diff --git a/outpost/pkg/ldap/bind.go b/outpost/pkg/ldap/bind.go index 9418fe563..8ebdabcd6 100644 --- a/outpost/pkg/ldap/bind.go +++ b/outpost/pkg/ldap/bind.go @@ -6,15 +6,14 @@ import ( "github.com/nmcclain/ldap" ) - func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) { - ls.log.WithField("dn", bindDN).Info("bind") + ls.log.WithField("boundDN", bindDN).Info("bind") for _, instance := range ls.providers { username, err := instance.getUsername(bindDN) if err == nil { return instance.Bind(username, bindPW, conn) } } - ls.log.WithField("dn", bindDN).WithField("request", "bind").Warning("No provider found for request") + ls.log.WithField("boundDN", bindDN).WithField("request", "bind").Warning("No provider found for request") return ldap.LDAPResultOperationsError, nil } diff --git a/outpost/pkg/ldap/instance_bind.go b/outpost/pkg/ldap/instance_bind.go index 4f722c3a7..d1607c7cb 100644 --- a/outpost/pkg/ldap/instance_bind.go +++ b/outpost/pkg/ldap/instance_bind.go @@ -53,7 +53,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn) } passed, err := pi.solveFlowChallenge(username, bindPW, client) if err != nil { - pi.log.WithField("dn", username).WithError(err).Warning("failed to solve challenge") + pi.log.WithField("boundDN", username).WithError(err).Warning("failed to solve challenge") return ldap.LDAPResultOperationsError, nil } if !passed { @@ -66,13 +66,13 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn) }, httptransport.PassThroughAuth) if err != nil { if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied { - pi.log.WithField("dn", username).Info("Access denied for user") + pi.log.WithField("boundDN", username).Info("Access denied for user") return ldap.LDAPResultInsufficientAccessRights, nil } - pi.log.WithField("dn", username).WithError(err).Warning("failed to check access") + pi.log.WithField("boundDN", username).WithError(err).Warning("failed to check access") return ldap.LDAPResultOperationsError, nil } - pi.log.WithField("dn", username).Info("User has access") + pi.log.WithField("boundDN", username).Info("User has access") return ldap.LDAPResultSuccess, nil } diff --git a/outpost/pkg/ldap/instance_search.go b/outpost/pkg/ldap/instance_search.go index 3e2b1c92f..a7548e57b 100644 --- a/outpost/pkg/ldap/instance_search.go +++ b/outpost/pkg/ldap/instance_search.go @@ -34,6 +34,7 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest, if err != nil { return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err) } + pi.log.WithField("count", len(groups.Payload.Results)).Trace("Got results from API") for _, g := range groups.Payload.Results { attrs := []*ldap.EntryAttribute{ { diff --git a/outpost/pkg/ldap/search.go b/outpost/pkg/ldap/search.go index ac50f3824..ecc5f35e6 100644 --- a/outpost/pkg/ldap/search.go +++ b/outpost/pkg/ldap/search.go @@ -9,9 +9,13 @@ import ( ) func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) { - ls.log.WithField("dn", boundDN).Info("search") - bd, err := goldap.ParseDN(boundDN) + ls.log.WithField("boundDN", boundDN).WithField("baseDN", searchReq.BaseDN).Info("search") + if searchReq.BaseDN == "" { + return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultSuccess}, nil + } + bd, err := goldap.ParseDN(searchReq.BaseDN) if err != nil { + ls.log.WithField("baseDN", searchReq.BaseDN).WithError(err).Info("failed to parse basedn") return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN") } for _, provider := range ls.providers { @@ -20,5 +24,5 @@ func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn return provider.Search(boundDN, searchReq, conn) } } - return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN") + return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("no provider could handle request") }