[SERVER-43090] Fix LDAP connection health tests with Okta Created: 29/Aug/19 Updated: 29/Oct/23 Resolved: 17/Oct/19 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 4.2.0 |
| Fix Version/s: | 4.3.1, 4.2.2, 4.0.14 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||
| Backwards Compatibility: | Minor Change | ||||||||||||||||
| Backport Requested: |
v4.2, v4.0
|
||||||||||||||||
| Sprint: | Security 2019-09-23, Security 2019-10-07, Security 2019-10-21 | ||||||||||||||||
| Participants: | |||||||||||||||||
| Description |
|
Okta's LDAP frontend appears to be very aggressive about rejecting unauthenticated commands, including RootDSE requests. This is unfortunate, because we rely on RootDSE queries to validate connection health on startup, and in our LDAP connection pooling logic. If MongoDB is using connection pooling, failing RootDSE queries will prevent connections from being established. If MongoDB is started without --ldapValidateLDAPServerConfig=false, failing RootDSE queries will prevent it from starting. I haven't been able to identify an LDAP command which could be issued against Okta endpoints which would succeed without authentication. In the absence of such a command, we may wish to consider LDAP error code 50/Insufficient Access a valid response for a successfully established connection in the connection pool. |
| Comments |
| Comment by Githook User [ 24/Oct/19 ] |
|
Author: {'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}Message: (cherry picked from commit d7f3530045d3d922b6157be098c14adcff51411f) |
| Comment by Githook User [ 24/Oct/19 ] |
|
Author: {'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}Message: (cherry picked from commit d7f3530045d3d922b6157be098c14adcff51411f) |
| Comment by Sara Golemon [ 17/Oct/19 ] |
|
This change allows LDAP servers to respond to basic liveness checks with LDAP_INSUFFICIENT_PRIVILEGES(50) and have that be taken as "Alive" since we didn't actually care about the result anyway. |
| Comment by Githook User [ 17/Oct/19 ] |
|
Author: {'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}Message: |