[DOCS-12399] Docs for SERVER-36117: LDAP Authorization add support for posixGroup schema (RFC2307) Created: 28/Jan/19  Updated: 13/Nov/23  Resolved: 14/Aug/19

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 4.1.8, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task Priority: Major - P3
Reporter: Kay Kim (Inactive) Assignee: Kay Kim (Inactive)
Resolution: Fixed Votes: 0
Labels: docs-4.2-security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-36117 LDAP Authorization add support for po... Closed
Epic Link: DOCS: 4.2 Server/Tools

Description

There is a new substitution token available in the security.ldap.authz.queryTemplate config parameter: PROVIDED_USER, which corresponds to the username of the user attempting to authenticate, before it is looked up or otherwise modified by the LDAP code.

Engineering Ticket Description:

When LDAP authentication and authorization is enabled in the Server, there is a variable {USER} that can be used in the security.ldap.authz.queryTemplate configuration option.

That variable will contain the DN of the user after the security.ldap.userToDNMapping expression is processed.

Please add another variable, such as {0}, that allows using the non-mapped username (the username passed to the client).

This will be useful for LDAP environments where the posixGroup schema is used (RFC2307) and the member field contains the user uid instead of the full DN:

Example posixGroup element:

dn: cn=Administrators,ou=group,ou=engineering,dc=example,dc=com
memberUid: bob
memberUid: eve
memberUid: tom
cn: Administrators
objectClass: posixgroup
objectClass: top
gidNumber: 12345

Possible configuration settings for MongoDB once the {0} variable is available:

security.ldap.authz.queryTemplate = ou=group,ou=engineering,dc=example,dc=com??base?(&(objectClass=posixGroup)(memberUid={0}))
security.ldap.userToDNMapping=[{match : "(.+)",substitution:"uid={0},ou=people,ou=engineering,dc=example,dc=com"}]

If the username is "bob":

  • {0} will be "bob" in the security.ldap.userToDNMapping parameter and the security.ldap.authz.queryTemplate
  • {USER} will be "uid=bob,ou=people,ou=engineering,dc=example,dc=com"
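As an added illustration (not code from the ticket, the SERVER ticket, or MongoDB itself), the following Python models how the two settings combine for one login: the userToDNMapping regex produces the {USER} DN, while the raw login name fills the {PROVIDED_USER} token named in the docs commit (the ticket's hypothetical {0}). The ldap_filter_escape step and the whole-name regex matching are my assumptions about sensible behaviour, not something the ticket describes: substituted values are escaped per RFC 4515 so a login name cannot change the structure of the group filter.

```python
import re
from typing import Dict, List, Optional

# Constructed sample settings, taken from the ticket's example with the
# hypothetical {0} token replaced by the {PROVIDED_USER} token.
USER_TO_DN_MAPPING: List[Dict[str, str]] = [
    {"match": "(.+)",
     "substitution": "uid={0},ou=people,ou=engineering,dc=example,dc=com"},
]
POSIX_GROUP_TEMPLATE = (
    "ou=group,ou=engineering,dc=example,dc=com??base?"
    "(&(objectClass=posixGroup)(memberUid={PROVIDED_USER}))"
)
MEMBER_DN_TEMPLATE = (  # the pre-existing style of query that uses {USER}
    "ou=group,ou=engineering,dc=example,dc=com??sub?"
    "(&(objectClass=groupOfNames)(member={USER}))"
)

def ldap_filter_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters (assumed hardening step, not
    described by the ticket) so a login name cannot alter filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def map_user_to_dn(username: str, mapping: List[Dict[str, str]]) -> Optional[str]:
    """Model of userToDNMapping: the first rule whose regex matches the whole
    login name wins, and {0}, {1}, ... are replaced by its capture groups."""
    for rule in mapping:
        m = re.fullmatch(rule["match"], username)
        if m is None:
            continue
        dn = rule["substitution"]
        for i, group in enumerate(m.groups()):
            dn = dn.replace("{" + str(i) + "}", group)
        return dn
    return None  # no rule matched, so no {USER} value can be produced

def build_authz_query(template: str, username: str,
                      mapping: List[Dict[str, str]]) -> str:
    """Expand a queryTemplate for one login: {USER} gets the mapped DN and
    {PROVIDED_USER} the raw login name, both filter-escaped."""
    user_dn = map_user_to_dn(username, mapping)
    if user_dn is None and "{USER}" in template:
        raise ValueError(f"no userToDNMapping rule matches {username!r}")
    values = {"PROVIDED_USER": ldap_filter_escape(username),
              "USER": ldap_filter_escape(user_dn or "")}
    # Single pass, so a substituted value is never re-scanned for tokens.
    return re.sub(r"\{(USER|PROVIDED_USER)\}", lambda m: values[m.group(1)], template)
```

With the posixGroup template, a login of "bob" yields a base-scope search under ou=group for `(memberUid=bob)`; a mapping rule that does not match the login name leaves {USER} unfillable, which the model reports instead of sending an empty assertion value.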

 Comments   
Comment by Githook User [ 14/Aug/19 ]

Author:

{'username': 'kay-kim', 'email': 'kay.kim@10gen.com', 'name': 'Kay Kim'}

Message: DOCS-12399: 4.2 PROVIDED_USER substitution token
Branch: master
https://github.com/mongodb/docs/commit/5cc5ed8f2955a31f0cd722526f7a3a165f051d80
