[SERVER-30491] LDAP authorisation tries to transform username when GSSAPI (Kerberos) is used as authentication twice Created: 03/Aug/17 Updated: 30/Oct/23 Resolved: 01/Dec/17 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.4.4, 3.4.6 |
| Fix Version/s: | 3.7.1 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Markus Thielsch | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
|
||||||||||||||||
| Issue Links: |
|
||||||||||||||||
| Backwards Compatibility: | Minor Change | ||||||||||||||||
| Operating System: | ALL | ||||||||||||||||
| Backport Requested: |
v3.6
|
||||||||||||||||
| Steps To Reproduce: | 1. Kerberised mongod using LDAP authorisation mongod config used attached |
||||||||||||||||
| Sprint: | Platforms 2017-12-18 | ||||||||||||||||
| Participants: | |||||||||||||||||
| Case: | (copied to CRM) | ||||||||||||||||
| Description |
|
A kerberised mongod using LDAP authorisation is trying to transform and bind the kerberos user principal twice when a user logs on using GSSAPI. This results in the following messages in the mongod log file entries:
The kerberos principal used here is mongomonitor@EXAMPLE.COM. First the mongod tries to transform using mongomonitor as userPrincipalName but fails. It then uses mongomonitor@EXAMPLE.COM and succeeds as this is correctly defined in LDAP. Is this intended or a bug? The error message gives the impression it fails but I can use the user to do tasks he is allowed to due to the later correct mapping:
mongod log file attached |
| Comments |
| Comment by Githook User [ 01/Dec/17 ] |
|
Author: {'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}Message: |
| Comment by Githook User [ 01/Dec/17 ] |
|
Author: {'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}Message: |