LDAP Authenticator: Improve error reporting.

taylan requested to merge taylan/pleroma:develop into develop

Just a small change to log errors if something goes wrong during LDAP authentication. Also changes error return values in two places to wrap the returned object in {:error, {:ldap_xyz_error, ...}} (with appropriate xyz) instead of returning the object as-is.

Pros:

  • Makes it easier to troubleshoot issues if something goes wrong with LDAP authentication.

Possible cons:

  • Log output may contain sensitive information, such as the password hash of an LDAP user entry. This would happen, for example, if the eldap search record format changes again as was the case recently, so the search result isn't matched by our code and is treated as an "error" value and logged. (In pathological cases, like if the LDAP server stores plaintext passwords, log output may even contain passwords verbatim, but that would really be a bigger problem with the LDAP server and I don't think we should take such a possibility into account.)

Checklist

  • Adding a changelog: In the changelog.d directory, create a file named <code>.<type>.

    <code> can be anything, but we recommend using a more or less unique identifier to avoid collisions, such as the branch name.

    <type> can be add, change, remove, fix, security or skip. skip is only used if there is no user-visible change in the MR (for example, only editing comments in the code). Otherwise, choose a type that corresponds to your change.

    In the file, write the changelog entry. For example, if an MR adds group functionality, we can create a file named group.add and write Add group functionality in it.

    If one changelog entry is not enough, you may add more. But that might mean you can split it into two MRs. Only use more than one changelog entry if you really need to (for example, when one change in the code fixes two different bugs, or when refactoring).
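
One way to limit the log exposure listed under "Possible cons" is to scrub credential attributes from an unmatched eldap value before it is logged or wrapped. This is an added example, not code from this merge request or from Pleroma: the module and function names, the attribute list and the :ldap_search_error atom (one instance of the :ldap_xyz_error pattern) are assumptions, and the sample tuple is constructed.

```elixir
# Added example, not Pleroma code. Module and function names are hypothetical.
defmodule LdapLogRedaction do
  require Logger

  # Attribute names treated as secret (assumed list; extend for your schema).
  @sensitive ~w(userpassword unicodepwd sambantpassword sambalmpassword)

  # Logs a scrubbed copy of an unexpected eldap value and returns it wrapped
  # as {:error, {kind, scrubbed}}, so later logging of the error is safe too.
  def wrap(kind, value) when is_atom(kind) do
    scrubbed = redact(value)
    Logger.error("LDAP authentication failed: #{inspect({kind, scrubbed})}")
    {:error, {kind, scrubbed}}
  end

  # Shape-agnostic walk: the values that end up logged are the ones our
  # patterns did not match, so redaction must not rely on a record's arity.
  def redact({name, values}) do
    if sensitive?(name), do: {name, ["[REDACTED]"]}, else: {redact(name), redact(values)}
  end

  def redact(tuple) when is_tuple(tuple) do
    tuple |> Tuple.to_list() |> Enum.map(&redact/1) |> List.to_tuple()
  end

  def redact(list) when is_list(list), do: Enum.map(list, &redact/1)
  def redact(other), do: other

  # eldap returns attribute names as charlists; options such as ";binary" are ignored.
  defp sensitive?(name) when is_list(name) do
    List.ascii_printable?(name) and sensitive?(List.to_string(name))
  end

  defp sensitive?(name) when is_binary(name) do
    base = name |> String.downcase() |> String.split(";") |> hd()
    base in @sensitive
  end

  defp sensitive?(_), do: false
end

# Constructed sample: a 4-element search result, modelled on eldap's records,
# that code matching a 3-element tuple would treat as an error value.
sample =
  {:eldap_search_result,
   [{:eldap_entry, ~c"uid=alice,ou=users,dc=example,dc=org",
     [{~c"uid", [~c"alice"]}, {~c"userPassword", [~c"{SSHA}constructed-hash"]}]}], [], []}
{:error, {:ldap_search_error, scrubbed}} = LdapLogRedaction.wrap(:ldap_search_error, sample)
IO.inspect(scrubbed, label: "logged form")
```

The walk only masks values stored under a known attribute name, so a secret kept in a custom attribute still needs an entry in the list.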
