[SERVER-59734] Enforce connection pool timeouts during LDAP liveness checks Created: 01/Sep/21 Updated: 29/Oct/23 Resolved: 10/Sep/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 5.1.0-rc0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Varun Ravichandran | Assignee: | Varun Ravichandran |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible | ||||||||
| Operating System: | ALL | ||||||||
| Sprint: | Security 2021-09-06, Security 2021-09-20 | ||||||||
| Description |
|
When the connection pool is used, we enforce timeouts for binds and queries to the LDAP server. This adds a layer of protection over raw LDAP connections, which rely entirely on the system LDAP library to enforce timeouts. However, the code path for liveness checks is slightly different from other queries (it flows through `WrappedConnection::checkLiveness()` rather than `WrappedConnection::query()`). `WrappedConnection::query()` enforces a timeout on the corresponding LDAP connection's query call, but `WrappedConnection::checkLiveness()` does not. As a result, all instances where `WrappedConnection::checkLiveness()` is used (notably in `PooledLDAPConnection::setup()` and `PooledLDAPConnection::refresh()`) are fully reliant on the system LDAP library for timeout enforcement rather than enforcing it directly.
To remain consistent with how we enforce timeouts for other LDAP network operations, we should ensure that `WrappedConnection::checkLiveness()` also enforces timeouts. |
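The gap described above, sketched as an added example (not MongoDB's code): a liveness check that waits on the library alone, beside one bounded by the pool's own deadline. `RawConnection`, `TimedConnection`, `ping()` and the stall value are hypothetical names and constructed inputs, and treating a timeout as "not live" is an assumption of this sketch.

```cpp
#include <chrono>
#include <functional>
#include <future>
#include <memory>
#include <thread>
#include <utility>

using Millis = std::chrono::milliseconds;

// Hypothetical stand-in for a raw LDAP connection: its calls block for as
// long as the system LDAP library lets them.
struct RawConnection {
    Millis stall{0};  // constructed sample: simulated unresponsive server
    bool ping() {
        std::this_thread::sleep_for(stall);
        return true;
    }
};

// Hypothetical pool-side wrapper (not MongoDB's WrappedConnection).
class TimedConnection {
public:
    TimedConnection(std::shared_ptr<RawConnection> conn, Millis timeout)
        : _conn(std::move(conn)), _timeout(timeout) {}

    // Gap: the caller waits as long as the library does.
    bool checkLivenessUnbounded() { return _conn->ping(); }

    // Hardened: the pool's own deadline applies; a timeout counts as "not live".
    bool checkLiveness() { return runWithDeadline([c = _conn] { return c->ping(); }); }

private:
    bool runWithDeadline(std::function<bool()> op) {
        // The task (and the connection it captured) is shared with the worker
        // so that both outlive this call if the deadline passes first.
        auto task = std::make_shared<std::packaged_task<bool()>>(std::move(op));
        std::future<bool> result = task->get_future();
        std::thread([task] { (*task)(); }).detach();
        if (result.wait_for(_timeout) != std::future_status::ready)
            return false;  // worker is abandoned; the caller should drop the connection
        return result.get();
    }

    std::shared_ptr<RawConnection> _conn;
    Millis _timeout;
};
```

The abandoned worker keeps running until the library call returns, so a connection that missed its deadline should be discarded rather than returned to the pool.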
| Comments |
| Comment by Vivian Ge (Inactive) [ 06/Oct/21 ] |
|
Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you! |
| Comment by Githook User [ 21/Sep/21 ] |
|
Author: {'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}Message: |
| Comment by Githook User [ 10/Sep/21 ] |
|
Author: {'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}Message: |
| Comment by Githook User [ 10/Sep/21 ] |
|
Author: {'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}Message: |