Hi team,
I configured Google LDAP authentication for our Percona Mongo servers a while ago, about 6 months back. For security reasons, we changed the LDAP authentication to OneLogin LDAP instead of Google. We took a backup of the mongod.conf prepared for Google LDAP authentication before moving to OneLogin.
Now that we want to use Google LDAP again, the ldapQuery being used results in "Bad search filter". The same config worked before and we are trying to use it now. Suspecting there could have been some changes in the Google LDAP schema, we tried updating the LDAP filter; the updated one worked fine when tested with a local LDAP client, but the same filter, when used in the Percona Mongo config, gives us an empty DN, due to which the authorization query fails.
Also, the Percona Mongo documentation for LDAP seems to be old. Is there anything to be updated there to support Google LDAP?
We request support from the Percona community to help us fix this issue.
LDAP config:

    security:
      authorization: enabled
      keyFile: /var/lib/mongo/mongodb-keyfile
      ldap: # Authentication with LDAP
        servers: "hostname:1636"   # using STUNNEL as a proxy to Google LDAP
        userToDNMapping: '[
          {
            match: "(.+)",
            ldapQuery: "(&(objectClass=organizationalPerson)(uid={0}))"
          }
        ]'
        authz:
          queryTemplate: "dc=company,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"
        bind:
          queryUser: "XXXXXXXXXXXX"
          queryPassword: XXXXXXXXXXXXXXXXXXX
          method: "simple"
        transportSecurity: "none"
Queries:

    Earlier: dc=company,dc=com??sub?(&(objectClass=organizationalPerson)(uid={0}))
    -> resulting in "Bad search filter"
    Updated: (&(objectClass=organizationalPerson)(uid={0}))
    -> resulting in an empty DN
Error log (after updating the ldapQuery):

    {"t":{"$date":"2023-11-15T12:36:58.026+00:00"},"s":"I", "c":"ACCESS", "id":20249, "ctx":"conn46","msg":"Authentication failed","attr":{"mechanism":"PLAIN","speculative":false,"principalName":"","authenticationDatabase":"$external","remote":"10.100.4.5:53546","extraInfo":{},"error":"LDAPLibraryError: LDAP search failed with error: Invalid DN syntax"}}

principalName is empty where the DN from the ldapQuery is expected.
Version details:

    Percona Mongo - v4.4.19
    OS - Debian 11 - AMD64

LDAP utilities installed on the machine:

    ldap-utils - 2.4.57+dfsg-3+deb11u1
    libldap-2.4-2:amd64 - 2.4.57+dfsg-3+deb11u1
    libldap-common - 2.4.57+dfsg-3+deb11u1
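An added stand-alone check (not Percona's code and not the poster's) that expands the userToDNMapping and authz queryTemplate from the post the way a relative LDAP URL is split under RFC 4516 (dn?attributes?scope?filter), with RFC 4515 escaping of the substituted username. It shows why a bare filter with no "?" separators lands in the base-DN slot and fails DN validation; the sample mapping and DNs are constructed, and the DN check is a simplified one (no escaped commas).

```python
import re
from typing import Optional

# Constructed sample mirroring the post's config (not the real Google LDAP schema).
USER_TO_DN_MAPPING = [
    {"match": "(.+)",
     "ldapQuery": "dc=company,dc=com??sub?(&(objectClass=organizationalPerson)(uid={0}))"},
]
AUTHZ_QUERY_TEMPLATE = "dc=company,dc=com??sub?(&(objectClass=groupOfNames)(member={USER}))"

# RFC 4515: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Simplified DN shape: attr=value(,attr=value)*; good enough to spot a filter in the DN slot.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a value before splicing it into a search filter (blocks filter injection)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_query(query: str) -> dict:
    """Split a relative LDAP URL 'dn?attrs?scope?filter' (RFC 4516) into its parts.
    A string without '?' is treated entirely as the DN, so a bare filter ends up as
    an (invalid) base DN and the filter slot stays empty."""
    base, *rest = query.split("?", 3)
    rest += [""] * (3 - len(rest))
    attrs, scope, flt = rest
    return {"base": base, "attributes": attrs, "scope": scope or "base",
            "filter": flt, "base_is_valid_dn": bool(_DN_RE.match(base))}


def expand_user_to_dn(username: str, mapping=USER_TO_DN_MAPPING) -> Optional[dict]:
    """Apply the first rule whose regex matches the login name; fill {0}, {1}, ...
    with the escaped capture groups, then parse the resulting relative URL."""
    for rule in mapping:
        m = re.fullmatch(rule["match"], username)
        if m is None:
            continue
        query = rule["ldapQuery"]
        for i, grp in enumerate(m.groups()):
            query = query.replace("{%d}" % i, escape_filter_value(grp))
        return parse_ldap_query(query)
    return None  # no rule matched: nothing to search for


def expand_authz_query(user_dn: str, template=AUTHZ_QUERY_TEMPLATE) -> dict:
    """Fill {USER} in the authz queryTemplate with the resolved DN, escaped."""
    return parse_ldap_query(template.replace("{USER}", escape_filter_value(user_dn)))
```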