@@ -119,7 +119,6 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
119119 }
120120
121121 void Handle (TEvLdapAuthProvider::TEvEnrichGroupsRequest::TPtr& ev) {
122- // LDAP_LOG_D("+++ TEvLdapAuthProvider::TEvEnrichGroupsRequest");
123122 TEvLdapAuthProvider::TEvEnrichGroupsRequest* request = ev->Get ();
124123 LDAP* ld = nullptr ;
125124 auto initAndBindResult = InitAndBind (&ld, [&request](const TEvLdapAuthProvider::EStatus& status, const TEvLdapAuthProvider::TError& error) {
@@ -174,12 +173,12 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
174173
175174 int result = 0 ;
176175 if (Settings.GetScheme () != NKikimrLdap::LDAPS_SCHEME && Settings.GetUseTls ().GetEnable ()) {
176+ LDAP_LOG_D (" start TLS" );
177177 result = NKikimrLdap::StartTLS (*ld);
178178 if (!NKikimrLdap::IsSuccess (result)) {
179- LDAP_LOG_D (" Could not start TLS. " + NKikimrLdap::ErrorToString (result));
179+ LDAP_LOG_D (" Could not start TLS. " << NKikimrLdap::ErrorToString (result));
180180 TEvLdapAuthProvider::TError error {
181- .Message = " Could not start TLS\n " + NKikimrLdap::ErrorToString (result),
182- .Retryable = NKikimrLdap::IsRetryableError (result)
181+ .Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError (result)
183182 };
184183 // The Unbind operation is not the antithesis of the Bind operation as the name implies.
185184 // Close the LDAP connection, free the resources contained in the LDAP structure
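Review bot: The client-facing `ERROR_MESSAGE` ("User is unauthorized in LDAP server") is now also returned where nothing about the user was checked — the StartTLS failure in this hunk (`.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError (result)`), and the initial bind, CA-certificate, Init, protocol-version, require-cert and search failures in the following hunks — while those paths report `EStatus::UNAVAILABLE` or a status from `ErrorToStatus (result)` with a retryable flag, so a transient directory outage reads to the caller as bad credentials. Keeping the LDAP detail out of the client response is the right call; the generic text should still agree with the status class. One option is a second constant next to ERROR_MESSAGE, e.g. `static constexpr const char* UNAVAILABLE_MESSAGE = "Could not connect to LDAP server";` (name constructed), used on the connection and configuration paths, leaving ERROR_MESSAGE for the entry-not-found and password-bind cases in AuthenticateUser and the search. The enclosing function starts and ends outside the hunk.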
@@ -188,14 +187,13 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
188187 }
189188 }
190189
190+ LDAP_LOG_D (" bind: bindDn: " << Settings.GetBindDn ());
191191 result = NKikimrLdap::Bind (*ld, Settings.GetBindDn (), Settings.GetBindPassword ());
192192 if (!NKikimrLdap::IsSuccess (result)) {
193- LDAP_LOG_D (" Could not perform initial LDAP bind for dn " + Settings.GetBindDn () + " on server " + UrisCreator.GetUris () + " . "
194- + NKikimrLdap::ErrorToString (result));
193+ LDAP_LOG_D (" Could not perform initial LDAP bind for dn " << Settings.GetBindDn () << " on server " + UrisCreator.GetUris () << " . "
194+ << NKikimrLdap::ErrorToString (result));
195195 TEvLdapAuthProvider::TError error {
196- .Message = " Could not perform initial LDAP bind for dn " + Settings.GetBindDn () + " on server " + UrisCreator.GetUris () + " \n "
197- + NKikimrLdap::ErrorToString (result),
198- .Retryable = NKikimrLdap::IsRetryableError (result)
196+ .Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError (result)
199197 };
200198 // The Unbind operation is not the antithesis of the Bind operation as the name implies.
201199 // Close the LDAP connection, free the resources contained in the LDAP structure
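Review bot: The rewritten bind log mixes the two concatenation operators in one statement — `" on server " + UrisCreator.GetUris () << " . "` — which only works because `+` binds tighter than `<<` and builds a temporary TString before it is streamed; the same mix recurs in the next hunk in `caCertificateFile + " \" : "`. Use `<<` throughout, `<< " on server " << UrisCreator.GetUris () << " . "`, so these lines read like the rest of the converted logging and the precedence subtlety disappears. The enclosing function starts and ends outside the hunk.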
@@ -215,36 +213,37 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
215213 const TString& caCertificateFile = Settings.GetUseTls ().GetCaCertFile ();
216214 result = NKikimrLdap::SetOption (*ld, NKikimrLdap::EOption::TLS_CACERTFILE, caCertificateFile.c_str ());
217215 if (!NKikimrLdap::IsSuccess (result)) {
216+ LDAP_LOG_D (" Could not set LDAP ca certificate file \" " << caCertificateFile + " \" : " << NKikimrLdap::ErrorToString (result));
218217 NKikimrLdap::Unbind (*ld);
219218 return {{NKikimrLdap::ErrorToStatus (result),
220- {.Message = " Could not set LDAP ca certificate file \" " + caCertificateFile + " \" : " + NKikimrLdap::ErrorToString (result),
221- .Retryable = NKikimrLdap::IsRetryableError (result)}}};
219+ {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError (result)}}};
222220 }
223221 }
224222
223+ LDAP_LOG_D (" init: scheme: " << Settings.GetScheme () << " , uris: " << UrisCreator.GetUris () << " , port: " << UrisCreator.GetConfiguredPort ());
225224 result = NKikimrLdap::Init (ld, Settings.GetScheme (), UrisCreator.GetUris (), UrisCreator.GetConfiguredPort ());
226225 if (!NKikimrLdap::IsSuccess (result)) {
226+ LDAP_LOG_D (" Could not initialize LDAP connection for uris: " << UrisCreator.GetUris () << " . " << NKikimrLdap::LdapError (*ld));
227227 return {{TEvLdapAuthProvider::EStatus::UNAVAILABLE,
228- {.Message = " Could not initialize LDAP connection for uris: " + UrisCreator.GetUris () + " . " + NKikimrLdap::LdapError (*ld),
229- .Retryable = false }}};
228+ {.Message = ERROR_MESSAGE, .Retryable = false }}};
230229 }
231230
232231 result = NKikimrLdap::SetProtocolVersion (*ld);
233232 if (!NKikimrLdap::IsSuccess (result)) {
234233 NKikimrLdap::Unbind (*ld);
234+ LDAP_LOG_D (" Could not set LDAP protocol version: " << NKikimrLdap::ErrorToString (result));
235235 return {{NKikimrLdap::ErrorToStatus (result),
236- {.Message = " Could not set LDAP protocol version: " + NKikimrLdap::ErrorToString (result),
237- .Retryable = NKikimrLdap::IsRetryableError (result)}}};
236+ {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError (result)}}};
238237 }
239238
240239 if (Settings.GetScheme () == NKikimrLdap::LDAPS_SCHEME || Settings.GetUseTls ().GetEnable ()) {
241240 int requireCert = NKikimrLdap::ConvertRequireCert (Settings.GetUseTls ().GetCertRequire ());
242241 result = NKikimrLdap::SetOption (*ld, NKikimrLdap::EOption::TLS_REQUIRE_CERT, &requireCert);
243242 if (!NKikimrLdap::IsSuccess (result)) {
244243 NKikimrLdap::Unbind (*ld);
244+ LDAP_LOG_D (" Could not set require certificate option: " << NKikimrLdap::ErrorToString (result));
245245 return {{NKikimrLdap::ErrorToStatus (result),
246- {.Message = " Could not set require certificate option: " + NKikimrLdap::ErrorToString (result),
247- .Retryable = NKikimrLdap::IsRetryableError (result)}}};
246+ {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError (result)}}};
248247 }
249248 }
250249
@@ -254,20 +253,18 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
254253 TAuthenticateUserResponse AuthenticateUser (const TAuthenticateUserRequest& request) {
255254 char * dn = NKikimrLdap::GetDn (*request.Ld , request.Entry );
256255 if (dn == nullptr ) {
257- LDAP_LOG_D (" Could not get dn for the first entry matching " + FilterCreator.GetFilter (request.Login ) + " on server " + UrisCreator.GetUris () + " . "
258- + NKikimrLdap::LdapError (*request.Ld ));
256+ LDAP_LOG_D (" Could not get dn for the first entry matching " << FilterCreator.GetFilter (request.Login ) << " on server " << UrisCreator.GetUris () << " . "
257+ << NKikimrLdap::LdapError (*request.Ld ));
259258 return {{TEvLdapAuthProvider::EStatus::UNAUTHORIZED,
260- {.Message = " Could not get dn for the first entry matching " + FilterCreator.GetFilter (request.Login ) + " on server " + UrisCreator.GetUris () + " \n "
261- + NKikimrLdap::LdapError (*request.Ld ),
262- .Retryable = false }}};
259+ {.Message = ERROR_MESSAGE, .Retryable = false }}};
263260 }
264261 TEvLdapAuthProvider::TError error;
262+ LDAP_LOG_D (" bind: bindDn: " << dn);
265263 int result = NKikimrLdap::Bind (*request.Ld , dn, request.Password );
266264 if (!NKikimrLdap::IsSuccess (result)) {
267- LDAP_LOG_D (" LDAP login failed for user " + TString (dn) + " on server " + UrisCreator.GetUris () + " . "
268- + NKikimrLdap::ErrorToString ((result)));
269- error.Message = " LDAP login failed for user " + TString (dn) + " on server " + UrisCreator.GetUris () + " \n "
270- + NKikimrLdap::ErrorToString ((result));
265+ LDAP_LOG_D (" LDAP login failed for user " << TString (dn) << " on server " << UrisCreator.GetUris () << " . "
266+ << NKikimrLdap::ErrorToString ((result)));
267+ error.Message = ERROR_MESSAGE;
271268 error.Retryable = NKikimrLdap::IsRetryableError (result);
272269 }
273270 NKikimrLdap::MemFree (dn);
@@ -278,6 +275,10 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
278275 LDAPMessage* searchMessage = nullptr ;
279276 const TString searchFilter = FilterCreator.GetFilter (request.User );
280277
278+ LDAP_LOG_D (" search: baseDn: " << Settings.GetBaseDn ()
279+ << " , scope: " << ConvertSearchScopeToString (NKikimrLdap::EScope::SUBTREE)
280+ << " , filter: " << searchFilter
281+ << " , attributes: " << GetStringOfRequestedAttributes (request.RequestedAttributes ));
281282 int result = NKikimrLdap::Search (request.Ld ,
282283 Settings.GetBaseDn (),
283284 NKikimrLdap::EScope::SUBTREE,
@@ -287,29 +288,22 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
287288 &searchMessage);
288289 TSearchUserResponse response;
289290 if (!NKikimrLdap::IsSuccess (result)) {
290- LDAP_LOG_D (" Could not search for filter " + searchFilter + " on server " + UrisCreator.GetUris () + " . "
291- + NKikimrLdap::ErrorToString (result));
291+ LDAP_LOG_D (" Could not search for filter " << searchFilter << " on server " << UrisCreator.GetUris () << " . "
292+ << NKikimrLdap::ErrorToString (result));
292293 response.Status = NKikimrLdap::ErrorToStatus (result);
293- response.Error = {.Message = " Could not search for filter " + searchFilter + " on server " + UrisCreator.GetUris () + " \n "
294- + NKikimrLdap::ErrorToString (result),
295- .Retryable = NKikimrLdap::IsRetryableError (result)};
294+ response.Error = {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError (result)};
296295 return response;
297296 }
298297 const int countEntries = NKikimrLdap::CountEntries (request.Ld , searchMessage);
299298 if (countEntries != 1 ) {
300299 if (countEntries == 0 ) {
301- LDAP_LOG_D (" LDAP user " + request.User + " does not exist. "
302- " LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris () + " return no entries" );
303- response.Error = {.Message = " LDAP user " + request.User + " does not exist. "
304- " LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris () + " return no entries" ,
305- .Retryable = false };
300+ LDAP_LOG_D (" LDAP user " << request.User << " does not exist. "
301+ " LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris () << " return no entries" );
306302 } else {
307- LDAP_LOG_D (" LDAP user " + request.User + " is not unique. "
308- " LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris () + " return " + countEntries + " entries" );
309- response.Error = {.Message = " LDAP user " + request.User + " is not unique. "
310- " LDAP search for filter " + searchFilter + " on server " + UrisCreator.GetUris () + " return " + countEntries + " entries" ,
311- .Retryable = false };
303+ LDAP_LOG_D (" LDAP user " << request.User << " is not unique. "
304+ " LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris () << " return " << countEntries << " entries" );
312305 }
306+ response.Error = {.Message = ERROR_MESSAGE, .Retryable = false };
313307 response.Status = TEvLdapAuthProvider::EStatus::UNAUTHORIZED;
314308 NKikimrLdap::MsgFree (searchMessage);
315309 return response;
@@ -321,7 +315,14 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
321315 std::vector<TString> TryToGetGroupsUseMatchingRuleInChain (LDAP* ld, LDAPMessage* entry) const {
322316 static const TString matchingRuleInChain = " 1.2.840.113556.1.4.1941" ; // Only Active Directory supports
323317 TStringBuilder filter;
324- filter << " (member:" << matchingRuleInChain << " :=" << NKikimrLdap::GetDn (ld, entry) << ' )' ;
318+ char * dn = NKikimrLdap::GetDn (ld, entry);
319+ filter << " (member:" << matchingRuleInChain << " :=" << dn << ' )' ;
320+ NKikimrLdap::MemFree (dn);
321+ dn = nullptr ;
322+ LDAP_LOG_D (" search: baseDn: " << Settings.GetBaseDn ()
323+ << " , scope: " << ConvertSearchScopeToString (NKikimrLdap::EScope::SUBTREE)
324+ << " , filter: " << filter
325+ << " , attributes: " << GetStringOfRequestedAttributes (NKikimrLdap::noAttributes));
325326 LDAPMessage* searchMessage = nullptr ;
326327 int result = NKikimrLdap::Search (ld, Settings.GetBaseDn (), NKikimrLdap::EScope::SUBTREE, filter, NKikimrLdap::noAttributes, 0 , &searchMessage);
327328 if (!NKikimrLdap::IsSuccess (result)) {
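Review bot: `dn` returned by `NKikimrLdap::GetDn (ld, entry)` is streamed into `filter` and then freed without a null check, although AuthenticateUser treats a null return from the same call as a failure; a null here is dereferenced by `filter << dn`. The loop in the next hunk has the same gap, where `groups.push_back (dn)` builds a TString from the possibly-null pointer. Guard both: `if (dn == nullptr) { LDAP_LOG_D("Could not get dn for the entry"); return {}; }` directly after the GetDn call here, and `if (dn != nullptr) { groups.push_back (dn); NKikimrLdap::MemFree (dn); }` in the loop body. Separately, the DN is inserted into the search filter verbatim, and DNs may legitimately contain the filter metacharacters `(`, `)`, `*` and `\`; if FilterCreator escapes the login it builds filters from, the same escaping belongs on `dn` here (pre-existing, but the line is rewritten by this commit). The enclosing function ends outside the hunk.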
@@ -335,13 +336,18 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
335336 std::vector<TString> groups;
336337 groups.reserve (countEntries);
337338 for (LDAPMessage* groupEntry = NKikimrLdap::FirstEntry (ld, searchMessage); groupEntry != nullptr ; groupEntry = NKikimrLdap::NextEntry (ld, groupEntry)) {
338- groups.push_back (NKikimrLdap::GetDn (ld, groupEntry));
339+ dn = NKikimrLdap::GetDn (ld, groupEntry);
340+ groups.push_back (dn);
341+ NKikimrLdap::MemFree (dn);
342+ dn = nullptr ;
339343 }
340344 NKikimrLdap::MsgFree (searchMessage);
341345 return groups;
342346 }
343347
344348 void GetNestedGroups (LDAP* ld, std::vector<TString>* groups) {
349+ LDAP_LOG_D (" Try to get nested groups - tree traversal" );
350+
345351 std::unordered_set<TString> viewedGroups (groups->cbegin (), groups->cend ());
346352 std::queue<TString> queue;
347353 for (const auto & group : *groups) {
@@ -359,6 +365,10 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
359365 queue.pop ();
360366 }
361367 filter << ' )' ;
368+ LDAP_LOG_D (" search: baseDn: " << Settings.GetBaseDn ()
369+ << " , scope: " << ConvertSearchScopeToString (NKikimrLdap::EScope::SUBTREE)
370+ << " , filter: " << filter
371+ << " , attributes: " << GetStringOfRequestedAttributes (RequestedAttributes));
362372 LDAPMessage* searchMessage = nullptr ;
363373 int result = NKikimrLdap::Search (ld, Settings.GetBaseDn (), NKikimrLdap::EScope::SUBTREE, filter, RequestedAttributes, 0 , &searchMessage);
364374 if (!NKikimrLdap::IsSuccess (result)) {
@@ -407,7 +417,35 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
407417 return {TEvLdapAuthProvider::EStatus::SUCCESS, {}};
408418 }
409419
420+ static TString ConvertSearchScopeToString (const NKikimrLdap::EScope& scope) {
421+ switch (scope) {
422+ case NKikimrLdap::EScope::BASE:
423+ return " base" ;
424+ case NKikimrLdap::EScope::ONE_LEVEL:
425+ return " one level" ;
426+ case NKikimrLdap::EScope::SUBTREE:
427+ return " subtree" ;
428+ }
429+ }
430+
431+ static TString GetStringOfRequestedAttributes (char ** attributes) {
432+ if (!attributes) {
433+ return " " ;
434+ }
435+ TStringBuilder result;
436+ char * firstAttribute = *attributes;
437+ if (firstAttribute) {
438+ result << firstAttribute;
439+ for (char * currentAttribute = *(++attributes); currentAttribute != nullptr ; currentAttribute = *(++attributes)) {
440+ result << " , " << currentAttribute;
441+ }
442+ }
443+ return result;
444+ }
445+
410446private:
447+ static constexpr const char * ERROR_MESSAGE = " User is unauthorized in LDAP server" ;
448+
411449 const NKikimrProto::TLdapAuthentication Settings;
412450 const TSearchFilterCreator FilterCreator;
413451 const TLdapUrisCreator UrisCreator;
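Review bot: `ConvertSearchScopeToString` has no return after the `switch`, so any `EScope` value outside the three listed cases runs off the end of a non-void function, which is undefined behaviour and a `-Wreturn-type` warning; add `return "unknown";` after the switch (or a `default:` arm). Both new helpers would also benefit from a one-line comment, since they exist only to feed LDAP_LOG_D: `// Human-readable scope name for debug logging; not part of any protocol message.` on ConvertSearchScopeToString, and `// Joins a NULL-terminated attribute list as "a, b, c" for debug logging; a null or empty list yields no attributes.` on GetStringOfRequestedAttributes. ERROR_MESSAGE is declared after its uses in the member function bodies, which is fine in the complete-class context, but a comment stating that it is the deliberately generic client-facing text (the LDAP detail goes to the debug log only) would stop a later change from "improving" it back into a detailed message.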