[SERVER-45836] Provide more LDAP details (like server IP) at default log level Created: 29/Jan/20  Updated: 29/Oct/23  Resolved: 20/Apr/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.4.0-rc2, 4.2.13, 4.4.5, 4.0.24

Type: New Feature Priority: Major - P3
Reporter: Nic Cottrell Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends on: SERVER-37155 Improve the LDAP server logging (Closed)
Backwards Compatibility: Fully Compatible
Backport Requested: v4.4, v4.2, v4.0
Sprint: Security 2020-02-10, Security 2020-02-24, Security 2020-04-20
Participants:
Case:

Description

At the default log level, any errors connecting to down or stalled LDAP servers are logged like:

2019-08-08T18:33:30.772-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}

However, "server at default" doesn't provide the necessary details when security.ldap.servers is configured with CNAME aliases like ldapalias.uk.bigcorp.local and ldapalias.us.bigcorp.local, which may resolve to any number of hosts/IPs.

Enabling level=3 logging on accessControl is much better, and precedes the log above with lines like:

2019-08-08T18:35:46.203-0400 D3 ACCESS   [main] Binding to LDAP server "default" with bind parameters: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-08-08T18:35:46.243-0400 D3 ACCESS   [main] Connected to LDAP server at 54.225.237.121:636 with LDAP URL: ldaps://ldaptest.10gen.cc:636

The small change of including the resolved IP address would help greatly with diagnosing LDAP server issues, so that the error log above appears like:

2019-08-08T18:33:30.772-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at 54.225.237.121:636 ...
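As an added example (not code from the ticket or from MongoDB), the script below does by hand the correlation this ticket asks the server to do itself: it pairs the D3 "Connected to LDAP server at" line with the later bind failure for the same server name, so an operator with level 3 logs can see which host behind a CNAME alias actually failed, and it flags TLS certificate verification failures separately since those point at trust-chain configuration rather than an unreachable server. The log lines are constructed from the formats quoted above, and the regular expressions are assumptions fitted to those formats.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample, modelled on the three log formats quoted in the ticket
# (D3 "Binding to", D3 "Connected to", and the E "failed to bind" line).
SAMPLE_LOG = """\
2019-08-08T18:35:46.203-0400 D3 ACCESS   [main] Binding to LDAP server "default" with bind parameters: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-08-08T18:35:46.243-0400 D3 ACCESS   [main] Connected to LDAP server at 54.225.237.121:636 with LDAP URL: ldaps://ldaptest.10gen.cc:636
2019-08-08T18:35:46.301-0400 E  ACCESS   [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
"""

# Assumed patterns, fitted to the message formats quoted in the ticket.
BINDING_RE = re.compile(r'Binding to LDAP server "(?P<server>[^"]+)"')
CONNECTED_RE = re.compile(r'Connected to LDAP server at (?P<endpoint>\S+) with LDAP URL: (?P<url>\S+)')
BIND_FAIL_RE = re.compile(
    r'failed to bind to LDAP server at (?P<server>[^"\s]+)"?[.,]? '
    r'\((?P<code>-?\d+)/(?P<reason>[^)]*)\)')


def enrich_bind_failures(log_text: str) -> List[Dict[str, Any]]:
    """Correlate each bind failure with the resolved endpoint that the
    preceding D3 'Connected to' line reported for the same server name."""
    endpoints: Dict[str, Tuple[str, str]] = {}   # server name -> (ip:port, ldap url)
    current_server: Optional[str] = None
    findings: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        if m := BINDING_RE.search(line):
            current_server = m.group('server')      # D3 line names the server
        elif (m := CONNECTED_RE.search(line)) and current_server:
            endpoints[current_server] = (m.group('endpoint'), m.group('url'))
        elif m := BIND_FAIL_RE.search(line):
            endpoint, url = endpoints.get(m.group('server'), (None, None))
            findings.append({
                'timestamp': line.split(' ', 1)[0],
                'server': m.group('server'),
                'resolved_endpoint': endpoint,   # None when only default-level logs exist
                'ldap_url': url,
                'code': m.group('code'),
                'reason': m.group('reason'),
                # A failed certificate verification is a trust-chain or configuration
                # problem and should be alerted on separately from "server is down".
                'tls_verify_failed': 'certificate verify failed' in line,
            })
    return findings


if __name__ == '__main__':
    for finding in enrich_bind_failures(SAMPLE_LOG):
        print(finding)
```

Run against a log captured at the default level (no D3 lines), `resolved_endpoint` stays `None`, which is exactly the gap the ticket describes.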



Comments
Comment by Githook User [ 25/Feb/21 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-45836 Surface connected LDAP host in log messages

(cherry picked from commit fff8caf2c76f42fb76c945347fc909d28c6d98e5)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/d86f76840194d3da781df519fac730ee8eb1c5da

Comment by Githook User [ 25/Feb/21 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-45836 Surface connected LDAP host in log messages

(cherry picked from commit fff8caf2c76f42fb76c945347fc909d28c6d98e5)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/a6b23d822eb1cc92cff633840cd24d41610c8eb4

Comment by Githook User [ 24/Feb/21 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-45836 Surface connected LDAP host in log messages

(cherry picked from commit fff8caf2c76f42fb76c945347fc909d28c6d98e5)
Branch: v4.4
https://github.com/10gen/mongo-enterprise-modules/commit/365a2d43101380d304d4bd435aedd9c1a08b4b29

Comment by Githook User [ 20/Apr/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-45836 Surface connected LDAP host in log messages
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/fff8caf2c76f42fb76c945347fc909d28c6d98e5

Comment by Spencer Jackson [ 11/Mar/20 ]

The limitations of this type of logging have been communicated, so nominating this for future quick wins. It's lower priority than the tickets for improving functionality.

Comment by Spencer Jackson [ 18/Feb/20 ]

The "Connected to LDAP server at" error message is invoked from a callback which is dispatched by libldap after it establishes a physical connection. Without connection pooling enabled, libldap is what manages physical connections to LDAP servers, and so the IP information is only available inside the callback. It may be possible to propagate this information out into a cb_args variable which is attached to the ldap_conncb provided to the callback.

This would allow us to sometimes add IP address to log statements, if we successfully connected to a server.

Comment by Carl Champain (Inactive) [ 29/Jan/20 ]

Passing this ticket to the appropriate team. 
