[DOCS-11100] Docs for SERVER-31625: The contents of {USER} needs to be escaped when querying for the groups using LDAP server Created: 08/Dec/17  Updated: 29/Oct/23  Resolved: 05/Jul/18

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: 3.7.1, 3.4.11, 3.6.2

Type: Task Priority: Major - P3
Reporter: Kay Kim (Inactive) Assignee: Allison Reinheimer Moore
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-31625 The contents of {USER} needs to be es... Closed
Epic Link: DOCS: 4.0 Server

Description

Scoping

Description

  • If security.ldap.userToDNMapping uses the substitution parameter, the result of the substitution MUST be an RFC4514-escaped string, as in (CN=Doe\, John, OU=Users,DC=foo,DC=bar)
  • If LDAP Authz is enabled and an LDAP group (the DN part) contains an RFC4514-escaped sequence, the role names in the system.roles collection in the admin database must also be RFC4514-escaped (not plaintext)

Scope of changes (files that need work and how much)

Impact to other docs outside of this product

  • Ops Manager:
    • may need to clarify escaping in the Enable LDAP Tutorial - specifically the "User to Distinguished Name Mapping" section
    • probably need to say something about escaping the roles, though I'm not sure where

Documentation Request Summary:

1. When the security.ldap.userToDNMapping configuration option has one or more subsections with the substitution parameter, then the result of such substitution MUST be an RFC4514-escaped string (CN=Doe\, John,OU=Users,DC=foo,DC=bar).

2. When LDAP authorization is enabled and LDAP groups (their DNs) contain RFC4514 escape sequences, then role names must be RFC4514 escaped in the system.roles collection in the admin database, not just plaintext representation of the role names.

This ticket does NOT introduce any new behavior. Instead, it fixes the authentication issue for customers whose DNs contain special characters.

Engineering Ticket Description:

When LDAP authentication and authorization is enabled in the Server, the contents of the {USER} value in the security.ldap.authz.queryTemplate configuration option need to be escaped in accordance with RFC4515. Please see the example below:

$ mongo --host rhel-73.acme.qa --authenticationDatabase '$external' --authenticationMechanism PLAIN --username peter.pan -p
MongoDB shell version v3.4.9
Enter password:
connecting to: mongodb://rhel-73.acme.qa:27017/
MongoDB server version: 3.4.9
2017-10-18T11:37:14.679-0700 E QUERY    [thread1] Error: Failed to acquire LDAP group membership :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):7:1
@(auth):1:2
exception: login failed

mongod.log:

2017-10-18T11:37:14.679-0700 E ACCESS   [conn5] LDAP authorization failed: UnknownError: Failed to obtain LDAP entities for query 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"': LDAP Operation <ldap_search_ext_s>, Failed to perform query: Bad search filter' Query was: 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"'". (-7/Bad search filter)

Corresponding ldapsearch reproduction (please disregard bash-related escaping of the single quote character):

$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie'"'"'s fictional character),CN=Users,DC=ACME,DC=QA))' cn
Enter LDAP Password:
ldap_search_ext: Bad search filter (-7)

Correct search filter syntax (please disregard bash-related escaping of the single quote character):

$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\\2c Peter \\28J.M. Barrie'"'"'s fictional character\\29,CN=Users,DC=ACME,DC=QA))' cn
Enter LDAP Password:
dn: CN=Global-Admins-Database,CN=Users,DC=ACME,DC=QA
cn: Global-Admins-Database
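The two escaping layers the ticket describes, as an added example (not MongoDB's code): the DN produced by userToDNMapping substitution (and stored as the role name in admin.system.roles) is RFC 4514-escaped, and that DN is then RFC 4515-escaped when it replaces {USER} in the authz query template. The template shape is assumed to mirror the mongod.log line above; the DN is the ticket's. Strict RFC 4515 hex escapes (\5c, \28, \29) are emitted rather than the doubled-backslash form in the ldapsearch command above.

```python
# Added example, not MongoDB's code. Escapes a user DN in two layers:
# RFC 4514 for the DN string itself, RFC 4515 for the search filter.
RDN_SPECIAL = set('"+,;<>\\')          # RFC 4514 section 2.4


def rfc4514_escape_value(value):
    """Escape one attribute value for use inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RDN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)      # leading '#', leading/trailing space
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns):
    """rdns: list of (attribute, raw value) pairs, most specific first.
    The result is the RFC 4514 form to use as the system.roles role name."""
    return ','.join('%s=%s' % (attr, rfc4514_escape_value(val))
                    for attr, val in rdns)


def rfc4515_escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515).
    Only backslash, '*', '(', ')' and NUL are special; they become \\XX."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


# Assumed query template, written in the form mongod logs it.
QUERY_TEMPLATE = ('BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: '
                  '"(&(objectClass=group)'
                  '(member:1.2.840.113556.1.4.1941:={USER}))"')


def render_authz_query(user_dn):
    """Substitute an already RFC 4514-escaped DN into the template."""
    return QUERY_TEMPLATE.replace('{USER}',
                                  rfc4515_escape_filter_value(user_dn))


if __name__ == '__main__':
    dn = build_dn([('CN', "Pan, Peter (J.M. Barrie's fictional character)"),
                   ('CN', 'Users'), ('DC', 'ACME'), ('DC', 'QA')])
    print(dn)                      # RFC 4514 form, also the role name
    print(render_authz_query(dn))  # filter that the server should send
```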



Comments
Comment by Allison Reinheimer Moore [ 05/Jul/18 ]

Merged to 3.4, 3.6, and master.

Comment by Githook User [ 05/Jul/18 ]

Author:

{'username': 'schmalliso', 'name': 'Allison Reinheimer Moore', 'email': 'allison.moore@10gen.com'}

Message: DOCS-11100: LDAP - substituted DNs must be RFC4514 escaped
Branch: v3.4
https://github.com/mongodb/docs/commit/1533cf11245467d52a9dc4bced31342e5d3eec49

Comment by Githook User [ 05/Jul/18 ]

Author:

{'username': 'schmalliso', 'name': 'Allison Reinheimer Moore', 'email': 'allison.moore@10gen.com'}

Message: DOCS-11100: LDAP - substituted DNs must be RFC4514 escaped
Branch: v3.6
https://github.com/mongodb/docs/commit/bb9d2e31c2e876ae6b021fcb7884bef7621c8bd7

Comment by Githook User [ 05/Jul/18 ]

Author:

{'username': 'schmalliso', 'name': 'Allison Reinheimer Moore', 'email': 'allison.moore@10gen.com'}

Message: DOCS-11100: LDAP - substituted DNs must be RFC4514 escaped
Branch: master
https://github.com/mongodb/docs/commit/fcfc435d0c1470d65d8f2f8383bc44e348a64ad4

Comment by sivakumar Gandhirajan [X] [ 15/Dec/17 ]

Is there any progress or resolution on how to escape the special characters in the user DN?
