[SERVER-59734] Enforce connection pool timeouts during LDAP liveness checks
Created: 01/Sep/21
Updated: 29/Oct/23
Resolved: 10/Sep/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.1.0-rc0

Type: Bug
Priority: Major - P3
Reporter: Varun Ravichandran
Assignee: Varun Ravichandran
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-56183 Prevent LDAP connection pool from sta... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Security 2021-09-06, Security 2021-09-20
Participants:

 Description   

When the connection pool is used, we enforce timeouts for binds and queries to the LDAP server. This adds a layer of protection over raw LDAP connections, which rely entirely on the system LDAP library to enforce timeouts. However, the code path for liveness checks is slightly different from other queries (it flows through `WrappedConnection::checkLiveness()` rather than `WrappedConnection::query()`). `WrappedConnection::query()` enforces a timeout on the corresponding LDAP connection's query call, but `WrappedConnection::checkLiveness()` does not. As a result, all instances where `WrappedConnection::checkLiveness()` is used (notably in `PooledLDAPConnection::setup()` and `PooledLDAPConnection::refresh()`) are fully reliant on the system LDAP library for timeout enforcement rather than enforcing it directly. 

 

To remain consistent with how we enforce timeouts for other LDAP network operations, we should ensure that `WrappedConnection::checkLiveness()` also enforces timeouts.
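
The gap described above, sketched as an added example that is not MongoDB's code: the liveness check is given the same caller-side deadline as the query path, so a hung library call cannot stall the pool. Only the names `WrappedConnection`, `query()` and `checkLiveness()` come from the ticket; `RawConnection`, `runWithTimeout` and `checkLivenessUnbounded` are hypothetical, and the helper-thread deadline is an assumed mechanism chosen for illustration.

```cpp
#include <chrono>
#include <functional>
#include <future>
#include <memory>
#include <optional>
#include <thread>

using Millis = std::chrono::milliseconds;

// Runs a blocking call on a helper thread and waits at most `timeout` for it.
// Returns std::nullopt on timeout; the helper is detached so a hung call cannot stall the caller.
template <typename T>
std::optional<T> runWithTimeout(std::function<T()> op, Millis timeout) {
    auto promise = std::make_shared<std::promise<T>>();
    auto result = promise->get_future();
    std::thread([promise, op = std::move(op)] { promise->set_value(op()); }).detach();
    if (result.wait_for(timeout) != std::future_status::ready)
        return std::nullopt;
    return result.get();
}

// Hypothetical stand-in for a raw LDAP connection whose calls block for `latency`,
// as a system LDAP library call might against an unresponsive server.
struct RawConnection {
    Millis latency;
    bool search() const { std::this_thread::sleep_for(latency); return true; }
    bool ping() const { std::this_thread::sleep_for(latency); return true; }
};

class WrappedConnection {
public:
    WrappedConnection(RawConnection raw, Millis timeout) : _raw(raw), _timeout(timeout) {}
    bool query() const { return bounded([raw = _raw] { return raw.search(); }); }
    // Before: calls straight into the library, so only the library's own timeout applies.
    bool checkLivenessUnbounded() const { return _raw.ping(); }
    // After: the liveness check goes through the same deadline as query().
    bool checkLiveness() const { return bounded([raw = _raw] { return raw.ping(); }); }
private:
    bool bounded(std::function<bool()> op) const {
        return runWithTimeout<bool>(std::move(op), _timeout).value_or(false);
    }
    RawConnection _raw;
    Millis _timeout;
};
```

A timed-out call is reported as a failed check; the abandoned helper thread still runs until the underlying call returns, so a real pool would also discard that connection.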



 Comments   
Comment by Vivian Ge (Inactive) [ 06/Oct/21 ]

Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you!

Comment by Githook User [ 21/Sep/21 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-59734: Enforce timeout in pooled LDAP connection liveness check
Branch: SERVER-58852
https://github.com/10gen/mongo-enterprise-modules/commit/832db4c9f33426d5f95873e5af6916501f6701f9

Comment by Githook User [ 10/Sep/21 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-59734: Enforce timeout in pooled LDAP connection liveness check
Branch: master
https://github.com/mongodb/mongo/commit/6fe24f53eb15a29249e3042609c9bd87d5e147ec

Comment by Githook User [ 10/Sep/21 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-59734: Enforce timeout in pooled LDAP connection liveness check
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/832db4c9f33426d5f95873e5af6916501f6701f9

Generated at Thu Feb 08 05:47:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.