[SERVER-43233] Add ability to request only specific attribute(s) for the LDAP groups Created: 09/Sep/19  Updated: 29/Oct/23  Resolved: 20/Apr/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.4.0-rc4, 3.6.20, 4.7.0, 4.2.10, 4.0.21

Type: Improvement Priority: Major - P3
Reporter: Andrey Brindeyev Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
is related to DOCS-13882 [Atlas] Update Okta LDAP authorizatio... Closed
Backwards Compatibility: Minor Change
Backport Requested:
v4.4, v4.2, v4.0, v3.6
Sprint: Security 2020-04-20, Security 2020-05-04
Participants:
Case:

Description
Issue Status as of Aug 28, 2020

ISSUE DESCRIPTION AND IMPACT

Affected versions of MongoDB Enterprise do not allow asking for only the DN (Distinguished Name) attribute when making LDAP (Lightweight Directory Access Protocol) authorization requests. This leads to longer authorization request times and in certain cases to unnecessary additional requests.

DIAGNOSIS AND AFFECTED VERSIONS

This behavior occurs on MongoDB Enterprise versions 4.2.9 and earlier, 4.0.20 and earlier, and 3.6.19 and earlier.

MongoDB Enterprise users that rely on LDAP authorization and have a large number of LDAP users in their organization will see more LDAP requests from these versions of MongoDB.

Users that rely on Okta LDAP in particular can even hit their API request limit (500 per minute by default).

REMEDIATION AND WORKAROUNDS

A fix is included in the 4.4.0, 4.2.10, 4.0.21 and 3.6.20 Enterprise releases of MongoDB. These versions of MongoDB Enterprise allow explicitly requesting the DN attribute from the LDAP server. The result of adding DN is that more requests are treated as the faster, base-DN style queries, and fewer requests are necessary overall.

Affected users should upgrade to one of these versions, but in most cases, MongoDB will not add the DN attribute to LDAP queries automatically.

To benefit from the fix in versions 4.2.10, 4.0.21, and 3.6.20 you must explicitly add the DN attribute to all templates. For example, if the current ldapAuthzQueryTemplate setting is:

ou=Groups,dc=10gen,dc=cc??one?(&(objectClass=groupOfNames)(member={USER}))

Change it to:

ou=Groups,dc=10gen,dc=cc?dn?one?(&(objectClass=groupOfNames)(member={USER}))

MongoDB version 4.4.0 adds the DN attribute to LDAP queries that don't request any other attributes. So, for version 4.4.0, you must explicitly add the DN attribute to all queries that request any other attributes.

Original description

For certain LDAP implementations it is beneficial to request only the DN attribute for the groups instead of requesting all of them by default. Regretfully, once you specify the list of attributes, mongod currently expects only a single LDAP result and errors out, for example:

$ mongoldap --user 'uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com' --password 'REDACTED' -f ./mongod-okta.conf
Running MongoDB LDAP authorization validation checks...
Version: 4.2.0
 
Checking that an LDAP server has been specified...
[OK] LDAP server(s) provided in configuration
 
Connecting to LDAP server...
2019-09-09T09:58:46.074-0700 W  ACCESS   [main] LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP.
[OK] Connected to LDAP server
 
Attempting to authenticate against the LDAP server...
[OK] Successful authentication performed
 
Checking if LDAP authorization has been enabled by configuration...
[OK] LDAP authorization enabled
 
Parsing LDAP query template...
[OK] LDAP query configuration template appears valid
 
Executing query against LDAP server...
2019-09-09T09:58:48.679-0700 E  ACCESS   [main] Expected exactly one LDAP entity from which to parse attributes. Found 2.
[FAIL] Unable to acquire roles
	* Error: UserDataInconsistent: Failed to obtain LDAP entities for query 'BaseDN: "ou=groups,dc=REDACTED,dc=oktapreview,dc=com", Scope: "sub", Filter: "(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com)", Attributes: "dn", ' :: caused by :: Expected exactly one LDAP entity from which to parse attributes.

The LDAP response is provided significantly faster if you request only the DN attribute:

$ time ldapsearch -LLL -H 'ldaps://REDACTED.ldap.oktapreview.com' -D "uid=REDACTED,dc=REDACTED,dc=oktapreview,dc=com" -w "$PASS" -b 'ou=groups,dc=REDACTED,dc=oktapreview,dc=com' '(&(objectClass=groupofUniqueNames)(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com))' dn
dn: cn=Everyone,ou=groups,dc=REDACTED,dc=oktapreview,dc=com
 
dn: cn=REDACTED,ou=groups,dc=REDACTED,dc=oktapreview,dc=co
 m
 
 
real	0m1.198s
user	0m0.021s
sys	0m0.021s

vs

$ time ldapsearch -LLL -H 'ldaps://REDACTED.ldap.oktapreview.com' -D "uid=REDACTED,dc=REDACTED,dc=oktapreview,dc=com" -w "$PASS" -b 'ou=groups,dc=REDACTED,dc=oktapreview,dc=com' '(&(objectClass=groupofUniqueNames)(uniqueMember=uid=REDACTED,ou=users,dc=REDACTED,dc=oktapreview,dc=com))'
dn: cn=Everyone,ou=groups,dc=REDACTED,dc=oktapreview,dc=com
objectClass: top
objectClass: groupofUniqueNames
cn: Everyone
uniqueIdentifier: REDACTED
description: All users in your organization
( 1988 uniqueMember attributes skipped)
 
dn: cn=REDACTED,ou=groups,dc=REDACTED,dc=oktapreview,dc=co
 m
objectClass: top
objectClass: groupofUniqueNames
cn: REDACTED
uniqueIdentifier: REDACTED
uniqueMember: uid=REDACTED1,ou=users,dc=REDACTED
 REDACTED,dc=oktapreview,dc=com
uniqueMember: uid=REDACTED2,ou=users,dc=REDACTED
 REDACTED,dc=oktapreview,dc=com
 
 
real	0m41.067s
user	0m0.024s
sys	0m0.027s

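The following Python is an added illustration for this ticket, not code from the issue or from MongoDB's enterprise modules. It models the ldapAuthzQueryTemplate syntax (the body of an RFC 4516 LDAP URL: base DN, attributes, scope, filter), shows how a template that requests only "dn" was classified before and after the fix, reproduces the "Expected exactly one LDAP entity" failure from the description against two constructed group entries, and applies the documented workaround for 4.2.10, 4.0.21 and 3.6.20 (adding "dn" to templates that request no attributes). The class and function names, the sample entries and the case-insensitive attribute matching are assumptions made for this example.

```python
"""Audit helper for MongoDB ldapAuthzQueryTemplate strings (added example).

Template layout, as MongoDB uses the RFC 4516 LDAP URL body:
    <baseDN>?<attributes>?<scope>?<filter>
QueryTemplate, the function names and SAMPLE_GROUPS are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class QueryTemplate:
    base_dn: str
    attributes: List[str]   # empty list: the matching entries themselves are the result
    scope: str              # "base", "one" or "sub" (may be empty if omitted)
    filter: str             # may contain {USER} / {PROVIDED_USER} placeholders

    def render(self) -> str:
        """Rebuild the template string in the same four-field layout."""
        return "?".join([self.base_dn, ",".join(self.attributes), self.scope, self.filter])


def parse_template(template: str) -> QueryTemplate:
    """Split a template into its four '?'-separated fields.

    RFC 4516 requires a literal '?' inside a field to be percent-encoded, so
    splitting on '?' with at most three cuts is safe for well-formed input.
    Omitted trailing fields are treated as empty.
    """
    fields = template.split("?", 3)
    fields += [""] * (4 - len(fields))
    base_dn, attrs, scope, flt = fields
    attributes = [a.strip() for a in attrs.split(",") if a.strip()]
    scope = scope.strip()
    if scope and scope.lower() not in ("base", "one", "sub"):
        raise ValueError(f"unknown LDAP scope {scope!r}")
    return QueryTemplate(base_dn, attributes, scope, flt)


def query_kind(t: QueryTemplate, fixed: bool) -> str:
    """Classify the query the way mongod does before (fixed=False) / after the fix.

    'entity'    -> the DNs of all matching entries are the role names
    'attribute' -> exactly one entry is expected; the values of the requested
                   attributes are the role names
    Before the fix any attribute list, even just 'dn', produced an attribute
    query; after the fix a request for only 'dn' is an entity query.
    Attribute names are compared case-insensitively (assumption).
    """
    if not t.attributes:
        return "entity"
    if fixed and all(a.lower() == "dn" for a in t.attributes):
        return "entity"
    return "attribute"


def resolve_roles(t: QueryTemplate, entries: List[Dict[str, List[str]]], fixed: bool) -> List[str]:
    """Turn a simulated LDAP result set into role names.

    Each entry is {attribute: [values]} with the entry's own DN under 'dn'.
    Raises the same error text the ticket shows when an attribute query gets
    more than one entry back.
    """
    if query_kind(t, fixed) == "entity":
        return [e["dn"][0] for e in entries]
    if len(entries) != 1:
        raise ValueError(
            "Expected exactly one LDAP entity from which to parse attributes. "
            f"Found {len(entries)}."
        )
    roles: List[str] = []
    for attr in t.attributes:
        roles.extend(entries[0].get(attr, []))
    return roles


def add_dn_attribute(template: str) -> str:
    """Documented workaround for 4.2.10 / 4.0.21 / 3.6.20: request 'dn' explicitly.

    Only templates that request no attributes are changed; a template that
    already names attributes is returned unchanged.
    """
    t = parse_template(template)
    if not t.attributes:
        t.attributes = ["dn"]
    return t.render()


# Constructed sample data resembling the ticket's Okta output: two groups that
# both list the same user as a uniqueMember.
SAMPLE_GROUPS = [
    {"dn": ["cn=Everyone,ou=groups,dc=example,dc=com"],
     "uniqueMember": ["uid=alice,ou=users,dc=example,dc=com"]},
    {"dn": ["cn=dbadmins,ou=groups,dc=example,dc=com"],
     "uniqueMember": ["uid=alice,ou=users,dc=example,dc=com"]},
]


if __name__ == "__main__":
    old = "ou=Groups,dc=10gen,dc=cc??one?(&(objectClass=groupOfNames)(member={USER}))"
    new = add_dn_attribute(old)
    print("rewritten template:", new)
    t = parse_template(new)
    print("pre-fix classification :", query_kind(t, fixed=False))
    print("post-fix classification:", query_kind(t, fixed=True), resolve_roles(t, SAMPLE_GROUPS, fixed=True))
    try:
        resolve_roles(t, SAMPLE_GROUPS, fixed=False)
    except ValueError as err:
        print("pre-fix error:", err)
```

Running the script on the template from the description prints the rewritten "?dn?" form, shows that a pre-fix server would treat it as an attribute query and fail with "Found 2.", and that a fixed server returns both group DNs as roles. The same helper can be pointed at every template in a deployment's configuration to confirm that the DN attribute is present before upgrading to one of the point releases.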


Comments
Comment by Githook User [ 27/Aug/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-43233 LDAP query; treat request for 'dn' attribute as non-attribute query

(cherry picked from commit ed9e437522d0f3cd3c3f1903c92120d9a04cb5ad)
Branch: v3.6
https://github.com/10gen/mongo-enterprise-modules/commit/89017499425e8dd15a5b7557310c2627cf4265dc

Comment by Githook User [ 26/Aug/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-43233 LDAP query; treat request for 'dn' attribute as non-attribute query

(cherry picked from commit ed9e437522d0f3cd3c3f1903c92120d9a04cb5ad)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/d2cbe428fe8e45ff5fde4fe7aa91e5ea8e5f6868

Comment by Githook User [ 26/Aug/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-43233 LDAP query; treat request for 'dn' attribute as non-attribute query

(cherry picked from commit ed9e437522d0f3cd3c3f1903c92120d9a04cb5ad)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/297f3e3020217d94066af0fda2674efc1da7bcf7

Comment by Andrey Brindeyev [ 19/Aug/20 ]

The customer in the https://support.mongodb.com/case/00681064 support case is severely affected by this issue on 3.6.

Comment by Githook User [ 04/May/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-43233 LDAP query; treat request for 'dn' attribute as non-attribute query

(cherry picked from commit ed9e437522d0f3cd3c3f1903c92120d9a04cb5ad)
Branch: v4.4
https://github.com/10gen/mongo-enterprise-modules/commit/7629fbed39ea5aab5d56bead65572e52835dc806

Comment by Githook User [ 20/Apr/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-43233 LDAP query; treat request for 'dn' attribute as non-attribute query
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/ed9e437522d0f3cd3c3f1903c92120d9a04cb5ad

Comment by Sara Golemon [ 13/Apr/20 ]

andrey.brindeyev What are the contents of `mongod-okta.conf`?
