[SERVER-36117] LDAP Authorization add support for posixGroup schema (RFC2307) Created: 13/Jul/18  Updated: 29/Oct/23  Resolved: 29/Jan/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.1.8

Type: Improvement Priority: Major - P3
Reporter: Emilio Scalise Assignee: Jonathan Reams
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-12399 Docs for SERVER-36117: LDAP Authoriza... Closed
Related
Backwards Compatibility: Fully Compatible
Sprint: Security 2018-12-17, Security 2019-01-14, Security 2019-01-28, Security 2019-02-11
Participants:
Case:

 Description   

When LDAP authentication and authorization are enabled in the Server, there is a variable

{USER}

that can be used in the security.ldap.authz.queryTemplate configuration option.

That variable will contain the DN of the user after the security.ldap.userToDNMapping expression is processed.

Please add another variable, such as

{0}

that allows using the non-mapped username (the username passed to the client).

This will be useful for LDAP environments where the posixGroup schema is used (RFC2307) and the member field contains the user uid instead of the full DN:

Example posixGroup element:

dn: cn=Administrators,ou=group,ou=engineering,dc=example,dc=com
memberUid: bob
memberUid: eve
memberUid: tom
cn: Administrators
objectClass: posixgroup
objectClass: top
gidNumber: 12345

Possible configuration settings for MongoDB once the {0} variable is available:

security.ldap.authz.queryTemplate = ou=group,ou=engineering,dc=example,dc=com??base?(&(objectClass=posixGroup)(memberUid={0}))
security.ldap.userToDNMapping=[{match : "(.+)",substitution:"uid={0},ou=people,ou=engineering,dc=example,dc=com"}]

If the username is "bob":

  • {0} will be "bob" in the security.ldap.userToDNMapping parameter and the security.ldap.authz.queryTemplate
  • {USER} will be "uid=bob,ou=people,ou=engineering,dc=example,dc=com"
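
The flow the reporter describes (username through security.ldap.userToDNMapping to {USER}, raw username as {0} into the security.ldap.authz.queryTemplate filter, then a search for posixGroup entries by memberUid), as an added Python example. It is not MongoDB's code and makes no claim about how the server implements the substitution; it models the server side against a constructed two-group directory. The regex and capture-group semantics of userToDNMapping and the RFC 4516 base?attrs?scope?filter reading of the template are assumptions. Two checks a practitioner would want are built in: the substituted username is escaped per RFC 4515 when it lands in the filter (and per RFC 4514 when it lands in a DN), so a username such as `*` cannot turn `(memberUid={0})` into a presence filter that matches every group; and the search scope is `one` rather than the `base` of the issue's example, because a base-scope search examines only the `ou=group` entry itself and returns no groups (the last assertion in the usage shows this).

```python
import re

# Added example, not MongoDB code. Constructed directory: two RFC 2307 posixGroup
# entries, the first copied from the issue's LDIF, the second invented.
DIRECTORY = [
    {"dn": "cn=Administrators,ou=group,ou=engineering,dc=example,dc=com",
     "objectClass": ["posixGroup", "top"], "memberUid": ["bob", "eve", "tom"]},
    {"dn": "cn=Developers,ou=group,ou=engineering,dc=example,dc=com",
     "objectClass": ["posixGroup", "top"], "memberUid": ["alice", "bob"]},
]

# The issue's settings, with Jira's "\{0}" escaping removed and the scope
# changed from "base" to "one" so the search covers entries beneath the OU.
USER_TO_DN_MAPPING = [{"match": "(.+)",
                       "substitution": "uid={0},ou=people,ou=engineering,dc=example,dc=com"}]
QUERY_TEMPLATE = ("ou=group,ou=engineering,dc=example,dc=com"
                  "??one?(&(objectClass=posixGroup)(memberUid={0}))")

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if value[:1] in ("#", " ") else out

def map_user_to_dn(username, mapping=USER_TO_DN_MAPPING):
    """First matching userToDNMapping rule wins. Assumed semantics: the regex
    must match the whole username and {N} is capture group N+1."""
    for rule in mapping:
        m = re.fullmatch(rule["match"], username)
        if m:
            dn = rule["substitution"]
            for i, group in enumerate(m.groups()):
                dn = dn.replace("{%d}" % i, escape_dn_value(group))
            return dn
    raise ValueError("no userToDNMapping rule matched %r" % username)

def expand_query_template(template, username, user_dn, escape=True):
    """Split base?attrs?scope?filter and substitute {USER} (mapped DN) and {0}
    (raw username); escape=False models pasting the values in verbatim."""
    base, attrs, scope, filt = template.split("?", 3)
    fesc = escape_filter_value if escape else (lambda v: v)
    desc = escape_dn_value if escape else (lambda v: v)
    base = base.replace("{USER}", user_dn).replace("{0}", desc(username))
    filt = filt.replace("{USER}", fesc(user_dn)).replace("{0}", fesc(username))
    return base, attrs, scope, filt

def parse_filter(s, pos=0):
    """Minimal RFC 4515 parser: (&...), (|...), (attr=value) and (attr=*)."""
    assert s[pos] == "(", "filter must start with '('"
    pos += 1
    if s[pos] in "&|":
        op, children, pos = s[pos], [], pos + 1
        while s[pos] != ")":
            child, pos = parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1
    end = s.index(")", pos)  # a ')' inside an escaped value is never literal
    attr, value = s[pos:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    if node[0] == "=":
        _, attr, raw = node
        vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        if raw == "*":               # presence filter: only reachable unescaped
            return bool(vals)
        want = unescape_filter_value(raw).lower()
        return any(v.lower() == want for v in vals)
    op, children = node
    return (all if op == "&" else any)(matches(c, entry) for c in children)

def search(directory, base, scope, tree):
    """DNs of entries within scope of base that satisfy the filter (RDNs are
    assumed not to contain escaped commas)."""
    base = base.lower()
    def in_scope(dn):
        dn = dn.lower()
        if scope == "base":
            return dn == base
        if scope == "one":
            return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
        return dn == base or dn.endswith("," + base)
    return [e["dn"] for e in directory if in_scope(e["dn"]) and matches(tree, e)]

def groups_for_user(username, escape=True):
    """Username -> mapped DN -> expanded template -> DNs of matching groups."""
    user_dn = map_user_to_dn(username)
    base, _, scope, filt = expand_query_template(QUERY_TEMPLATE, username, user_dn, escape)
    tree, _ = parse_filter(filt)
    return search(DIRECTORY, base, scope, tree)

if __name__ == "__main__":
    print(map_user_to_dn("bob"))
    print(groups_for_user("bob"))
    print(groups_for_user("*"))                # escaped: literal "*", no groups
    print(groups_for_user("*", escape=False))  # verbatim: presence filter, all groups
```

With escaping on, `bob` resolves to both groups, `eve` only to Administrators, and `*` to nothing; with escaping off the same `*` expands to `(memberUid=*)` and every posixGroup comes back, which is the outcome a server must prevent when it pastes a client-supplied username into a filter. The same applies to `{0}` inside the userToDNMapping substitution, where an unescaped comma in the username would append extra RDNs to the mapped DN.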


 Comments   
Comment by Githook User [ 30/Jan/19 ]

Author:

{'email': 'jbreams@mongodb.com', 'name': 'Jonathan Reams'}

Message: SERVER-36117 Allow substituting the original username in LDAP query templates
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/2f3cfa6c3b42c063d3b1d716d59d7d3a02441dec

Comment by Githook User [ 29/Jan/19 ]

Author:

{'username': 'jbreams', 'email': 'jbreams@mongodb.com', 'name': 'Jonathan Reams'}

Message: SERVER-36117 Allow substituting the original username in LDAP query templates
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/91939b89d53425fe2ceaeb878d0bf1c21d5ce6f1

Comment by Githook User [ 28/Jan/19 ]

Author:

{'username': 'jbreams', 'email': 'jbreams@mongodb.com', 'name': 'Jonathan Reams'}

Message: Revert "SERVER-36117 Allow substituting the original username in LDAP query templates"

This reverts commit 2f3cfa6c3b42c063d3b1d716d59d7d3a02441dec.
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/c3e5ce10477371a2c68f52c0ac038d9d2c4105e7

Generated at Thu Feb 08 04:42:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.