[SERVER-78188] Permit default use of multithreaded LDAP connection pool with libldap and OpenSSL 1.1.1
Created: 16/Jun/23
Updated: 01/Feb/24
Resolved: 24/Jul/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0

Type: Task
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Varun Ravichandran
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate: is duplicated by SERVER-78193 setParameter ldapForceMultiThreadMode... (Closed)
Problem/Incident: is caused by SERVER-56617 Reconsider advice to switch to the li... (Closed)
Related
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Sprint: Security 2023-07-10, Security 2023-07-24, Security 2023-08-07
Participants:
Case:

Description

Today, if the server starts and finds itself using OpenSSL 1.1.1 or newer, and the standard libldap library, it will warn:

"OpenSSL 1.1.1 and higher has no performance impact "
"with libldap_r. Link mongod against libldap_r to enable "
"concurrent use of LDAP. "
"Your OpenSSL version is: " OPENSSL_VERSION_TEXT

The server will also disable its use of the multithreaded LDAP connection pool.

We should remove this behavior because:

  • Switching from libldap to libldap_r is very hard. We should not ask the user to do so without a very good reason.
  • Running without the connection pool by default is a poor experience.
  • We do not have evidence of reliability concerns with libldap when used in conjunction with OpenSSL 1.1.1.
