[SERVER-44926] Startup warning when both saslauthd and native LDAP are configured Created: 03/Dec/19  Updated: 29/Oct/23  Resolved: 20/Apr/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.4.0-rc2

Type: Improvement Priority: Major - P3
Reporter: Nic Cottrell Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to DOCS-12947 Configuring both setParameter.saslaut... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2020-04-20
Participants:
Case:

 Description   

Currently customers can create config like the following:

{
  ....
  security: {
    authorization: "enabled",
    clusterAuthMode: "x509",
    ldap: {
      authz: { queryTemplate: "{USER}?memberOf?base" },
      bind: { method: "simple", queryPassword: "<password>", queryUser: "ldapuser@intranet.....com" },
      servers: "ldapad.....",
      transportSecurity: "tls",
      userToDNMapping: ...
        ldapQuery: ...
    },
    sasl: { serviceName: "myKerbService" } },
  setParameter: {
    authenticationMechanisms: "GSSAPI,PLAIN",
    saslServiceName: "myKerbService", saslauthdPath: "/var/run/saslauthd/mux" },
  ...

In the above, both saslauthdPath and security.ldap.servers are configured, although only one can be used when the application requests LDAP authentication.

There should be:

1. A startup warning that conflicting parameters are specified
2. A log line explicitly stating which LDAP method will be used for authentication
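An added example, not code from the ticket or from MongoDB: a small audit that reads a parsed mongod config and reports which backends could serve the PLAIN mechanism and LDAP authorization, flagging the saslauthdPath / security.ldap.servers overlap described above. The config dict, the hostnames and the assumption that saslauthd takes the authentication role when both are present (as the triage comment reasons) are constructed for this example.

```python
# Added example, not code from the ticket or from MongoDB: audit a parsed
# mongod config for the saslauthd / native-LDAP overlap described above.
from typing import Any, Dict

# Constructed stand-in for the description's config; example.invalid values
# replace the elided hostnames and the bind password is omitted.
CONSTRUCTED_CONFIG: Dict[str, Any] = {
    "security": {
        "ldap": {
            "authz": {"queryTemplate": "{USER}?memberOf?base"},
            "servers": "ldap.example.invalid",
        },
        "sasl": {"serviceName": "myKerbService"},
    },
    "setParameter": {
        "authenticationMechanisms": "GSSAPI,PLAIN",
        "saslauthdPath": "/var/run/saslauthd/mux",
    },
}


def _get(cfg: Any, *path: str) -> Any:
    """Walk nested dicts along path; None if any key is missing."""
    for key in path:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg


def audit_ldap_config(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Say which backends could serve PLAIN auth and LDAP authz, and flag overlap."""
    mechs = str(_get(cfg, "setParameter", "authenticationMechanisms") or "")
    plain = "PLAIN" in [m.strip() for m in mechs.split(",")]
    saslauthd = _get(cfg, "setParameter", "saslauthdPath") is not None
    native = _get(cfg, "security", "ldap", "servers") is not None
    authz = native and _get(cfg, "security", "ldap", "authz", "queryTemplate") is not None
    # Candidate backends for the PLAIN mechanism; only one can actually serve it.
    candidates = [n for n, on in (("saslauthd", saslauthd), ("native-ldap", native)) if plain and on]
    notes = []
    if len(candidates) > 1:
        notes.append("saslauthdPath and security.ldap.servers both set; only one can serve PLAIN")
    if saslauthd and native and not authz:
        # Assumed role split (see lead-in): saslauthd does auth, so native LDAP
        # is only needed for authz, yet no authz.queryTemplate is configured.
        notes.append("native LDAP settings appear redundant: no authz.queryTemplate")
    return {"plain": plain, "auth_candidates": candidates,
            "authz_provider": "native-ldap" if authz else None, "notes": notes}
```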



 Comments   
Comment by Githook User [ 20/Apr/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-44926 Log DEBUG(2) info about which LDAP provider we're using
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/79555825ee8e350c502ebc6e4511d7c3c6fd21f8

Comment by Spencer Jackson [ 14/Apr/20 ]

After some investigation, the log warning does not seem to be desirable. It is legitimate for authentication to use saslauthd and authorization to use native LDAP. Explaining which implementation is used by the PLAIN authentication mechanism is legitimate though.

Comment by Spencer Jackson [ 03/Dec/19 ]

This scenario is generally permissible because LDAP authorization and LDAP authentication are orthogonal, and saslauthd with LDAP authorization is a legal configuration. In the provided example however, no template for authorization queries has been defined, meaning that most of the native LDAP options are redundant.

Generated at Thu Feb 08 05:07:23 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.