mongod.conf excerpt:
security:
  authorization: enabled
  ldap:
    servers: "ad.acme.qa"
    bind:
      queryUser: "mdb@acme.qa"
      queryPassword: 'Pa$$w0rd'
    transportSecurity: none
setParameter:
  authenticationMechanisms: "PLAIN,GSSAPI,SCRAM-SHA-1"
LDAP object's definition:
$ ldapsearch -LLL -H ldaps://ad.acme.qa:636 -D "mdb@acme.qa" -w 'Pa$$w0rd' -x -b 'DC=acme,DC=qa' '(samAccountName=john.doe)' dn
dn: CN=Doe\, John (the second one),OU=FooBar (with commas\, left and right par
ens),DC=ACME,DC=QA
1. Unsuccessful authentication
1.1. MongoDB user creation:
MongoDB Enterprise > db.getSiblingDB('$external').createUser({user: 'CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA', roles: [ { role: 'root', db: 'admin' } ] });
Successfully added user: {
    "user" : "CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA",
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
1.2. Authentication attempt in MongoDB Shell:
MongoDB Enterprise > db.getSiblingDB('$external').auth({user: "CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA", pwd: 'Pa$$w0rd', mechanism: 'PLAIN'});
Error: Authentication failed.
0
1.3. MongoDB log entries:
2018-03-01T03:13:16.267-0800 D ACCESS [conn3] Binding to LDAP server "default" with bind parameters: {BindDN: CN=Doe, authenticationType: simple}
2018-03-01T03:13:16.270-0800 E ACCESS [conn3] Failed to bind to LDAP server at default: Invalid credentials. Bind parameters were: {BindDN: CN=Doe, authenticationType: simple}
2018-03-01T03:13:16.270-0800 I ACCESS [conn3] PLAIN authentication failed for CN=Doe\, John (the second one),OU=FooBar (with commas\, left and right parens),DC=ACME,DC=QA on $external from client 127.0.0.1:39416 ; OperationFailed: LDAP bind failed with error: Invalid credentials
2. Successful authentication
2.1. MongoDB user creation:
MongoDB Enterprise > db.getSiblingDB('$external').createUser({user: 'CN=Doe\\\\, John (the second one),OU=FooBar (with commas\\\\, left and right parens),DC=ACME,DC=QA', roles: [ { role: 'root', db: 'admin' } ] });
Successfully added user: {
    "user" : "CN=Doe\\\\, John (the second one),OU=FooBar (with commas\\\\, left and right parens),DC=ACME,DC=QA",
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
2.2. Authentication attempt in MongoDB Shell:
MongoDB Enterprise > db.getSiblingDB('$external').auth({user: "CN=Doe\\\\, John (the second one),OU=FooBar (with commas\\\\, left and right parens),DC=ACME,DC=QA", pwd: 'Pa$$w0rd', mechanism: 'PLAIN'});
1
2.3. MongoDB log entries:
2018-03-01T03:22:05.621-0800 D ACCESS [conn4] Binding to LDAP server "default" with bind parameters: {BindDN: CN=Doe\, John (the second one),OU=FooBar (with commas\, left and right parens),DC=ACME,DC=QA, authenticationType: simple}
2018-03-01T03:22:05.631-0800 I ACCESS [conn4] Successfully authenticated as principal CN=Doe\\, John (the second one),OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA on $external
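The two cases differ only in how many backslashes precede the commas inside the CN and OU values. The following is an added example, not part of the original report and not MongoDB code: it parses both stored usernames with RFC 4514 escaping rules to show which one is a well-formed DN and what each becomes after one escaping level is removed. The helper names (splitDn, isWellFormedDn, unescapeOnce, report) are hypothetical; CASE1 and CASE2 are built from the usernames shown in 1.1 and 2.1.

```javascript
// Added example; helper names are hypothetical, not MongoDB APIs.
// Usernames as stored in $external, rebuilt from the report:
// case 1 has one backslash before each in-value comma, case 2 has two.
const CASE1 = 'CN=Doe\\, John (the second one),' +
  'OU=FooBar (with commas\\, left and right parens),DC=ACME,DC=QA';
const CASE2 = CASE1.replace(/\\/g, '\\\\');

// Split a DN into RDNs at unescaped commas only.
// RFC 4514: a backslash escapes the character that follows it.
function splitDn(dn) {
  const rdns = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {
      cur += ch + dn[++i]; // keep the escape pair intact
    } else if (ch === ',') {
      rdns.push(cur);      // unescaped comma ends the RDN
      cur = '';
    } else {
      cur += ch;
    }
  }
  rdns.push(cur);
  return rdns;
}

// Every RDN must start with an attribute type followed by "=".
function isWellFormedDn(dn) {
  return splitDn(dn).every((rdn) => /^\s*[A-Za-z][A-Za-z0-9-]*=/.test(rdn));
}

// Remove exactly one level of backslash escaping.
function unescapeOnce(s) {
  return s.replace(/\\(.)/g, '$1');
}

// Summary for one stored username.
function report(name) {
  return {
    rdns: splitDn(name).length,
    wellFormed: isWellFormedDn(name),
    afterOneUnescape: unescapeOnce(name),
  };
}

console.log('case 1:', report(CASE1));
console.log('case 2:', report(CASE2));
```

The case 1 name is the valid DN (4 RDNs, matching the ldapsearch result), while the case 2 name only matches that DN after one escaping level is stripped, which is the BindDN logged in 2.3.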