Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-45938

Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile

    • Type: Icon: Improvement Improvement
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.7.0, 4.4.2, 4.2.11, 4.0.21
    • Affects Version/s: 3.2.22, 3.6.17, 3.4.24, 4.2.3, 4.3.3, 4.0.16
    • Component/s: Security
    • None
    • Fully Compatible
    • v4.4, v4.2, v4.0
    • Security 2020-02-24, Security 2020-08-24, Security 2020-09-07

      When creating a new client x.509 user via createUser, MongoDB validates that the O/OU/DC do not match to prevent the user from being considered an internal cluster member with _system privileges. However this only applies if clusterMode: x509. If clusterMode: keyFile, then matching O/OU/DC does not grant _system privileges, but MongoDB still prevents these users from being created. So if clusterMode: keyFile, then we should not enforce the matching O/OU/DC restriction between client and PEMKeyFile/clusterFile certs.

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            james.kovacs@mongodb.com James Kovacs
            Votes:
            1 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: