[SERVER-45836] Provide more LDAP details (like server IP) at default log level

| Created: | 29/Jan/20 |
| Updated: | 29/Oct/23 |
| Resolved: | 20/Apr/20 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.4.0-rc2, 4.2.13, 4.4.5, 4.0.24 |
| Type: | New Feature |
| Priority: | Major - P3 |
| Reporter: | Nic Cottrell |
| Assignee: | Sara Golemon |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v4.4, v4.2, v4.0 |
| Sprint: | Security 2020-02-10, Security 2020-02-24, Security 2020-04-20 |
| Participants: | |
| Case: | (copied to CRM) |

| Description |

At the default log level, any errors connecting to down/stalled LDAP servers will be logged like:

However, the "server at default" doesn't provide the necessary details when security.ldap.servers is configured with CNAME aliases like ldapalias.uk.bigcorp.local and ldapalias.us.bigcorp.local, which may resolve to any number of hosts/IPs. Enabling level=3 logging on accessControl is much better, and precedes the log above with lines like:

The small change of including the resolved IP address would help greatly with diagnosing LDAP server issues, so that the error log above appears like:

| Comments |

| Comment by Githook User [ 25/Feb/21 ] |

Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: (cherry picked from commit fff8caf2c76f42fb76c945347fc909d28c6d98e5)

| Comment by Githook User [ 25/Feb/21 ] |

Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: (cherry picked from commit fff8caf2c76f42fb76c945347fc909d28c6d98e5)

| Comment by Githook User [ 24/Feb/21 ] |

Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message: (cherry picked from commit fff8caf2c76f42fb76c945347fc909d28c6d98e5)

| Comment by Githook User [ 20/Apr/20 ] |

Author: {'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}
Message:

| Comment by Spencer Jackson [ 11/Mar/20 ] |

The limitations of this type of logging have been communicated, so nominating this for future quick wins. It's lower priority than the tickets for improving functionality.

| Comment by Spencer Jackson [ 18/Feb/20 ] |

The "Connected to LDAP server at" error message is invoked from a callback which is dispatched by libldap after it establishes a physical connection. Without connection pooling enabled, libldap is what manages physical connections to LDAP servers, and so the IP information is only available inside the callback. It may be possible to propagate this information out into a cb_args variable which is attached to the ldap_conncb provided to the callback. This would allow us to sometimes add the IP address to log statements, if we successfully connected to a server.

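The callback path sketched in the comment above, as an added example that is neither MongoDB's nor libldap's code: the formatting a connect callback would apply to the `struct sockaddr *addr` that libldap passes to `ldap_conncb.lc_add`, with the result kept in a context struct reachable through `lc_arg`. The struct and function names are assumptions, and registering the callback with libldap is left out so the snippet compiles without ldap.h.

```c
/* Added example (not MongoDB's or libldap's code): peer address of an LDAP connection rendered as ip:port for a log line. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical context hung off ldap_conncb.lc_arg (the "cb_args" idea). */
struct ldap_peer_info { char last_peer[INET6_ADDRSTRLEN + 8]; int connected; };

/* host:port, IPv6 bracketed. 0 on success; otherwise -1 and out = "unknown"
 * (NULL addr, ldapi:// unix sockets, or any other family without an IP). */
int format_peer(const struct sockaddr *addr, char *out, size_t outlen) {
    char ip[INET6_ADDRSTRLEN];
    snprintf(out, outlen, "unknown");
    if (addr == NULL) return -1;
    if (addr->sa_family == AF_INET) {
        const struct sockaddr_in *a = (const struct sockaddr_in *)addr;
        if (!inet_ntop(AF_INET, &a->sin_addr, ip, sizeof ip)) return -1;
        snprintf(out, outlen, "%s:%u", ip, (unsigned)ntohs(a->sin_port));
        return 0;
    }
    if (addr->sa_family == AF_INET6) {
        const struct sockaddr_in6 *a = (const struct sockaddr_in6 *)addr;
        if (!inet_ntop(AF_INET6, &a->sin6_addr, ip, sizeof ip)) return -1;
        snprintf(out, outlen, "[%s]:%u", ip, (unsigned)ntohs(a->sin6_port));
        return 0;
    }
    return -1;
}

/* What an lc_add callback body would do with ctx->lc_arg and libldap's addr. */
void on_ldap_connect(struct ldap_peer_info *info, const struct sockaddr *addr) {
    info->connected = format_peer(addr, info->last_peer, sizeof info->last_peer) == 0;
}

/* Constructed input: a sockaddr built from a literal (static buffer, demo only). */
const char *format_literal(int family, const char *ip, unsigned port) {
    static char out[INET6_ADDRSTRLEN + 8];
    union { struct sockaddr_in v4; struct sockaddr_in6 v6; } u;
    memset(&u, 0, sizeof u);
    if (family == AF_INET) {
        u.v4.sin_family = AF_INET; u.v4.sin_port = htons((unsigned short)port);
        if (inet_pton(AF_INET, ip, &u.v4.sin_addr) != 1) return "bad literal";
    } else {
        u.v6.sin6_family = AF_INET6; u.v6.sin6_port = htons((unsigned short)port);
        if (inet_pton(AF_INET6, ip, &u.v6.sin6_addr) != 1) return "bad literal";
    }
    format_peer((struct sockaddr *)&u, out, sizeof out);
    return out;
}
```

With the resolved peer stored in the context, the "Connected to LDAP server at" message can append it only when `connected` is set, which matches the "sometimes" in the comment.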
| Comment by Carl Champain (Inactive) [ 29/Jan/20 ] |

Passing this ticket to the appropriate team.