[SERVER-30491] LDAP authorisation tries to transform username when GSSAPI (Kerberos) is used as authentication twice Created: 03/Aug/17  Updated: 30/Oct/23  Resolved: 01/Dec/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.4.4, 3.4.6
Fix Version/s: 3.7.1

Type: Bug Priority: Major - P3
Reporter: Markus Thielsch Assignee: Sara Golemon
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File mongod.log     HTML File mongodconfig    
Issue Links:
Backports
Problem/Incident
causes SERVER-36456 MongoD does not support kerberos on W... Closed
Related
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Requested:
v3.6
Steps To Reproduce:

1. Kerberised mongod using LDAP authorisation
2. kinit the user you want to authenticate with
3. logon to the mongod and db.auth() the user on the $external database

mongod config used attached

Sprint: Platforms 2017-12-18
Participants:
Case:

 Description   

A kerberised mongod using LDAP authorisation is trying to transform and bind the kerberos user principal twice when a user logs on using GSSAPI. This results in the following messages in the mongod log file entries:

2017-08-03T02:14:09.627+0000 E ACCESS   [conn18] LDAP authorization failed: FailedToParse: Failed to transform bind user name to LDAP DN: Failed to transform user 'mongomonitor'. No matching transformation out of 1 available transformations. Results: { rule: { match: "(.+)" ldapQuery: "CN=USERS,DC=BEAGLE,DC=MONGODB,DC=COM??sub?(userPrincipalName={0})" } error: "UserNotFound: LDAP query 'BaseDN: "CN=USERS,DC=BEAGLE,DC=MONGODB,DC=COM", Scope: "sub", Filter: "(userPrincipalName=mongomonitor)"' returned no results" }, 
2017-08-03T02:14:09.627+0000 D ACCESS   [conn18] auxpropMongoDBInternal failed to find privilege document: OperationFailed: Failed to acquire LDAP group membership
2017-08-03T02:14:11.161+0000 I ACCESS   [conn18] Successfully authenticated as principal mongomonitor@EXAMPLE.COM on $external
2017-08-03T02:14:11.161+0000 I COMMAND  [conn18] command $external.$cmd command: saslContinue { saslContinue: 1, conversationId: 1, mechanism: "GSSAPI", payload: BinData(0, 050404FF000C0000000000002B6C707F010000006D6F6E676F6D6F6E69746F72404558414D504C452E434F4DB6CCC2E495461D03D086DB4A) } numYields:0 reslen:78 locks:{} protocol:op_query 2293ms

The kerberos principal used here is mongomonitor@EXAMPLE.COM. First the mongod tries to transform using mongomonitor as userPrincipalName but fails. It then uses mongomonitor@EXAMPLE.COM and succeeds as this is correctly defined in LDAP.

Is this intended or a bug?

The error message gives the impression it fails but I can use the user to do tasks he is allowed to due to the later correct mapping:

2017-08-03T02:14:11.161+0000 I COMMAND  [conn18] command $external.$cmd command: saslContinue { saslContinue: 1, conversationId: 1, mechanism: "GSSAPI", payload: BinData(0, 050404FF000C0000000000002B6C707F010000006D6F6E676F6D6F6E69746F72404558414D504C452E434F4DB6CCC2E495461D03D086DB4A) } numYields:0 reslen:78 locks:{} protocol:op_query 2293ms
2017-08-03T02:14:11.161+0000 I COMMAND  [conn18] command admin.$cmd command: isMaster { isMaster: 1 } numYields:0 reslen:524 locks:{} protocol:op_query 0ms
2017-08-03T02:14:11.162+0000 I COMMAND  [conn18] command admin.$cmd command: replSetGetStatus { replSetGetStatus: 1 } numYields:0 reslen:1288 locks:{} protocol:op_query 0ms
2017-08-03T02:14:11.163+0000 I COMMAND  [conn18] command local.oplog.rs command: serverStatus { serverStatus: 1, oplog: 1, tcmalloc: 1 } numYields:0 reslen:23388 locks:{ Global: { acquireCount: { r: 2 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 0ms
2017-08-03T02:14:11.164+0000 I COMMAND  [conn18] command local.oplog.rs command: collStats { collstats: "oplog.rs" } numYields:0 reslen:5810 locks:{ Global: { acquireCount: { r: 2 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 0ms

mongod log file attached



 Comments   
Comment by Githook User [ 01/Dec/17 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-30491 Remove cyrus auxprop module
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/8fa68a5884a79b71db5fea9bdc3415aa339e837a

Comment by Githook User [ 01/Dec/17 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-30491 Remove CRAM-MD5
Branch: master
https://github.com/mongodb/mongo/commit/4a5f07ba38561db71727fe4254de5e9c24053645

Generated at Thu Feb 08 04:24:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.