Adding a user with x509 certificate = server certificate appears to work (Closed)
  - SERVER-15459 Check new X509 user names against _clusterIdMatch (Closed)
- is related to
  - SERVER-73576 enforceUserClusterSeparation authenticate validation incorrect (Closed)
- related to
  - SERVER-54136 Make the authenticate command respect enforceUserClusterSeparation (Closed)
  - SERVER-14655 x.509 certificate authentication requires O,OU to differ between client and server (Closed)