
Enhancing LDAP Integration Logs and Auditing for Better Debugging #28467

Open

paulothread opened this issue Sep 23, 2024 · 0 comments

Comments

@paulothread

When configuring Vault's LDAP integration, administrators face significant difficulties in debugging issues related to group mappings and LDAP queries. Currently, even with detailed logging enabled (debug mode), the Vault audit logs do not provide enough insight into the LDAP queries being made, particularly during group search operations.

This lack of visibility makes it difficult to identify and troubleshoot issues like incorrect group filters or attribute mappings. The administrator is left guessing the exact LDAP queries Vault is executing, leading to a trial-and-error approach that is time-consuming and error-prone.

Request:

Enhance the LDAP authentication backend by adding more detailed logging, specifically:

- Log the exact LDAP queries performed (including filters, attributes requested, and base DNs used) during both user and group search operations.
- Audit log entries for LDAP queries should include:
  - The full query issued (base DN, filter, attributes requested).
  - Whether the query succeeded or failed.
  - The number of entries returned from the LDAP server.
  - Any specific errors encountered during the search.
- If possible, provide an option to toggle the verbosity of LDAP-related logs (to balance performance and debugging needs).

Use Case:

In a situation where LDAP group policies are not being applied correctly, the administrator currently has no way of knowing:

- What exact LDAP query Vault is sending to retrieve groups.
- Whether the query returned results and, if so, what results were returned.

This information is critical for fine-tuning LDAP configuration settings such as `groupdn`, `groupfilter`, and `groupattr`, and for troubleshooting why certain groups are not being found or mapped correctly. Having this visibility would significantly reduce the time spent diagnosing LDAP issues.

Steps to Reproduce:

1. Configure Vault with the LDAP authentication backend.
2. Set up group filters and policies.
3. Attempt to log in as a user who should inherit policies from LDAP groups.
4. Observe the lack of detailed LDAP query logs in the debug or audit logs.

Expected Outcome: The Vault logs or audit logs should show:

- The exact LDAP query that was issued.
- Information on whether the query returned results or failed.
- The groups and attributes returned by the LDAP server.

This would allow administrators to compare the actual query with their expected configuration and make adjustments accordingly.
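The following is an added example, not Vault's code and not from the issue author, sketching the audit record that the Request and Expected Outcome sections describe: one structured line per LDAP search carrying the base DN, rendered filter, requested attributes, success flag, entry count and error, plus the returned entries when a verbosity toggle is on. The `Searcher` signature and the in-memory `FakeDirectory` are hypothetical stand-ins so it runs without an LDAP server; the `{{.Username}}` and `{{.UserDN}}` template variables are the ones Vault documents for `groupfilter`; the RFC 4515 escaping of those values goes beyond the request and is there because the rendered filter is what an operator will read in the log. The `main` runs the same search twice, once with a correct `member` filter (count=2, groups listed) and once with `uniqueMember`, a typical misconfiguration, which logs count=0 right next to the filter that explains it.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"slices"
	"strings"
	"text/template"
)

// SearchRequest carries what the request asks to be logged for every search.
type SearchRequest struct {
	BaseDN, Filter string
	Attributes     []string
}

// Entry is one directory object; Searcher is the wrapped directory call (hypothetical, not Vault's own).
type Entry struct {
	DN    string
	Attrs map[string][]string
}
type Searcher func(SearchRequest) ([]Entry, error)

// AuditEntry is the record produced for one search; success and count derive from Err and Entries.
type AuditEntry struct {
	Operation, BaseDN, Filter string
	Attributes                []string
	Err                       error
	Entries                   []Entry
}

// LogLine renders the record as one key=value line; full is the requested
// verbosity toggle and adds the DNs and attributes the server returned.
func (ae AuditEntry) LogLine(full bool) string {
	s := fmt.Sprintf("ldap search: op=%s base_dn=%q filter=%q attrs=%v ok=%t count=%d err=%v",
		ae.Operation, ae.BaseDN, ae.Filter, ae.Attributes, ae.Err == nil, len(ae.Entries), ae.Err)
	if full && len(ae.Entries) > 0 {
		s += fmt.Sprintf(" entries=%v", ae.Entries)
	}
	return s
}

// AuditedSearch runs the search, logs one line at the chosen verbosity and returns the record.
func AuditedSearch(s Searcher, logger *log.Logger, op string, req SearchRequest, full bool) AuditEntry {
	entries, err := s(req)
	ae := AuditEntry{Operation: op, BaseDN: req.BaseDN, Filter: req.Filter, Attributes: req.Attributes,
		Err: err, Entries: entries}
	logger.Println(ae.LogLine(full))
	return ae
}

// EscapeFilterValue escapes \ * ( ) and NUL per RFC 4515 (Replacer is single-pass, so
// inserted backslashes are not re-escaped), so a username cannot alter the filter's structure.
func EscapeFilterValue(s string) string {
	return strings.NewReplacer(`\`, `\5c`, "*", `\2a`, "(", `\28`, ")", `\29`, "\x00", `\00`).Replace(s)
}

// RenderGroupFilter expands a groupfilter template using the {{.Username}} and
// {{.UserDN}} variables Vault documents, escaping both values first.
func RenderGroupFilter(tmpl, username, userDN string) (string, error) {
	var out strings.Builder
	t, err := template.New("groupfilter").Parse(tmpl)
	if err == nil {
		err = t.Execute(&out, map[string]string{"Username": EscapeFilterValue(username), "UserDN": EscapeFilterValue(userDN)})
	}
	return out.String(), err
}

// FakeDirectory is a constructed in-memory stand-in for the LDAP server. Its matching is naive
// (a group matches when the filter names one of its "member" values exactly), which is enough
// to make a wrong filter attribute or base DN visible in the log.
func FakeDirectory() Searcher {
	alice, bob := "cn=alice,ou=people,dc=example,dc=com", "cn=bob,ou=people,dc=example,dc=com"
	groups := []Entry{
		{DN: "cn=admins,ou=groups,dc=example,dc=com", Attrs: map[string][]string{"cn": {"admins"}, "member": {alice}}},
		{DN: "cn=dev,ou=groups,dc=example,dc=com", Attrs: map[string][]string{"cn": {"dev"}, "member": {alice, bob}}},
	}
	return func(req SearchRequest) ([]Entry, error) {
		if req.BaseDN != "ou=groups,dc=example,dc=com" {
			return nil, errors.New("noSuchObject (result code 32)")
		}
		var out []Entry
		for _, g := range groups {
			if slices.ContainsFunc(g.Attrs["member"], func(m string) bool { return strings.Contains(req.Filter, "(member="+m+")") }) {
				out = append(out, g)
			}
		}
		return out, nil
	}
}

func main() {
	logger, dir := log.New(os.Stdout, "", 0), FakeDirectory()
	for _, tmpl := range []string{"(&(objectClass=groupOfNames)(member={{.UserDN}}))", "(&(objectClass=groupOfNames)(uniqueMember={{.UserDN}}))"} {
		f, _ := RenderGroupFilter(tmpl, "alice", "cn=alice,ou=people,dc=example,dc=com")
		AuditedSearch(dir, logger, "group", SearchRequest{"ou=groups,dc=example,dc=com", f, []string{"cn"}}, true)
	}
}
```

Two design points: the `full` toggle only changes what is printed, never what is searched, so turning it on for a debugging session cannot alter authentication behaviour; and the filter is logged after template expansion, which is the form the directory actually evaluated and therefore the one to compare against the intended `groupfilter`.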

Impact:

This improvement would drastically improve the efficiency of debugging LDAP issues in Vault, providing administrators with the necessary insight into LDAP operations and helping to prevent unnecessary misconfigurations or extended downtime.
