[SERVER-59048] Add support for SRV and SRV raw to LDAPDNSResolverCache Created: 02/Aug/21  Updated: 29/Oct/23  Resolved: 31/Aug/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.1.0-rc0

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-32948 LDAP enhancement for Active Directory... Closed
Documented
is documented by DOCS-14832 DOCS-14832: Investigate changes in SE... Closed
Related
is related to SERVER-59527 Bug: dns_container_tester crashes on ... Closed
is related to SERVER-32948 LDAP enhancement for Active Directory... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2021-08-23, Security 2021-09-06
Participants:
Case:

Description

Add the ability for users to prefix LDAP servers with "srv:" and "srv_raw:" so that the code automatically does the DNS lookups for SRV records.

Enhance mongoldap to advise users when they make mistakes around srv vs srv_raw.

When a user specifies "srv:<DNS_NAME>", mongoldap checks that an SRV record exists at "_ldap._tcp.<DNS_NAME>". If no SRV record is found there, it checks "<DNS_NAME>" itself for an SRV record and warns the user that they should use "srv_raw:<DNS_NAME>" instead. For "srv_raw:<DNS_NAME>", mongoldap does the reverse check, looking for an SRV record at "_ldap._tcp.<DNS_NAME>". When a user specifies "multi:<DNS_NAME>", mongoldap checks "<DNS_NAME>" for an SRV record and suggests that the user should use "srv_raw:<DNS_NAME>" instead.



Comments
Comment by Vivian Ge (Inactive) [ 06/Oct/21 ]

Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you!

Comment by Githook User [ 21/Sep/21 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-59048 Add support for SRV and SRV raw to LDAPDNSResolverCache
Branch: SERVER-58852
https://github.com/10gen/mongo-enterprise-modules/commit/c0ed5f1b199af223114e86b8347acfa1c04ebca1

Comment by Githook User [ 02/Sep/21 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-59048 Add support for SRV and SRV raw to LDAPDNSResolverCache
Branch: SERVER-57819
https://github.com/10gen/mongo-enterprise-modules/commit/c0ed5f1b199af223114e86b8347acfa1c04ebca1

Comment by Githook User [ 31/Aug/21 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-59048 Add support for SRV and SRV raw to LDAPDNSResolverCache
Branch: master
https://github.com/mongodb/mongo/commit/85f87c6f17a46c41e840a41bde03870589b9b103

Comment by Githook User [ 31/Aug/21 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-59048 Add support for SRV and SRV raw to LDAPDNSResolverCache
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/c0ed5f1b199af223114e86b8347acfa1c04ebca1

Comment by Githook User [ 20/Aug/21 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-59048 Add support for SRV and SRV raw to LDAPDNSResolverCache
Branch: markbenvenuto/SERVER_59048_srv_support
https://github.com/10gen/mongo-enterprise-modules/commit/6691e3141242fb3a2211b9377d1df22b3472be21

Comment by Mark Benvenuto [ 05/Aug/21 ]

We also need to add a warning to documentation about the risks of DNS Cache poisoning. A DNS cache could be poisoned with incorrect SRV records which redirects the LDAP client code in MongoDB to connect to a server under an attacker's control. DNSSEC and/or strict management of root CAs will manage the risk of this.

Comment by Mark Benvenuto [ 04/Aug/21 ]

Under SRV mode, probe for
_ldap._tcp.gc_msdcs.<DNSDomainName>
then
_ldap._tcp.<DNSDomainName>

It is not an error if the GC entry is missing, the server will ignore the missing record. MongoLDAP will also not warn the user since this is only present in AD deployments. 
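The srv:/srv_raw:/multi: checks from the ticket description and the GC-then-_ldap._tcp probe order from the comment above, as an added example that is not MongoDB's mongoldap code: the DNS client is injected as a callback so the logic runs offline, and the zone data, host names and warning wording are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Stand-in for a DNS client: SRV owner name -> "host:port" targets ([] if absent).
SrvLookup = Callable[[str], List[str]]

LDAP_SRV = "_ldap._tcp."          # label prepended under "srv:"
GC_SRV = "_ldap._tcp.gc_msdcs."   # Global Catalog label, spelled as in the ticket

@dataclass
class SpecCheck:
    targets: List[str] = field(default_factory=list)   # resolved LDAP hosts
    warnings: List[str] = field(default_factory=list)  # advice for the operator

def check_ldap_spec(spec: str, lookup_srv: SrvLookup) -> SpecCheck:
    """Expand one LDAP server spec (srv:, srv_raw:, multi: or bare host[:port])
    and collect the mongoldap-style warnings described in the ticket."""
    prefix, sep, name = spec.partition(":")
    mode = prefix.lower() if sep else ""
    result = SpecCheck()
    if mode == "srv":
        # Probe the GC name first, then _ldap._tcp. A missing GC record is
        # neither an error nor a warning: it only exists in AD deployments.
        for owner in (GC_SRV + name, LDAP_SRV + name):
            result.targets += lookup_srv(owner)
        if not result.targets:   # fall back to checking the raw name
            hint = f'; use "srv_raw:{name}" instead' if lookup_srv(name) else ""
            result.warnings.append(f"no SRV record at {LDAP_SRV}{name}{hint}")
    elif mode == "srv_raw":
        result.targets = lookup_srv(name)
        if not result.targets:   # the reverse check
            hint = f'; use "srv:{name}" instead' if lookup_srv(LDAP_SRV + name) else ""
            result.warnings.append(f"no SRV record at {name}{hint}")
    elif mode == "multi":
        result.targets = [name]   # plain host list, no SRV expansion
        if lookup_srv(name):
            result.warnings.append(f'{name} has an SRV record; use "srv_raw:{name}" instead')
    else:
        result.targets = [spec]   # bare host or host:port, nothing to check
    return result

# Constructed zone data standing in for live DNS answers.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "_ldap._tcp.corp.example": ["dc1.corp.example:389", "dc2.corp.example:389"],
    "_ldap._tcp.gc_msdcs.corp.example": ["dc1.corp.example:3268"],
    "ldap-srv.example": ["ldap1.example:636"],   # SRV published at the raw name
}

def zone_lookup(owner: str) -> List[str]:
    return list(CONSTRUCTED_ZONE.get(owner, []))
```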
 

Generated at Thu Feb 08 05:46:11 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.