[SERVER-44926] Startup warning when both saslauthd and native LDAP are configured
Created: 03/Dec/19 | Updated: 29/Oct/23 | Resolved: 20/Apr/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.4.0-rc2 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Nic Cottrell | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2020-04-20 |
| Case: | (copied to CRM) |
| Description |
|
Currently customers can create config like the following:
In the above, both saslauthdPath and security.ldap.servers are configured, although only one can be used when the application requests LDAP authentication.

There should be:
1. A startup warning that conflicting parameters are specified |
| Comments |
| Comment by Githook User [ 20/Apr/20 ] |
|
Author: Sara Golemon (username: sgolemon, email: sara.golemon@mongodb.com)
Message: |
| Comment by Spencer Jackson [ 14/Apr/20 ] |
|
After some investigation, the log warning does not seem to be desirable. It is legitimate for authentication to use saslauthd and authorization to use native LDAP. Explaining which implementation is used by the PLAIN authentication mechanism is legitimate, though. |
| Comment by Spencer Jackson [ 03/Dec/19 ] |
|
This scenario is generally permissible because LDAP authorization and LDAP authentication are orthogonal, and saslauthd with LDAP authorization is a legal configuration. In the provided example, however, no template for authorization queries has been defined, meaning that most of the native LDAP options are redundant. |
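
The distinction drawn in the comments above can be checked mechanically before a config is deployed. The following is an added example, not code from this ticket or from MongoDB: it classifies an already-parsed mongod config as the legal saslauthd-plus-LDAP-authorization split or as the redundant shape described in the 03/Dec/19 comment. The function names and sample values are hypothetical, and it does not decide which implementation PLAIN uses.

```python
# Added example: classify a parsed mongod config for the saslauthd / native LDAP
# overlap discussed in this ticket. Sample configs below are constructed.

def lookup(cfg, dotted):
    """Walk nested dicts by dotted key; return None when any level is missing."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def plain_enabled(cfg):
    """True when PLAIN is listed in setParameter.authenticationMechanisms."""
    mechs = lookup(cfg, "setParameter.authenticationMechanisms") or ""
    return "PLAIN" in [m.strip() for m in str(mechs).split(",")]

def classify(cfg):
    """Return 'no-overlap', 'split-authn-authz' or 'redundant-native-ldap'."""
    # Key presence counts as configured, even when the value is an empty string.
    saslauthd = lookup(cfg, "setParameter.saslauthdPath") is not None
    servers = bool(lookup(cfg, "security.ldap.servers"))
    template = bool(lookup(cfg, "security.ldap.authz.queryTemplate"))
    if not (saslauthd and servers):
        return "no-overlap"
    # Both are present: legal when native LDAP is there to serve authorization.
    return "split-authn-authz" if template else "redundant-native-ldap"

# Constructed samples (hostnames, paths and the template are placeholders).
REPORTED_SHAPE = {
    "security": {"ldap": {"servers": "ldap.example.net"}},
    "setParameter": {"saslauthdPath": "/var/run/saslauthd/mux",
                     "authenticationMechanisms": "PLAIN,SCRAM-SHA-256"},
}
LEGAL_SPLIT = {
    "security": {"ldap": {"servers": "ldap.example.net",
                          "authz": {"queryTemplate": "{USER}?memberOf?base"}}},
    "setParameter": {"saslauthdPath": "/var/run/saslauthd/mux",
                     "authenticationMechanisms": "PLAIN"},
}

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED_SHAPE), ("split", LEGAL_SPLIT)):
        print(name, classify(cfg), "PLAIN enabled:", plain_enabled(cfg))
```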