...
When LDAP authentication and authorization are enabled in the server, the contents of the {USER} value in the security.ldap.authz.queryTemplate configuration option need to be escaped in accordance with RFC 4515. Please see the example below:

$ mongo --host rhel-73.acme.qa --authenticationDatabase '$external' --authenticationMechanism PLAIN --username peter.pan -p
MongoDB shell version v3.4.9
Enter password:
connecting to: mongodb://rhel-73.acme.qa:27017/
MongoDB server version: 3.4.9
2017-10-18T11:37:14.679-0700 E QUERY [thread1] Error: Failed to acquire LDAP group membership :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1461:20
@(auth):7:1
@(auth):1:2
exception: login failed

mongod.log:

2017-10-18T11:37:14.679-0700 E ACCESS [conn5] LDAP authorization failed: UnknownError: Failed to obtain LDAP entities for query 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"': LDAP Operation , Failed to perform query: Bad search filter' Query was: 'BaseDN: "cn=Users,dc=ACME,dc=QA", Scope: "sub", Filter: "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA))"'". (-7/Bad search filter)

Corresponding ldapsearch reproduction (please disregard bash-related escaping of the single quote character):

$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\, Peter (J.M. Barrie'"'"'s fictional character),CN=Users,DC=ACME,DC=QA))' cn
Enter LDAP Password:
ldap_search_ext: Bad search filter (-7)

Correct search filter syntax (please disregard bash-related escaping of the single quote character):

$ ldapsearch -LLL -H ldap://ad.acme.qa -D 'mdb@acme.qa' -W -b "CN=Users,DC=ACME,DC=QA" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Pan\\2c Peter \\28J.M. Barrie'"'"'s fictional character\\29,CN=Users,DC=ACME,DC=QA))' cn
Enter LDAP Password:
dn: CN=Global-Admins-Database,CN=Users,DC=ACME,DC=QA
cn: Global-Admins-Database
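As an added illustration (not code from the ticket or from the fix commits), the Python below applies the RFC 4515 section 3 escaping the report asks for to the user DN before substituting it into the queryTemplate from the report, and contrasts the result with the raw substitution that produced "Bad search filter". It follows the RFC literally, so the DN's existing RFC 4514 `\,` becomes `\5c,` rather than the `\2c` used in the hand-built ldapsearch filter above; the well-formedness check is a minimal structural check, not a full filter parser.

```python
import re

# Characters that RFC 4515 section 3 requires to be escaped inside an
# assertion value; each becomes a backslash followed by two hex digits.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Query template and user DN taken from the report; the DN carries an
# RFC 4514 escaped comma and parentheses, which break the unescaped filter.
QUERY_TEMPLATE = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
USER_DN = r"CN=Pan\, Peter (J.M. Barrie's fictional character),CN=Users,DC=ACME,DC=QA"

_HEX_PAIR = re.compile(r"[0-9a-fA-F]{2}")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter (RFC 4515 s.3)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, user_dn: str, escape: bool = True) -> str:
    """Substitute the DN for {USER}, escaped or (for comparison) raw as the bug did."""
    value = escape_filter_value(user_dn) if escape else user_dn
    return template.replace("{USER}", value)


def filter_is_well_formed(ldap_filter: str) -> bool:
    """Structural check only, not a full RFC 4515 parser: every backslash must
    start a \\xx hex escape, and parentheses must nest and balance."""
    depth, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            if not _HEX_PAIR.fullmatch(ldap_filter[i + 1:i + 3]):
                return False  # e.g. the "\," left over from the RFC 4514 DN
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    for escaped in (False, True):
        f = build_filter(QUERY_TEMPLATE, USER_DN, escape=escaped)
        print("escaped" if escaped else "raw", filter_is_well_formed(f), f)
```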
xgen-internal-githook commented on Thu, 4 Jan 2018 18:59:03 +0000:

Author: {'name': 'Andrey Brindeyev', 'email': 'andrey.brindeyev@mongodb.com'}
Message: SERVER-31625 RFC4515 escape DNs substituted in LDAP query filter
Closes #32
(cherry picked from commit bd0e263e5813659193bfc53a92a908f64d3344d5)
Branch: v3.4
https://github.com/10gen/mongo-enterprise-modules/commit/aa831a2e71bffbae8e2398851be13111ad525686

xgen-internal-githook commented on Thu, 4 Jan 2018 17:13:46 +0000:

Author: {'name': 'Andrey Brindeyev', 'email': 'andrey.brindeyev@mongodb.com'}
Message: SERVER-31625 RFC4515 escape DNs substituted in LDAP query filter
Closes #32
(cherry picked from commit bd0e263e5813659193bfc53a92a908f64d3344d5)
Branch: v3.6
https://github.com/10gen/mongo-enterprise-modules/commit/0439ffb780809d3561061542bedefeff917fb159

xgen-internal-githook commented on Tue, 5 Dec 2017 20:33:20 +0000:

Author: {'email': 'andrey.brindeyev@mongodb.com', 'name': 'Andrey Brindeyev'}
Message: SERVER-31625 RFC4515 escape DNs substituted in LDAP query filter
Closes #32
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/bd0e263e5813659193bfc53a92a908f64d3344d5