From d27dfcc1e325a707d4d013ed9bfc6eb8bd151a86 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 26 Apr 2021 23:25:31 +0200
Subject: [PATCH] outposts/ldap: improve logging,return success for empty DN

Signed-off-by: Jens Langhammer
---
 outpost/pkg/ldap/bind.go            |  5 ++---
 outpost/pkg/ldap/instance_bind.go   |  8 ++++----
 outpost/pkg/ldap/instance_search.go |  1 +
 outpost/pkg/ldap/search.go          | 10 +++++++---
 4 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/outpost/pkg/ldap/bind.go b/outpost/pkg/ldap/bind.go
index 9418fe563..8ebdabcd6 100644
--- a/outpost/pkg/ldap/bind.go
+++ b/outpost/pkg/ldap/bind.go
@@ -6,15 +6,14 @@ import (
 	"github.com/nmcclain/ldap"
 )
 
-
 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
-	ls.log.WithField("dn", bindDN).Info("bind")
+	ls.log.WithField("boundDN", bindDN).Info("bind")
 	for _, instance := range ls.providers {
 		username, err := instance.getUsername(bindDN)
 		if err == nil {
 			return instance.Bind(username, bindPW, conn)
 		}
 	}
-	ls.log.WithField("dn", bindDN).WithField("request", "bind").Warning("No provider found for request")
+	ls.log.WithField("boundDN", bindDN).WithField("request", "bind").Warning("No provider found for request")
 	return ldap.LDAPResultOperationsError, nil
 }
diff --git a/outpost/pkg/ldap/instance_bind.go b/outpost/pkg/ldap/instance_bind.go
index 4f722c3a7..d1607c7cb 100644
--- a/outpost/pkg/ldap/instance_bind.go
+++ b/outpost/pkg/ldap/instance_bind.go
@@ -53,7 +53,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
 	}
 	passed, err := pi.solveFlowChallenge(username, bindPW, client)
 	if err != nil {
-		pi.log.WithField("dn", username).WithError(err).Warning("failed to solve challenge")
+		pi.log.WithField("boundDN", username).WithError(err).Warning("failed to solve challenge")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	if !passed {
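Review bot: A DN that no provider recognizes is still answered with `ldap.LDAPResultOperationsError` at the end of the hunk, whereas a wrong password for a known DN presumably ends in a different code inside `instance.Bind`, so the result code alone tells a client "unknown DN" apart from "bad password". Returning `ldap.LDAPResultInvalidCredentials, nil` for the no-provider case gives both failures the same answer, and the Warning line already records the real reason server-side. The key `boundDN` is also slightly off at this point, since the DN has only been offered for binding and may never bind; `bindDN`, matching the parameter name, would read more accurately.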
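Review bot: The renamed key `boundDN` now carries `username` at the changed line here and at the three changed lines of the `@@ -66,13 +66,13 @@` hunk, while `LDAPServer.Bind` logs the raw DN under the same key, so one field name holds two different kinds of value along the bind path and filtering logs by `boundDN` will mix them up. `pi.log.WithField("username", username)` keeps the key honest; if the original DN is still reachable at this point, logging both is better still. `Bind`'s body starts before this hunk and continues after it.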
@@ -66,13 +66,13 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
 	}, httptransport.PassThroughAuth)
 	if err != nil {
 		if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
-			pi.log.WithField("dn", username).Info("Access denied for user")
+			pi.log.WithField("boundDN", username).Info("Access denied for user")
 			return ldap.LDAPResultInsufficientAccessRights, nil
 		}
-		pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
+		pi.log.WithField("boundDN", username).WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
-	pi.log.WithField("dn", username).Info("User has access")
+	pi.log.WithField("boundDN", username).Info("User has access")
 	return ldap.LDAPResultSuccess, nil
 }
 
diff --git a/outpost/pkg/ldap/instance_search.go b/outpost/pkg/ldap/instance_search.go
index 3e2b1c92f..a7548e57b 100644
--- a/outpost/pkg/ldap/instance_search.go
+++ b/outpost/pkg/ldap/instance_search.go
@@ -34,6 +34,7 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 	if err != nil {
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err)
 	}
+	pi.log.WithField("count", len(groups.Payload.Results)).Trace("Got results from API")
 	for _, g := range groups.Payload.Results {
 		attrs := []*ldap.EntryAttribute{
 			{
diff --git a/outpost/pkg/ldap/search.go b/outpost/pkg/ldap/search.go
index ac50f3824..ecc5f35e6 100644
--- a/outpost/pkg/ldap/search.go
+++ b/outpost/pkg/ldap/search.go
@@ -9,9 +9,13 @@ import (
 )
 
 func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
-	ls.log.WithField("dn", boundDN).Info("search")
-	bd, err := goldap.ParseDN(boundDN)
+	ls.log.WithField("boundDN", boundDN).WithField("baseDN", searchReq.BaseDN).Info("search")
+	if searchReq.BaseDN == "" {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultSuccess}, nil
+	}
+	bd, err := goldap.ParseDN(searchReq.BaseDN)
 	if err != nil {
+		ls.log.WithField("baseDN", searchReq.BaseDN).WithError(err).Info("failed to parse basedn")
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
 	}
 	for _, provider := range ls.providers {
@@ -20,5 +24,5 @@ func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn
 			return provider.Search(boundDN, searchReq, conn)
 		}
 	}
-	return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
+	return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("no provider could handle request")
 }
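Review bot: After `goldap.ParseDN(boundDN)` is replaced by parsing `searchReq.BaseDN`, no line left in `Search` inspects `boundDN` before the request is forwarded with `return provider.Search(boundDN, searchReq, conn)` in the next hunk, so an unbound connection that supplies a well-formed base DN now reaches the provider; whether `provider.Search` rejects an empty `boundDN` is not visible here. The empty-base early return is the usual root-DSE behaviour and can stay anonymous, but if the provider does not enforce the bind itself, a guard right after it such as `if boundDN == "" { return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, nil }` keeps directory data behind authentication. The new parse-failure log is the only record of malformed base DNs and sits at `Info`, while `Bind` reports comparable failures at `Warning`; matching that level makes the two paths easier to monitor together.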
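Review bot: The new message at the changed line is clearer, but the result code stays `ldap.LDAPResultOperationsError`, which tells a client that the server failed rather than that the base DN lies outside every served subtree; `ldap.LDAPResultNoSuchObject` is what clients expect for a base that does not exist, and in the previous hunk `ldap.LDAPResultInvalidDNSyntax` fits the `invalid DN` return the same way. Whether the server layer forwards the returned error text to the client is not visible here, so keeping these messages as generic as they are now and leaving the detail in the log lines is the safer split.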