
Authorizing MongoDB Atlas users against Okta's LDAP Groups

Published: Sep 22, 2020 / By Andrew Doering.

Introduction

As my recent blog posts suggest, we have been migrating to an Okta LDAP endpoint as our primary LDAP service, working towards a cloud-first model. As might be expected, some issues have surfaced while moving infrastructure and making the necessary changes. This post describes one of them: the way MongoDB Atlas performed LDAP lookups during the authorization process.

Issue

When running MongoDB versions at or below 3.6.19, 4.0.20, or 4.2.9 and using the following MongoDB Query Template for authorization against Okta's LDAP Interface:

ou=groups,dc=<okta-instance-id>,dc=okta,dc=com??sub?(&(objectClass=groupofUniqueNames)(uniqueMember={USER}))

we would receive authorization failure messages in the MongoDB Atlas shell, while on the Okta side we saw several rate-limit messages.

MongoDB performed group lookups inefficiently: the query omitted the DN attribute (and/or did not specify a particular CN value), so instead of a targeted lookup it broadly searched for the single user within the group being checked, and it bound to Okta's LDAP Interface on every connection attempt. This effectively hammered Okta's LDAP server, which is subject to the API rate limits outlined here. An issue for this already existed on MongoDB's public-facing issue tracker, but without knowing that beforehand we would never have known to look through 47968+ potential issues.

In the meantime, while we continued to test around the issue, we asked Okta to raise the API limit, which they did for the following endpoint:

/api/v1/users/{id}/groups | READ / WRITE | EXACT_MATCH | 1000 / minute

However, even with the increased limit, we still saw rate-limiting events in the Okta System Log, meaning group lookups were not completed, and on the MongoDB side authorization continued to fail.

We ultimately raised a ticket with MongoDB Support to ask whether the fix introduced in 4.4.* could be backported; at the time there was no ETA.

Solution

After several weeks of waiting, the fix has finally been backported. Beginning with MongoDB Atlas versions 3.6.20, 4.0.21, and 4.2.10, you can use Okta-mastered groups from Okta's LDAP Interface for authorization.

The comments written directly by the PoC in charge of the incident we filed:

    Please note that in order to utilize the Okta-optimized codepath, you MUST request the DN attribute in the authorization query explicitly.

    Here's the example configuration (swap `yourdomain` below for your Okta tenant domain, and likewise be aware of `your_service_account`):

    LDAP server: yourdomain.ldap.okta.com
    Server Port: 636
    Bind Username: uid=your_service_account@domain.tld,dc=yourdomain,dc=okta,dc=com
    User To DN Mapping: [ { "match": "(.+)", "substitution": "uid={0},ou=users,dc=yourdomain,dc=okta,dc=com" } ]
    Query Template: ou=groups,dc=yourdomain,dc=okta,dc=com?dn?one?(&(objectClass=groupofUniqueNames)(uniqueMember={USER}))

Once configured, you should be able to use Okta's LDAP Interface in MongoDB Atlas and get successful authorization results!
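As an added illustration (this is not code from the original post, nor from MongoDB or Okta), the following Python models what Atlas does with the settings quoted above: it applies the User To DN Mapping to a username, substitutes the mapped DN for {USER} in the query template, splits the template into its base/attributes/scope/filter parts (the LDAP URL form from RFC 4516), and checks the requirement from the support comments that the `dn` attribute be requested explicitly. The tenant `yourdomain`, the user `alice@example.com`, and all function names are placeholders I chose; the one-level scope check is my own addition based on the quoted template rather than a requirement the post states.

```python
import re

# Constructed sample configuration, mirroring the shape of the values quoted in
# the post. "yourdomain" and "alice@example.com" are placeholders, not a real tenant.
USER_TO_DN_MAPPING = [
    {"match": "(.+)", "substitution": "uid={0},ou=users,dc=yourdomain,dc=okta,dc=com"},
]

# The template that triggered rate limiting (no attribute list, subtree scope) ...
OLD_QUERY_TEMPLATE = (
    "ou=groups,dc=yourdomain,dc=okta,dc=com"
    "??sub?(&(objectClass=groupofUniqueNames)(uniqueMember={USER}))"
)
# ... and the template from the support comments, which requests "dn" explicitly.
NEW_QUERY_TEMPLATE = (
    "ou=groups,dc=yourdomain,dc=okta,dc=com"
    "?dn?one?(&(objectClass=groupofUniqueNames)(uniqueMember={USER}))"
)


def map_user_to_dn(username, mapping=USER_TO_DN_MAPPING):
    """Apply the first User To DN Mapping rule whose regex matches the whole
    username; {0}, {1}, ... in the substitution are the regex capture groups."""
    for rule in mapping:
        match = re.fullmatch(rule["match"], username)
        if match:
            dn = rule["substitution"]
            for index, group in enumerate(match.groups()):
                dn = dn.replace("{%d}" % index, group)
            return dn
    raise ValueError("no User To DN Mapping rule matches %r" % username)


def render_query(template, user_dn):
    """Fill the {USER} placeholder with the mapped DN, one query per lookup."""
    return template.replace("{USER}", user_dn)


def parse_ldap_query(query):
    """Split the base?attributes?scope?filter form used by the query template
    (the tail of an LDAP URL, RFC 4516). An empty scope means 'base' and an
    empty attribute list means 'all user attributes'."""
    base, attrs, scope, ldap_filter = (query.split("?", 3) + [""] * 4)[:4]
    return {
        "base": base,
        "attributes": [a.strip() for a in attrs.split(",") if a.strip()],
        "scope": scope or "base",
        "filter": ldap_filter,
    }


def check_okta_query(query):
    """Return a list of problems with a rendered query; an empty list means it
    follows the configuration quoted in the post."""
    parsed = parse_ldap_query(query)
    problems = []
    # Stated in the support comments: the Okta-optimized codepath is only used
    # when the query asks for the dn attribute explicitly.
    if "dn" not in [a.lower() for a in parsed["attributes"]]:
        problems.append("attribute list does not request 'dn' explicitly")
    # Assumption (mine): the quoted config uses one-level scope, and a subtree
    # search is what the old template used, so flag 'sub' for review.
    if parsed["scope"] == "sub":
        problems.append("scope is 'sub'; the quoted template uses 'one'")
    if "{USER}" in query:
        problems.append("{USER} placeholder was not substituted")
    return problems


if __name__ == "__main__":
    user_dn = map_user_to_dn("alice@example.com")
    for name, template in (("old", OLD_QUERY_TEMPLATE), ("new", NEW_QUERY_TEMPLATE)):
        rendered = render_query(template, user_dn)
        print(name, parse_ldap_query(rendered)["attributes"], check_okta_query(rendered) or "OK")
```

Running the script reports the old template as missing the `dn` attribute and using subtree scope, and the new template as OK; the same check can be run against any candidate Query Template before it is saved in Atlas, so a regression to the rate-limited form is caught in review rather than in the Okta System Log.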