Core Server / SERVER-45836

Provide more LDAP details (like server IP) at default log level

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.4.0-rc2
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Sprint: Security 2020-02-10, Security 2020-02-24, Security 2020-04-20

      Description

      At the default log level, any errors connecting to down/stalled LDAP servers will be logged like:

      2019-08-08T18:33:30.772-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
      

      However, the "server at default" doesn't provide the necessary details when security.ldap.servers is configured with CNAME aliases like ldapalias.uk.bigcorp.local and ldapalias.us.bigcorp.local, which may resolve to any number of hosts/IPs.

      Enabling level=3 logging on accessControl is much better, and precedes the log above with lines like:

      2019-08-08T18:35:46.203-0400 D3 ACCESS   [main] Binding to LDAP server "default" with bind parameters: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
      2019-08-08T18:35:46.243-0400 D3 ACCESS   [main] Connected to LDAP server at 54.225.237.121:636 with LDAP URL: ldaps://ldaptest.10gen.cc:636
      

      The small change of including the resolved IP address would help greatly with diagnosing LDAP server issues, so that the error log above appears like:

      2019-08-08T18:33:30.772-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at 54.225.237.121:636 ...
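
On logs written before this change, the resolved address can still be recovered when accessControl verbosity 3 is enabled, by pairing each bind failure with the preceding "Connected to LDAP server at" line. The script below is an added example, not MongoDB code or part of the original ticket; the sample lines are constructed in the format quoted above, and the thread names, the 192.0.2.x addresses and the assumption that both lines share a thread name are illustrative.

```python
import re

# Constructed sample in the log format quoted in this ticket (not real output).
SAMPLE_LOG = """\
2019-08-08T18:35:46.203-0400 D3 ACCESS   [conn12] Binding to LDAP server "default" with bind parameters: {BindDN: cn=svc,dc=example,dc=com, authenticationType: simple}
2019-08-08T18:35:46.243-0400 D3 ACCESS   [conn12] Connected to LDAP server at 192.0.2.10:636 with LDAP URL: ldaps://ldapalias.uk.bigcorp.local:636
2019-08-08T18:35:46.250-0400 D3 ACCESS   [conn13] Connected to LDAP server at 192.0.2.20:636 with LDAP URL: ldaps://ldapalias.us.bigcorp.local:636
2019-08-08T18:35:46.301-0400 E  ACCESS   [conn12] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server)
2019-08-08T18:35:47.010-0400 E  ACCESS   [conn14] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server)
"""

# timestamp, severity, ACCESS component, [thread], message
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<sev>\S+)\s+ACCESS\s+\[(?P<thread>[^\]]+)\]\s+(?P<msg>.*)$")
CONNECTED = re.compile(r"Connected to LDAP server at (?P<addr>\S+) with LDAP URL: (?P<url>\S+)")
BIND_FAILED = re.compile(r"failed to bind to LDAP server at ")


def correlate_bind_failures(log_text):
    """Return one dict per bind failure with the endpoint last seen on that thread."""
    last_endpoint = {}  # thread name -> (ip:port, LDAP URL)
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an ACCESS line in the expected format
        thread, msg = m["thread"], m["msg"]
        c = CONNECTED.search(msg)
        if c:
            last_endpoint[thread] = (c["addr"], c["url"])
        elif BIND_FAILED.search(msg):
            # pop: one connect line explains at most one failure on that thread
            addr, url = last_endpoint.pop(thread, (None, None))
            failures.append({"ts": m["ts"], "thread": thread, "addr": addr, "url": url})
    return failures


if __name__ == "__main__":
    for f in correlate_bind_failures(SAMPLE_LOG):
        print(f["ts"], f["thread"], f["addr"] or "unknown (no D3 connect line)", f["url"] or "")
```

A failure with no preceding connect line on its thread is reported with an unknown address, which is the default-log-level situation this ticket describes.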
      

              People

              Assignee:
              sara.golemon Sara Golemon
              Reporter:
              nicholas.cottrell Nic Cottrell