[SERVER-43098] Further enhance LDAP log lines to reflect uncertainty from libldap
Created: 30/Aug/19 | Updated: 29/Oct/23 | Resolved: 29/Apr/20
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.7.0 |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Nic Cottrell |
| Assignee: | Sara Golemon |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2020-05-04 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
The logging seems to indicate that an LDAP connection has been established correctly when it appears (in some cases at least) that the connection was failing due to a failed TLS handshake on the LDAP server side. In the example below we see a "Connected to LDAP server" followed 10 seconds later by "failed to bind to LDAP server". This and some packet captures seem to indicate that the connection was not established. I want to request a couple of additional logging changes to those already performed in 1. Change "Connected to LDAP server..." to "Connecting to LDAP server..."
| Comments |
| Comment by Githook User [ 29/Apr/20 ] |
Author: Sara Golemon <sara.golemon@mongodb.com> (username: sgolemon)
Message:
| Comment by Sara Golemon [ 28/Apr/20 ] |
Gotcha. It's interesting that you see different values for that at all, since it appears to reflect the value of the LDAP_OPT_CONNECT_ASYNC flag, which we never actually set. My best guess is that different versions of OpenLDAP have different defaults for this value. That, or different versions of MongoDB invoke OpenLDAP differently. Either way, I'll just query ldap_get_option() and that'll give us the value that would be logged by ldap_pvt_connect.
| Comment by Nic Cottrell [ 28/Apr/20 ] |
sara.golemon Thanks for all the progress so far. Sorry about 3., it looks like I had missed adding that I wanted the async value. I forget the exact context, but I believe that this information was useful when debugging how the libldap library was connecting to an LDAP server with TLS. Examples:
ldap_pvt_connect: fd: 19 tm: 0 async: -1
ldap_pvt_connect: fd: 10 tm: -1 async: 0
| Comment by Sara Golemon [ 20/Apr/20 ] |