[SERVER-56617] Reconsider advice to switch to the libldap_r Created: 04/May/21  Updated: 29/Oct/23  Resolved: 03/Sep/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.4.5, 4.2.14
Fix Version/s: 5.1.0-rc0

Type: Improvement Priority: Major - P3
Reporter: Andrey Brindeyev Assignee: Sergey Galtsev (Inactive)
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-59824 Build failure: openssl/opensslv.h mis... Closed
Problem/Incident
causes SERVER-78193 setParameter ldapForceMultiThreadMode... Closed
causes SERVER-78188 Permit default use of multithreaded L... Closed
Related
Backwards Compatibility: Fully Compatible
Sprint: Security 2021-08-09, Security 2021-08-23, Security 2021-09-06
Participants:
Case:
Linked BF Score: 68

Description

The majority of current installations in the field are still using RHEL 7/CentOS 7. It seems that most customers upgrade their operating system. Since NSS is no longer in use, we may need to adjust the warning printed because it may be harmful: if the server uses LDAPS connections, then the libldap_r library may remove mitigations for SERVER-30643 set by the mongod process in RHEL 7.5+.

This is the current log line:

{"t":{"$date":"2021-05-04T15:32:54.939+00:00"},"s":"W", "c":"ACCESS", "id":24052, "ctx":"main","msg":"LDAP library does not advertise support for thread safety. All access will be serialized and connection pooling will be disabled. Link mongod against libldap_r to enable concurrent use of LDAP."}

The server may advise disabling the NSS shim layer (present only in RHEL 7/CentOS 7) to achieve better stability instead of switching to libldap_r: the TLS_MOZNSS_COMPATIBILITY off setting in ldap.conf.



Comments
Comment by Githook User [ 21/Sep/21 ]

Author:

{'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}

Message: SERVER-56617 fix mac os compile when ssl provider is not openssl
Branch: SERVER-58852
https://github.com/10gen/mongo-enterprise-modules/commit/cbf378000530c74c8b7b378f2f609fa2a89025d4

Comment by Githook User [ 21/Sep/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-56617 Reconsider advice to switch to the libldap_r
Branch: SERVER-58852
https://github.com/10gen/mongo-enterprise-modules/commit/20a4e3b601be73dfe3fa3d2282e70111f1202c5b

Comment by Githook User [ 05/Sep/21 ]

Author:

{'name': 'Benety Goh', 'email': 'benety@mongodb.com', 'username': 'benety'}

Message: SERVER-56617 fix mac os compile when ssl provider is not openssl
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/cbf378000530c74c8b7b378f2f609fa2a89025d4

Comment by Githook User [ 03/Sep/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-56617 Reconsider advice to switch to the libldap_r
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/20a4e3b601be73dfe3fa3d2282e70111f1202c5b

Comment by Sergey Galtsev (Inactive) [ 03/Sep/21 ]

  • some startup log lines would be different (as per design)
  • on enterprise-amazon2-arm64, some tests would fail after this patch. SERVER-59598

Comment by Githook User [ 30/Aug/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-56617 Reconsider advice to switch to the libldap_r
Branch: SERVER-56617
https://github.com/10gen/mongo-enterprise-modules/commit/9948cab512d46717e2cdce7cb628d910e5dc16c5

Comment by Sergey Galtsev (Inactive) [ 25/Aug/21 ]

https://github.com/10gen/mongo-enterprise-modules/pull/60

Comment by Githook User [ 25/Aug/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-56617 Reconsider advice to switch to the libldap_r
Branch: SERVER-56617
https://github.com/10gen/mongo-enterprise-modules/commit/81d4cc4070095adb74f1f1c139458d0951f62892

Comment by Githook User [ 25/Aug/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-56617 Reconsider advice to switch to the libldap_r
Branch: SERVER-56617
https://github.com/10gen/mongo-enterprise-modules/commit/41e62f5eed05f3f3e0463fa8594ba4d3ae90eed1

Comment by Githook User [ 25/Aug/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-56617 Reconsider advice to switch to the libldap_r
Branch: SERVER-56617
https://github.com/10gen/mongo-enterprise-modules/commit/f8bf2ffa6a002db67f0a4f687dcb076cf7f895f6

Comment by Githook User [ 25/Aug/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-56617 Reconsider advice to switch to the libldap_r
Branch: SERVER-56617
https://github.com/10gen/mongo-enterprise-modules/commit/f645d52086c9ca903f74082928349d231e4f73f5

Comment by Sergey Galtsev (Inactive) [ 18/Aug/21 ]

Clarification, per conversation with mark.benvenuto:

  • if ldap_get_option(LDAP_OPT_X_TLS_PACKAGE) == “GnuTLS”, also enable connection pool by default
  • if ldap_get_option(TLS_MOZNSS_COMPATIBILITY) == “on”, advise the customer to turn off TLS_MOZNSS_COMPATIBILITY in /etc/openldap/ldap.conf only when ldap_get_option(THREAD_SAFE) = False

Comment by Mark Benvenuto [ 02/Aug/21 ]

If a customer is using MozNSS:

  • If ldap_get_option(LDAP_OPT_X_TLS_PACKAGE) == “MozNSS” and ldap_get_option(THREAD_SAFE) = False, log a warning informing the user that they should use libldap_r

If a customer is using OpenSSL:
i.e. ldap_get_option(LDAP_OPT_X_TLS_PACKAGE) == “OpenSSL”

  • If OpenSSL Version < 1.1.1 and libldap_r, log a warning informing the user about SSL performance impact because of OpenSSL locking
  • If OpenSSL >= 1.1.1 and ldap_get_option(THREAD_SAFE) = False, log a warning informing the user they should use libldap_r
  • If ldap_get_option(TLS_MOZNSS_COMPATIBILITY) == “on”, advise the customer to turn off TLS_MOZNSS_COMPATIBILITY in /etc/openldap/ldap.conf. This will only impact RHEL 7/AL2
  • If no warnings are logged about OpenSSL, enable connection pool by default

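As an added example (not MongoDB's code and not taken from the enterprise-modules commits linked above), the decision rules from this comment and from the 18/Aug/21 clarification written as a stand-alone C++ function. The values mongod would obtain from libldap (the LDAP_OPT_X_TLS_PACKAGE string, whether the library advertises the THREAD_SAFE feature, the OpenSSL version, and the ldap.conf TLS_MOZNSS_COMPATIBILITY setting) are passed in as a struct with hypothetical field names so that it compiles and runs without libldap. It carries one assumption from the existing startup warning quoted in the description: connection pooling is only enabled when the library is thread-safe, and a non-thread-safe library that is neither OpenSSL nor MozNSS keeps the current libldap_r advice. The warning texts are paraphrases, not mongod's real log messages.

```cpp
// Added example, not MongoDB's code. Models the warning / connection-pool
// decision described in the 02/Aug/21 and 18/Aug/21 comments. Probe results
// are passed in as plain values (hypothetical names) instead of being read
// through ldap_get_option(), so this compiles without libldap.
#include <iostream>
#include <string>
#include <tuple>
#include <vector>

struct LdapProbe {
    std::string tlsPackage;                    // LDAP_OPT_X_TLS_PACKAGE: "OpenSSL", "GnuTLS", "MozNSS"
    bool threadSafe;                           // libldap advertises the THREAD_SAFE API feature (libldap_r)
    std::tuple<int, int, int> opensslVersion;  // only meaningful when tlsPackage == "OpenSSL"
    bool moznssCompatibility;                  // TLS_MOZNSS_COMPATIBILITY on in /etc/openldap/ldap.conf
};

struct LdapDecision {
    bool enableConnectionPool = false;
    std::vector<std::string> warnings;
};

// Paraphrased advice from the comments; not mongod's actual log messages.
static const char* kLinkLibldapR =
    "LDAP library does not advertise thread safety; link against libldap_r for concurrent LDAP use";
static const char* kOpensslLocking =
    "OpenSSL < 1.1.1 with libldap_r: expect TLS performance impact from OpenSSL locking";
static const char* kDisableMoznssCompat =
    "Set TLS_MOZNSS_COMPATIBILITY off in /etc/openldap/ldap.conf (RHEL 7 / Amazon Linux 2 NSS shim)";

LdapDecision decideLdapSetup(const LdapProbe& p) {
    LdapDecision d;

    if (p.tlsPackage == "OpenSSL") {
        const bool modernOpenssl = p.opensslVersion >= std::make_tuple(1, 1, 1);
        // Old OpenSSL plus libldap_r: the locking overhead warning.
        if (!modernOpenssl && p.threadSafe) d.warnings.push_back(kOpensslLocking);
        // Modern OpenSSL without a thread-safe libldap: advise libldap_r.
        if (modernOpenssl && !p.threadSafe) d.warnings.push_back(kLinkLibldapR);
        // Per the 18/Aug clarification, the ldap.conf advice is only given for a
        // non-thread-safe library (the NSS shim exists only on RHEL 7 / AL2).
        if (p.moznssCompatibility && !p.threadSafe) d.warnings.push_back(kDisableMoznssCompat);
    } else if (!p.threadSafe) {
        // MozNSS (explicitly in the comment), GnuTLS or anything else: keep the
        // existing libldap_r advice when the library is not thread-safe.
        d.warnings.push_back(kLinkLibldapR);
    }

    // "If no warnings are logged about OpenSSL, enable connection pool by default";
    // GnuTLS also gets pooling by default. Pooling still needs a thread-safe
    // library, as the existing startup warning in the description states.
    if (p.tlsPackage == "OpenSSL" || p.tlsPackage == "GnuTLS") {
        d.enableConnectionPool = p.threadSafe && d.warnings.empty();
    }
    return d;
}

int main() {
    // Constructed sample: RHEL 7-style host (OpenSSL 1.0.2), non-threaded
    // libldap, NSS compatibility shim still switched on.
    LdapProbe rhel7{"OpenSSL", false, std::make_tuple(1, 0, 2), true};
    LdapDecision d = decideLdapSetup(rhel7);
    std::cout << "connection pool: " << (d.enableConnectionPool ? "on" : "off") << '\n';
    for (const auto& w : d.warnings) std::cout << "warning: " << w << '\n';
    return 0;
}
```

For the constructed RHEL 7 sample the function emits only the TLS_MOZNSS_COMPATIBILITY advice and leaves pooling off; a host with OpenSSL 1.1.1 and libldap_r produces no warnings and enables pooling, which is the "no OpenSSL warnings" path in the comment.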
Generated at Thu Feb 08 05:39:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.