VAULT-31594 Add debug level logging to the LDAP auth library (#28881)

* initial commit of debug error handling * adding changelog
hashicorp · Nov 18, 2024 · 3f62ae7 · 3f62ae7
1 parent dce93e3
commit 3f62ae7
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/builtin/credential/ldap/backend.go b/builtin/credential/ldap/backend.go
@@ -83,6 +83,9 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 
 	ldapClient, err := ldap.NewClient(ctx, ldaputil.ConvertConfig(cfg.ConfigEntry))
 	if err != nil {
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("error creating client", "error", err)
+		}
 		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
 	}
 
@@ -93,12 +96,19 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 	if err != nil {
 		if strings.Contains(err.Error(), "discovery of user bind DN failed") ||
 			strings.Contains(err.Error(), "unable to bind user") {
+			if b.Logger().IsDebug() {
+				b.Logger().Debug("error getting user bind DN", "error", err)
+			}
 			return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
 		}
 
 		return "", nil, logical.ErrorResponse(err.Error()), nil, nil
 	}
 
+	if b.Logger().IsDebug() {
+		b.Logger().Debug("user binddn fetched", "username", username, "binddn", c.UserDN)
+	}
+
 	ldapGroups := c.Groups
 	ldapResponse := &logical.Response{
 		Data: map[string]interface{}{},
@@ -107,10 +117,17 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 		errString := fmt.Sprintf(
 			"no LDAP groups found in groupDN %q; only policies from locally-defined groups available",
 			cfg.GroupDN)
+
+		if b.Logger().IsDebug() {
+			b.Logger().Debug(errString)
+		}
 		ldapResponse.AddWarning(errString)
 	}
 
 	for _, warning := range c.Warnings {
+		if b.Logger().IsDebug() {
+			b.Logger().Debug(string(warning))
+		}
 		ldapResponse.AddWarning(string(warning))
 	}
 
@@ -160,6 +177,9 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 
 	userAttrValues := c.UserAttributes[cfg.UserAttr]
 	if len(userAttrValues) == 0 {
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("missing entity alias attribute value")
+		}
 		return "", nil, logical.ErrorResponse("missing entity alias attribute value"), nil, nil
 	}
 	entityAliasAttribute := userAttrValues[0]

diff --git a/builtin/credential/ldap/path_config_rotate_root.go b/builtin/credential/ldap/path_config_rotate_root.go
@@ -51,6 +51,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 
 	u, p := cfg.BindDN, cfg.BindPassword
 	if u == "" || p == "" {
+		// Logging this is as it may be useful to know that the binddn/bindpass is not set.
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("auth is not using authenticated search, no root to rotate")
+		}
 		return logical.ErrorResponse("auth is not using authenticated search, no root to rotate"), nil
 	}
 

diff --git a/changelog/28881.txt b/changelog/28881.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/ldap: Fixed an issue where debug level logging was not emitted.
+```