  1. Core Server
  2. SERVER-56617

Reconsider advice to switch to the libldap_r


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: 4.4.5, 4.2.14
    • Fix Version/s: 5.1 Required
    • Component/s: None
    • Labels:
      None

      Description

      The majority of current installations in the field are still using RHEL 7/CentOS 7. It seems that most customers upgrade their operating system. Since NSS is no longer in use, we may need to adjust the warning printed because it may be harmful: if the server uses LDAPS connections, then the libldap_r library may remove mitigations for SERVER-30643 set by the mongod process in RHEL 7.5+.

      This is the current log line:

      {"t":{"$date":"2021-05-04T15:32:54.939+00:00"},"s":"W", "c":"ACCESS", "id":24052, "ctx":"main","msg":"LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP."}
      

      The server may advise disabling the NSS shim layer (present only in RHEL7/CentOS 7) to achieve better stability instead of switching to libldap_r: the TLS_MOZNSS_COMPATIBILITY off setting in ldap.conf.
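
An added example (not part of the ticket or of MongoDB's code): a Python check that finds warning id 24052 in mongod's JSON log and reports whether ldap.conf sets TLS_MOZNSS_COMPATIBILITY off. The function names, the sample inputs and the last-occurrence-wins parsing rule are assumptions.

```python
import json

LDAP_THREAD_WARNING_ID = 24052            # id of the warning quoted in this ticket
SHIM_OPTION = "tls_moznss_compatibility"  # ldap.conf option named in the ticket

# Constructed sample inputs: message text abbreviated, other lines invented.
SAMPLE_LOG = (
    '{"t":{"$date":"2021-05-04T15:32:54.939+00:00"},"s":"W", "c":"ACCESS", '
    '"id":24052, "ctx":"main","msg":"LDAP library does not advertise support '
    'for thread safety."}\n'
    '{"t":{"$date":"2021-05-04T15:32:55.000+00:00"},"s":"I", "c":"CONTROL", '
    '"id":1, "ctx":"main","msg":"constructed unrelated entry"}\n'
    'not json, for example a truncated line\n'
)
SAMPLE_LDAP_CONF = (
    "# constructed ldap.conf\n"
    "TLS_CACERTDIR /etc/openldap/certs\n"
    "TLS_MOZNSS_COMPATIBILITY off\n"
)


def find_ldap_thread_warnings(log_text):
    """Return parsed log entries whose id is 24052; skip unparsable lines."""
    hits = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        if isinstance(entry, dict) and entry.get("id") == LDAP_THREAD_WARNING_ID:
            hits.append(entry)
    return hits


def moznss_compat_setting(conf_text):
    """Return the lower-cased TLS_MOZNSS_COMPATIBILITY value, or None if unset.
    Assumption: option names are case-insensitive and the last occurrence wins;
    commented-out lines never match because their first token starts with '#'."""
    value = None
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == SHIM_OPTION:
            value = parts[1].strip().lower()
    return value


def assess(log_text, conf_text):
    """Classify a host as 'no-warning', 'shim-disabled' or 'review'."""
    if not find_ldap_thread_warnings(log_text):
        return "no-warning"
    return "shim-disabled" if moznss_compat_setting(conf_text) == "off" else "review"
```

A `review` result means the warning was logged and the shim is not explicitly turned off, so the host should be examined before anyone follows the log line's advice to relink.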

            People

            Assignee:
            backlog-server-security Backlog - Security Team
            Reporter:
            andrey.brindeyev Andrey Brindeev