MongoDB LDAP Authentication - parsing CN with backslashes and commas issue

Hi,
I’m trying to set up LDAP (AD) based authentication in my Percona MongoDB cluster hosted via Percona MongoDB operator in k8s.

My ldap config looks like this:

....
ldap:
  servers: company.com:1234
  transportSecurity: none
  bind:
    queryUser: queryUser@company.com
    queryPassword: {{ queryUser__password}}
  authz:
    queryTemplate: "OU=Managed,OU=Groups,DC=company,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
  userToDNMapping: >-
    [
      {
        match: "(.+)",
        ldapQuery: "OU=Workers,DC=company,DC=com??sub?(&(objectClass=organizationalPerson)(sAMAccountName={0}))"
      }
    ]

My example user's full DN looks like this:
CN=Surname\, Name,OU=Workers,DC=company,DC=com

And the user is a member of the group:
CN=MongoDB - Admin,OU=Managed,OU=Groups,DC=company,DC=com

Authentication does succeed, however, during role mapping, I get the following error:
MongoServerError: LDAP search failed with error: Bad search filter

I’ve tried testing with ldapsearch, and my conclusion is that there is an issue with passing a DN with a backslash and comma to queryTemplate, as in ldapsearch the following query results in the same error:
ldapsearch -x -LLL -H ldap://company.com:1234 -D "queryUser" -w queryPwd -b "OU=Managed,OU=Groups,DC=company,DC=com" "(&(member=CN=Surname\, Name,OU=Workers,DC=company,DC=com)(objectClass=group))"

while this one does succeed (multiplied backslashes in user CN):
ldapsearch -x -LLL -H ldap://company.com:1234 -D "queryUser" -w queryPwd -b "OU=Managed,OU=Groups,DC=company,DC=com" "(&(member=CN=Surname\\\, Name,OU=Workers,DC=company,DC=com)(objectClass=group))"

Do you have any suggestions on how to solve that setup so that I’ll be able to use group-based authentication?

Regards,
Bartosz

I’m facing the same issue. Is there any BKM on that?

@Ivan_Groenewold any ideas would be appreciated :slight_smile:
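
An added example, not part of the original thread and not MongoDB or Percona code: RFC 4515 requires a literal backslash inside a search-filter value to be written as \5c (and *, ( and ) as \2a, \28 and \29), so the DN from the first post has to be escaped before it is placed in the ldapsearch filter. The function names are hypothetical and the DN is the sample from the post.

```shell
#!/bin/sh
# Added example: RFC 4515 escaping of a value before it goes into an LDAP filter.

# Escape the characters RFC 4515 reserves inside an assertion value.
# The backslash is handled first so the escapes added afterwards are not
# escaped a second time. (NUL, also reserved, cannot occur in a shell string.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Build the group-membership filter used in the ldapsearch test for a user DN.
member_filter() {
    printf '(&(member=%s)(objectClass=group))' "$(ldap_filter_escape "$1")"
}

# Sample DN from the post, single-quoted so the shell leaves the backslash alone.
USER_DN='CN=Surname\, Name,OU=Workers,DC=company,DC=com'

# Print the filter with the DN's backslash written as \5c.
member_filter "$USER_DN"
echo
```

The printed filter can be passed, single-quoted, as the filter argument of the ldapsearch test from the first post.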