mirror of https://github.com/apache/httpd.git synced 2026-01-06 09:01:14 +03:00

add LDAPLibraryDebug directive to mod_ldap to turn on

tracing in underlying LDAP SDK, where all the interesting tidbits
about all kinds of LDAP errors are hidden.

Unfortunately, Windows doesn't implement this LDAP_OPT.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@831183 13f79535-47bb-0310-9956-ffa450edef68
Eric Covener
2009-10-30 02:07:45 +00:00
parent 35e256eed7
commit 4e6f442708
5 changed files with 102 additions and 1 deletions


@@ -60,6 +60,7 @@ by other LDAP modules</td></tr>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapcacheentries">LDAPCacheEntries</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapcachettl">LDAPCacheTTL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapconnectiontimeout">LDAPConnectionTimeout</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldaplibrarydebug">LDAPLibraryDebug</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapopcacheentries">LDAPOpCacheEntries</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapopcachettl">LDAPOpCacheTTL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ldapreferralhoplimit">LDAPReferralHopLimit</a></li>
@@ -477,6 +478,34 @@ by other LDAP modules</td></tr>
returned or the module will attempt to connect to a secondary LDAP
server if one is specified. The default is 10 seconds.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPLibraryDebug" id="LDAPLibraryDebug">LDAPLibraryDebug</a> <a name="ldaplibrarydebug" id="ldaplibrarydebug">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable debugging in the LDAP SDK</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LDAPLibraryDebug <var>7</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>disabled</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ldap</td></tr>
</table>
<p>Turns on SDK-specific LDAP debug options that generally cause the LDAP
SDK to log verbose trace information to the main Apache error log.
The trace messages from the LDAP SDK provide gory details that
can be useful during debugging of connectivity problems with backeld LDAP servers</p>
<p>This option is only configurable when Apache HTTP Server is linked with
an LDAP SDK that implements <code>LDAP_OPT_DEBUG</code> or
<code>LDAP_OPT_DEBUG_LEVEL</code>, such as OpenLDAP (a value of 7 is verbose)
or Tivoli Directory Server (a value of 65535 is verbose).</p>
<div class="warning">
<p>The logged information will likely contain plaintext credentials being used or
validated by LDAP authentication, so care should be taken in protecting and purging
the error log when this directive is used.</p>
</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="LDAPOpCacheEntries" id="LDAPOpCacheEntries">LDAPOpCacheEntries</a> <a name="ldapopcacheentries" id="ldapopcacheentries">Directive</a></h2>


@@ -649,4 +649,32 @@ connection client certificates.</description>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>LDAPLibraryDebug</name>
<description>Enable debugging in the LDAP SDK</description>
<syntax>LDAPLibraryDebug <var>7</var></syntax>
<default>disabled</default>
<contextlist><context>server config</context></contextlist>
<usage>
<p>Turns on SDK-specific LDAP debug options that generally cause the LDAP
SDK to log verbose trace information to the main Apache error log.
The trace messages from the LDAP SDK provide gory details that
can be useful during debugging of connectivity problems with backeld LDAP servers</p>
<p>This option is only configurable when Apache HTTP Server is linked with
an LDAP SDK that implements <code>LDAP_OPT_DEBUG</code> or
<code>LDAP_OPT_DEBUG_LEVEL</code>, such as OpenLDAP (a value of 7 is verbose)
or Tivoli Directory Server (a value of 65535 is verbose).</p>
<note type="warning">
<p>The logged information will likely contain plaintext credentials being used or
validated by LDAP authentication, so care should be taken in protecting and purging
the error log when this directive is used.</p>
</note>
</usage>
</directivesynopsis>
</modulesynopsis>


@@ -202,6 +202,7 @@
* mod_logio
* 20091011.0 (2.3.3-dev) Move preserve_host{,_set} from proxy_server_conf to
* proxy_dir_conf
* 20091011.1 (2.3.3-dev) add debug_level to util_ldap_state_t
*
*/
@@ -210,7 +211,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20091011
#endif
#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a


@@ -164,6 +164,7 @@ typedef struct util_ldap_state_t {
char *lock_file; /* filename for shm lock mutex */
long connectionTimeout;
int verify_svr_cert;
int debug_level; /* SDK debug level */
} util_ldap_state_t;


@@ -54,6 +54,14 @@
#define APR_LDAP_SIZELIMIT -1
#endif
#ifdef LDAP_OPT_DEBUG_LEVEL
#define AP_LDAP_OPT_DEBUG LDAP_OPT_DEBUG_LEVEL
#else
#ifdef LDAP_OPT_DEBUG
#define AP_LDAP_OPT_DEBUG LDAP_OPT_DEBUG
#endif
#endif
module AP_MODULE_DECLARE_DATA ldap_module;
#define LDAP_CACHE_LOCK() do { \
@@ -2361,6 +2369,26 @@ static const char *util_ldap_set_chase_referrals(cmd_parms *cmd,
return(NULL);
}
static const char *util_ldap_set_debug_level(cmd_parms *cmd,
void *config,
const char *arg) {
util_ldap_state_t *st =
(util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
&ldap_module);
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (err != NULL) {
return err;
}
#ifndef AP_LDAP_OPT_DEBUG
return "This directive is not supported with the currently linked LDAP library";
#endif
st->debug_level = atoi(arg);
return NULL;
}
static const char *util_ldap_set_referral_hop_limit(cmd_parms *cmd,
void *config,
const char *hop_limit)
@@ -2462,6 +2490,7 @@ static void *util_ldap_merge_config(apr_pool_t *p, void *basev,
is being enforced on this setting as well. */
st->connectionTimeout = base->connectionTimeout;
st->verify_svr_cert = base->verify_svr_cert;
st->debug_level = base->debug_level;
return st;
}
@@ -2626,6 +2655,15 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
/* Initialize the rebind callback's cross reference list. */
apr_ldap_rebind_init (p);
if (st->debug_level > 0) {
result = ldap_set_option(NULL, AP_LDAP_OPT_DEBUG, &st->debug_level);
if (result != LDAP_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"LDAP: Could not set the LDAP library debug level to %d:(%d) %s",
st->debug_level, result, ldap_err2string(result));
}
}
return(OK);
}
@@ -2728,6 +2766,10 @@ static const command_rec util_ldap_cmds[] = {
"Limit the number of referral hops that LDAP can follow. "
"(Integer value, default=" AP_LDAP_DEFAULT_HOPLIMIT_STR ")"),
AP_INIT_TAKE1("LDAPLibraryDebug", util_ldap_set_debug_level,
NULL, RSRC_CONF,
"Enable debugging in LDAP SDK (Default: off, values: SDK specific"),
{NULL}
};
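Review bot: The new `if (st->debug_level > 0)` block in util_ldap_post_config passes `AP_LDAP_OPT_DEBUG` to `ldap_set_option` unconditionally, but the first hunk defines that macro only when the SDK provides `LDAP_OPT_DEBUG_LEVEL` or `LDAP_OPT_DEBUG`, so the file would presumably not compile against an SDK with neither (the commit message names Windows); wrapping the block in `#ifdef AP_LDAP_OPT_DEBUG` … `#endif` would keep it buildable there. In util_ldap_set_debug_level, `st->debug_level = atoi(arg);` accepts any string, so a non-numeric or negative argument silently leaves tracing off instead of producing a configuration error; parsing with `strtol` plus an end-pointer check and returning an error string would surface the mistake. Since the documentation hunks warn that the trace is likely to contain plaintext credentials, it would also be worth logging a startup notice when the level is non-zero, so that an enabled trace is visible to whoever reviews the error log. The help string in util_ldap_cmds is missing its closing parenthesis after `SDK specific`. util_ldap_post_config and util_ldap_cmds both begin outside the hunks shown.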