[COMPASS-4544] MongoDB Atlas Cluster Database - can't login with X509 user with Compass Created: 17/Dec/20  Updated: 27/Oct/23  Resolved: 18/Dec/20

Status: Closed
Project: Compass
Component/s: Compass
Affects Version/s: 1.24.1
Fix Version/s: No version

Type: Bug Priority: Major - P3
Reporter: Amikam Goldfarb Assignee: Unassigned
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Documentation Changes: Not Needed

 Description   

Problem Description

On version 1.22.1 it was still possible to connect with x509 (user) authentication to cluster db.
However, after the upgrade to 1.24.1, it stopped working.

Steps to Reproduce

  1. Fill in connection fields individually
  2. Fill cluster DNS name in Hostname field
  3. SRV Record enabled
  4. Authentication - X509, username: username as created in Atlas DB
  5. Fill replica set name
  6. Read Preference: Primary
  7. SSL: Server and Client Validation
    1. Certificate Authority: PEM File from Mongo created for X509 User
    2. Client Certificate: PEM File from Mongo created for X509 User
    3. Client Private Key: PEM File from Mongo created for X509 User
  8. Click CONNECT

Expected Results

Connects

Actual Results

"Auth failed" error

Additional Notes

Works perfectly on 1.22.1 Compass version, and on mongo cli.



 Comments   
Comment by Rhys Howell [ 18/Dec/20 ]

amikamg@securitydam.com In Compass 1.24.1 we updated our mongodb driver to 3.6.3, and we had a fix where it started to use the username field supplied in the X509 username field: https://github.com/mongodb/node-mongodb-native/commit/9110a45cfa9a536795fd3cbca92d1c1b4dc61d59 . Previously it seems this was unused, and it was resolved through the certificate. I suspect this is causing the issue. Sorry that updating caused it to stop working.

Two potential solutions:

  • Remove the username value; we've now made it optional, and with the PEM from Compass it is not needed, as it is pulled from the CN field in the PEM.
  • Update the username field to include `CN=` before the username so that it uses the username per [RFC-2253](https://tools.ietf.org/html/rfc2253). For example, the username "X509User" should be provided as "CN=X509User".

Thanks for creating this ticket - and sorry the connection suddenly stopped working - hopefully one of those solutions fixes it for you. Feel free to re-open if that's not the case.
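
The username rule described in the comment above, as an added example (not Compass or driver code): it builds the RFC 2253 string for a certificate subject and checks a candidate X509 username against it. The function names, the strict string comparison, and the multi-attribute subject are assumptions made for illustration; only "X509User" and "CN=X509User" come from the ticket.

```javascript
'use strict';

// Escape one attribute value per RFC 2253 section 2.4:
// special characters anywhere, a leading space or '#', and a trailing space.
function escapeValue(value) {
  return value
    .replace(/[,+"\\<>;]/g, '\\$&')
    .replace(/^[ #]|(?<=.) $/g, '\\$&');
}

// rdns: single-valued subject attributes in certificate order
// (most general first). RFC 2253 section 2.1 emits them in reverse
// order, joined by commas with no added whitespace.
function toRfc2253(rdns) {
  return rdns
    .slice()
    .reverse()
    .map(([type, value]) => `${type}=${escapeValue(value)}`)
    .join(',');
}

// Local pre-flight check for the X509 username field.
// Assumption: the value must equal the subject string exactly.
function checkUsername(username, rdns) {
  const expected = toRfc2253(rdns);
  if (username === undefined || username === '') {
    return { ok: true, reason: 'username omitted; subject is taken from the certificate' };
  }
  if (username === expected) {
    return { ok: true, reason: 'matches certificate subject' };
  }
  return { ok: false, reason: `does not match subject; expected "${expected}"` };
}

// Subject from the ticket's example, plus a constructed multi-attribute subject.
const simpleSubject = [['CN', 'X509User']];
const fullSubject = [['C', 'US'], ['O', 'Example, Inc.'], ['OU', 'Ops'], ['CN', 'X509User']];

for (const candidate of ['X509User', 'CN=X509User', '']) {
  console.log(JSON.stringify(candidate), checkUsername(candidate, simpleSubject));
}
console.log(toRfc2253(fullSubject));
```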
