[SERVER-56712] MongoLDAP should advise using Global Catalog on Active Directory instances Created: 06/May/21  Updated: 29/Oct/23  Resolved: 27/Jul/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.1.0-rc0

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Aldo Aguilar
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Sprint: Security 2021-07-12, Security 2021-07-26, Security 2021-08-09
Participants:

 Description   

Active Directory deployments are often composed of "forests", where multiple Active Directory instances maintain a tree of information, and delegate ownership of some subtrees to other instances. This means, when searching for information in the root, LDAP clients may receive one or more referrals to other instances that they will need to "chase", meaning they must connect to the referred server, rebind, and re-run the query in question.

Active Directory provides a Global Catalog, which is an eventually consistent locally cached copy of a subset of the data in the forest. Generally, it will contain all authorization state across the forest. If it stores the data a query needs, directing your LDAP queries to a local Global Catalog will allow them to execute more quickly, without needing to chase referrals, establish new connections, or rebind. Avoiding referral chasing improves LDAP performance, and avoids a number of failure scenarios.


When communicating with Active Directory, if mongoldap is not configured to use the Global Catalog LDAP ports, it should recommend adjusting the configuration to use them.



 Comments   
Comment by Vivian Ge (Inactive) [ 06/Oct/21 ]

Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you!

Comment by Githook User [ 27/Jul/21 ]

Author:

{'name': 'aldo-aguilar', 'email': 'aldo.aguilar@mongodb.com'}

Message: SERVER-56712 Advising user to use LDAP Host as GC if not possible and not already
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/854c7d08aafcf46fcfeb1d9a8f5397c5b01d358c

Comment by Mark Benvenuto [ 28/Jun/21 ]

If MongoLDAP is not talking to port 3268 or 3269, MongoLDAP will check if it is talking to Microsoft AD. If it is AD, MongoLDAP will advise the user that they should change the server and port to be the GC since it offers better performance due to its avoidance of referrals. MongoLDAP will query the RootDSE for forestFunctionality; if it is present, it will consider it an AD.
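The check described in the comment above, written out as an added Python example (this is not mongoldap's own code): a configured LDAP URL is inspected for the Global Catalog ports 3268/3269, the server is classified as Active Directory when its RootDSE carries forestFunctionality, and a GC URL on the matching scheme is suggested. The RootDSE responses and hostnames are constructed so the script runs offline; in a real check the RootDSE would be read with a base-scope search of the empty DN.

```python
"""Added example, not part of the ticket or of mongoldap: advise Global Catalog
use for Active Directory LDAP targets. RootDSE data is a constructed dict."""
from urllib.parse import urlsplit

GC_PORTS = {3268, 3269}                          # Global Catalog ports (LDAP, LDAPS)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}      # ordinary domain-controller ports
GC_PORT_FOR_SCHEME = {"ldap": 3268, "ldaps": 3269}

def parse_ldap_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URL, filling in
    the scheme's default port when the URL gives none."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]

def is_active_directory(root_dse):
    """Heuristic from the ticket: an AD RootDSE exposes forestFunctionality."""
    return "forestFunctionality" in root_dse

def gc_advice(url, root_dse):
    """Return None when no change is advised, otherwise a suggested GC URL.
    The host is kept as a starting point; the GC role may sit on another DC."""
    scheme, host, port = parse_ldap_url(url)
    if port in GC_PORTS:                         # already on a Global Catalog port
        return None
    if not is_active_directory(root_dse):        # no GC exists outside AD
        return None
    return f"{scheme}://{host}:{GC_PORT_FOR_SCHEME[scheme]}"

# Constructed sample RootDSE responses (not captured from any real server).
AD_ROOT_DSE = {"forestFunctionality": ["7"], "domainFunctionality": ["7"],
               "defaultNamingContext": ["DC=example,DC=test"]}
OPENLDAP_ROOT_DSE = {"namingContexts": ["dc=example,dc=test"],
                     "supportedLDAPVersion": ["3"]}

if __name__ == "__main__":
    cases = [("ldap://dc1.example.test", AD_ROOT_DSE),
             ("ldaps://dc1.example.test:636", AD_ROOT_DSE),
             ("ldap://dc1.example.test:3268", AD_ROOT_DSE),
             ("ldap://ldap.example.test", OPENLDAP_ROOT_DSE)]
    for url, dse in cases:
        advice = gc_advice(url, dse)
        print(url, "->", f"consider {advice}" if advice else "no change advised")
```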

Generated at Thu Feb 08 05:40:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.