Percona Server for MongoDB: PSMDB-656

LDAP - user's permissions remain intact after a user is removed from LDAP


    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 4.2.8-8
    • Fix Version/s: 3.6.19-7.0, 4.2.8-8, 4.0.20-13
    • Component/s: None
    • Labels: None

      Description

      STR:

      1) Start PSMDB and an LDAP server, and add user testuser, which belongs to group dba:

      ldapsearch -x -b "dc=perconatest,dc=com" -D "cn=admin,dc=perconatest,dc=com" -H ldap://localhost -W "cn=testuser"
      dn: cn=testuser,dc=perconatest,dc=com
      objectClass: organizationalPerson
      cn: testuser
      sn: testuser
      userPassword:: dGVzdHBhc3N3b3Jk

      ldapsearch -x -b "dc=perconatest,dc=com" -D "cn=admin,dc=perconatest,dc=com" -H ldap://localhost -W "cn=dba"
      dn: cn=dba,dc=perconatest,dc=com
      objectClass: groupOfNames
      cn:: ZGJhICAg
      member: cn=testuser,dc=perconatest,dc=com

      The LDAP group is mapped to a MongoDB role in db.system.roles:

      > db.system.roles.find().pretty();
      {
        "_id" : "admin.cn=dba,dc=perconatest,dc=com",
        "role" : "cn=dba,dc=perconatest,dc=com",
        "db" : "admin",
        "privileges" : [ ],
        "roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" } ]
      }

      2) Log in to the DB as testuser:

      > db.runCommand({connectionStatus : 1})
      {
        "authInfo" : {
          "authenticatedUsers" : [ { "user" : "testuser", "db" : "$external" } ],
          "authenticatedUserRoles" : [
            { "role" : "cn=dba,dc=perconatest,dc=com", "db" : "admin" },
            { "role" : "readWriteAnyDatabase", "db" : "admin" }
          ]
        },
        "ok" : 1
      }
      

      3) Remove the user from LDAP and wait for the ldapUserCacheInvalidationInterval value (30 seconds):

      ldapadd -D "cn=admin,dc=perconatest,dc=com" -w b0neynem -f user_delete.ldif
      deleting entry "cn=testuser,dc=perconatest,dc=com"

      Expected result:

      The user is unable to perform any commands.

      Actual result:

      The user's permissions remain intact; the role mapping in db.system.roles is unchanged, and the mongod log contains the following error:

      > db.system.roles.find().pretty();
      {
        "_id" : "admin.cn=dba,dc=perconatest,dc=com",
        "role" : "cn=dba,dc=perconatest,dc=com",
        "db" : "admin",
        "privileges" : [ ],
        "roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" } ]
      }

      2020-07-02T08:02:33.814+0000 W ACCESS [conn13] Could not fetch updated user privilege information for testuser@$external; continuing to use old information. Reason is BadValue: Failed to map user 'testuser' to LDAP DN
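Until a fixed version is deployed, the warning above is the only signal that a session is still running on cached privileges after its LDAP entry disappeared, so it is worth alerting on. The following parser is an added example written for this issue; it is not Percona's code and not part of the report. It matches the exact log format quoted above (assumed stable for the 3.6/4.0/4.2 text-format logs) and reports which $external users kept stale privileges, with which failure reason. The log lines it runs on are constructed: the first is the one quoted in the issue, the other two are made up for illustration.

```python
"""Detect mongod log lines showing a user kept old privileges after an LDAP refresh failure.

Added example, not part of PSMDB-656 or Percona Server for MongoDB. Assumes the
text log format quoted in the issue:
  <ts> W ACCESS [connN] Could not fetch updated user privilege information for
  <user>@<db>; continuing to use old information. Reason is <Code>: <message>
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Regex for the warning quoted in the issue's "Actual result" section.
STALE_PRIVS_RE = re.compile(
    r"^(?P<ts>\S+) W ACCESS\s+\[(?P<conn>[^\]]+)\] "
    r"Could not fetch updated user privilege information for "
    r"(?P<user>[^@;]+)@(?P<db>[^;]+); continuing to use old information\. "
    r"Reason is (?P<code>\w+): (?P<reason>.*)$"
)


@dataclass
class StalePrivilegeEvent:
    timestamp: str
    conn: str
    user: str
    db: str
    code: str
    reason: str


def parse_line(line: str) -> Optional[StalePrivilegeEvent]:
    """Return an event for a matching warning line, or None for any other line."""
    m = STALE_PRIVS_RE.match(line.strip())
    if not m:
        return None
    return StalePrivilegeEvent(
        m["ts"], m["conn"], m["user"], m["db"], m["code"], m["reason"]
    )


def find_stale_privilege_events(lines: Iterable[str]) -> List[StalePrivilegeEvent]:
    """Collect every stale-privilege warning from an iterable of log lines."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def users_with_stale_external_privileges(lines: Iterable[str]) -> Set[str]:
    """Users authenticated via $external (LDAP) whose privilege refresh failed.

    These are the accounts an operator should review: their MongoDB roles are
    still in effect even though the LDAP lookup no longer resolves them.
    """
    return {ev.user for ev in find_stale_privilege_events(lines) if ev.db == "$external"}


# Constructed sample log: line 1 is quoted from the issue, lines 2 and 3 are made up.
SAMPLE_LOG = [
    "2020-07-02T08:02:33.814+0000 W ACCESS [conn13] Could not fetch updated user privilege "
    "information for testuser@$external; continuing to use old information. "
    "Reason is BadValue: Failed to map user 'testuser' to LDAP DN",
    "2020-07-02T08:02:34.001+0000 I NETWORK [conn14] end connection 127.0.0.1:50124 "
    "(3 connections now open)",
    "2020-07-02T08:03:05.120+0000 W ACCESS [conn15] Could not fetch updated user privilege "
    "information for appuser@$external; continuing to use old information. "
    "Reason is BadValue: Failed to map user 'appuser' to LDAP DN",
]

if __name__ == "__main__":
    for ev in find_stale_privilege_events(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.user}@{ev.db} ({ev.conn}) kept old privileges: "
              f"{ev.code}: {ev.reason}")
    print("review:", sorted(users_with_stale_external_privileges(SAMPLE_LOG)))
```

Feeding the real mongod log through `find_stale_privilege_events` (for example from a log shipper) gives a per-connection list; the `conn` id is what you need to correlate with `currentOp` output if you decide to kill the affected sessions manually while the LDAP entry is gone.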
      


            People

             Assignee: Igor Solodovnikov (igor.solodovnikov)
             Reporter: Sandra Romanchenko (sandra.romanchenko)


                Time Tracking

                Estimated: Not Specified
                Remaining: Not Specified
                Logged: 4h 10m
