[SERVER-33593] Heavy escaping required in shell for LDAP DNs with special characters Created: 01/Mar/18  Updated: 21/Jun/22  Resolved: 06/Mar/18

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 3.4.13, 3.6.3
Fix Version/s: None

Type: Bug Priority: Minor - P4
Reporter: Andrey Brindeyev Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-33489 Cannot authenticate as LDAP user with... Closed
Related
Operating System: ALL
Steps To Reproduce:

mongod.conf excerpt:

security:
  authorization: enabled
  ldap:
    servers: "ad.acme.qa"
    bind:
      queryUser: "mdb@acme.qa"
      queryPassword: 'Pa$$w0rd'
    transportSecurity: none
setParameter:
  authenticationMechanisms: "PLAIN,GSSAPI,SCRAM-SHA-1"

LDAP object's definition:

$ ldapsearch -LLL -H ldaps://ad.acme.qa:636 -D "mdb@acme.qa" -w 'Pa$$w0rd' -x -b 'DC=acme,DC=qa' '(samAccountName=john.doe)' dn
dn: CN=Doe\, John (the second one),OU=FooBar (with commas\, left and right par
 ens),DC=ACME,DC=QA

1. Unsuccessful authentication
1.1. MongoDB user creation:

MongoDB Enterprise > db.getSiblingDB('$external').createUser({user: 'CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA', roles: [ { role: 'root', db: 'admin' } ] });
Successfully added user: {
	"user" : "CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA",
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"
		}
	]
}

1.2. Authentication attempt in MongoDB Shell:

MongoDB Enterprise > db.getSiblingDB('$external').auth({user: "CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA", pwd: 'Pa$$w0rd', mechanism: 'PLAIN'});
Error: Authentication failed.
0

1.3. MongoDB log entries:

2018-03-01T03:13:16.267-0800 D ACCESS   [conn3] Binding to LDAP server "default" with bind parameters: {BindDN: CN=Doe, authenticationType: simple}
2018-03-01T03:13:16.270-0800 E ACCESS   [conn3] Failed to bind to LDAP server at default: Invalid credentials. Bind parameters were: {BindDN: CN=Doe, authenticationType: simple}
2018-03-01T03:13:16.270-0800 I ACCESS   [conn3] PLAIN authentication failed for CN=Doe\, John (the second one),OU=FooBar (with commas\, left and right parens),DC=ACME,DC=QA on $external from client 127.0.0.1:39416 ; OperationFailed: LDAP bind failed with error: Invalid credentials

2. Successful authentication
2.1. MongoDB user creation:

MongoDB Enterprise > db.getSiblingDB('$external').createUser({user: 'CN=Doe\\\\, John (the second one),OU=FooBar (with commas\\\\, left and right parens),DC=ACME,DC=QA', roles: [ { role: 'root', db: 'admin' } ] });
Successfully added user: {
	"user" : "CN=Doe\\\\, John (the second one),OU=FooBar (with commas\\\\, left and right parens),DC=ACME,DC=QA",
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"
		}
	]
}

2.2. Authentication attempt in MongoDB Shell:

MongoDB Enterprise > db.getSiblingDB('$external').auth({user: "CN=Doe\\\\, John (the second one),OU=FooBar (with commas\\\\, left and right parens),DC=ACME,DC=QA", pwd: 'Pa$$w0rd', mechanism: 'PLAIN'});
1

2.3. MongoDB log entries:

2018-03-01T03:22:05.621-0800 D ACCESS   [conn4] Binding to LDAP server "default" with bind parameters: {BindDN: CN=Doe\, John (the second one),OU=FooBar (with commas\, left and right parens),DC=ACME,DC=QA, authenticationType: simple}
2018-03-01T03:22:05.631-0800 I ACCESS   [conn4] Successfully authenticated as principal CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA on $external

Description:

Users currently need to use 4 backslashes instead of the expected 2 to escape LDAP DNs with special characters in order to authenticate.
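
The backslash layering behind the four-backslash workaround, worked through as an added example in JavaScript (not code from this ticket or from MongoDB): a small RFC 4514 RDN splitter shows the DN the LDAP server has to receive, `escapeDnValue` builds that DN from raw attribute values, and `unescapeOnce` models, as an assumption inferred from the BindDN values in the 1.3 and 2.3 log lines, one extra escape layer being consumed before the bind.

```javascript
// Minimal RFC 4514 DN splitter: split on commas that are not escaped.
// An escape pair ("\x") is kept verbatim so "\\," is an escaped backslash
// followed by a real separator, while "\," is an escaped comma.
function splitRdns(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      cur += ch + dn[++i]; // keep the escape pair as-is
    } else if (ch === ",") {
      rdns.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  rdns.push(cur);
  return rdns;
}

// RFC 4514 section 2.4 escaping for one attribute value: special characters
// get a backslash, as do a leading '#' or space and a trailing space.
function escapeDnValue(value) {
  const lead = /^[# ]/.test(value) ? "\\" : "";
  const body = value.replace(/["+,;<>\\]/g, (c) => "\\" + c);
  // a lone leading space is already covered by `lead`
  const trail = value.length > 1 && value.endsWith(" ");
  return lead + (trail ? body.slice(0, -1) + "\\ " : body);
}

// ASSUMPTION (inferred from the ticket's log lines, not verified against the
// server source): one backslash layer is consumed ("\x" -> "x") before the
// user name is used as the LDAP BindDN.
function unescapeOnce(s) {
  return s.replace(/\\(.)/g, "$1");
}

// What the bind sees for a given $external user name under that assumption.
function bindDnSeenByLdap(userName) {
  return splitRdns(unescapeOnce(userName));
}

// DN exactly as ldapsearch printed it: one real backslash per escaped comma,
// which is two backslashes in a JS string literal (the step 1 form).
const twoBackslash = "CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA";
// The step 2 workaround: four backslashes in the literal, two in the value.
const fourBackslash = "CN=Doe\\\\, John (the second one),OU=FooBar (with commas\\\\, left and right parens),DC=ACME,DC=QA";
```

Under the assumed extra unescape, `bindDnSeenByLdap(twoBackslash)` collapses to a BindDN starting with `CN=Doe` (the 1.3 log line), while `bindDnSeenByLdap(fourBackslash)` yields the four correctly escaped RDNs shown in 2.3.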

Comments:
Comment by Spencer Jackson [ 06/Mar/18 ]

It appears a ticket describing the same issue was reported before this one, in the triage batch. I'm going to close this as a duplicate.

Generated at Thu Feb 08 04:33:56 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.