Core Server: SERVER-45836

Provide more LDAP details (like server IP) at default log level

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.4.0-rc2, 4.2.13, 4.4.5, 4.0.24
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Backport Requested: v4.4, v4.2, v4.0
    • Sprint: Security 2020-02-10, Security 2020-02-24, Security 2020-04-20

      At the default log level, any connection errors to down/stalled LDAP servers will be logged like:

      2019-08-08T18:33:30.772-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}

      However, the "server at default" doesn't provide the necessary details when security.ldap.servers is configured with a CNAME alias like ldapalias.uk.bigcorp.local or ldapalias.us.bigcorp.local, which may resolve to any number of hosts/IPs.

      Enabling level=3 logging on accessControl is much better, and precedes the log above with lines like:

      2019-08-08T18:35:46.203-0400 D3 ACCESS   [main] Binding to LDAP server "default" with bind parameters: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
      2019-08-08T18:35:46.243-0400 D3 ACCESS   [main] Connected to LDAP server at 54.225.237.121:636 with LDAP URL: ldaps://ldaptest.10gen.cc:636

      The small change of including the resolved IP address would help greatly with diagnosing LDAP server issues, so that the error log above appears like:

      2019-08-08T18:33:30.772-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at 54.225.237.121:636 ...

            Assignee: Sara Golemon (sara.golemon@mongodb.com)
            Reporter: Nic Cottrell (nicholas.cottrell@mongodb.com)
            Votes: 0
            Watchers: 6
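
The diagnosis workflow the ticket describes, as an added example that is not part of the ticket or of MongoDB's code: a small Python parser that walks a log captured at accessControl verbosity 3, remembers the last D3 "Connected to LDAP server at host:port" line seen in each log context, and attaches that resolved address to the default-level bind failure that follows it, which is the information the requested change puts on the error line directly. The sample log lines, the `correlate_bind_failures` and `enrich` helper names and the `conn12` context are constructed for the example; the one failure with no preceding Connected line shows the case (for instance the TCP connect itself failing) where no address is available and only the configured server name can be reported.

```python
"""
Added example, not MongoDB code: recover the resolved LDAP host:port for a
default-level bind failure from the D3 ACCESS lines that precede it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the lines quoted in SERVER-45836.
# The first bind failure is preceded by a D3 "Connected" line in the same
# context ([main]); the second ([conn12]) is not, as would happen when the
# TCP connection itself never came up.
SAMPLE_LOG = """\
2019-08-08T18:35:46.203-0400 D3 ACCESS   [main] Binding to LDAP server "default" with bind parameters: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-08-08T18:35:46.243-0400 D3 ACCESS   [main] Connected to LDAP server at 54.225.237.121:636 with LDAP URL: ldaps://ldaptest.10gen.cc:636
2019-08-08T18:35:46.301-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-08-08T18:36:10.010-0400 I  NETWORK  [listener] connection accepted from 10.0.0.5:51234 #12 (1 connection now open)
2019-08-08T18:37:02.500-0400 E  ACCESS   [conn12] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
"""

# <timestamp> <severity> <component> [<context>] <message>  (pre-4.4 text log format)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sev>[A-Z]\d?)\s+(?P<comp>[A-Z]+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$"
)
CONNECTED_RE = re.compile(
    r"Connected to LDAP server at (?P<addr>\S+) with LDAP URL: (?P<url>\S+)"
)
BIND_FAIL_RE = re.compile(
    r"failed to bind to LDAP server at (?P<server>[^\"]+)\"?\.\s*"
    r"\((?P<code>-?\d+)/(?P<reason>[^)]*)\)"
)


@dataclass
class BindFailure:
    timestamp: str
    context: str
    configured_server: str        # what the default-level line reports ("default")
    resolved_addr: Optional[str]  # host:port from the preceding D3 line, if any
    ldap_url: Optional[str]
    errno: int
    reason: str


def correlate_bind_failures(log_text: str) -> List[BindFailure]:
    """Pair each E ACCESS bind failure with the latest D3 'Connected' line
    logged in the same context ([main], [connN], ...)."""
    last_connected: Dict[str, Tuple[str, str]] = {}
    failures: List[BindFailure] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a log line we understand; skip it
        ctx, msg = m["ctx"], m["msg"]
        c = CONNECTED_RE.search(msg)
        if c:
            last_connected[ctx] = (c["addr"], c["url"])
            continue
        f = BIND_FAIL_RE.search(msg)
        if f and m["sev"] == "E" and m["comp"] == "ACCESS":
            addr, url = last_connected.get(ctx, (None, None))
            failures.append(BindFailure(
                timestamp=m["ts"],
                context=ctx,
                configured_server=f["server"],
                resolved_addr=addr,
                ldap_url=url,
                errno=int(f["code"]),
                reason=f["reason"],
            ))
    return failures


def enrich(failure: BindFailure) -> str:
    """Render the failure the way the ticket asks the server to log it."""
    if failure.resolved_addr:
        where = f"{failure.resolved_addr} ({failure.ldap_url})"
    else:
        where = (f"{failure.configured_server} "
                 "(resolved address not logged; raise accessControl verbosity to 3)")
    return (f"{failure.timestamp} [{failure.context}] LDAP bind to {where} "
            f"failed ({failure.errno}/{failure.reason})")


if __name__ == "__main__":
    for fail in correlate_bind_failures(SAMPLE_LOG):
        print(enrich(fail))
```

Keying the lookup on the log context rather than on time alone matters on a busy server, where several connection threads may be binding to different members of the alias at once; a Connected line from another thread would otherwise be attributed to the wrong failure.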