outposts/ldap: improve logging,return success for empty DN

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

outpost/pkg/ldap/bind.go

@@ -6,15 +6,14 @@ import (
 	"github.com/nmcclain/ldap"
 )
 
-
 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
-	ls.log.WithField("dn", bindDN).Info("bind")
+	ls.log.WithField("boundDN", bindDN).Info("bind")
 	for _, instance := range ls.providers {
 		username, err := instance.getUsername(bindDN)
 		if err == nil {
 			return instance.Bind(username, bindPW, conn)
 		}
 	}
-	ls.log.WithField("dn", bindDN).WithField("request", "bind").Warning("No provider found for request")
+	ls.log.WithField("boundDN", bindDN).WithField("request", "bind").Warning("No provider found for request")
 	return ldap.LDAPResultOperationsError, nil
 }

outpost/pkg/ldap/instance_bind.go

@@ -53,7 +53,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
 	}
 	passed, err := pi.solveFlowChallenge(username, bindPW, client)
 	if err != nil {
-		pi.log.WithField("dn", username).WithError(err).Warning("failed to solve challenge")
+		pi.log.WithField("boundDN", username).WithError(err).Warning("failed to solve challenge")
 		return ldap.LDAPResultOperationsError, nil
 	}
 	if !passed {
@@ -66,13 +66,13 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
 	}, httptransport.PassThroughAuth)
 	if err != nil {
 		if _, denied := err.(*core.CoreApplicationsCheckAccessForbidden); denied {
-			pi.log.WithField("dn", username).Info("Access denied for user")
+			pi.log.WithField("boundDN", username).Info("Access denied for user")
 			return ldap.LDAPResultInsufficientAccessRights, nil
 		}
-		pi.log.WithField("dn", username).WithError(err).Warning("failed to check access")
+		pi.log.WithField("boundDN", username).WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
-	pi.log.WithField("dn", username).Info("User has access")
+	pi.log.WithField("boundDN", username).Info("User has access")
 	return ldap.LDAPResultSuccess, nil
 }
 

outpost/pkg/ldap/instance_search.go

@@ -34,6 +34,7 @@ func (pi *ProviderInstance) Search(bindDN string, searchReq ldap.SearchRequest,
 		if err != nil {
 			return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("API Error: %s", err)
 		}
+		pi.log.WithField("count", len(groups.Payload.Results)).Trace("Got results from API")
 		for _, g := range groups.Payload.Results {
 			attrs := []*ldap.EntryAttribute{
 				{

outpost/pkg/ldap/search.go

@@ -9,9 +9,13 @@ import (
 )
 
 func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn net.Conn) (ldap.ServerSearchResult, error) {
-	ls.log.WithField("dn", boundDN).Info("search")
-	bd, err := goldap.ParseDN(boundDN)
+	ls.log.WithField("boundDN", boundDN).WithField("baseDN", searchReq.BaseDN).Info("search")
+	if searchReq.BaseDN == "" {
+		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultSuccess}, nil
+	}
+	bd, err := goldap.ParseDN(searchReq.BaseDN)
 	if err != nil {
+		ls.log.WithField("baseDN", searchReq.BaseDN).WithError(err).Info("failed to parse basedn")
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
 	}
 	for _, provider := range ls.providers {
@@ -20,5 +24,5 @@ func (ls *LDAPServer) Search(boundDN string, searchReq ldap.SearchRequest, conn
 			return provider.Search(boundDN, searchReq, conn)
 		}
 	}
-	return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("invalid DN")
+	return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, errors.New("no provider could handle request")
 }