  1. Core Server
  2. SERVER-41083

Update LDAP logging to include connection failures to LDAP servers and retry logic

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Logging
    • Labels:
      None
    • Sprint:
      Security 2019-06-03, Security 2019-06-17, Security 2019-07-01, Security 2019-07-15, Security 2019-07-29

      Description

      Follow up from SERVER-37155

      Update LDAP logging to include connection failures to LDAP servers and retry logic:

      Current logs below show a successful authentication that is missing a failed authentication attempt:

      2019-05-10T09:56:04.661-0500 D ACCESS   [conn20] Binding to LDAP server "default" with bind parameters: {BindDN: mongodb, authenticationType: simple}
      2019-05-10T09:56:04.663-0500 D ACCESS   [conn20] Connected to LDAP server at 10.0.8.254:389 with LDAP URL: ldap://dcs:389
      

      Suggested Update:

      2019-05-10T09:56:01.661-0500 D ACCESS   [conn20] Binding to LDAP server "default" with bind parameters: {BindDN: mongodb, authenticationType: simple}
       
      ---List "default" servers---
       
      2019-05-10T09:56:02.663-0500 E ACCESS   [conn20] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at 10.0.8.200:389 with LDAP URL: ldap://dcs:389. (-1/Can't contact LDAP server): No error could be retrieved from the LDAP server.. Bind parameters were: {BindDN: mongodb, authenticationType: simple}
       
      2019-05-10T09:56:03.663-0500 D ACCESS   [conn20] Retrying LDAP connection to server at 10.0.8.254:389 with LDAP URL: ldap://dcs:389
       
      2019-05-10T09:56:04.663-0500 D ACCESS   [conn20] Connected to LDAP server at 10.0.8.254:389 with LDAP URL: ldap://dcs:389
      

      In addition, the logs indicating the LDAP server connections are only exposed with verbosity 3 on accessControl. At least the retries and failures should be listed in the default logging for troubleshooting outages.
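      An added example, not part of the original ticket or of MongoDB's code: a small Python parser that groups the LDAP lines by connection and reports binds that succeeded only after another server failed. The message patterns are assumptions taken from the ticket's suggested log lines (constructed sample below, error text abbreviated); since the ticket is closed as Won't Fix, real server output may differ.

```python
import re
from collections import defaultdict

# Constructed sample: the ticket's suggested log lines (error text abbreviated).
SAMPLE = """\
2019-05-10T09:56:01.661-0500 D ACCESS   [conn20] Binding to LDAP server "default" with bind parameters: {BindDN: mongodb, authenticationType: simple}
2019-05-10T09:56:02.663-0500 E ACCESS   [conn20] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at 10.0.8.200:389 with LDAP URL: ldap://dcs:389. (-1/Can't contact LDAP server)
2019-05-10T09:56:03.663-0500 D ACCESS   [conn20] Retrying LDAP connection to server at 10.0.8.254:389 with LDAP URL: ldap://dcs:389
2019-05-10T09:56:04.663-0500 D ACCESS   [conn20] Connected to LDAP server at 10.0.8.254:389 with LDAP URL: ldap://dcs:389
"""

# timestamp, severity letter, ACCESS component, [connection], message
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<sev>[A-Z])\s+ACCESS\s+\[(?P<conn>[^\]]+)\]\s+(?P<msg>.*)$")
# Assumed message shapes, copied from the ticket's wording.
EVENTS = [
    ("fail", re.compile(r"failed to bind to LDAP server at (\S+)")),
    ("retry", re.compile(r"Retrying LDAP connection to server at (\S+)")),
    ("ok", re.compile(r"Connected to LDAP server at (\S+)")),
]

def ldap_events(text):
    """Return {conn: [(timestamp, kind, host:port), ...]} in log order."""
    out = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ACCESS line
        for kind, pat in EVENTS:
            hit = pat.search(m["msg"])
            if hit:
                out[m["conn"]].append((m["ts"], kind, hit.group(1)))
                break
    return dict(out)

def failovers(text):
    """Connections that bound successfully only after at least one failed server."""
    report = {}
    for conn, evs in ldap_events(text).items():
        failed = [host for _, kind, host in evs if kind == "fail"]
        good = [host for _, kind, host in evs if kind == "ok"]
        if failed and good:
            report[conn] = {"failed": failed, "connected": good[-1]}
    return report

if __name__ == "__main__":
    for conn, r in failovers(SAMPLE).items():
        print(f"{conn}: failed {r['failed']} -> connected {r['connected']}")
```

      Run against the "current logs" form, which has no failure line, `failovers` returns nothing, which is the visibility gap the ticket describes.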

            People

            Assignee:
            jonathan.reams Jonathan Reams
            Reporter:
            kip.iwakiri Kip Iwakiri (Inactive)