From: Eric Covener Date: Fri, 30 Oct 2009 02:07:45 +0000 (+0000) Subject: add LDAPLibraryDebug directive to mod_ldap to turn on X-Git-Tag: 2.3.3~111 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4e6f442708c81b55f7ee85336d32a71fbbf0cfce;p=apache add LDAPLibraryDebug directive to mod_ldap to turn on tracing in underlying LDAP SDK, where all the interesting tidbits about all kinds of LDAP errors are hidden. Unfortunately windows doesn't implement this LDAP_OPT. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@831183 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_ldap.html.en b/docs/manual/mod/mod_ldap.html.en
index 8a5cb1604e..3e12223ec0 100644
--- a/docs/manual/mod/mod_ldap.html.en
+++ b/docs/manual/mod/mod_ldap.html.en
@@ -60,6 +60,7 @@ by other LDAP modules
  • LDAPCacheEntries
  • LDAPCacheTTL
  • LDAPConnectionTimeout
  • +
  • LDAPLibraryDebug
  • LDAPOpCacheEntries
  • LDAPOpCacheTTL
  • LDAPReferralHopLimit
  • @@ -477,6 +478,34 @@ by other LDAP modules returned or the module will attempt to connect to a secondary LDAP server if one is specified. The default is 10 seconds.

    + +
    top
    +

    LDAPLibraryDebug Directive

    + + + + + + + +
    Description:Enable debugging in the LDAP SDK
    Syntax:LDAPLibraryDebug 7
    Default:disabled
    Context:server config
    Status:Extension
    Module:mod_ldap
    +

    Turns on SDK-specific LDAP debug options that generally cause the LDAP + SDK to log verbose trace information to the main Apache error log. + The trace messages from the LDAP SDK provide gory details that + can be useful during debugging of connectivity problems with backeld LDAP servers

    + +

    This option is only configurable when Apache HTTP Server is linked with + an LDAP SDK that implements LDAP_OPT_DEBUG or + LDAP_OPT_DEBUG_LEVEL, such as OpenLDAP (a value of 7 is verbose) + or Tivoli Directory Server (a value of 65535 is verbose).

    + +
    +

    The logged information will likely contain plaintext credentials being used or + validated by LDAP authentication, so care should be taken in protecting and purging + the error log when this directive is used.

    +
    + +
    top

    LDAPOpCacheEntries Directive

diff --git a/docs/manual/mod/mod_ldap.xml b/docs/manual/mod/mod_ldap.xml
index 28f1711170..360866c6e9 100644
--- a/docs/manual/mod/mod_ldap.xml
+++ b/docs/manual/mod/mod_ldap.xml
@@ -649,4 +649,32 @@ connection client certificates. + +LDAPLibraryDebug +Enable debugging in the LDAP SDK +LDAPLibraryDebug 7 +disabled +server config + + +

    Turns on SDK-specific LDAP debug options that generally cause the LDAP + SDK to log verbose trace information to the main Apache error log. + The trace messages from the LDAP SDK provide gory details that + can be useful during debugging of connectivity problems with backeld LDAP servers

    + +

    This option is only configurable when Apache HTTP Server is linked with + an LDAP SDK that implements LDAP_OPT_DEBUG or + LDAP_OPT_DEBUG_LEVEL, such as OpenLDAP (a value of 7 is verbose) + or Tivoli Directory Server (a value of 65535 is verbose).

    + + +

    The logged information will likely contain plaintext credentials being used or + validated by LDAP authentication, so care should be taken in protecting and purging + the error log when this directive is used.

    +
    + +
    +
+ +
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 0156ffc779..76d52f0c5b 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -202,6 +202,7 @@
 * mod_logio
 * 20091011.0 (2.3.3-dev) Move preserve_host{,_set} from proxy_server_conf to
 * proxy_dir_conf
+ * 20091011.1 (2.3.3-dev) add debug_level to util_ldap_state_t
 *
 */
@@ -210,7 +211,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20091011
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */
 /**
 * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/include/util_ldap.h b/include/util_ldap.h
index e782276fd7..de5c617439 100644
--- a/include/util_ldap.h
+++ b/include/util_ldap.h
@@ -164,6 +164,7 @@ typedef struct util_ldap_state_t {
 char *lock_file; /* filename for shm lock mutex */
 long connectionTimeout;
 int verify_svr_cert;
+ int debug_level; /* SDK debug level */
 } util_ldap_state_t;
diff --git a/modules/ldap/util_ldap.c b/modules/ldap/util_ldap.c
index dc489a7110..eb962b85b9 100644
--- a/modules/ldap/util_ldap.c
+++ b/modules/ldap/util_ldap.c
@@ -54,6 +54,14 @@
 #define APR_LDAP_SIZELIMIT -1
 #endif
+#ifdef LDAP_OPT_DEBUG_LEVEL
+#define AP_LDAP_OPT_DEBUG LDAP_OPT_DEBUG_LEVEL
+#else
+#ifdef LDAP_OPT_DEBUG
+#define AP_LDAP_OPT_DEBUG LDAP_OPT_DEBUG
+#endif
+#endif
+
 module AP_MODULE_DECLARE_DATA ldap_module;
 #define LDAP_CACHE_LOCK() do { \
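Review bot: The comment on the new `debug_level` field in util_ldap_state_t, `/* SDK debug level */`, does not tell a reader what the number means or how the feature is switched off, and since the value is handed unchanged to the LDAP library its meaning is SDK-specific. Suggest `int debug_level; /* SDK-specific level passed to ldap_set_option(); 0 leaves library debugging off */`, which matches the `> 0` test in util_ldap_post_config in this same commit. Whether the field is zero by default depends on the config creator, which is outside this diff.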
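Review bot: The new `#ifdef LDAP_OPT_DEBUG_LEVEL` block in util_ldap.c nests a second `#ifdef` inside `#else` and needs two `#endif`s, where a single chain reads more easily: replace `#else` / `#ifdef LDAP_OPT_DEBUG` with `#elif defined(LDAP_OPT_DEBUG)` and drop the inner `#endif`. A short comment above the block noting that `AP_LDAP_OPT_DEBUG` is deliberately left undefined when the SDK offers neither option (the commit message says Windows is such a case) would help readers of the later `#ifndef AP_LDAP_OPT_DEBUG` test understand why that test exists.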
@@ -2361,6 +2369,26 @@ static const char *util_ldap_set_chase_referrals(cmd_parms *cmd,
 return(NULL);
 }
+static const char *util_ldap_set_debug_level(cmd_parms *cmd,
+ void *config,
+ const char *arg) {
+ util_ldap_state_t *st =
+ (util_ldap_state_t *)ap_get_module_config(cmd->server->module_config,
+ &ldap_module);
+
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err != NULL) {
+ return err;
+ }
+
+#ifndef AP_LDAP_OPT_DEBUG
+ return "This directive is not supported with the currently linked LDAP library";
+#endif
+
+ st->debug_level = atoi(arg);
+ return NULL;
+}
+
 static const char *util_ldap_set_referral_hop_limit(cmd_parms *cmd,
 void *config,
 const char *hop_limit)
@@ -2462,6 +2490,7 @@ static void *util_ldap_merge_config(apr_pool_t *p, void *basev,
 is being enforced on this setting as well. */
 st->connectionTimeout = base->connectionTimeout;
 st->verify_svr_cert = base->verify_svr_cert;
+ st->debug_level = base->debug_level;
 return st;
 }
@@ -2626,6 +2655,15 @@ static int util_ldap_post_config(apr_pool_t *p, apr_pool_t *plog,
 /* Initialize the rebind callback's cross reference list. */
 apr_ldap_rebind_init (p);
+ if (st->debug_level > 0) {
+ result = ldap_set_option(NULL, AP_LDAP_OPT_DEBUG, &st->debug_level);
+ if (result != LDAP_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "LDAP: Could not set the LDAP library debug level to %d:(%d) %s",
+ st->debug_level, result, ldap_err2string(result));
+ }
+ }
+
 return(OK);
 }
@@ -2728,6 +2766,10 @@ static const command_rec util_ldap_cmds[] = {
 "Limit the number of referral hops that LDAP can follow. "
 "(Integer value, default=" AP_LDAP_DEFAULT_HOPLIMIT_STR ")"),
+ AP_INIT_TAKE1("LDAPLibraryDebug", util_ldap_set_debug_level,
+ NULL, RSRC_CONF,
+ "Enable debugging in LDAP SDK (Default: off, values: SDK specific"),
+
 {NULL}
 };
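Review bot: `st->debug_level = atoi(arg);` in the new util_ldap_set_debug_level accepts any text without complaint: a value such as `seven` becomes 0 and silently leaves SDK debugging off, `7x` becomes 7, and a negative number is stored and then ignored by the `> 0` test in util_ldap_post_config, so a mistyped directive never produces a configuration error. Parsing with strtol and rejecting input that is empty, has trailing characters or is outside the int range reports the mistake at startup instead. The `#ifndef AP_LDAP_OPT_DEBUG` early return also leaves the assignment and `return NULL` unreachable on builds without the option, which compilers warn about; an `#ifdef`/`#else` split avoids that. The range check below uses INT_MAX and therefore needs `<limits.h>` if util_ldap.c does not already include it.
```c
static const char *util_ldap_set_debug_level(cmd_parms *cmd,
                                             void *config,
                                             const char *arg) {
    /* … unchanged: module config lookup into st and ap_check_cmd_context() … */
#ifdef AP_LDAP_OPT_DEBUG
    char *end = NULL;
    long level = strtol(arg, &end, 10);

    /* Reject empty or non-numeric input and values an int cannot hold;
     * the meaning of a given level is SDK-specific, so only the syntax
     * and sign are checked here. */
    if (end == arg || *end != '\0' || level < 0 || level > INT_MAX) {
        return "LDAPLibraryDebug must be a non-negative integer";
    }
    st->debug_level = (int)level;
    return NULL;
#else
    return "This directive is not supported with the currently linked LDAP library";
#endif
}
```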
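Review bot: `result = ldap_set_option(NULL, AP_LDAP_OPT_DEBUG, &st->debug_level);` in the new util_ldap_post_config block uses AP_LDAP_OPT_DEBUG unconditionally, but this commit only defines that macro when the SDK provides LDAP_OPT_DEBUG_LEVEL or LDAP_OPT_DEBUG, so on an SDK with neither (the commit message names Windows) the file no longer compiles even though util_ldap_set_debug_level refuses the directive there. Wrapping the whole `if (st->debug_level > 0) { … }` block in `#ifdef AP_LDAP_OPT_DEBUG` … `#endif` keeps the build working and makes the two places agree. `result` is presumably declared earlier in util_ldap_post_config, which begins outside the hunk. On the success path an `ap_log_error(APLOG_MARK, APLOG_NOTICE, …)` line stating that SDK tracing is enabled at the configured level would let an operator see from the error log that the verbose output, which the documentation in this commit says may include credentials, is being written.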
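Review bot: The help string of the new `AP_INIT_TAKE1("LDAPLibraryDebug", …)` entry in util_ldap_cmds opens a parenthesis it never closes, so the directive help printed from this table reads as if truncated; change it to `"Enable debugging in LDAP SDK (Default: off, values: SDK specific)"`.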