PSMDB-1573 Update documentation to add guidance on LDAP parameters en… #969
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
See screenshots from the preview: |
nastena1606
reviewed
Jan 23, 2025
igorsol
requested changes
Jan 23, 2025
docs/ldap-setup.md
Outdated
| If you don’t know what the substitution or LDAP query string should be, please consult with the LDAP administrators to figure this out. | ||
| If you don’t know what the Substitution or LDAP query string should be, please consult with the LDAP administrators to figure this out. | ||
|
|
||
| Not, you can use only the `LDAP query` or the `Substitution` stage, the combination of two is not allowed. |
radoslawszulgo
commented
Jan 23, 2025
Co-authored-by: Anastasia Alexandrova <anastasia.alexandrova@percona.com> Co-authored-by: Igor Solodovnikov <igor.solodovnikov@percona.com>
nastena1606
reviewed
Jan 23, 2025
docs/ldap-setup.md
Outdated
|
|
||
| * In this setup, we use the following OpenLDAP groups: | ||
| * The setup of an LDAP server is out of scope of this document. We assume that you are familiar with the LDAP server schema. | ||
| * An explanation of [RFC4514](https://www.ietf.org/rfc/rfc4514.txt), [RFC4515](https://tools.ietf.org/html/rfc4515), [RFC4516](https://tools.ietf.org/html/rfc4516), or LDAP queries is out of scope of this setup. Please review the RFC directly or use your preferred LDAP resource. |
There was a problem hiding this comment.
I would trade places by mentioning LDAP queries first and then RCFs that describe special character escaping in those queries
nastena1606
reviewed
Jan 23, 2025
docs/ldap-setup.md
Outdated
| @@ -31,6 +22,12 @@ cn: otherusers | |||
| member: cn=bob,dc=percona,dc=com | |||
| ``` | |||
|
|
|||
| ## Prerequisites | |||
| - To configure LDAP, you must have the `sudo` privilege to the server with the {{ product.psmdb_full_name }} installed. | |||
| - If your LDAP server disallows anonymous binds, create the user that Percona Server for MongoDB will use to connect to and query the LDAP server. Afterwards, set that username and password using`security.ldap.bind.queryUser` and `security.ldap.bind.queryPassword` parameters in the `mongod.conf` configuration file. If username or any part of it will end up substituted as distinguished name it must be escaped according to [RFC 4514](https://tools.ietf.org/html/rfc4514). It may happen when: | |||
There was a problem hiding this comment.
As I understand the requirement to escape special characters applies to all usernames, not just for the one PSMDB uses to connect to LDAP. Maybe it's worth mentioning this?
nastena1606
reviewed
Jan 23, 2025
docs/ldap-setup.md
Outdated
| - To configure LDAP, you must have the `sudo` privilege to the server with the {{ product.psmdb_full_name }} installed. | ||
| - If your LDAP server disallows anonymous binds, create the user that Percona Server for MongoDB will use to connect to and query the LDAP server. Afterwards, set that username and password using`security.ldap.bind.queryUser` and `security.ldap.bind.queryPassword` parameters in the `mongod.conf` configuration file. If username or any part of it will end up substituted as distinguished name it must be escaped according to [RFC 4514](https://tools.ietf.org/html/rfc4514). It may happen when: | ||
| - A username is a fully distinguished name and can be substituted directly into the `security.ldap.authz.queryTemplate` parameter without using any transformation via `security.ldap.userToDNMapping`. | ||
| - A username represents an email address or fullname and after transformation via `security.ldap.userToDNMapping` some parts of it may become part of distinguished name substituted into the `security.ldap.authz.queryTemplate` parameter. |
There was a problem hiding this comment.
Suggested change
| - A username represents an email address or fullname and after transformation via `security.ldap.userToDNMapping` some parts of it may become part of distinguished name substituted into the `security.ldap.authz.queryTemplate` parameter. | |
| - A username represents an email address or full name and after transformation via `security.ldap.userToDNMapping`, some parts of it may become part of a distinguished name substituted into the `security.ldap.authz.queryTemplate` parameter. |
Moved the tip to a separate subsection since it also applies to AD setup
igorsol
requested changes
Jan 27, 2025
docs/authorization.md
Outdated
| @@ -59,6 +59,34 @@ Both `substitution` and `ldapQuery` should contain placeholders to insert parts | |||
|
|
|||
| So having an array of documents, Percona Server for MongoDB tries to match each document against the provided name and if it matches, the name is replaced either with the substitution string or with the result of the LDAP query. | |||
|
|
|||
| ### Escaping special characters in usernames | |||
|
|
|||
| A username can contain special characters in any of its parts. An example of a special character is the `@` sign in an email. | |||
There was a problem hiding this comment.
The @ character in the mail is probably not the best example because not always it should be escaped. For example on userToDNMapping stage regular expression might match everything before the @ character - in this case there is no reason to esscape it.
