Core Server / SERVER-83864

Incorrect escaping of LDAP DN with comma


Details

    • Type: Bug
    • Resolution: Works as Designed
    • Priority: Major - P3
    • Component: Server Security
    • ALL
    • Security 2023-12-25, Security 2024-01-08

    Description

      If a user with name "John Smith" and LDAP DN "Smith, John" in AD tries to log in, the comma gets first escaped in the result from AD as "\," and then as "\5c," by escapeDN in the server. This double escaping results in an incorrect LDAP query for "CN=Smith\5c, John" instead of "CN=Smith\, John".

      Example URL:
      mongodb://john.smith%40example.com:*****@localhost:27017/?authMechanism=PLAIN&authSource=%24external

      Example LDAP Config:

        ldap:
          bind:
            queryUser: "ldap@example.com"
            queryPassword: "*******"
          servers: "dc.example.com:3269"
          userToDNMapping:
              '[
                  {
                      match: "(.+)",
                      ldapQuery: "DC=example,DC=com??sub?(userPrincipalName={0})"
                  }
              ]'
          authz:
              queryTemplate: "DC=example,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))" # Nested Groups
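As an added example (not the server's escapeDN code, whose behaviour the ticket only describes), the following self-contained Python separates the two escaping layers that the report runs together: RFC 4514 backslash escaping of a value inside a DN, and RFC 4515 hex escaping of an assertion value inside a search filter. A DN returned by the directory already carries the RFC 4514 form ("Smith\, John"); when that DN is substituted for {USER} in the queryTemplate above it becomes a filter assertion value, and RFC 4515 requires its backslash to be written as "\5c", which is the "CN=Smith\5c, John" the report observes. The strict decoder shows what a filter parser recovers from each form. The function and constant names are my own.

```python
# Added example for SERVER-83864, not MongoDB code. Implements the escaping
# rules of RFC 4514 (DN values) and RFC 4515 (filter assertion values) by hand
# so it runs without any LDAP library.

# Characters that RFC 4514 requires to be backslash-escaped anywhere in a DN
# attribute value. Leading '#', and leading/trailing space, are escaped too.
DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(raw: str) -> str:
    """Escape a raw attribute value for use inside a DN (RFC 4514 '\\,' form)."""
    out = []
    n = len(raw)
    for i, ch in enumerate(raw):
        if ch in DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == n - 1):
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(raw: str) -> str:
    """Escape a value for use as an assertion value in a search filter (RFC 4515).

    Only '\\', '*', '(', ')' and NUL are special; each becomes '\\XX' with XX the
    byte in hex. Note that a backslash already present (e.g. from a DN) becomes
    '\\5c', which is the form the ticket reports as "double escaping".
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in raw)


def unescape_filter_value(escaped: str) -> str:
    """Strictly decode RFC 4515 escapes.

    A backslash must be followed by exactly two hex digits; anything else
    ('\\,' for instance) is not a valid filter escape and is rejected rather
    than silently passed through.
    """
    out = []
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == '\\':
            hexpair = escaped[i + 1:i + 3]
            if len(hexpair) != 2 or any(c not in '0123456789abcdefABCDEF' for c in hexpair):
                raise ValueError('invalid filter escape at offset %d: %r' % (i, escaped[i:i + 3]))
            out.append(chr(int(hexpair, 16)))
            i += 3
        else:
            out.append(ch)
            i += 1
    return ''.join(out)


def member_filter(user_dn: str) -> str:
    """Build the nested-group filter from the ticket's queryTemplate, substituting
    the user's DN for {USER} with exactly one layer of filter escaping."""
    return '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))' % escape_filter_value(user_dn)


if __name__ == '__main__':
    # Constructed sample: the CN from the ticket, first as the raw value and
    # then as the directory returns it inside a DN.
    raw_cn = 'Smith, John'
    dn_from_ad = 'CN=%s,DC=example,DC=com' % escape_dn_value(raw_cn)
    print('DN layer (RFC 4514):    ', dn_from_ad)
    print('filter layer (RFC 4515):', escape_filter_value(dn_from_ad))
    print('decoded back:           ', unescape_filter_value(escape_filter_value(dn_from_ad)))
    print('member filter:          ', member_filter(dn_from_ad))
    try:
        unescape_filter_value('CN=Smith\\, John')
    except ValueError as err:
        print('un-hex-escaped form rejected by strict decoder:', err)
```

Running the script shows the DN layer and the filter layer side by side: escaping the raw "Smith, John" once for the DN gives "Smith\, John", escaping that DN once more for the filter gives "Smith\5c, John", and decoding the filter layer returns the original DN; the form with a bare "\," inside a filter does not decode at all. Whichever layer a given component owns, the value should be escaped exactly once per layer, and never re-escaped for a layer it has already passed through.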
      

      People

        Adrian Gonzalez Montemayor (adrian.gonzalez@mongodb.com)
        Mark Benvenuto (mark.benvenuto@mongodb.com)