Merge pull request #3585 from Icinga/feature/enhanced-ldap-logging

Feature/enhanced ldap logging
Eric Lippmann 2018-11-15 11:28:47 +01:00 committed by GitHub
commit d919e23d0b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 54 additions and 4 deletions


@ -84,6 +84,7 @@ class Web extends EmbeddedWeb
->setupLogging() ->setupLogging()
->setupErrorHandling() ->setupErrorHandling()
->loadConfig() ->loadConfig()
->setupLogger()
->setupRequest() ->setupRequest()
->setupSession() ->setupSession()
->setupNotifications() ->setupNotifications()
@ -97,7 +98,6 @@ class Web extends EmbeddedWeb
->setupUserBackendFactory() ->setupUserBackendFactory()
->setupUser() ->setupUser()
->setupTimezone() ->setupTimezone()
->setupLogger()
->setupInternationalization() ->setupInternationalization()
->setupFatalErrorHandling(); ->setupFatalErrorHandling();
} }


@ -153,9 +153,20 @@ class Auth
continue; continue;
} }
if (empty($groupsFromBackend)) { if (empty($groupsFromBackend)) {
Logger::debug(
'No groups found in backend "%s" which the user "%s" is a member of.',
$name,
$user->getUsername()
);
continue; continue;
} }
$groupsFromBackend = array_values($groupsFromBackend); $groupsFromBackend = array_values($groupsFromBackend);
Logger::debug(
'Groups found in backend "%s" for user "%s": %s',
$name,
$user->getUsername(),
join(', ', $groupsFromBackend)
);
$groups = array_merge($groups, array_combine($groupsFromBackend, $groupsFromBackend)); $groups = array_merge($groups, array_combine($groupsFromBackend, $groupsFromBackend));
} }
$user->setGroups($groups); $user->setGroups($groups);
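Review bot: The two added `Logger::debug()` calls write `$user->getUsername()` and the backend's group names into the log verbatim, and nothing in this hunk removes line breaks or other control characters from them first. Both values originate outside the application (a login name and directory data), so a crafted value could split or forge log lines unless the logger itself neutralises them, which this page does not show. Encoding the values at the call site would settle it, for example `json_encode($user->getUsername())` and `json_encode($groupsFromBackend)` in place of the raw name and the `join(', ', ...)`. The same applies to the sample values logged in the LdapUserGroupBackend hunk and the attribute values logged in the LdapCapabilities hunk; the enclosing method starts and ends outside this hunk.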


@ -466,15 +466,41 @@ class LdapUserGroupBackend extends LdapRepository implements Inspectable, UserGr
); );
} }
$sampleValue = $this->ds $sampleValues = $this->ds
->select() ->select()
->from($this->groupClass, array($this->groupMemberAttribute)) ->from($this->groupClass, array($this->groupMemberAttribute))
->where($this->groupMemberAttribute, '*') ->where($this->groupMemberAttribute, '*')
->limit(Logger::getInstance()->getLevel() === Logger::DEBUG ? 3 : 1)
->setUnfoldAttribute($this->groupMemberAttribute) ->setUnfoldAttribute($this->groupMemberAttribute)
->setBase($this->groupBaseDn) ->setBase($this->groupBaseDn)
->fetchOne(); ->fetchAll();
$this->ambiguousMemberAttribute = ! LdapUtils::isDn($sampleValue); Logger::debug('Ambiguity query returned %d results', count($sampleValues));
$i = 0;
$sampleValue = null;
foreach ($sampleValues as $key => $value) {
if ($sampleValue === null) {
$sampleValue = $value;
}
Logger::debug('Result %d: %s (%s)', ++$i, $value, $key);
}
if (is_object($sampleValue) && isset($sampleValue->{$this->groupMemberAttribute})) {
$this->ambiguousMemberAttribute = ! LdapUtils::isDn($sampleValue->{$this->groupMemberAttribute});
Logger::debug(
'Ambiguity check came to the conclusion that the member attribute %s ambiguous. Tested sample: %s',
$this->ambiguousMemberAttribute ? 'is' : 'is not',
$sampleValue->{$this->groupMemberAttribute}
);
} else {
Logger::warning(
'Ambiguity query returned zero or invalid results. Sample value is `%s`',
print_r($sampleValue, true)
);
}
} }
return $this->ambiguousMemberAttribute; return $this->ambiguousMemberAttribute;
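Review bot: In the new `else` branch `$this->ambiguousMemberAttribute` is never assigned, so when the sample query returns nothing usable the method returns whatever the property held before (presumably null), whereas the removed line always stored a boolean. If the guard above the hunk tests for null, the LDAP query and the warning will then repeat on every call. Assign an explicit fallback in that branch, e.g. `$this->ambiguousMemberAttribute = true;` if a member attribute that cannot be verified should be treated as ambiguous; which default is intended needs confirming. The warning also prints `print_r($sampleValue, true)`, so a multi-line dump of directory data reaches the log even when debug logging is off. The enclosing method starts outside this hunk.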


@ -3,6 +3,8 @@
namespace Icinga\Protocol\Ldap; namespace Icinga\Protocol\Ldap;
use Icinga\Application\Logger;
/** /**
* The properties and capabilities of an LDAP server * The properties and capabilities of an LDAP server
* *
@ -347,6 +349,17 @@ class LdapCapabilities
$cap = new LdapCapabilities($connection->cleanupAttributes(ldap_get_attributes($ds, $entry), $fields)); $cap = new LdapCapabilities($connection->cleanupAttributes(ldap_get_attributes($ds, $entry), $fields));
$cap->discoverAdConfigOptions($connection); $cap->discoverAdConfigOptions($connection);
if (isset($cap->attributes) && Logger::getInstance()->getLevel() === Logger::DEBUG) {
Logger::debug('Capability query discovered the following attributes:');
foreach ($cap->attributes as $name => $value) {
if ($value !== null) {
Logger::debug(' %s = %s', $name, $value);
}
}
Logger::debug('Capability query attribute listing ended.');
}
return $cap; return $cap;
} }
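Review bot: The added guard calls `Logger::getInstance()->getLevel()` without checking that an instance exists; if this method can run before the logger has been created (the page does not show that it cannot), the call fails with a fatal error on null instead of simply skipping the dump. The same pattern is used in the `->limit(...)` argument in the LdapUserGroupBackend hunk. A null-safe form would be `($logger = Logger::getInstance()) !== null && $logger->getLevel() === Logger::DEBUG`. The enclosing method starts outside this hunk.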