Percona Server for MongoDB
PSMDB-630

Some LDAP servers drop idle connections upon timeout

    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 4.2.6-6
    • Fix Version/s: 4.2.8-8
    • Component/s: Core
    • Labels:
      None

      Description

      PSMDB LDAP is working just fine when the MongoDB server is freshly started.  Users can connect and authenticate/authorize via LDAP without issue.  After a period of time, users become unable to connect and receive:

      connecting to: mongodb://hq-1papcmongo:27017/?authMechanism=PLAIN&authSource=%24external&compressors=disabled&gssapiServiceName=mongodb
      2020-05-19T11:58:53.466-0400 E  QUERY    [js] Error: LDAP search failed with error: Can't contact LDAP server :
      connect@src/mongo/shell/mongo.js:341:17
      @(connect):3:6
      2020-05-19T11:58:53.470-0400 F  -        [main] exception: connect failed
      2020-05-19T11:58:53.470-0400 E  -        [main] exiting with code 1
      

      The following is logged in mongod.log

      2020-05-21T09:11:59.548-0400 I  NETWORK  [listener] connection accepted from 10.85.148.142:65276 #7 (1 connection now open)
      2020-05-21T09:11:59.555-0400 D2 COMMAND  [conn7] run command admin.$cmd { isMaster: 1, saslSupportedMechs: "$external.mdiorio", hostInfo: "Maxs-MacBook-Pro.local:27017", client: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.2.0" }, os: { type: "Darwin", name: "Mac OS X", architecture: "x86_64", version: "19.4.0" } }, $db: "admin" }
      2020-05-21T09:11:59.555-0400 I  NETWORK  [conn7] received client metadata from 10.85.148.142:65276 conn7: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.2.0" }, os: { type: "Darwin", name: "Mac OS X", architecture: "x86_64", version: "19.4.0" } }
      2020-05-21T09:11:59.555-0400 D1 ACCESS   [conn7] Getting user mdiorio@$external from disk
      2020-05-21T09:11:59.555-0400 D1 ACCESS   [conn7] Parsing LDAP URL: ldap://10.85.128.5/ou=Accounts,dc=internal,dc=domain,dc=com??sub?(&(objectClass=person)(sAMAccountName=mdiorio)); dn: ou=Accounts,dc=internal,dc=domain,dc=com; scope: 2; filter: (&(objectClass=person)(sAMAccountName=mdiorio))
      2020-05-21T09:11:59.555-0400 D1 -        [conn7] User Assertion: LDAPLibraryError: LDAP search failed with error: Can't contact LDAP server src/mongo/db/auth/sasl_mechanism_registry.cpp 114
      2020-05-21T09:11:59.556-0400 D1 COMMAND  [conn7] assertion while executing command 'isMaster' on database 'admin' with arguments '{ isMaster: 1, saslSupportedMechs: "$external.mdiorio", hostInfo: "Maxs-MacBook-Pro.local:27017", client: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.2.0" }, os: { type: "Darwin", name: "Mac OS X", architecture: "x86_64", version: "19.4.0" } }, $db: "admin" }': LDAPLibraryError: LDAP search failed with error: Can't contact LDAP server
      2020-05-21T09:11:59.556-0400 I  COMMAND  [conn7] command admin.$cmd appName: "MongoDB Shell" command: isMaster { isMaster: 1, saslSupportedMechs: "$external.mdiorio", hostInfo: "Maxs-MacBook-Pro.local:27017", client: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.2.0" }, os: { type: "Darwin", name: "Mac OS X", architecture: "x86_64", version: "19.4.0" } }, $db: "admin" } numYields:0 ok:0 errMsg:"LDAP search failed with error: Can't contact LDAP server" errName:LDAPLibraryError errCode:9390 reslen:163 locks:{} protocol:op_query 0ms
      2020-05-21T09:11:59.605-0400 D2 NETWORK  [conn7] Session from 10.85.148.142:65276 encountered a network error during SourceMessage: HostUnreachable: Connection closed by peer
      2020-05-21T09:11:59.605-0400 I  NETWORK  [conn7] end connection 10.85.148.142:65276 (0 connections now open)
      

      I have tried using hostname, IP address, and our LDAP load balancer, and all 3 eventually produce the same "Can't contact LDAP server" error.

      We are connecting to Microsoft Active Directory 2012 R2 servers, and no other application has an issue with connecting.

      During the time when MongoDB says it can't connect, I am able to perform ldapsearch queries from the command line of the MongoDB server without issue.

      MongoDB and the domain controllers sit on the same network with <0.300 ms ping response times.  

       

      # mongod.conf
      security:
        authorization: enabled
        ldap:
          transportSecurity: none
          servers: 10.85.128.5
          bind:
            queryUser: "CN=SVC_LDAP_RO,OU=General,OU=Service,OU=Accounts,DC=internal,DC=domain,DC=com"
            queryPassword: "password"
          userToDNMapping: >-
            [
              {
                match: "(.+)",
                ldapQuery: "ou=Accounts,dc=internal,dc=domain,dc=com??sub?(&(objectClass=person)(sAMAccountName={0}))"
              }
            ]
          authz:
            queryTemplate: "{USER}?memberOf?base"
      setParameter:
      

       
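The symptom pattern in the report (fresh server works, the same search fails after a quiet period, while a command-line ldapsearch from the same host still succeeds) is what a long-lived, never-validated LDAP connection looks like when the directory server closes idle sessions: each ldapsearch opens a new connection, whereas a persistent client keeps writing to a socket the server has already closed and gets LDAP_SERVER_DOWN, surfaced by libldap as "Can't contact LDAP server". The following is an added example, not Percona Server for MongoDB code and not a real LDAP client: it simulates a domain controller that drops idle connections (Active Directory's MaxConnIdleTime LDAP policy defaults to 900 seconds) and contrasts a naive reuse-forever pool with one that discards connections idle past a client-side limit and reconnects once on LDAP_SERVER_DOWN. The base DN, filter and class names are constructed for the example.

```python
"""Idle-timeout handling for a long-lived LDAP connection (simulated).

Added example for this issue, not Percona Server for MongoDB code. It uses
no real LDAP library: FakeLdapConnection is a constructed stand-in for a
bound connection to an AD domain controller that closes connections idle
longer than its MaxConnIdleTime policy (900 s by default).
"""
from typing import Callable, Dict, List, Optional

# Constructed values mirroring the search in the report; not real infrastructure.
BASE_DN = "ou=Accounts,dc=internal,dc=domain,dc=com"
FILTER = "(&(objectClass=person)(sAMAccountName=mdiorio))"


class LdapServerDown(Exception):
    """Stands in for libldap's LDAP_SERVER_DOWN ('Can't contact LDAP server')."""


class FakeClock:
    """Deterministic clock so the idle period can be simulated instantly."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class FakeLdapConnection:
    """Constructed stand-in: the server silently closes the socket once the
    connection has been idle longer than server_idle_timeout; the client only
    finds out when its next request fails."""

    def __init__(self, clock: Callable[[], float], server_idle_timeout: float) -> None:
        self._clock = clock
        self._server_idle_timeout = server_idle_timeout
        self._last_used = clock()
        self.closed = False

    def search(self, base_dn: str, filt: str) -> List[str]:
        now = self._clock()
        if self.closed or now - self._last_used > self._server_idle_timeout:
            self.closed = True
            raise LdapServerDown("Can't contact LDAP server")
        self._last_used = now
        return [f"entry matching {filt} under {base_dn}"]


class NaivePool:
    """Reproduces the bug: one connection, reused forever, never validated."""

    def __init__(self, connect: Callable[[], FakeLdapConnection]) -> None:
        self._connect = connect
        self._conn: Optional[FakeLdapConnection] = None

    def search(self, base_dn: str, filt: str) -> List[str]:
        if self._conn is None:
            self._conn = self._connect()
        return self._conn.search(base_dn, filt)


class IdleAwarePool:
    """Fix: discard a connection idle longer than max_idle before reusing it,
    and if the server dropped it first (LDAP_SERVER_DOWN), reconnect once
    and retry before surfacing the error."""

    def __init__(self, connect: Callable[[], FakeLdapConnection],
                 clock: Callable[[], float], max_idle: float) -> None:
        self._connect = connect
        self._clock = clock
        self._max_idle = max_idle
        self._conn: Optional[FakeLdapConnection] = None
        self._last_used = 0.0
        self.connections_opened = 0  # instrumentation for the demo
        self.retries = 0

    def _get(self) -> FakeLdapConnection:
        if self._conn is not None and self._clock() - self._last_used > self._max_idle:
            self._conn = None  # proactively drop a probably-dead connection
        if self._conn is None:
            self._conn = self._connect()
            self.connections_opened += 1
        return self._conn

    def _do_search(self, base_dn: str, filt: str) -> List[str]:
        result = self._get().search(base_dn, filt)
        self._last_used = self._clock()
        return result

    def search(self, base_dn: str, filt: str) -> List[str]:
        try:
            return self._do_search(base_dn, filt)
        except LdapServerDown:
            self._conn = None  # server closed it; rebuild on the retry
            self.retries += 1
            return self._do_search(base_dn, filt)  # a second failure propagates


def demo(server_idle_timeout: float = 900.0, idle_gap: float = 1000.0) -> Dict[str, object]:
    """Run three scenarios against the same simulated server and report outcomes."""
    clock = FakeClock()

    def connect() -> FakeLdapConnection:
        return FakeLdapConnection(clock.now, server_idle_timeout)

    out: Dict[str, object] = {}

    # 1. Bug: works on a fresh server, fails after the idle gap.
    naive = NaivePool(connect)
    naive.search(BASE_DN, FILTER)
    clock.advance(idle_gap)
    try:
        naive.search(BASE_DN, FILTER)
        out["naive"] = "ok"
    except LdapServerDown as exc:
        out["naive"] = str(exc)

    # 2. Fix with client idle limit below the server's: reconnects before failing.
    proactive = IdleAwarePool(connect, clock.now, max_idle=600.0)
    proactive.search(BASE_DN, FILTER)
    clock.advance(idle_gap)
    proactive.search(BASE_DN, FILTER)
    out["proactive"] = (proactive.connections_opened, proactive.retries)

    # 3. Fix with client idle limit misconfigured above the server's: the first
    # request after the gap fails, the retry on a fresh connection succeeds.
    reactive = IdleAwarePool(connect, clock.now, max_idle=3600.0)
    reactive.search(BASE_DN, FILTER)
    clock.advance(idle_gap)
    reactive.search(BASE_DN, FILTER)
    out["reactive"] = (reactive.connections_opened, reactive.retries)
    return out


if __name__ == "__main__":
    print(demo())
```

Scenario 3 is the one to keep in mind when the client-side idle limit is configurable: a limit above the server's policy only works because of the reconnect-and-retry path, so a single retry on LDAP_SERVER_DOWN is the minimum a persistent client needs even when it also ages out idle connections.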

              People

              Assignee:
              igor.solodovnikov Igor Solodovnikov
              Reporter:
              mdiorio Max DiOrio
              Votes:
              0
              Watchers:
              5
