VAULT-31594 Add debug level logging to the LDAP auth library #28881

merged 2 commits into from
Nov 18, 2024
20 changes: 20 additions & 0 deletions builtin/credential/ldap/backend.go
Expand Up @@ -83,6 +83,9 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri

ldapClient, err := ldap.NewClient(ctx, ldaputil.ConvertConfig(cfg.ConfigEntry))
if err != nil {
if b.Logger().IsDebug() {
b.Logger().Debug("error creating client", "error", err)
}
return "", nil, logical.ErrorResponse(err.Error()), nil, nil
}

Expand All @@ -93,12 +96,19 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
if err != nil {
if strings.Contains(err.Error(), "discovery of user bind DN failed") ||
strings.Contains(err.Error(), "unable to bind user") {
if b.Logger().IsDebug() {
b.Logger().Debug("error getting user bind DN", "error", err)
}
return "", nil, logical.ErrorResponse(errUserBindFailed), nil, logical.ErrInvalidCredentials
}

return "", nil, logical.ErrorResponse(err.Error()), nil, nil
}

if b.Logger().IsDebug() {
b.Logger().Debug("user binddn fetched", "username", username, "binddn", c.UserDN)
}

ldapGroups := c.Groups
ldapResponse := &logical.Response{
Data: map[string]interface{}{},
Expand All @@ -107,10 +117,17 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
errString := fmt.Sprintf(
"no LDAP groups found in groupDN %q; only policies from locally-defined groups available",
cfg.GroupDN)

if b.Logger().IsDebug() {
b.Logger().Debug(errString)
}
ldapResponse.AddWarning(errString)
}

for _, warning := range c.Warnings {
if b.Logger().IsDebug() {
b.Logger().Debug(string(warning))
}
ldapResponse.AddWarning(string(warning))
}

Expand Down Expand Up @@ -160,6 +177,9 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri

userAttrValues := c.UserAttributes[cfg.UserAttr]
if len(userAttrValues) == 0 {
if b.Logger().IsDebug() {
b.Logger().Debug("missing entity alias attribute value")
}
return "", nil, logical.ErrorResponse("missing entity alias attribute value"), nil, nil
}
entityAliasAttribute := userAttrValues[0]
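Review bot: The debug entry in the second hunk, `b.Logger().Debug("error getting user bind DN", "error", err)`, records the underlying bind failure that the response deliberately masks behind errUserBindFailed, but unlike the later "user binddn fetched" entry it carries no username, so a failed bind cannot be matched to the account it was attempted for when reading the logs; suggest `b.Logger().Debug("error getting user bind DN", "username", username, "error", err)`. The two entries in the third hunk pass a pre-built string as the message (`b.Logger().Debug(errString)` and `b.Logger().Debug(string(warning))`), which puts the group DN and the client warning text into the message field instead of structured key/value pairs; a fixed message with the variable as a value, e.g. `b.Logger().Debug("no LDAP groups found in groupDN", "groupdn", cfg.GroupDN)`, filters more easily and keeps the message stable. Login's body begins before the first hunk and continues past the last one.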
4 changes: 4 additions & 0 deletions builtin/credential/ldap/path_config_rotate_root.go
Expand Up @@ -51,6 +51,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R

u, p := cfg.BindDN, cfg.BindPassword
if u == "" || p == "" {
// Logging this is as it may be useful to know that the binddn/bindpass is not set.
if b.Logger().IsDebug() {
b.Logger().Debug("auth is not using authenticated search, no root to rotate")
}
return logical.ErrorResponse("auth is not using authenticated search, no root to rotate"), nil
}

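Review bot: The comment added above the debug guard is garbled (`// Logging this is as it may be useful to know that the binddn/bindpass is not set.`); suggest `// Log at debug level so an operator can see that bindDN/bindpass are unset.` The same message string is then repeated verbatim in the Debug call and in logical.ErrorResponse on the following line; a single local constant such as `const msg = "auth is not using authenticated search, no root to rotate"` used in both places keeps the log entry and the response from drifting apart. pathConfigRotateRootUpdate begins before the hunk and continues after it.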
3 changes: 3 additions & 0 deletions changelog/28881.txt
@@ -0,0 +1,3 @@
```release-note:bug
auth/ldap: Fixed an issue where debug level logging was not emitted.
```