When creating a new client x.509 user via createUser, MongoDB validates that the O/OU/DC do not match to prevent the user from being considered an internal cluster member with _system privileges. However, this only applies if clusterMode: x509. If clusterMode: keyFile, then matching O/OU/DC does not grant _system privileges, but MongoDB still prevents these users from being created. So if clusterMode: keyFile, then we should not enforce the matching O/OU/DC restriction between client and PEMKeyFile/clusterFile certs.
- is caused by
  - SERVER-11025 Adding a user with x509 certificate = server certificate appears to work (Closed)
  - SERVER-15459 Check new X509 user names against _clusterIdMatch (Closed)
- is related to
  - SERVER-73576 enforceUserClusterSeparation authenticate validation incorrect (Closed)
- related to
  - SERVER-54136 Make the authenticate command respect enforceUserClusterSeparation (Closed)
  - SERVER-14655 x.509 certificate authentication requires O,OU to differ between client and server (Closed)
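The check described in this ticket, as an added example that models the reported and the proposed behaviour; it is not MongoDB source code. The function names, the `relaxed_for_keyfile` switch and the sample DNs are hypothetical, and the model assumes simple comma-separated subject strings compared without regard to attribute order.

```python
import re

CLUSTER_ATTRS = ("O", "OU", "DC")  # attributes the ticket says are compared

def cluster_attrs(dn):
    """Collect the O/OU/DC values of a subject string such as 'CN=a,OU=b,O=c'.

    Simplification (assumption): RDNs are split on unescaped commas and
    multi-valued RDNs ('+') are not handled.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        key = key.strip().upper()
        if key in CLUSTER_ATTRS:
            attrs.setdefault(key, []).append(value.strip().replace("\\,", ","))
    # Order-insensitive comparison is an assumption of this model.
    return {k: sorted(v) for k, v in attrs.items()}

def looks_like_cluster_member(client_dn, server_dn):
    """True when the client subject carries the same O/OU/DC set as the server's."""
    return cluster_attrs(client_dn) == cluster_attrs(server_dn)

def create_user_allowed(client_dn, server_dn, cluster_mode, relaxed_for_keyfile):
    """Decide whether createUser accepts an x.509 user name.

    relaxed_for_keyfile=False models the behaviour the ticket reports;
    True models the change it asks for.
    """
    if cluster_mode not in ("x509", "keyFile"):
        raise ValueError("this model covers only the two modes named in the ticket")
    if not looks_like_cluster_member(client_dn, server_dn):
        return True   # distinct O/OU/DC: never confused with a cluster member
    if cluster_mode == "x509":
        return False  # a matching subject would be treated as an internal member
    return relaxed_for_keyfile  # keyFile: a matching subject grants nothing

# Constructed sample subjects (not taken from the ticket).
SERVER_DN = "CN=node1.example.net,OU=Cluster,O=ExampleCorp,DC=example,DC=net"
CLIENT_SAME = "CN=app-user,O=ExampleCorp,OU=Cluster,DC=net,DC=example"
CLIENT_DIFF = "CN=app-user,OU=Clients,O=ExampleCorp,DC=example,DC=net"

if __name__ == "__main__":
    for mode in ("x509", "keyFile"):
        for relaxed in (False, True):
            verdict = create_user_allowed(CLIENT_SAME, SERVER_DN, mode, relaxed)
            print(f"mode={mode:8} relaxed={relaxed!s:5} matching-subject user allowed={verdict}")
```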