[SERVER-59048] Add support for SRV and SRV raw to LDAPDNSResolverCache Created: 02/Aug/21 Updated: 29/Oct/23 Resolved: 31/Aug/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 5.1.0-rc0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Mark Benvenuto | Assignee: | Mark Benvenuto |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2021-08-23, Security 2021-09-06 |
| Participants: |
| Case: | (copied to CRM) |
| Description |
|
Add the ability for users to prefix LDAP servers with "srv:" and "srv_raw:" so that the code automatically does the DNS lookups for SRV records. Enhance mongoldap to advise users when they make mistakes around srv vs srv_raw.
|
| Comments |
| Comment by Vivian Ge (Inactive) [ 06/Oct/21 ] |
|
Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you! |
| Comment by Githook User [ 21/Sep/21 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'} Message: |
| Comment by Githook User [ 02/Sep/21 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'} Message: |
| Comment by Githook User [ 31/Aug/21 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'} Message: |
| Comment by Githook User [ 31/Aug/21 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'} Message: |
| Comment by Githook User [ 20/Aug/21 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'} Message: |
| Comment by Mark Benvenuto [ 05/Aug/21 ] |
|
We also need to add a warning to documentation about the risks of DNS Cache poisoning. A DNS cache could be poisoned with incorrect SRV records which redirect the LDAP client code in MongoDB to connect to a server under an attacker's control. DNSSEC and/or strict management of root CAs will manage the risk of this. |
| Comment by Mark Benvenuto [ 04/Aug/21 ] |
|
Under SRV mode, probe for |