[DOCS-11100] Docs for SERVER-31625: The contents of {USER} needs to be escaped when querying for the groups using LDAP server Created: 08/Dec/17 Updated: 29/Oct/23 Resolved: 05/Jul/18 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 3.7.1, 3.4.11, 3.6.2 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Kay Kim (Inactive) | Assignee: | Allison Reinheimer Moore |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Days since reply: | 5 years, 31 weeks, 6 days ago |
| Epic Link: | DOCS: 4.0 Server |
| Description |
Scope of changes (files that need work and how much)
Impact to other docs outside of this product
Documentation Request Summary:

1. When the {security.ldap.userToDNMapping} configuration option has one or more subsections with the {substitution} parameter, then the result of such substitution MUST be an RFC4514-escaped string (CN=Doe\, John,OU=Users,DC=foo,DC=bar).
2. When LDAP authorization is enabled and LDAP groups (their DNs) contain RFC4514 escape sequences, then role names must be RFC4514 escaped in the system.roles collection in the admin database, not just a plaintext representation of the role names.

This ticket does NOT introduce any new behavior. Instead, it is fixing the authentication issue for customers when their DNs contain special characters.

Engineering Ticket Description:

When LDAP authentication and authorization is enabled in the Server, the contents of the {USER} value in the security.ldap.authz.queryTemplate configuration option need to be escaped in accordance with RFC4515. Please see the example below:
mongod.log:
Correspondent ldapsearch reproduction (please disregard bash-related escaping of the single quote character):
Correct search filter syntax (please disregard bash-related escaping of the single quote character):
|
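The two escaping layers named in the description, RFC 4514 for the DN produced by a substitution and RFC 4515 for the {USER} value placed in a search filter, shown as an added example that is not part of the ticket or of MongoDB's code. The function names, the `{0}` capture placeholder handling and the group filter string are assumptions made for illustration; the sample inputs are constructed.

```python
# Added example (not MongoDB code): the two escaping layers the ticket names.

DN_SPECIALS = '"+,;<>\\'          # RFC 4514 section 2.4: always escaped
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28",
                  ")": "\\29", "\x00": "\\00"}   # RFC 4515 section 3


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch in " #" and i == 0) or (ch == " " and i == last):
            out.append("\\" + ch)      # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def map_user_to_dn(substitution: str, captured: str) -> str:
    """Hypothetical helper: fill a substitution template with an escaped value."""
    return substitution.replace("{0}", escape_dn_value(captured))


def build_group_filter(filter_template: str, user_dn: str) -> str:
    """Hypothetical helper: place the user DN into a filter as {USER}."""
    return filter_template.replace("{USER}", escape_filter_value(user_dn))


if __name__ == "__main__":
    # Constructed inputs; the resulting DN matches the example in the ticket text.
    dn = map_user_to_dn("CN={0},OU=Users,DC=foo,DC=bar", "Doe, John")
    print(dn)
    # Constructed filter template; the backslash in the DN becomes \5c here.
    print(build_group_filter("(&(objectClass=group)(member={USER}))", dn))
```

The DN escape and the filter escape are applied in sequence, so the backslash that RFC 4514 adds before the comma is itself escaped when the DN is used as a filter value.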
| Comments |
| Comment by Allison Reinheimer Moore [ 05/Jul/18 ] |
|
Merged to 3.4, 3.6, and master. |
| Comment by Githook User [ 05/Jul/18 ] |
|
Author: {'username': 'schmalliso', 'name': 'Allison Reinheimer Moore', 'email': 'allison.moore@10gen.com'}Message: |
| Comment by Githook User [ 05/Jul/18 ] |
|
Author: {'username': 'schmalliso', 'name': 'Allison Reinheimer Moore', 'email': 'allison.moore@10gen.com'}Message: |
| Comment by Githook User [ 05/Jul/18 ] |
|
Author: {'username': 'schmalliso', 'name': 'Allison Reinheimer Moore', 'email': 'allison.moore@10gen.com'}Message: |
| Comment by sivakumar Gandhirajan [X] [ 15/Dec/17 ] |
|
Is there any progress or resolution on how to escape the special characters in the user DN? |