The contents of {USER} and {PROVIDED_USER} need to be escaped when querying for the groups using the LDAP server

Description

When LDAP authorization is enabled, the contents of the `{USER}` and `{PROVIDED_USER}` values in the `security.ldap.authz.queryTemplate` configuration option need to be escaped in accordance with RFC 4515.

See example at https://forums.percona.com/t/mongodb-ldap-authentication-parsing-cn-with-backslashes-and-commas-issue/30451

Upstream bug: https://jira.mongodb.org/browse/SERVER-31625

Environment

None

Activity


Igor Solodovnikov January 22, 2025 at 2:57 PM

Creating a correct LDAP query may require escaping of special characters. Different parts of such a query may have different escaping requirements. There are several RFC documents describing escaping for LDAP:

[RFC 4514 | LDAP: Distinguished Names](https://datatracker.ietf.org/doc/html/rfc4514) - escaping in Distinguished Names

[RFC 4515 | LDAP: String Representation of Search Filters](https://datatracker.ietf.org/doc/html/rfc4515) - LDAP search filters utilize their own escaping mechanism

[RFC 4516 | LDAP: Uniform Resource Locator](https://datatracker.ietf.org/doc/html/rfc4516) - based on general URL escaping. The most obvious example is the need to escape the question mark character if it is used for something that is not a separator between the various parts of an LDAP query

There are several parameters in LDAP configuration which require escaping of special characters:

  • `security.ldap.authz.queryTemplate` and the `ldapQuery` parameter inside `security.ldap.userToDNMapping`

Both of these parameters are LDAP queries, which can contain an LDAP search filter and distinguished names. So the correct way to escape special characters is to do it step by step:

  1. escape special characters in any full or partial distinguished names in the query according to RFC 4514

  2. after that, escape special characters inside the LDAP search filter part of the query according to RFC 4515

  3. after that, escape special characters in the whole query according to RFC 4516. Do not escape question marks if that character is used to separate parts of the query

  4. after that, if you are going to use the result in the YAML config file, it might be necessary to do escaping according to the [YAML specification](https://yaml.org/spec/)

  • `substitution` parameter inside `security.ldap.userToDNMapping`

The result of this substitution becomes the value of the `{USER}` placeholder, which is used in the `security.ldap.authz.queryTemplate` parameter. Generally speaking, the escaping requirements depend on which part of the query template it will be substituted into. For example, in the most frequent case the result of the substitution will be a full or partial distinguished name. In that case you will need to escape special characters in the `substitution` parameter according to RFC 4514.

It is not necessary to use other escaping mechanisms in this parameter because Percona Server for MongoDB will apply RFC 4515 and RFC 4516 escaping as necessary while making substitutions in the `security.ldap.authz.queryTemplate` parameter.

One more place where you will need to take care of special characters is the user name used while connecting using LDAP authorization. In some cases such a user name might be a full distinguished name and can be substituted directly into the `security.ldap.authz.queryTemplate` parameter without any transformation via `security.ldap.userToDNMapping`. In other cases such a user name might represent some user ID, such as an email or the user's real name, but after transformation via `security.ldap.userToDNMapping` some parts of it may become part of the distinguished name substituted into the `security.ldap.authz.queryTemplate` parameter. In any case the general rule is: if the user name or any part of it will end up substituted as a distinguished name, it must be escaped according to RFC 4514.

MongoDB documentation has the following note in several places:

> An explanation of [RFC4514](https://www.ietf.org/rfc/rfc4514.txt), [RFC4515](https://tools.ietf.org/html/rfc4515), [RFC4516](https://tools.ietf.org/html/rfc4516), or LDAP queries is out of scope for the MongoDB Documentation. Please review the RFC directly or use your preferred LDAP resource.

Reference:

[Self-Managed Configuration File Options - security.ldap.userToDNMapping](https://www.mongodb.com/docs/manual/reference/configuration-options/#mongodb-setting-security.ldap.userToDNMapping)
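To make the step-by-step escaping in the comment above concrete, here is an added Python example (it is not code from Percona Server for MongoDB, nor from the comment's author) that applies the three RFC layers in the order described to a constructed user name containing a comma and a backslash, the two characters from the linked forum thread. The directory layout (`ou=Users`, `ou=Groups`, `dc=example,dc=com`), the `cn`/`sub` attribute and scope values, and the choice to leave `=`, `,`, `(`, `)` and `*` unencoded in the RFC 4516 step (which matches the form of that RFC's own examples) are assumptions of this example, not statements about what mongod itself emits.

```python
"""Added example (not Percona or MongoDB project code): the layered LDAP
escaping described in the comment, applied to a constructed CN value."""
from urllib.parse import quote

# --- Step 1: RFC 4514 section 2.4, escaping inside a distinguished-name value ---
_DN_SPECIAL = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in an RFC 4514 DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)            # " + , ; < > \ anywhere in the value
        elif ch == '\x00':
            out.append('\\00')               # NUL as a hex pair
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')                # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')                # leading '#'
        else:
            out.append(ch)
    return ''.join(out)


# --- Step 2: RFC 4515 section 3, escaping inside a search-filter assertion value ---
_FILTER_ESCAPES = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the structure of the filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# --- Step 3: RFC 4516, percent-encoding of each URL component ---
# '?' is deliberately absent from the safe set, so a '?' inside a component is
# encoded while the '?' separators added by build_query_template stay literal.
# Leaving '=', ',', '(', ')' and '*' unencoded follows the form of RFC 4516's
# own examples (an assumption of this example).
def percent_encode_component(component: str) -> str:
    return quote(component, safe='=,()*')


def build_query_template(base_dn: str, attributes: str, scope: str, filter_: str) -> str:
    """Assemble `dn?attributes?scope?filter`, encoding each part separately."""
    return '?'.join(percent_encode_component(p)
                    for p in (base_dn, attributes, scope, filter_))


def group_query_for_user(cn: str) -> dict:
    """Walk a raw CN through the three escaping layers (constructed DIT layout)."""
    user_dn = f'cn={escape_dn_value(cn)},ou=Users,dc=example,dc=com'      # step 1
    search_filter = f'(member={escape_filter_value(user_dn)})'               # step 2
    template = build_query_template(                                          # step 3
        'ou=Groups,dc=example,dc=com', 'cn', 'sub', search_filter)
    return {'user_dn': user_dn, 'filter': search_filter, 'template': template}


if __name__ == '__main__':
    # Constructed sample: a CN containing a comma and a backslash.
    for key, value in group_query_for_user('Doe, John\\Smith').items():
        print(f'{key}: {value}')
```

Running it prints the three intermediate forms. Two things are worth noticing: the comma in the CN stays inside its single RDN instead of splitting the DN into two, and the backslash that step 1 introduces has to be escaped again by step 2 (as `\5c`) and again by step 3 (as `%5C`). That is why applying the layers in the wrong order, or applying one layer twice, yields a query that no longer matches the intended entry, and why, per the comment, only the RFC 4514 layer belongs in the `substitution` parameter when the server applies the other two itself.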

Done

Details

Needs QA

Yes

Needs Doc

No

Needs Packaging

No

Created December 17, 2024 at 6:41 PM
Updated February 18, 2025 at 2:59 PM
Resolved February 4, 2025 at 10:20 AM