At the default log level, any connection errors to down/stalled LDAP servers are logged like:
2019-08-08T18:33:30.772-0400 E ACCESS [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
However, "server at default" doesn't provide the necessary details when security.ldap.servers is configured with CNAME aliases like ldapalias.uk.bigcorp.local and ldapalias.us.bigcorp.local, which may resolve to any number of hosts/IPs.
Enabling level 3 logging for the accessControl component is much more useful: it precedes the error above with lines like:
2019-08-08T18:35:46.203-0400 D3 ACCESS [main] Binding to LDAP server "default" with bind parameters: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-08-08T18:35:46.243-0400 D3 ACCESS [main] Connected to LDAP server at 54.225.237.121:636 with LDAP URL: ldaps://ldaptest.10gen.cc:636
The small change of including the resolved IP address in the error would help greatly with diagnosing LDAP server issues; the error log above would then appear as:
2019-08-08T18:33:30.772-0400 E ACCESS [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at 54.225.237.121:636 ...
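Until the error line itself carries the resolved address, the level 3 lines can be correlated with it after the fact. The following Python script is an added example (not from the ticket or the MongoDB code base): it joins each bind error to the most recent "Connected to LDAP server at" line on the same log context, and reports the gap when no such line exists. The sample log is constructed from the lines quoted above; the [conn12] error is assumed to have been logged at the default level, with no preceding D3 line.

```python
import re

# Constructed sample log modelled on the ticket's lines (not a real capture). The
# [conn12] error is assumed to be logged at the default level, with no D3 lines.
SAMPLE_LOG = """\
2019-08-08T18:35:46.203-0400 D3 ACCESS [main] Binding to LDAP server "default" with bind parameters: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-08-08T18:35:46.243-0400 D3 ACCESS [main] Connected to LDAP server at 54.225.237.121:636 with LDAP URL: ldaps://ldaptest.10gen.cc:636
2019-08-08T18:35:46.301-0400 E ACCESS [main] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
2019-08-08T18:40:02.118-0400 E ACCESS [conn12] OperationFailed: LDAP operation <ldap_sasl_bind_s>, failed to bind to LDAP server at default". (-1/Can't contact LDAP server): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). Bind parameters were: {BindDN: cn=ldapz_admin,ou=Users,dc=10gen,dc=cc, authenticationType: simple}
"""

# <timestamp> <severity> <component> [<context>] <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sev>\S+) (?P<comp>\S+) \[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
CONNECTED_RE = re.compile(r"Connected to LDAP server at (?P<addr>\S+) with LDAP URL: (?P<url>\S+)")
BIND_FAIL_RE = re.compile(r'failed to bind to LDAP server at (?P<server>\S+?)"?\. \((?P<code>-?\d+)/(?P<err>[^)]*)\)')


def annotate_bind_failures(log_text):
    """Return one dict per LDAP bind failure, carrying the resolved host:port and
    LDAP URL from the most recent D3 'Connected to LDAP server' line on the same
    context, or None when no such line precedes the error (default log level)."""
    last_conn = {}  # context -> (addr, url) of the last successful connect
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx, msg = m["ctx"], m["msg"]
        conn = CONNECTED_RE.search(msg)
        if conn:
            last_conn[ctx] = (conn["addr"], conn["url"])
            continue
        fail = BIND_FAIL_RE.search(msg)
        if m["sev"] == "E" and fail:
            addr, url = last_conn.get(ctx, (None, None))
            failures.append({
                "ts": m["ts"], "ctx": ctx, "server": fail["server"],
                "resolved": addr, "url": url,
                "code": int(fail["code"]), "ldap_error": fail["err"],
            })
            # Forget the connection: the next error on this context needs a fresh D3 line.
            last_conn.pop(ctx, None)
    return failures


if __name__ == "__main__":
    for f in annotate_bind_failures(SAMPLE_LOG):
        where = f["resolved"] or "unknown (no D3 'Connected to' line; raise accessControl to level 3)"
        print(f"{f['ts']} [{f['ctx']}] bind to {f['server']} failed at {where}: {f['ldap_error']} ({f['code']})")
```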
Depends on: SERVER-37155 Improve the LDAP server logging (Closed)