[SERVER-78829] Server does not anonymously bind to LDAP servers in the absence of ldapQueryUser
Created: 10/Jul/23
Updated: 05/Feb/24

Status: In Progress
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Varun Ravichandran
Assignee: Adrian Gonzalez Montemayor
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams: Server Security
Sprint: Security 2024-01-22, Security 2024-02-05, Security 2024-02-19
Participants:

Description

The server's docs publicly state that MongoDB performs an anonymous bind to all LDAP servers before performing queries if the ldapQueryUser configuration option is unspecified.

In reality, this does not happen. When connection pooling is disabled, the server simply runs the search operation on a new connection without performing any kind of bind, anonymous or otherwise. When connection pooling is enabled, the server grabs an existing connection from the pool and runs the search operation on it, regardless of whether that connection was previously bound to the LDAP server as some different user.

We should standardize this behavior with our docs and always anonymously bind before running search operations.
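
The following is an added illustration, not code from the MongoDB server: a small C++ model of the two cases described above, showing which identity a search runs under with and without an anonymous bind on checkout. `LdapConn`, `Pool`, `authenticateUser` and `search` are hypothetical names, the DN is constructed, and the model assumes user authentication binds share the pool with query connections.

```cpp
#include <deque>
#include <iostream>
#include <optional>
#include <string>

// Hypothetical model of an LDAP connection: tracks only the last bind sent on it.
struct LdapConn {
    std::optional<std::string> boundAs;                 // nullopt = no bind sent yet
    void bind(const std::string& dn) { boundAs = dn; }  // "" = anonymous bind
    // A search is authorized as whatever identity the connection currently holds.
    std::string searchIdentity() const {
        if (!boundAs) return "<unbound>";
        return boundAs->empty() ? "<anonymous>" : *boundAs;
    }
};

// Hypothetical pool: hands back idle connections with their bind state intact.
struct Pool {
    std::deque<LdapConn> idle;
    LdapConn acquire() {
        if (idle.empty()) return LdapConn{};  // nothing pooled: brand-new connection
        LdapConn c = idle.front();
        idle.pop_front();
        return c;
    }
    void release(const LdapConn& c) { idle.push_back(c); }
};

// Assumption: authenticating a user binds as that user, then pools the connection.
void authenticateUser(Pool& pool, const std::string& userDn) {
    LdapConn c = pool.acquire();
    c.bind(userDn);
    pool.release(c);
}

// anonymousBindFirst=false models the reported behaviour with no ldapQueryUser;
// anonymousBindFirst=true models the proposed fix (always bind anonymously).
std::string search(Pool& pool, bool anonymousBindFirst) {
    LdapConn c = pool.acquire();
    if (anonymousBindFirst) c.bind("");
    std::string id = c.searchIdentity();
    pool.release(c);
    return id;
}

int main() {
    Pool pool;
    authenticateUser(pool, "uid=alice,dc=example,dc=com");  // constructed DN
    std::cout << "reported: " << search(pool, false) << "\n";
    std::cout << "proposed: " << search(pool, true) << "\n";
}
```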

