[SERVER-33489] Cannot authenticate as LDAP user with escaped characters in name when authorization is not enabled Created: 26/Feb/18  Updated: 12/Mar/18  Resolved: 06/Mar/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Marko Vojvodic Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-33593 Heavy escaping required in shell for ... Closed
Operating System: ALL
Participants:

Description

It appears as though there is a discrepancy in the way MongoDB handles usernames during authentication that are LDAP DNs with escaped characters. The following behavior was observed on 3.4.13 and 3.6.2.

I have tested this with two users, one with escaped characters and one without:

CN=Vojvodic\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com

CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com

Both users are members of the group:

CN=DBAs\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com

First, I added two users to MongoDB configured for LDAP authentication (no authorization).

Connecting with the username with escaped special characters fails (note the necessary escaping \ before the \,):

marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
MongoDB shell version v3.6.2
Enter password: 
connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
2018-02-26T11:41:15.077-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
2018-02-26T11:41:15.237-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:41:15.237-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:41:15.456-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
MongoDB server version: 3.4.13
WARNING: shell and server versions do not match
2018-02-26T11:41:15.608-0500 I NETWORK  [thread1] Marking host marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
2018-02-26T11:41:15.801-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 0 second timeout)
2018-02-26T11:41:15.913-0500 I NETWORK  [thread1] Marking host marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
2018-02-26T11:41:16.117-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 0 second timeout)
2018-02-26T11:41:16.200-0500 I NETWORK  [thread1] Marking host marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
2018-02-26T11:41:16.355-0500 I NETWORK  [thread1] Marking host marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 as failed :: caused by :: UserNotFound: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external
2018-02-26T11:41:16.355-0500 E QUERY    [thread1] Error: can't authenticate against replica set node marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017: Could not find user CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com@$external :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1608:20
@(auth):7:1
@(auth):1:2
exception: login failed

Connecting with the username with no special characters succeeds as expected:

marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
MongoDB shell version v3.6.2
Enter password: 
connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
2018-02-26T11:46:11.891-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
2018-02-26T11:46:12.250-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:46:12.345-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:46:12.724-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
MongoDB server version: 3.4.13
WARNING: shell and server versions do not match
MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
admin  0.000GB
local  0.000GB

Next, I configured authorization on MongoDB with the following security.ldap.authz.queryTemplate:

CN=DBAs\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))

Connecting with the username with escaped special characters succeeds:

marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
MongoDB shell version v3.6.2
Enter password: 
connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
2018-02-26T11:43:11.655-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
2018-02-26T11:43:11.909-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:43:11.910-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:43:12.146-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
MongoDB server version: 3.4.13
WARNING: shell and server versions do not match
MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
admin  0.000GB
local  0.000GB

Connecting with the username with no special characters succeeds as well:

marko$ mongo "mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0" --ssl --authenticationMechanism PLAIN --authenticationDatabase '$external' --username 'CN=marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com' --password
MongoDB shell version v3.6.2
Enter password: 
connecting to: mongodb://marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017/test?replicaSet=marko-2-shard-0
2018-02-26T11:44:32.540-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-2-shard-0/marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017,marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017
2018-02-26T11:44:32.818-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-01-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:44:32.835-0500 I NETWORK  [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-02-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
2018-02-26T11:44:33.106-0500 I NETWORK  [thread1] Successfully connected to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 (1 connections now open to marko-2-shard-00-00-sfl7e.mmscloudteam.com:27017 with a 5 second timeout)
MongoDB server version: 3.4.13
WARNING: shell and server versions do not match
MongoDB Enterprise marko-2-shard-0:PRIMARY> show dbs
admin  0.000GB
local  0.000GB



Comments
Comment by Marko Vojvodic [ 06/Mar/18 ]

spencer.jackson the workaround you suggested works. I think it makes more sense for us to implement the workaround in the application codebase than potentially break existing databases and applications. Thanks for the detailed response - I don't think anything else needs to be done on this ticket.

Comment by Spencer Jackson [ 06/Mar/18 ]

I believe there is an issue with our use of PCRECPP. We attempt to transform the usernames, with the userToDNMapping, regardless of whether one has been set. However, the function we call treats '\' as a special character. '\' followed by a non-numeric gets skipped, '\' followed by another '\' gets mapped to a single '\'.

When using LDAP authorization, I suspect your '\\' is getting remapped to '\'. This user can be queried for from the LDAP server.

When you're using LDAP authentication, I suspect a user with the exact name you entered is pulled out of the admin.system.users collection. Try creating the user with a second '\' character.

Let me know if this workaround works for you.

This would likely be very easy to fix. All we'd have to do is duplicate any '\' characters which occurred in the username before it touched PCRECPP. However, this would break the usernames encoded into existing databases and applications.
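The two backslash rules Spencer describes above, and the "double every '\' first" fix he sketches, modelled in a small stand-alone program. This is an added illustration, not MongoDB's or PCRECPP's code; the handling of a '\' followed by a digit or at the end of the string is not covered by the comment and is an assumption noted in the code.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Model of the rewrite step the comment describes: the typed username is
// passed through a PCRE-style rewrite even with no userToDNMapping set.
//   "\\"          -> "\"   (two backslashes collapse to one)
//   "\" + non-digit -> that character, the '\' is skipped
// Assumption: "\" + digit is a capture-group reference in real PCRE rewrite
// strings and is passed through unchanged here; a trailing '\' is dropped.
std::string rewriteAsDescribed(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        char c = in[i];
        if (c != '\\') { out.push_back(c); continue; }
        if (i + 1 >= in.size()) break;          // trailing '\' (assumption: dropped)
        char next = in[++i];
        if (next == '\\') {
            out.push_back('\\');                 // "\\" -> "\"
        } else if (std::isdigit(static_cast<unsigned char>(next))) {
            out.push_back('\\'); out.push_back(next);   // back-reference, kept as-is
        } else {
            out.push_back(next);                 // "\," -> ",": the '\' is skipped
        }
    }
    return out;
}

// The fix the comment sketches: duplicate every '\' before the rewrite runs,
// so the rewrite hands back exactly the name the client sent.
std::string escapeBackslashes(const std::string& in) {
    std::string out;
    for (char c : in) { if (c == '\\') out.push_back('\\'); out.push_back(c); }
    return out;
}

// Authentication-only path as described: admin.system.users is searched for
// the exact string the client sent, so the stored name must match it.
bool storedUserMatches(const std::string& typed, const std::string& stored) {
    return typed == stored;
}

int main() {
    // Constructed: what the shell passes when the user types '...\\, Marko...'
    const std::string typed  = "CN=Vojvodic\\\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com";
    const std::string stored = "CN=Vojvodic\\, Marko,CN=Users,DC=aws-atlas-ads-test-01,DC=mmscloudteam,DC=com";
    std::cout << "LDAP bind DN after rewrite : " << rewriteAsDescribed(typed) << '\n';
    std::cout << "system.users exact match   : " << storedUserMatches(typed, stored) << '\n';
    std::cout << "with escaping fix applied  : " << rewriteAsDescribed(escapeBackslashes(stored)) << '\n';
    return 0;
}
```

The first line of output is the DN the LDAP server resolves (which is why authorization mode succeeds), the second shows why authentication-only mode reports UserNotFound unless the account is created with the doubled backslash, and the third shows that the sketched server fix makes the rewrite a no-op for single-backslash names.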

Generated at Thu Feb 08 04:33:34 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.