HPCC-31963 Improve LDAP server initialization failure log messages

Added additional information to log messages issued when initial connection to the Active Directory fails during initialization Signed-Off-By: Kenneth Rowland [email protected]
kenrowland · Aug 23, 2024 · 16a92df · 16a92df
1 parent 8525136
commit 16a92df
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/system/security/LdapSecurity/ldaputils.cpp b/system/security/LdapSecurity/ldaputils.cpp
@@ -302,12 +302,26 @@ int LdapUtils::getServerInfo(const char* ldapserver, const char* userDN, const c
             ld = ldapInitAndSimpleBind(ldapserver, nullptr, nullptr, "ldap", 389, cipherSuite, timeout, &err);
         }
 
-        // for new versions of openldap, version 2.2.*
-        if(nullptr == ld   &&  err == LDAP_PROTOCOL_ERROR  &&  stype != ACTIVE_DIRECTORY)
-            DBGLOG("If you're trying to connect to an OpenLdap server, make sure you have \"allow bind_v2\" enabled in slapd.conf");
-
-        if(nullptr == ld)
+        if (ld == nullptr)
+        {
+            if (err == LDAP_PROTOCOL_ERROR && stype != ACTIVE_DIRECTORY)
+            {
+                WARNLOG("Unable to connect. If you're trying to connect to an OpenLdap server, make sure you have \"allow bind_v2\" enabled in slapd.conf");
+            }
+            else
+            {
+                // If no cipher suite is specified, tell user they may need to provide one, otherwise tell them they may need to provide a different one
+                if (isEmptyString(cipherSuite))
+                {
+                    WARNLOG("Unable to connect. if you're trying to connect to an LDAPS server, you may need to specify a cipher suite using the 'ldapCipherSuite' attribute in the LDAP configuration.");
+                }
+                else
+                {
+                    WARNLOG("Unable to connect. If you're trying to connect to an LDAPS server, you may need to specify a different cipher suite using the 'ldapCipherSuite' attribute in the LDAP configuration.");
+                }
+            }
             return err;//unable to connect, give up
+        }
     }
 
     LDAPMessage* msg = NULL;
@@ -316,7 +330,7 @@ int LdapUtils::getServerInfo(const char* ldapserver, const char* userDN, const c
     err = ldap_search_ext_s(ld, NULL, LDAP_SCOPE_BASE, "objectClass=*", attrs, false, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &msg);
     if(err != LDAP_SUCCESS)
     {
-        DBGLOG("ldap_search_ext_s error: %s", ldap_err2string( err ));
+        WARNLOG("ldap_search_ext_s error: %s", ldap_err2string( err ));
         if (msg)
             ldap_msgfree(msg);
         return err;