[SERVER-31625] The contents of {USER} needs to be escaped when querying for the groups using LDAP server Created: 18/Oct/17  Updated: 30/Oct/23  Resolved: 05/Dec/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.4.9
Fix Version/s: 3.4.11, 3.6.2, 3.7.1

Type: Bug Priority: Major - P3
Reporter: Andrey Brindeyev Assignee: Andrey Brindeyev
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Documented
is documented by DOCS-11100 Docs for SERVER-31625: The contents o... Closed
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v3.6, v3.4
Sprint: Platforms 2017-11-13, Platforms 2017-12-04
Participants:
Case:

Description

When LDAP authentication and authorization are enabled in the Server, the contents of the {USER} value in the security.ldap.authz.queryTemplate configuration option need to be escaped in accordance with RFC 4515 before substitution into the search filter. Please see the example below:

$ mongo --host rhel-73.acme.qa --authenticationDatabase '$external' --authenticationMechanism PLAIN --username peter.pan -p
MongoDB shell version v3.4.9
Enter password:
connecting to: mongodb://rhel-73.acme.qa:27017/
MongoDB server version: 3.4.9
2017-10-18T11:37:14.679-0700 E QUERY    [thread1] Error: Failed to acquire LDAP group membership :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):7:1
@(auth):1:2
exception: login failed

mongod.log:

2017-10-18T11:37:14.679-0700 E ACCESS   [conn5] LDAP authorization failed: UnknownError: Failed to obtain LDAP entities for query 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"': LDAP Operation <ldap_search_ext_s>, Failed to perform query: Bad search filter' Query was: 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"'". (-7/Bad search filter)

Corresponding ldapsearch reproduction (please disregard bash-related escaping of the single quote character):

$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie'"'"'s fictional character),CN=Users,DC=ACME,DC=QA))' cn
Enter LDAP Password:
ldap_search_ext: Bad search filter (-7)

Correct search filter syntax (please disregard bash-related escaping of the single quote character):

$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\\2c Peter \\28J.M. Barrie'"'"'s fictional character\\29,CN=Users,DC=ACME,DC=QA))' cn
Enter LDAP Password:
dn: CN=Global-Admins-Database,CN=Users,DC=ACME,DC=QA
cn: Global-Admins-Database
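The escaping the fix commit describes, as an added example (Python, not MongoDB's own implementation): it applies the RFC 4515 table (backslash, `*`, `(`, `)` and NUL become `\5c`, `\2a`, `\28`, `\29`, `\00`) to the {USER} value before substituting it into an assumed queryTemplate that reproduces the failing filter from mongod.log, and includes a well-formedness check usable as a unit test so that no substituted value can alter the filter's structure. Note that strict escaping renders the DN's `\,` as `\5c,`, whereas the reporter's hand-built ldapsearch filter above encodes that comma as `\2c`.

```python
# Added example (not MongoDB's own code): RFC 4515 escaping of the {USER} value
# before it is substituted into security.ldap.authz.queryTemplate.
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Grammar of a well-formed assertion value: no bare special characters, and every
# backslash introduces exactly one two-hex-digit escape.
_CLEAN_VALUE = re.compile(r"(?:[^\\*()\x00]|\\[0-9a-fA-F]{2})*")


def escape_filter_value(value: str) -> str:
    """Escape an arbitrary string for use as an assertion value in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def is_well_formed_value(value: str) -> bool:
    """True if value can be embedded in a filter without changing the filter's structure."""
    return _CLEAN_VALUE.fullmatch(value) is not None


def render_query_template(template: str, user: str) -> str:
    """Substitute the authenticated user's DN for {USER}, escaping it first.

    The template layout (baseDN?attributes?scope?filter) follows MongoDB's RFC 4516
    style queryTemplate; the exact template used on the ticket is an assumption."""
    escaped = escape_filter_value(user)
    if not is_well_formed_value(escaped):  # defensive: escaping must never emit bare specials
        raise ValueError("escaped {USER} value is not a valid RFC 4515 assertion value")
    return template.replace("{USER}", escaped)


# Constructed from the ticket: the reporter's user DN, and a template that yields the
# filter shown in mongod.log once {USER} is substituted (template is assumed).
QUERY_TEMPLATE = ("cn=Users,dc=ACME,dc=QA??sub?"
                  "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))")
USER_DN = "CN=Pan\\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA"

if __name__ == "__main__":
    # The raw DN contains '(' ')' and '\,' and so is not a valid assertion value as-is.
    print("raw DN well-formed as filter value:", is_well_formed_value(USER_DN))  # False
    print(render_query_template(QUERY_TEMPLATE, USER_DN))
```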



Comments
Comment by Githook User [ 04/Jan/18 ]

Author:

{'name': 'Andrey Brindeyev', 'email': 'andrey.brindeyev@mongodb.com'}

Message: SERVER-31625 RFC4515 escape DNs substituted in LDAP query filter

Closes #32

(cherry picked from commit bd0e263e5813659193bfc53a92a908f64d3344d5)
Branch: v3.4
https://github.com/10gen/mongo-enterprise-modules/commit/aa831a2e71bffbae8e2398851be13111ad525686

Comment by Githook User [ 04/Jan/18 ]

Author:

{'name': 'Andrey Brindeyev', 'email': 'andrey.brindeyev@mongodb.com'}

Message: SERVER-31625 RFC4515 escape DNs substituted in LDAP query filter

Closes #32

(cherry picked from commit bd0e263e5813659193bfc53a92a908f64d3344d5)
Branch: v3.6
https://github.com/10gen/mongo-enterprise-modules/commit/0439ffb780809d3561061542bedefeff917fb159

Comment by Githook User [ 05/Dec/17 ]

Author:

{'email': 'andrey.brindeyev@mongodb.com', 'name': 'Andrey Brindeyev'}

Message: SERVER-31625 RFC4515 escape DNs substituted in LDAP query filter

Closes #32
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/bd0e263e5813659193bfc53a92a908f64d3344d5

Generated at Thu Feb 08 04:27:40 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.