Hi,
I’m trying to set up LDAP (AD) based authentication in my Percona MongoDB cluster hosted via Percona MongoDB operator in k8s.
My ldap config looks like this:
....
ldap:
  servers: company.com:1234
  transportSecurity: none
  bind:
    queryUser: queryUser@company.com
    queryPassword: {{ queryUser__password}}
  authz:
    queryTemplate: "OU=Managed,OU=Groups,DC=company,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
  userToDNMapping: >-
    [
      {
        match: "(.+)",
        ldapQuery: "OU=Workers,DC=company,DC=com??sub?(&(objectClass=organizationalPerson)(sAMAccountName={0}))"
      }
    ]
My example user full dn looks like this:
CN=Surname\, Name,OU=Workers,DC=company,DC=com
And the user is a member of the group:
CN=MongoDB - Admin,OU=Managed,OU=Groups,DC=company,DC=com
Authentication does succeed, however, during role mapping, I get the following error:
MongoServerError: LDAP search failed with error: Bad search filter
I’ve tried testing with ldapsearch, and my conclusion is that there is an issue with passing a DN containing a backslash and a comma to queryTemplate, as in ldapsearch the following query results in the same error:
ldapsearch -x -LLL -H ldap://company.com:1234 -D "queryUser" -w queryPwd -b "OU=Managed,OU=Groups,DC=company,DC=com" "(&(member=CN=Surname\, Name,OU=Workers,DC=company,DC=com)(objectClass=group))"
while this one succeeds (with the backslashes in the user CN multiplied):
ldapsearch -x -LLL -H ldap://company.com:1234 -D "queryUser" -w queryPwd -b "OU=Managed,OU=Groups,DC=company,DC=com" "(&(member=CN=Surname\\\, Name,OU=Workers,DC=company,DC=com)(objectClass=group))"
Do you have any suggestions on how to solve that setup so that I’ll be able to use group-based authentication?
Regards,
Bartosz
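The two ldapsearch invocations above differ only in how the backslash of the RFC 4514 DN escape `\,` is carried inside the search filter. The following Python snippet is an added example, not code from the post or from Percona/MongoDB, and it makes no claim about how mongod performs the `{USER}` substitution. It applies the RFC 4515 rule for assertion values (`\`, `*`, `(`, `)` and NUL become `\5c`, `\2a`, `\28`, `\29`, `\00`), substitutes the poster's example DN into the poster's queryTemplate filter, checks the result against the strict RFC 4515 escape grammar, and builds an ldapsearch command line whose filter is single-quoted so the shell leaves the backslashes alone. The host, bind user and search base defaults are taken from the post's config; the use of `-W` (prompt for the password) instead of `-w` on the command line is my change. What a particular LDAP client or server tolerates beyond the strict grammar is not asserted here.

```python
# Added example (not from the original post): RFC 4515 escaping of a DN that
# contains an RFC 4514 escape ("\,"), so that it can be used as an assertion
# value in the group-membership filter from the post's queryTemplate.
import shlex
import string

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The poster's example user DN. The "\," is an RFC 4514 DN escape and is part
# of the DN string itself; RFC 4515 then escapes that backslash a second time.
USER_DN = r"CN=Surname\, Name,OU=Workers,DC=company,DC=com"

# The filter part of the post's queryTemplate, with {USER} still to be substituted.
QUERY_TEMPLATE = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an RFC 4515 assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_membership_filter(user_dn: str, escape: bool = True) -> str:
    """Substitute the user DN into the queryTemplate, escaped or raw."""
    value = escape_filter_value(user_dn) if escape else user_dn
    return QUERY_TEMPLATE.replace("{USER}", value)


def filter_is_well_formed(flt: str) -> bool:
    """Strict RFC 4515 syntax check: parentheses balance and every backslash is
    followed by exactly two hex digits. A raw "\\," in the value fails this rule."""
    depth = 0
    i = 0
    while i < len(flt):
        ch = flt[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        elif ch == "\\":
            pair = flt[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                return False
            i += 2  # skip the two hex digits
        i += 1
    return depth == 0


def ldapsearch_command(user_dn: str,
                       host: str = "ldap://company.com:1234",      # from the post's config
                       bind_dn: str = "queryUser@company.com",     # from the post's config
                       base: str = "OU=Managed,OU=Groups,DC=company,DC=com") -> str:
    """Shell command line reproducing the group lookup with ldapsearch. Every
    argument is shell-quoted, so the backslashes in the filter reach ldapsearch
    unchanged; -W prompts for the bind password instead of putting it in argv."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", host, "-D", bind_dn, "-W",
            "-b", base, group_membership_filter(user_dn)]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    raw = group_membership_filter(USER_DN, escape=False)
    escaped = group_membership_filter(USER_DN)
    print("raw filter    :", raw, "| well-formed:", filter_is_well_formed(raw))
    print("escaped filter:", escaped, "| well-formed:", filter_is_well_formed(escaped))
    print(ldapsearch_command(USER_DN))
```

Running it shows the raw substitution failing the strict check because `\,` is not a hex escape, while the escaped form `CN=Surname\5c, Name,OU=Workers,DC=company,DC=com` passes; the comma itself needs no filter escaping. The printed ldapsearch line can be pasted into a shell to confirm the behaviour against the real directory.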