[DOCS-9594] Document LDAP Referral support for native LDAP authn / authz

Created: 05/Dec/16
Updated: 30/Oct/23
Resolved: 19/Jan/17

Status: Closed
Project: Documentation
Component/s: Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Task
Priority: Major - P3
Reporter: Rahul Dhodapkar
Assignee: Ravind Kumar (Inactive)
Resolution: Done
Votes: 0
Labels: security-ldap
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Days since reply: 7 years, 3 weeks, 6 days ago
Story Points: 0.25

Description

Documentation should specify that the "security.ldap.servers" parameter must specifically be used for redundancy.

https://docs.mongodb.com/manual/reference/configuration-options/#security.ldap.servers

Not sure where, but for clients with multiple LDAP servers distributed across multiple locations, a specification of the LDAP referral structure required by MongoDB would be valuable to point clients at.



Comments
Comment by Githook User [ 19/Jan/17 ]

Author: ravind (rkumar-mongo) <ravind.kumar@10gen.com>

Message: DOCS-9594: ldapServers additional hosts for redundancy only

Signed-off-by: kay <kay.kim@10gen.com>
Branch: master
https://github.com/mongodb/docs/commit/cfac4677f974e822246e2591a6573b53562ee13a

Comment by Ravind Kumar (Inactive) [ 19/Jan/17 ]

https://github.com/mongodb/docs/pull/2824

Comment by Spencer Jackson [ 06/Dec/16 ]

ravind.kumar Yes.
rahul.dhodapkar See subsection 4.1.10 of RFC4511. Basically, the LDAP protocol defines a way for servers to respond that they don't store information about the subtree you're talking about, but they do know which server to ask. They send a referral, and your client can go chase it to get the information. We support chasing these types of referrals. There's nothing stopping an LDAP administrator from creating a new data type for storing LDAP URIs describing a document on a remote server, and we would not be able to chase that. Because I haven't seen that described as a standard practice, that hopefully shouldn't come up.
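
Added example (not part of the ticket and not MongoDB's code): a minimal BER reader that extracts the referral URIs from an LDAPResult with resultCode referral, the RFC 4511 section 4.1.10 mechanism described in the comment above, so an administrator can see which hosts a referral-chasing client would be directed to. The sample message, host names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

REFERRAL = 10  # LDAPResult resultCode "referral" (RFC 4511 section 4.1.10)

def read_tlv(buf, pos):
    """Decode one BER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def referral_hosts(message):
    """Return (resultCode, [(uri, host), ...]) for an LDAPMessage holding an LDAPResult."""
    tag, body, _ = read_tlv(message, 0)
    fields = children(body)
    if tag != 0x30 or len(fields) < 2:
        raise ValueError("not an LDAPMessage")
    result = children(fields[1][1])        # resultCode, matchedDN, diagnosticMessage, ...
    if len(result) < 3 or result[0][0] != 0x0A:
        raise ValueError("protocolOp is not an LDAPResult")
    code = int.from_bytes(result[0][1], "big")
    uris = [u.decode() for t, v in result[3:] if t == 0xA3      # referral [3]
            for ut, u in children(v) if ut == 0x04]             # each URI is an OCTET STRING
    return code, [(u, urlsplit(u).hostname) for u in uris]

def tlv(tag, value):                       # short-form encoder, enough for the sample below
    return bytes([tag, len(value)]) + value

# Constructed sample: SearchResultDone (tag 0x65), messageID 2, referral to two hosts.
URIS = [b"ldap://ldap2.example.net/ou=eng,dc=example,dc=net",
        b"ldap://ldap3.example.net/ou=eng,dc=example,dc=net"]
SAMPLE = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x65,
    tlv(0x0A, bytes([REFERRAL])) + tlv(0x04, b"") + tlv(0x04, b"")
    + tlv(0xA3, b"".join(tlv(0x04, u) for u in URIS))))
```
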

Comment by Rahul Dhodapkar [ 06/Dec/16 ]

(assuming they are using some sane implementation of referrals).

Do we have any notion of specifically what referral implementation we support? (I'm not all that familiar with LDAP referrals so it is entirely possible there is only one notion of this)
