Commit df562e23 by Torkel Ödegaard

feat(ldap): better ldap logging, closes #6918

parent 6e27db14
# Set to true to log user information returned from LDAP
verbose_logging = false
# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug
[[servers]]
# Ldap server host (specify multiple hosts space separated)
......
......@@ -34,10 +34,11 @@ type ldapAuther struct {
server *LdapServerConf
conn ILdapConn
requireSecondBind bool
log log.Logger
}
var NewLdapAuthenticator = func(server *LdapServerConf) ILdapAuther {
return &ldapAuther{server: server}
return &ldapAuther{server: server, log: log.New("ldap")}
}
var ldapDial = func(network, addr string) (ILdapConn, error) {
......@@ -103,9 +104,7 @@ func (a *ldapAuther) Login(query *LoginUserQuery) error {
if ldapUser, err := a.searchForUser(query.Username); err != nil {
return err
} else {
if LdapCfg.VerboseLogging {
log.Info("Ldap User Info: %s", spew.Sdump(ldapUser))
}
a.log.Debug("Ldap User found", "info", spew.Sdump(ldapUser))
// check if a second user bind is needed
if a.requireSecondBind {
......@@ -144,7 +143,7 @@ func (a *ldapAuther) SyncSignedInUser(signedInUser *m.SignedInUser) error {
}
if ldapUser, err := a.searchForUser(signedInUser.Login); err != nil {
log.Info("ERROR while searching for user in ldap %#v", err)
a.log.Error("Failed searching for user in ldap", "error", err)
return err
} else {
......@@ -152,9 +151,7 @@ func (a *ldapAuther) SyncSignedInUser(signedInUser *m.SignedInUser) error {
return err
}
if LdapCfg.VerboseLogging {
log.Info("Ldap User Info: %s", spew.Sdump(ldapUser))
}
a.log.Debug("Got Ldap User Info", "user", spew.Sdump(ldapUser))
}
return nil
......@@ -187,7 +184,7 @@ func (a *ldapAuther) GetGrafanaUserFor(ldapUser *LdapUserInfo) (*m.User, error)
}
if !access {
log.Info("Ldap Auth: user %s does not belong in any of the specified ldap groups, ldapUser groups: %v", ldapUser.Username, ldapUser.MemberOf)
a.log.Info("Ldap Auth: user does not belong in any of the specified ldap groups", "username", ldapUser.Username, "groups", ldapUser.MemberOf)
return nil, ErrInvalidCredentials
}
......@@ -197,6 +194,7 @@ func (a *ldapAuther) GetGrafanaUserFor(ldapUser *LdapUserInfo) (*m.User, error)
if err == m.ErrUserNotFound && setting.LdapAllowSignup {
return a.createGrafanaUser(ldapUser)
} else if err == m.ErrUserNotFound {
a.log.Warn("Not allowing LDAP login, user not found in internal user database, and ldap allow signup = false")
return nil, ErrInvalidCredentials
} else {
return nil, err
......@@ -226,7 +224,7 @@ func (a *ldapAuther) syncUserInfo(user *m.User, ldapUser *LdapUserInfo) error {
return nil
}
log.Info("Ldap: Syncing user info %s", ldapUser.Username)
a.log.Debug("Syncing user info", "username", ldapUser.Username)
updateCmd := m.UpdateUserCommand{}
updateCmd.UserId = user.Id
updateCmd.Login = user.Login
......@@ -237,7 +235,7 @@ func (a *ldapAuther) syncUserInfo(user *m.User, ldapUser *LdapUserInfo) error {
func (a *ldapAuther) SyncOrgRoles(user *m.User, ldapUser *LdapUserInfo) error {
if len(a.server.LdapGroups) == 0 {
log.Warn("Ldap: no group mappings defined")
a.log.Warn("No group mappings defined")
return nil
}
......@@ -308,9 +306,7 @@ func (a *ldapAuther) SyncOrgRoles(user *m.User, ldapUser *LdapUserInfo) error {
func (a *ldapAuther) serverBind() error {
// bind_dn and bind_password to bind
if err := a.conn.Bind(a.server.BindDN, a.server.BindPassword); err != nil {
if LdapCfg.VerboseLogging {
log.Info("LDAP initial bind failed, %v", err)
}
a.log.Info("LDAP initial bind failed, %v", err)
if ldapErr, ok := err.(*ldap.Error); ok {
if ldapErr.ResultCode == 49 {
......@@ -325,9 +321,7 @@ func (a *ldapAuther) serverBind() error {
func (a *ldapAuther) secondBind(ldapUser *LdapUserInfo, userPassword string) error {
if err := a.conn.Bind(ldapUser.DN, userPassword); err != nil {
if LdapCfg.VerboseLogging {
log.Info("LDAP second bind failed, %v", err)
}
a.log.Info("Second bind failed", "error", err)
if ldapErr, ok := err.(*ldap.Error); ok {
if ldapErr.ResultCode == 49 {
......@@ -352,9 +346,7 @@ func (a *ldapAuther) initialBind(username, userPassword string) error {
}
if err := a.conn.Bind(bindPath, userPassword); err != nil {
if LdapCfg.VerboseLogging {
log.Info("LDAP initial bind failed, %v", err)
}
a.log.Info("Initial bind failed", "error", err)
if ldapErr, ok := err.(*ldap.Error); ok {
if ldapErr.ResultCode == 49 {
......@@ -418,9 +410,7 @@ func (a *ldapAuther) searchForUser(username string) (*LdapUserInfo, error) {
}
filter := strings.Replace(a.server.GroupSearchFilter, "%s", ldap.EscapeFilter(filter_replace), -1)
if LdapCfg.VerboseLogging {
log.Info("LDAP: Searching for user's groups: %s", filter)
}
a.log.Info("Searching for user's groups", "filter", filter)
groupSearchReq := ldap.SearchRequest{
BaseDN: groupSearchBase,
......
......@@ -11,8 +11,7 @@ import (
)
type LdapConfig struct {
Servers []*LdapServerConf `toml:"servers"`
VerboseLogging bool `toml:"verbose_logging"`
Servers []*LdapServerConf `toml:"servers"`
}
type LdapServerConf struct {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment