[SERVER-43090] Fix LDAP connection health tests with Okta Created: 29/Aug/19  Updated: 29/Oct/23  Resolved: 17/Oct/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 4.2.0
Fix Version/s: 4.3.1, 4.2.2, 4.0.14

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident: causes SERVER-45309 Ensure bind credentials live longer t... (Closed)
Backwards Compatibility: Minor Change
Backport Requested: v4.2, v4.0
Sprint: Security 2019-09-23, Security 2019-10-07, Security 2019-10-21

Description

Okta's LDAP frontend appears to be very aggressive about rejecting unauthenticated commands, including RootDSE requests. This is unfortunate, because we rely on RootDSE queries to validate connection health on startup, and in our LDAP connection pooling logic. If MongoDB is using connection pooling, failing RootDSE queries will prevent connections from being established. If MongoDB is started without --ldapValidateLDAPServerConfig=false, failing RootDSE queries will prevent it from starting.

I haven't been able to identify an LDAP command which could be issued against Okta endpoints which would succeed without authentication. In the absence of such a command, we may wish to consider LDAP error code 50/Insufficient Access a valid response for a successfully established connection in the connection pool.

Comments
Comment by Githook User [ 24/Oct/19 ]

Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)

Message: SERVER-43090 Refactor LDAP liveness check

(cherry picked from commit d7f3530045d3d922b6157be098c14adcff51411f)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/f5024fc0e3d7b03728e2232fda44dc3f565e391c

Comment by Githook User [ 24/Oct/19 ]

Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)

Message: SERVER-43090 Refactor LDAP liveness check

(cherry picked from commit d7f3530045d3d922b6157be098c14adcff51411f)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/f8e4b7b51b436977607d2ef0009c657707c059e1

Comment by Sara Golemon [ 17/Oct/19 ]

This change allows LDAP servers to respond to basic liveness checks with LDAP_INSUFFICIENT_PRIVILEGES(50) and have that be taken as "Alive" since we didn't actually care about the result anyway.
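As an added example (not code from the MongoDB enterprise module or from this ticket), the following Python models the probe discussed in the description and in the comment above: it hand-encodes the anonymous RootDSE search, decodes a constructed SearchResultDone carrying result code 50, and applies the liveness rule from the fix. The function names and the sample response bytes are assumptions, not taken from the ticket.

```python
# Added example, not MongoDB's code: models the liveness probe from this ticket by
# encoding the anonymous RootDSE search and decoding the server's SearchResultDone.
INSUFFICIENT_ACCESS_RIGHTS = 50

def _ber(tag: int, body: bytes) -> bytes:
    """BER TLV with definite length (short form under 128 bytes, long form above)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def rootdse_search_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] } for the RootDSE."""
    search = (_ber(0x04, b"")                        # baseObject "" (the RootDSE)
              + _ber(0x0A, b"\x00") + _ber(0x0A, b"\x00")  # scope baseObject, neverDerefAliases
              + _ber(0x02, b"\x00") + _ber(0x02, b"\x00")  # sizeLimit 0, timeLimit 0
              + _ber(0x01, b"\x00")                  # typesOnly FALSE
              + _ber(0x87, b"objectClass")           # filter: present (objectClass=*)
              + _ber(0x30, b""))                     # attributes: none requested
    return _ber(0x30, _ber(0x02, bytes([message_id])) + _ber(0x63, search))

def _tlv(buf: bytes, pos: int):                      # -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_search_result_done(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) of a SearchResultDone."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _tlv(body, 0)
    op_tag, result, _ = _tlv(body, pos)
    if op_tag != 0x65:                               # SearchResultDone [APPLICATION 5]
        raise ValueError("unexpected protocolOp tag 0x%02x" % op_tag)
    _, code, pos = _tlv(result, 0)                   # resultCode ENUMERATED
    _, _matched_dn, pos = _tlv(result, pos)          # matchedDN, ignored here
    _, diag, _ = _tlv(result, pos)                   # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def server_is_alive(result_code: int) -> bool:
    """Liveness verdict after the fix: success or insufficientAccessRights."""
    return result_code in (0, INSUFFICIENT_ACCESS_RIGHTS)

# Constructed sample (not captured from Okta): RootDSE search refused with code 50.
OKTA_STYLE_DONE = _ber(0x30, _ber(0x02, b"\x01") + _ber(0x65,
    _ber(0x0A, b"\x32") + _ber(0x04, b"") + _ber(0x04, b"Insufficient access")))
```

Any result code other than 0 or 50, or no SearchResultDone at all, still counts as a failed probe, so a server that is genuinely down or misconfigured is not masked by the relaxed rule.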

Comment by Githook User [ 17/Oct/19 ]

Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)

Message: SERVER-43090 Refactor LDAP liveness check
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/d7f3530045d3d922b6157be098c14adcff51411f