Probably it would be better to say that any character which is not alphanumeric or is not an ASCII character may require escaping but which exact characters require escaping depends on all parts of configuration and especially on our LDAP query templates and on our regular expressions inside userToDNMapping.
docs/ldap-setup.md
Outdated
| @@ -4,32 +4,32 @@ This document describes an example configuration of LDAP authentication and auth | |||
|
|
|||
| ## Assumptions | |||
|
|
|||
| 1. The setup of an LDAP server is out of scope of this document. We assume that you are familiar with the LDAP server schema. | |||
| * The setup of an LDAP server is out of scope of this document. We assume that you are familiar with the LDAP server schema. | |||
| * If usernames contain special characters, they must be escaped as described in [RFC4514](https://www.ietf.org/rfc/rfc4514.txt), [RFC4515](https://tools.ietf.org/html/rfc4515), [RFC4516](https://tools.ietf.org/html/rfc4516). An explanation of escaping rules or LDAP queries is out of scope of this setup. Please review the RFC directly or use your preferred LDAP resource. | |||
There was a problem hiding this comment.
Suggested change
| * If usernames contain special characters, they must be escaped as described in [RFC4514](https://www.ietf.org/rfc/rfc4514.txt), [RFC4515](https://tools.ietf.org/html/rfc4515), [RFC4516](https://tools.ietf.org/html/rfc4516). An explanation of escaping rules or LDAP queries is out of scope of this setup. Please review the RFC directly or use your preferred LDAP resource. | |
| * If usernames contain special characters, they must be escaped as described in [RFC4514](https://www.ietf.org/rfc/rfc4514.txt), [RFC4515](https://tools.ietf.org/html/rfc4515), [RFC4516](https://tools.ietf.org/html/rfc4516). Usage of particular escaping methods depends on the part of the LDAP query which will contain substituted value. An explanation of escaping rules or LDAP queries is out of scope of this setup. Please review the RFC directly or use your preferred LDAP resource. |
| version: 8.0.4-1 | ||
| --- | ||
|
|
||
| # {{ product.psmdb_full_name }} {{ page.meta.version }} ({{date.8_0_4}}) |
There was a problem hiding this comment.
Not sure if this change is part of this PR or the "8.0.4 release notes" PR.
There was a problem hiding this comment.
that's a fix "by chance" :)
|
Thanks for changes Nastya. That also works for me. |
Can I consider this answer as approval?:) |
|
Yes!
…On Tue, 28 Jan 2025 at 16:36, Anastasia Alexandrova < ***@***.***> wrote:
Thanks for changes Nastya. That also works for me.
Can I consider this answer as approval?:)
—
Reply to this email directly, view it on GitHub
<#969 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/BJXQMX5S2F5N5SNTQDIYCJL2M6PWNAVCNFSM6AAAAABVV5K73KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMJZGM2DQMJZGU>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
nastena1606
reviewed
Jan 28, 2025
igorsol
requested changes
Jan 28, 2025
Co-authored-by: Igor Solodovnikov <igor.solodovnikov@percona.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add documentation based on @igorsol guidance below:
LDAP documentation refinements
for Set up LDAP authentication and authorization using NativeLDAP - Percona Server for MongoDB 8.0
Creating correct LDAP query may require escaping of special characters. Different parts of such query may have different escaping requirements. There are several RFC documents describing escaping for LDAP:
RFC 4514 | LDAP: Distinguished Names - escaping in Distinguished Names
RFC 4515 | LDAP: String Representation of Search Filters - LDAP search filters utilize its own escaping mechanism
RFC 4516 | LDAP: Uniform Resource Locator - based on general URL escaping. Most obvious example is the need to escape question mark character if it used for something which is not a separator for various parts of LDAP query
There are several parameters in LDAP configuration which require escaping of special characters:
security.ldap.authz.queryTemplateandldapQueryparameter insidesecurity.ldap.userToDNMappingboth these parameters are LDAP queries which can contain LDAP search filter and distinguished names. So the correct way to escape special characters is to do it step by step:
substitutionparameter insidesecurity.ldap.userToDNMappingThe result of this substitution becomes the value of the
{USER}placeholder which is user in thesecurity.ldap.authz.queryTemplateparameter. Generally speaking escaping requirements depends on in which part of the query template it will be substituted. For example the most frequent case result of substitution will be full or part of distinguished name. In that case you will need to escape special characters in thesubstitutionparameters according to RFC 4514.It is not necessary to use other escaping mechanisms in this parameter because Percona Server for MongoDB will apply RFC 4515 and RFC 4516 escaping as necessary while making substitutions in the
security.ldap.authz.queryTemplateparameter.One more place where you will need to care about special characters is the user name used while connecting using LDAP authorization. In some cases such user name might be full distinguished name and can be substituted directly into the
security.ldap.authz.queryTemplateparameter without using any transformation viasecurity.ldap.userToDNMapping. In other case such user name might represent some user ID such as email or user's real name but after transformation viasecurity.ldap.userToDNMappingsome parts of it may become part of distinguished name substituted into thesecurity.ldap.authz.queryTemplateparameter. In any case general rule is: if user name or any part of it will end up substituted as distinguished name it must be escaped according to RFC 4514.MongoDB documentation has following note in several places:
Reference:
Self-Managed Configuration File Options - security.ldap.userToDNMapping