Support for LDAP (Active Directory) Security Groups

Hi @mdiorio,
Thank you for this detailed question. I tried to reproduce this issue. Here are my steps:
1. I created a user with comma in its DN, common name of this user is “ln, fn”. DN name looks like this in “ADSI edit” utility: “CN=ln, fn,CN=Users,DC=engineering,DC=example,DC=com”
2. I also assigned userPrincipalName attribute to “lnfn@engineering.example.com”.
3. My config file is here:

security:
  authorization: enabled
  ldap:
    userToDNMapping: >-
      [
        {
          match: "(.+)",
          ldapQuery: "dc=example,dc=com??sub?(&(objectClass=organizationalPerson)(userPrincipalName={0}))"
        }
      ]
    bind:
      queryUser: "CN=alice,CN=Users,DC=engineering,DC=example,DC=com"
      queryPassword: "alice"
    authz:
      queryTemplate: "{USER}?memberOf?base"
setParameter:
  authenticationMechanisms: PLAIN,SCRAM-SHA-256,SCRAM-SHA-1

4. Now I start the mongo shell with these parameters:
./mongo -u "lnfn@engineering.example.com" -p --authenticationDatabase '$external' --authenticationMechanism 'PLAIN'

and it successfully authenticates to the server.
5. Here is what I see in the server log:

2020-05-14T14:54:07.012+0300 D1 ACCESS [conn1] Getting user lnfn@engineering.example.com@$external from disk
2020-05-14T14:54:07.012+0300 D1 ACCESS [conn1] Parsing LDAP URL: ldap://192.168.79.154:389/dc=example,dc=com??sub?(&(objectClass=organizationalPerson)(userPrincipalName=lnfn@engineering.example.com)); dn: dc=example,dc=com; scope: 2; filter: (&(objectClass=organizationalPerson)(userPrincipalName=lnfn@engineering.example.com))
2020-05-14T14:54:07.013+0300 D1 ACCESS [conn1] Parsing LDAP URL: ldap://192.168.79.154:389/CN=ln\, fn,CN=Users,DC=engineering,DC=example,DC=com?memberOf?base; dn: CN=ln\, fn,CN=Users,DC=engineering,DC=example,DC=com; scope: 0; filter: nullptr
2020-05-14T14:54:07.014+0300 I COMMAND [conn1] command admin.$cmd appName: "MongoDB Shell" command: isMaster { isMaster: 1, saslSupportedMechs: "$external.lnfn@engineering.example.com", hostInfo: "u64vm:27017", client: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.2.3" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } }, $db: "admin" } numYields:0 reslen:282 locks:{ ReplicationStateTransition: { acquireCount: { w: 1 } }, Global: { acquireCount: { r: 1 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } }, Mutex: { acquireCount: { r: 1 } } } storage:{ data: { bytesRead: 2708, timeReadingMicros: 3 } } protocol:op_query 2ms
2020-05-14T14:54:07.015+0300 D1 ACCESS [conn1] Parsing LDAP URL: ldap://192.168.79.154:389/dc=example,dc=com??sub?(&(objectClass=organizationalPerson)(userPrincipalName=lnfn@engineering.example.com)); dn: dc=example,dc=com; scope: 2; filter: (&(objectClass=organizationalPerson)(userPrincipalName=lnfn@engineering.example.com))
2020-05-14T14:54:07.019+0300 D1 ACCESS [conn1] Returning user lnfn@engineering.example.com@$external from cache
2020-05-14T14:54:07.019+0300 I ACCESS [conn1] Successfully authenticated as principal lnfn@engineering.example.com on $external from client 127.0.0.1:41518

So it looks like the comma in the DN is not the source of this “Operations error” message. I am not sure why you observe this error message, but one suspicious thing I noticed in your config is that you use the sAMAccountName attribute in the ldapQuery but not in your examples with the ldapsearch utility. Please try to execute ldapsearch with a query based on the sAMAccountName attribute.
Another issue in your config file is this line:

queryTemplate: "{USER},memberOf,base"

The correct syntax of this query is with question marks:

queryTemplate: "{USER}?memberOf?base"
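To make the two points above concrete (how the server turns a user name into the LDAP queries seen in the log, and why the comma-separated queryTemplate is malformed), here is an added example that is not part of the original post and not Percona's or MongoDB's own code. It is a stand-alone Python re-implementation of the RFC 4516 `dn?attributes?scope?filter` query syntax plus RFC 4514 DN escaping, working entirely offline on constructed input. The function names, the assumption that `match` is applied with `re.match` and that capture groups fill `{0}`, `{1}`, ... in `ldapQuery`, and the sample DN are all mine; the real server's parser may differ in details.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Scope keywords allowed in the "?scope?" field of an LDAP URL (RFC 4516),
# mapped to the numeric values the server log prints ("scope: 2" is "sub").
SCOPES = {"base": 0, "one": 1, "sub": 2}


@dataclass
class LdapQuery:
    dn: str
    attributes: list = field(default_factory=list)
    scope: int = 0
    filter: Optional[str] = None


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4).
    "ln, fn" becomes "ln\\, fn", the form the server log shows for the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def validate_dn(dn: str) -> None:
    """Every RDN must look like 'type=value'; a bare token such as 'memberOf'
    (what '{USER},memberOf,base' produces) is rejected here."""
    for rdn in split_rdns(dn):
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=.*", rdn.strip()):
            raise ValueError(f"invalid RDN {rdn!r} in DN {dn!r}")


def parse_ldap_query(query: str) -> LdapQuery:
    """Parse 'dn?attributes?scope?filter' (the part of an LDAP URL after
    host:port, RFC 4516). Missing fields take the RFC defaults."""
    parts = query.split("?", 3)
    dn = parts[0]
    validate_dn(dn)
    attrs = [a for a in parts[1].split(",") if a] if len(parts) > 1 else []
    scope_word = parts[2] if len(parts) > 2 and parts[2] else "base"
    if scope_word not in SCOPES:
        raise ValueError(f"unknown scope {scope_word!r}")
    flt = parts[3] if len(parts) > 3 and parts[3] else None
    return LdapQuery(dn, attrs, SCOPES[scope_word], flt)


def map_user_to_query(username: str, mapping: list) -> LdapQuery:
    """Apply userToDNMapping (assumed semantics): the first rule whose regex
    matches wins, and its capture groups replace {0}, {1}, ... in ldapQuery."""
    for rule in mapping:
        m = re.match(rule["match"], username)
        if m:
            query = rule["ldapQuery"]
            for i, group in enumerate(m.groups()):
                query = query.replace("{" + str(i) + "}", group)
            return parse_ldap_query(query)
    raise ValueError(f"no userToDNMapping rule matches {username!r}")


def authz_query(template: str, user_dn: str) -> LdapQuery:
    """Substitute the resolved (already escaped) DN into the authz
    queryTemplate and parse the result."""
    return parse_ldap_query(template.replace("{USER}", user_dn))


def template_is_valid(template: str, user_dn: str) -> bool:
    """True if the queryTemplate yields a well-formed LDAP query for this DN."""
    try:
        authz_query(template, user_dn)
        return True
    except ValueError:
        return False


# Constructed sample input mirroring the post: a CN containing a comma and
# the userToDNMapping from the config above.
USER_DN = "CN=" + escape_dn_value("ln, fn") + ",CN=Users,DC=engineering,DC=example,DC=com"
MAPPING = [{
    "match": "(.+)",
    "ldapQuery": "dc=example,dc=com??sub?(&(objectClass=organizationalPerson)(userPrincipalName={0}))",
}]

if __name__ == "__main__":
    print(map_user_to_query("lnfn@engineering.example.com", MAPPING))
    print(authz_query("{USER}?memberOf?base", USER_DN))
    print("comma template valid:", template_is_valid("{USER},memberOf,base", USER_DN))
```

Running it reproduces the two "Parsing LDAP URL" lines from the log: the mapping query resolves to base DN `dc=example,dc=com`, scope 2 and the userPrincipalName filter, and the authz template resolves to the escaped user DN with attribute `memberOf`, scope 0 and no filter. The comma-separated template never reaches the `?` split, so `memberOf` and `base` are swallowed into the DN as RDNs without an `=` and the query is rejected.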