[SERVER-32948] LDAP enhancement for Active Directory SRV discovery Created: 29/Jan/18  Updated: 29/Oct/23  Resolved: 30/Sep/21

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.6.2
Fix Version/s: 5.1.0-rc0

Type: Improvement Priority: Major - P3
Reporter: Luke Prochazka Assignee: Backlog - Security Team
Resolution: Fixed Votes: 7
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-59048 Add support for SRV and SRV raw to LD... Closed
Related
related to SERVER-59048 Add support for SRV and SRV raw to LD... Closed
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Participants:
Case:

Description

This is an LDAP improvement request to enhance support for Active Directory LDAP server discovery via DNS SRV records. Active Directory will by default dynamically publish all LDAP servers available in the domain. This client feature would apply to all platform builds, not just Windows.

I suggest adding a configuration option, say security.ldap.msad (default false), to explicitly enable AD discovery. The corresponding security.ldap.servers parameter would need to contain the AD domain name where the SRV records are populated. Optionally, you may attempt to detect the domain name by truncating the hostname and/or traversing up towards the TLD of the FQDN. A successful query against the "_ldap._tcp." SRV records will indicate success of discovery, as this sample indicates:

nslookup
> set q=SRV
> _ldap._tcp.mongodb.org.
Server:  UnKnown
Address:  172.31.1.5
 
_ldap._tcp.mongodb.org  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = adc1.mongodb.org
adc1.mongodb.org        internet address = 172.31.1.5

The other resource records can be used to specify the LDAP port. In the likely case that multiple servers are discovered, you may optionally consider the priority and weight to determine LDAP server preference.

Additional reference material can be found on an MSKB here.
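As an added illustration (not code from this ticket or from MongoDB), a client-side sketch in Python of the discovery steps described above: build the `_ldap._tcp.<domain>` query name, derive candidate domains from a host FQDN, and order the returned SRV records by priority and weight as RFC 2782 prescribes. DNS resolution itself is left out; the records are constructed inline, with adc2/adc3 as placeholder host names.

```python
import random
from collections import namedtuple

# one answer from a _ldap._tcp.<domain> SRV query
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def srv_name(domain):
    # owner name queried for AD LDAP discovery: _ldap._tcp.<domain>.
    return "_ldap._tcp." + domain.strip(".") + "."

def candidate_domains(fqdn):
    # security.ldap.servers holds a host FQDN: drop the host label and walk
    # toward the TLD, never querying the bare TLD itself
    labels = fqdn.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def order_srv(records, rng=None):
    # RFC 2782 ordering: lowest priority first; within one priority, draw
    # repeatedly with probability proportional to weight (weight-0 last)
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]  # only weight-0 records left
            if total > 0:
                n, acc = rng.randrange(total), 0
                for r in pool:
                    acc += r.weight
                    if n < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered

def ldap_candidates(records, rng=None):
    # host:port strings in the order a client should try them
    return [f"{r.target.strip('.')}:{r.port}" for r in order_srv(records, rng)]

# Constructed sample: adc1 from the nslookup output above plus two hypothetical
# lower-preference servers (adc2/adc3 are placeholder names).
SAMPLE_RECORDS = [
    SrvRecord(priority=1, weight=0, port=389, target="adc3.mongodb.org."),
    SrvRecord(priority=0, weight=100, port=389, target="adc1.mongodb.org."),
    SrvRecord(priority=1, weight=100, port=636, target="adc2.mongodb.org."),
]
```

With these weights the order is deterministic: the priority-0 record first, then the weighted priority-1 server before its weight-0 sibling.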



Comments
Comment by Mark Benvenuto [ 30/Sep/21 ]

We added SRV support in SERVER-59048.

Customers will need to prefix ldap server entries with "srv:" to instruct MongoDB to do SRV lookups.

Comment by Dayo Lasode [ 26/Apr/18 ]

This will be an invaluable feature in my opinion.
We are currently wrestling with TCP issues around LDAP authentication, and a DNS SRV record makes managing LDAP server availability less cumbersome.

Regards,
Dayo

Generated at Thu Feb 08 04:31:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.