[SERVER-56712] MongoLDAP should advise using Global Catalog on Active Directory instances

Created: 06/May/21 | Updated: 29/Oct/23 | Resolved: 27/Jul/21

| Field | Value |
|---|---|
| Status | Closed |
| Project | Core Server |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | 5.1.0-rc0 |
| Type | Task |
| Priority | Major - P3 |
| Reporter | Spencer Jackson |
| Assignee | Aldo Aguilar |
| Resolution | Fixed |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Backwards Compatibility | Fully Compatible |
| Sprint | Security 2021-07-12, Security 2021-07-26, Security 2021-08-09 |
| Participants | |

Description
Active Directory deployments are often composed of "forests", where multiple Active Directory instances maintain a tree of information and delegate ownership of some subtrees to other instances. This means that, when searching for information in the root, LDAP clients may receive one or more referrals to other instances that they will need to "chase": they must connect to the referred server, rebind, and re-run the query in question. Active Directory provides a Global Catalog, which is an eventually consistent, locally cached copy of a subset of the data in the forest. Generally, it will contain all authorization state across the forest. If it stores the data a query needs, directing your LDAP queries to a local Global Catalog will allow them to execute more quickly, without needing to chase referrals, establish new connections, or rebind. Avoiding referral chasing improves LDAP performance and avoids a number of failure scenarios.

When communicating with Active Directory, if mongoldap is not configured to use the Global Catalog LDAP ports, it should recommend adjusting the configuration to use them.
Comments

Comment by Vivian Ge (Inactive) [ 06/Oct/21 ]

Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it's been triggered. For more active release information, please keep an eye on #server-release. Thank you!
Comment by Githook User [ 27/Jul/21 ]

Author: {'name': 'aldo-aguilar', 'email': 'aldo.aguilar@mongodb.com'}
Message:
Comment by Mark Benvenuto [ 28/Jun/21 ]

If MongoLDAP is not talking to port 3268 or 3269, MongoLDAP will check if it is talking to Microsoft AD. If it is AD, MongoLDAP will advise the user that they should change the server and port to be the GC since it offers better performance due to its avoidance of referrals. MongoLDAP will query the RootDSE for forestFunctionality; if it is present, it will consider it an AD.