LDAP backend should support python-ldap trace logging
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Triaged | Medium | John Dennis |
Bug Description
The python-ldap library has a diagnostic and debugging feature called trace logging. The information in the trace log is crucial when trying to diagnose LDAP problems, especially connection problems. This is because what is visible at the Keystone backend is obscured by 2 other abstraction layers, the OpenStack ldappool library and the ReconnectLDAPObject implementation in python-ldap. When connection problems occur you need to be able to see what happened at the lowest level in order to understand what the upper abstraction layers are doing. Trace logging is also useful for other LDAP information besides connection issues.
python-ldap controls trace logging with these two parameters:
trace_level: An integer controlling the verbosity of the trace information
trace_file: A Python file object used when writing trace info.
Unfortunately as of today there is no way to turn on trace logging other than editing the source code to change the parameters passed into various python-ldap methods. As of python-ldap 3.1.0 you can set the environment variables PYTHON_
Also note there is already an LDAP debug level in the config, 'debug_level', which turns on debugging in the openldap C library via the OPT_DEBUG_LEVEL ldap option. python-ldap calls this library to perform many of its operations and as such is one level below python-ldap. This debug feature is independent of the trace facility in python-ldap. We need both facilities.
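The two facilities described in this report can be wired up as follows. This is an added example, not code from Keystone or from the report: `TraceLogFile`, `connect_with_trace` and the `ldap.trace` logger name are hypothetical, and the sample text in the demo is constructed. It passes `trace_level` and `trace_file` to `ldap.initialize()` and sets `OPT_DEBUG_LEVEL` separately, with the trace routed into Python's `logging` module.

```python
import logging


class TraceLogFile:
    """File-like object: forwards python-ldap trace writes to a logger."""

    def __init__(self, logger, level=logging.DEBUG):
        self._logger = logger
        self._level = level
        self._buf = ""

    def write(self, text):
        # Trace output arrives in multi-line chunks; emit one record per
        # completed line and keep any unterminated tail for the next write.
        self._buf += text
        *lines, self._buf = self._buf.split("\n")
        for line in lines:
            if line.strip():
                self._logger.log(self._level, "%s", line)
        return len(text)

    def flush(self):
        if self._buf.strip():
            self._logger.log(self._level, "%s", self._buf)
        self._buf = ""


def connect_with_trace(uri, trace_level=0, debug_level=0, logger=None):
    """Hypothetical helper: open a connection with both facilities enabled."""
    import ldap  # python-ldap, imported lazily so TraceLogFile works without it

    logger = logger or logging.getLogger("ldap.trace")  # assumed logger name
    if debug_level:
        # OpenLDAP C library debugging, one level below python-ldap.
        ldap.set_option(ldap.OPT_DEBUG_LEVEL, debug_level)
    return ldap.initialize(
        uri, trace_level=trace_level, trace_file=TraceLogFile(logger)
    )


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    out = TraceLogFile(logging.getLogger("ldap.trace"))
    # Constructed sample text, not real python-ldap output.
    out.write("*** constructed trace line 1\nconstructed ")
    out.write("trace line 2\n")
```

python-ldap documents trace level 1 as logging method calls with their arguments, so treat the trace destination as sensitive and restrict who can read it.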
Changed in keystone:
assignee: nobody → John Dennis (jdennis-a)
Changed in keystone:
importance: Undecided → Medium
Changed in keystone:
status: New → Triaged
Since this is an RFE, I think it's safe to pursue this in Stein if we don't get a patch up in the next week for Rocky RC1.