yahoo-eng-team team mailing list archive

[Bug 1776532] [NEW] LDAP backend should support python-ldap trace logging

 

Public bug reported:

The python-ldap library has a diagnostic and debugging feature called
trace logging. The information in the trace log is crucial when trying
to diagnose LDAP problems, especially connection problems. This is
because what is visible at the Keystone backend is obscured by 2 other
abstraction layers, the OpenStack ldappool library and the
ReconnectLDAPObject implementation in python-ldap. When connection
problems occur you need to be able to see what happened at the lowest
level in order to understand what the upper abstraction layers are
doing. Trace logging is also useful for other LDAP information besides
connection issues.

python-ldap controls trace logging with these two parameters:

trace_level: An integer controlling the verbosity of the trace information
trace_file: A Python file object used when writing trace info.

Unfortunately, as of today there is no way to turn on trace logging other
than editing the source code to change the parameters passed into
various python-ldap methods. As of python-ldap 3.1.0 you can set the
environment variables PYTHON_LDAP_TRACE_LEVEL and PYTHON_LDAP_TRACE_FILE (a
pathname) to set these values without a code change. This version of
python-ldap is very new (May 2018); however, setting environment
variables to turn on trace logging is not easy because of the way
Keystone is deployed as an operating system service. It would be
preferable to add two new configuration options to the LDAP section to
control the trace_level and trace_file and have the ldap backend set
these values when creating python-ldap objects. It would be good to set
the trace_file to the same logging file object the rest of the backend
uses so the information is contained in one place and interleaved.

Also note there is already an LDAP debug level in the config,
'debug_level', which turns on debugging in the openldap C library via
the OPT_DEBUG_LEVEL ldap option. python-ldap calls this library to
perform many of its operations and as such is one level below
python-ldap. This debug feature is independent of the trace facility in
python-ldap. We need both facilities.

** Affects: keystone
     Importance: Undecided
     Assignee: John Dennis (jdennis-a)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => John Dennis (jdennis-a)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1776532

Title:
  LDAP backend should support python-ldap trace logging

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1776532/+subscriptions
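
An added illustration of the report's last suggestion (sending trace output to the same log the backend uses), not code from Keystone or python-ldap: a file-like adapter passed to `ldap.initialize()` as `trace_file`. The names `LoggerTraceFile`, `open_traced_connection` and `ldap_trace_demo` are hypothetical, and the sample trace text is constructed.

```python
import logging


class LoggerTraceFile:
    """File-like object that forwards python-ldap trace writes to a logger."""

    def __init__(self, logger, level=logging.DEBUG):
        self._logger = logger
        self._level = level
        self._pending = ""  # text received without a terminating newline yet

    def write(self, text):
        # Trace output arrives in multi-line chunks; emit one record per
        # complete line so it interleaves cleanly with other log records.
        self._pending += text
        *lines, self._pending = self._pending.split("\n")
        for line in lines:
            if line.strip():
                self._logger.log(self._level, "%s", line)
        return len(text)

    def flush(self):
        # Emit any trailing partial line.
        if self._pending.strip():
            self._logger.log(self._level, "%s", self._pending)
        self._pending = ""


def open_traced_connection(uri, trace_level, logger):
    """Create a python-ldap connection whose trace output goes to `logger`."""
    import ldap  # lazy import: only needed when a connection is created
    return ldap.initialize(uri, trace_level=trace_level,
                           trace_file=LoggerTraceFile(logger))


def demo():
    """Feed constructed trace text through the adapter; return logged lines."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(record.getMessage())

    logger = logging.getLogger("ldap_trace_demo")
    logger.handlers = [ListHandler()]
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    sink = LoggerTraceFile(logger)
    sink.write("*** ldap://ldap.example.test - Simple")  # constructed sample
    sink.write("LDAPObject.search_ext\n((), {})\n=> result:")
    sink.flush()
    return captured
```

Trace records include call arguments and results, so the logger's destination needs the same access controls as any other log that holds directory data.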