LDAP backend should support python-ldap trace logging

Bug #1776532 reported by John Dennis on 2018-06-12
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Assigned to: John Dennis

Bug Description

The python-ldap library has a diagnostic and debugging feature called trace logging. The information in the trace log is crucial when trying to diagnose LDAP problems, especially connection problems. This is because what is visible at the Keystone backend is obscured by 2 other abstraction layers, the OpenStack ldappool library and the ReconnectLDAPObject implementation in python-ldap. When connection problems occur you need to be able to see what happened at the lowest level in order to understand what the upper abstraction layers are doing. Trace logging is also useful for other LDAP information besides connection issues.

python-ldap controls trace logging with these two parameters:

trace_level: An integer controlling the verbosity of the trace information
trace_file: A Python file object used when writing trace info.

Unfortunately as of today there is no way to turn on trace logging other than editing the source code to change the parameters passed into various python-ldap methods. As of python-ldap 3.1.0 you can set the environment variables PYTHON_LDAP_TRACE_LEVEL and PYTHON_LDAP_TRACE_FILE (a pathname) to set these values without a code change. This version of python-ldap is very new (May 2018); however, setting environment variables to turn on trace logging is not easy because of the way Keystone is deployed as an operating system service. It would be preferable to add two new configuration options to the LDAP section to control the trace_level and trace_file and have the ldap backend set these values when creating python-ldap objects. It would be good to set the trace_file to the same logging file object the rest of the backend uses so the information is contained in one place and interleaved.

Also note there is already an LDAP debug level in the config, 'debug_level', which turns on debugging in the openldap C library via the OPT_DEBUG_LEVEL ldap option. python-ldap calls this library to perform many of its operations and as such it is one level below python-ldap. This debug feature is independent of the trace facility in python-ldap. We need both facilities.
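The following is an added example, not code from the bug report, Keystone or python-ldap, showing how the proposal above could be wired up: a file-like adapter that turns python-ldap's trace_file writes into records on the backend's logger, plus a small resolver that prefers hypothetical [ldap] trace_level/trace_file options and falls back to the PYTHON_LDAP_TRACE_LEVEL and PYTHON_LDAP_TRACE_FILE environment variables that python-ldap 3.1.0 reads. It assumes only the documented python-ldap contract: trace_level is an int and trace_file is any object with write()/flush(), both accepted as keyword arguments by ldap.initialize() and ReconnectLDAPObject(). The logger name and the option names are assumptions.

```python
import logging
import os

# Hypothetical logger name; in a real backend this would be the module logger.
LOG = logging.getLogger("keystone.identity.backends.ldap.trace")


class LoggerTraceFile:
    """File-like adapter for python-ldap's trace_file parameter.

    python-ldap only calls write() and flush() on trace_file, so any object
    with those two methods works. Each complete line becomes one record on
    the wrapped logger, which interleaves the trace with the backend's own
    log lines in a single destination.
    """

    def __init__(self, logger, level=logging.DEBUG):
        self._logger = logger
        self._level = level
        self._pending = ""  # partial line not yet terminated by a newline

    def write(self, text):
        self._pending += text
        # python-ldap writes fragments; emit only complete lines.
        while "\n" in self._pending:
            line, self._pending = self._pending.split("\n", 1)
            self._emit(line)
        return len(text)

    def flush(self):
        if self._pending:
            self._emit(self._pending)
            self._pending = ""

    def _emit(self, line):
        if line.strip():
            self._logger.log(self._level, "python-ldap trace: %s", line.rstrip())


def resolve_trace_settings(cfg_trace_level=None, cfg_trace_file=None, environ=None):
    """Return (trace_level, trace_file) for python-ldap calls.

    cfg_trace_level / cfg_trace_file model the proposed [ldap] options
    (assumed names). When the config supplies a level it wins outright;
    otherwise the python-ldap 3.1.0 environment variables are consulted.
    A level of 0 disables tracing and returns no file object. With a level
    but no path, the trace goes to the logger via LoggerTraceFile.
    """
    env = os.environ if environ is None else environ
    if cfg_trace_level is not None:
        level, path = int(cfg_trace_level), cfg_trace_file
    else:
        level = int(env.get("PYTHON_LDAP_TRACE_LEVEL", "0"))
        path = env.get("PYTHON_LDAP_TRACE_FILE")
    if level <= 0:
        return 0, None
    if path:
        return level, open(path, "a")
    return level, LoggerTraceFile(LOG)


def trace_kwargs(level, trace_file):
    """Keyword arguments to splat into ldap.initialize() / ReconnectLDAPObject()."""
    kwargs = {"trace_level": level}
    if trace_file is not None:
        kwargs["trace_file"] = trace_file
    return kwargs


def initialize_with_trace(uri, cfg_trace_level=None, cfg_trace_file=None):
    """Create a python-ldap connection with tracing wired in.

    python-ldap is imported lazily so the pure logging plumbing above can be
    used and tested without the C extension installed.
    """
    import ldap  # requires python-ldap

    level, trace_file = resolve_trace_settings(cfg_trace_level, cfg_trace_file)
    return ldap.initialize(uri, **trace_kwargs(level, trace_file))


if __name__ == "__main__":
    # Constructed demonstration: feed the adapter the kind of fragmented
    # output python-ldap produces and watch it land on the logger.
    logging.basicConfig(level=logging.DEBUG, format="%(name)s %(levelname)s %(message)s")
    level, trace_file = resolve_trace_settings(cfg_trace_level=1)
    trace_file.write("*** <ReconnectLDAPObject> ReconnectLDAPObject.simple_bind_s - ")
    trace_file.write("reconnect\n")
    trace_file.flush()
    print("would pass to ldap.initialize():", trace_kwargs(level, trace_file))
```

python-ldap prints the called method and its arguments once trace_level is at least 1, so whatever the trace is routed to (the log file here) should carry the same access controls as any other log that can contain bind DNs and request data; with the logger adapter that is simply the backend's existing log file rather than a second location to protect.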

John Dennis (jdennis-a) on 2018-06-12
Changed in keystone:
assignee: nobody → John Dennis (jdennis-a)
Adam Young (ayoung) on 2018-06-12
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
status: New → Triaged
Lance Bragstad (lbragstad) wrote:

Since this is an RFE, I think it's safe to pursue this in Stein if we don't get a patch up in the next week for Rocky RC1.
