- Type: Task
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Server Security
The external_auth suites have not previously been enabled or supported on Debian variants.
However, it may be straightforward to enable them and expand test coverage. According to varun.ravichandran@mongodb.com:
I believe external_auth was initially failing due to 2 tests: ldap_authz_bind.js and ldap_tool_ocsp.js.
ldap_authz_bind.js was failing because OpenLDAP uses GnuTLS on Debian. GnuTLS doesn't support SHA-1-signed certificates anymore, which is what ldaptest.10gen.cc uses. ldap_authz_bind.js and ldap_tls.js are the only LDAP tests that use TLS when connecting to ldaptest.10gen.cc, and ldap_tls.js already has a check that prevents it from running on anything but RHEL. ldap_authz_bind.js was already being skipped on Ubuntu (which also uses GnuTLS), so I extended this check to also account for Amazon Linux 2023 and Debian. Now, that test doesn't fail anymore.
ldap_tool_ocsp.js fails because it is unable to start a Python mock OCSP server. The error indicates that oscrypto was unable to determine the version of libcrypto on the machine. This appears to be a bug on oscrypto 1.3.0 and OpenSSL 3.0 that has since been patched. So we could probably fix this also by pinning oscrypto to a higher version (1.3.1) or by simply skipping this test also on Debian and other distros that have OpenSSL 3.0.
Since there's only 1 test left failing, I wonder if it would be worth it to just target the fix for that appropriately rather than blocking external_auth on Debian entirely? We would be getting a decent amount of additional test coverage from this as compared to blocking the entire suite.
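Gating an LDAP-over-TLS test by distro, as the quoted comment describes for ldap_authz_bind.js, as an added example that is not code from the ticket or from MongoDB's test suite. It assumes the test can read the text of /etc/os-release; the parser, the function names, the treatment of ID_LIKE=debian derivatives as Debian, and the sample os-release contents are all constructed for this example.

```javascript
// Added example, not code from the ticket or from MongoDB's test suite.
// Decides whether an LDAP-over-TLS test that connects to a server presenting a
// SHA-1-signed certificate should be skipped on the current distro. Per the
// ticket, OpenLDAP on Debian and Ubuntu is linked against GnuTLS, which rejects
// SHA-1 signatures, and Amazon Linux 2023 is skipped as well. Reading the distro
// from /etc/os-release text is an assumption made for this example.

// Distros whose OpenLDAP client uses GnuTLS (from the ticket's skip list).
const GNUTLS_LDAP_DISTRO_IDS = new Set(["debian", "ubuntu"]);

// Parse /etc/os-release (KEY=value, value optionally quoted) into an object.
function parseOsRelease(text) {
  const fields = {};
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value[value.length - 1] === q) {
      value = value.slice(1, -1);
    }
    fields[key] = value;
  }
  return fields;
}

// Return true when the test should be skipped on the distro described by osReleaseText.
// Assumption: derivatives reporting ID_LIKE=debian ship the same GnuTLS-linked
// OpenLDAP packages and are treated like Debian.
function shouldSkipSha1LdapTlsTest(osReleaseText) {
  const os = parseOsRelease(osReleaseText);
  const id = (os.ID || "").toLowerCase();
  const idLike = (os.ID_LIKE || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (GNUTLS_LDAP_DISTRO_IDS.has(id)) return true;
  if (idLike.some((d) => GNUTLS_LDAP_DISTRO_IDS.has(d))) return true;
  // Amazon Linux 2023 is on the ticket's skip list; Amazon Linux 2 is not.
  if (id === "amzn" && os.VERSION_ID === "2023") return true;
  return false;
}

// Constructed sample /etc/os-release contents for the distros the ticket mentions.
const SAMPLE_OS_RELEASE = {
  debian: 'PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"\nNAME="Debian GNU/Linux"\nVERSION_ID="12"\nID=debian\n',
  ubuntu: 'NAME="Ubuntu"\nVERSION_ID="22.04"\nID=ubuntu\nID_LIKE=debian\n',
  amzn2023: 'NAME="Amazon Linux"\nVERSION="2023"\nID="amzn"\nID_LIKE="fedora"\nVERSION_ID="2023"\n',
  amzn2: 'NAME="Amazon Linux"\nVERSION="2"\nID="amzn"\nID_LIKE="centos rhel fedora"\nVERSION_ID="2"\n',
  rhel9: 'NAME="Red Hat Enterprise Linux"\nVERSION_ID="9.2"\nID="rhel"\nID_LIKE="fedora"\n',
};

// Skip decision for each sample, keyed by sample name.
function skipDecisions() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLE_OS_RELEASE)) {
    out[name] = shouldSkipSha1LdapTlsTest(text);
  }
  return out;
}

console.log(skipDecisions());
```

Keeping the skip decision in one function means the list of affected distros lives in a single place rather than being copied into each LDAP test, and the os-release check can be replaced with whatever platform probe the test harness already exposes.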