SERVER-83864 (Core Server)

Incorrect escaping of LDAP DN with comma

    • Type: Bug
    • Resolution: Works as Designed
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Server Security
    • ALL
    • Security 2023-12-25, Security 2024-01-08

      If a user with name "John Smith" and LDAP DN "Smith, John" in AD tries to log in, the comma is first escaped in the result returned by AD as "\," and then escaped again as "\5c," by escapeDN in the server. This double escaping results in an incorrect LDAP query for "CN=Smith\5c, John" instead of "CN=Smith\, John".

      Example URL
      mongodb://john.smith%40example.com:*****@localhost:27017/?authMechanism=PLAIN&authSource=%24external

      Example LDAP Config:

        ldap:
          bind:
            queryUser: "ldap@example.com"
            queryPassword: "*******"
          servers: "dc.example.com:3269"
          userToDNMapping:
              '[
                  {
                      match: "(.+)",
                      ldapQuery: "DC=example,DC=com??sub?(userPrincipalName={0})"
                  }
              ]'
          authz:
              queryTemplate: "DC=example,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))" # Nested Groups
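
      The following Python is an added example, not code from the MongoDB server or from this ticket. It shows RFC 4514 attribute-value escaping applied once (what a directory returns for the raw value "Smith, John") and then applied a second time to that already-escaped string, and decodes both so the mismatch is visible: the double-escaped value denotes a CN containing a literal backslash, which no longer matches the user. The escaper's conventions (backslash written as the hex pair \5c, other special characters prefixed with a single backslash, as AD does for "\,") are assumptions chosen to reproduce the sequences quoted above; the ticket does not show the full output of the server's escapeDN, so this is not a reimplementation of it. The defensive point is that escaping belongs exactly once, at the place where a raw value is inserted into a DN, and a DN string received from the directory is already escaped and must be used verbatim.

```python
import re

# Characters that must be escaped inside a DN attribute value (RFC 4514 section 2.4).
_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(raw: str) -> str:
    r"""Escape a RAW attribute value for use inside a DN.

    Convention assumed in this example (RFC 4514 allows both forms):
    a backslash becomes the hex pair \5c, every other special character
    gets a single backslash prefix, so "Smith, John" -> "Smith\, John".
    """
    out = []
    for i, ch in enumerate(raw):
        if ch == '\\':
            out.append('\\5c')
        elif ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == len(raw) - 1):
            out.append('\\ ')          # leading/trailing space must be escaped
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#' must be escaped
        else:
            out.append(ch)
    return ''.join(out)


# A backslash followed by either two hex digits or any single character.
_ESC = re.compile(r'\\([0-9A-Fa-f]{2}|.)')


def unescape_dn_value(escaped: str) -> str:
    """Decode an escaped DN value into the raw value the directory compares on."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 2:              # hex pair such as 5c
            return chr(int(tok, 16))
        return tok                     # "\," -> ","
    return _ESC.sub(repl, escaped)


def build_dn(attr: str, raw_value: str, base_dn: str) -> str:
    """Build a DN from a raw attribute value. Escaping happens exactly once, here.
    A DN string that came back from the directory is already escaped and must
    not be passed through this function."""
    return f"{attr}={escape_dn_value(raw_value)},{base_dn}"


def demonstrate():
    """Reproduce the single- versus double-escaping difference on constructed input."""
    raw = "Smith, John"                       # constructed sample value
    from_ad = escape_dn_value(raw)            # what the directory returns: Smith\, John
    double = escape_dn_value(from_ad)         # escaped a second time: Smith\5c\, John
    return {
        "from_ad": from_ad,
        "double": double,
        # The double-escaped form decodes to a value with a literal backslash,
        # so the query names a different (non-existent) entry.
        "double_decodes_to": unescape_dn_value(double),
        "round_trip_ok": unescape_dn_value(from_ad) == raw,
        "dn_from_raw": build_dn("CN", raw, "DC=example,DC=com"),
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

      Running the block prints the once-escaped value, the twice-escaped value, and what each decodes to; a unit test around build_dn and unescape_dn_value (round trip equals the raw value) is a cheap regression check for any code path that assembles DNs from both user input and directory results.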

    • Assignee: adrian.gonzalez@mongodb.com Adrian Gonzalez Montemayor
    • Reporter: mark.benvenuto@mongodb.com Mark Benvenuto
    • Votes: 1
    • Watchers: 4