  1. Core Server
  2. SERVER-78829

Server does not anonymously bind to LDAP servers in the absence of ldapQueryUser

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Server Security
    • Security 2024-01-22, Security 2024-02-05, Security 2024-02-19, Security 2024-03-04

      The server's docs publicly state that MongoDB performs an anonymous bind to all LDAP servers before performing queries if the ldapQueryUser configuration option is unspecified.

      In reality, this does not happen. When connection pooling is disabled, the server simply runs the search operation on a new connection without performing any kind of bind, anonymous or otherwise. When connection pooling is enabled, the server grabs an existing connection from the pool and runs the search operation on it, regardless of whether the previous connection was previously bound to the LDAP server as some different user.

      We should standardize this behavior with our docs and always anonymously bind before running search operations.

            Assignee: [DO NOT USE] Backlog - Security Team (backlog-server-security)
            Reporter: Varun Ravichandran (varun.ravichandran@mongodb.com)
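
The two behaviours described in the report, modelled as an added example (not MongoDB's code and not part of the original issue). `LdapConn`, `LdapPool` and the function names are hypothetical, and the connection only records bind state instead of talking to an LDAP server.

```cpp
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for one LDAP connection; it only tracks bind state.
struct LdapConn {
    bool bindIssued = false;  // has any bind been sent on this connection?
    std::string boundDn;      // empty DN with bindIssued == true means anonymous
    void bind(const std::string& dn) { bindIssued = true; boundDn = dn; }
};

// Hypothetical pool: hands connections back in whatever bind state they were left in.
class LdapPool {
    std::vector<LdapConn> idle_;
public:
    LdapConn acquire() {
        if (idle_.empty()) return LdapConn{};  // fresh, never-bound connection
        LdapConn c = idle_.back();
        idle_.pop_back();
        return c;
    }
    void release(LdapConn c) { idle_.push_back(std::move(c)); }
};

// The identity a search would run under on the chosen connection.
struct SearchIdentity { bool bindIssued; std::string dn; };

// A user authentication binds a connection as that user and returns it to the pool.
void authenticateUser(LdapPool& pool, const std::string& userDn) {
    LdapConn c = pool.acquire();
    c.bind(userDn);
    pool.release(c);
}

// Reported behaviour: search on whatever connection is at hand, with no bind first.
SearchIdentity searchAsReported(LdapPool& pool) {
    LdapConn c = pool.acquire();
    SearchIdentity id{c.bindIssued, c.boundDn};
    pool.release(c);
    return id;
}

// Requested behaviour: always bind before searching. An empty queryUserDn models
// an unset ldapQueryUser, so the bind is anonymous and replaces any earlier identity.
SearchIdentity searchWithBindFirst(LdapPool& pool, const std::string& queryUserDn) {
    LdapConn c = pool.acquire();
    c.bind(queryUserDn);
    SearchIdentity id{c.bindIssued, c.boundDn};
    pool.release(c);
    return id;
}
```

In this model a fresh connection searches with no bind issued, a reused connection searches under the previous user's DN, and only the bind-first path gives the anonymous identity the docs describe.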