LDAP Security: The ldapQuery used earlier is not working now, resulting in LDAP Bad search filter (-7)

Hi team,

I configured Google LDAP authentication for our Percona Mongo servers a while ago, about 6 months ago. For security reasons, we have changed the LDAP authentication to OneLogin LDAP instead of Google. We took a backup of the mongod.conf prepared for Google LDAP authentication before moving to OneLogin.

When we wanted to use Google LDAP again now, the ldapQuery being used results in Bad search filter. The same config worked before and we are trying to use it now. Suspecting that there could be some changes made in the Google LDAP schema, we tried updating the LDAP filter; the updated one worked fine when tested with a local LDAP client, but when the same filter is used in the Percona Mongo config it gives us an empty DN, due to which the authorization query fails.

Also, the Percona Mongo documentation for LDAP seems to be old. Is there anything to be updated there to support Google LDAP?

We request support from the Percona community to help us fix this issue.

LDAP config:

security:
  authorization: enabled
  keyFile: /var/lib/mongo/mongodb-keyfile
  ldap:   #Authentication with LDAP
    servers: "hostname:1636"  # using stunnel as a proxy to Google LDAP
    userToDNMapping: '[
        {
        match: "(.+)",
        ldapQuery: "(&(objectClass=organizationalPerson)(uid={0}))"
        }
    ]'
    authz:
      queryTemplate: "dc=company,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
    bind:
      queryUser: "XXXXXXXXXXXX"
      queryPassword: XXXXXXXXXXXXXXXXXXX
      method: "simple"
    transportSecurity: "none"

Queries:

Earlier: dc=company,dc=com??sub?(&(objectClass=organizationalPerson)(uid={0})) -> resulting in Bad search filter
Updated: (&(objectClass=organizationalPerson)(uid={0})) -> resulting in empty DN

Error Log (after updating the ldap query):

{"t":{"$date":"2023-11-15T12:36:58.026+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn46","msg":"Authentication failed","attr":{"mechanism":"PLAIN","speculative":false,"principalName":"","authenticationDatabase":"$external","remote":"10.100.4.5:53546","extraInfo":{},"error":"LDAPLibraryError: LDAP search failed with error: Invalid DN syntax"}}

principalName is empty where a DN is expected from the ldapQuery.

Version Details:

Percona Mongo - v4.4.19
OS - Debian 11 - AMD64
LDAP utilities installed on the machine:
ldap-utils - 2.4.57+dfsg-3+deb11u1
libldap-2.4-2:amd64 - 2.4.57+dfsg-3+deb11u1
libldap-common - 2.4.57+dfsg-3+deb11u1

Hi @Suhas_Gudaboina !
Generally the first version should work; I don't see any changes in the Google LDAP schema for the last half a year. The error "bad search filter" in most cases means some typo in your query. Could you please try again with more verbose logging enabled, and provide us with the logs from mongod?


Hi @Suhas_Gudaboina
Please let us know if you updated the PSMDB version recently. Did your system work with PSMDB v4.4.19 or with some earlier release?
Your new query is in an incorrect format. It only contains the filter expression, but it should be the full query containing the DN, scope, and filter expression. So your "earlier" query looks more correct.
Can you please return to the previous configuration which was working earlier and provide us with the snippet from the server log containing the "Bad search filter" error?
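A small checker for the two query shapes discussed in this thread (the full `baseDN?attributes?scope?filter` template versus a bare filter), added here as an example; it is not Percona's or MongoDB's own parser, and the two query strings from the thread are used as constructed input.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two query strings quoted in the thread.
EARLIER = "dc=company,dc=com??sub?(&(objectClass=organizationalPerson)(uid={0}))"
UPDATED = "(&(objectClass=organizationalPerson)(uid={0}))"

VALID_SCOPES = {"base", "one", "sub"}


@dataclass
class LdapQueryTemplate:
    base_dn: str
    attributes: str
    scope: str
    filter: str


def balanced_filter(flt: str) -> bool:
    """Cheap sanity check on an RFC 4515 filter: wrapped in parentheses and balanced."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def parse_query_template(q: str) -> LdapQueryTemplate:
    """Split a 'baseDN?attributes?scope?filter' template, the shape that
    userToDNMapping.ldapQuery and authz.queryTemplate expect in this thread.
    Raises ValueError with a hint when only a bare filter is supplied."""
    if q.startswith("("):
        raise ValueError("bare filter given, expected 'baseDN?attributes?scope?filter'")
    parts = q.split("?", 3)  # keep any '?' inside the filter intact
    if len(parts) != 4:
        raise ValueError(f"expected 4 '?'-separated fields, got {len(parts)}")
    base_dn, attrs, scope, flt = parts
    if "=" not in base_dn:
        raise ValueError("base DN is empty or not a DN")
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {sorted(VALID_SCOPES)}")
    if not balanced_filter(flt):
        raise ValueError("filter is not a parenthesised, balanced LDAP filter")
    return LdapQueryTemplate(base_dn, attrs, scope, flt)


def check_template(q: str) -> Optional[str]:
    """Return None when the template is well-formed, otherwise the problem found."""
    try:
        parse_query_template(q)
        return None
    except ValueError as e:
        return str(e)
```

Running `check_template` over a mongod.conf before restarting the server catches the bare-filter mistake locally instead of in the authentication log.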