Description of problem:
SSSD makes LDAP queries which are encrypted using kerberos/gssapi. This means that the LDAP queries cannot easily be investgated using tcpdump or wireshark, even when the decrypt kerberos packets option is used with the host keytab file.
It would be useful for debugging purposes to see exactly what LDAP queries are being made and to which servers. Also the results from these queries.
The existing debug output from SSSD is quite helpful in this respect, but it would be better if a small enhancement were made so that for a specific debug level ( eg 0x0400), SSSD would print out all the details of the LDAP search it is doing, ie the LDAP server IP(and port), the base dn, the scope, filter and attributes requested. Currently the server and filter are printed on two different lines at different debug levels and there is no indication of base dn, scope or attributes used in the search. Similarly if the raw results could be displayed (maybe use a different debug level for that in case a large number of results are returned).
This would be extremely useful in debugging what is requested by SSSD and what is returned by the AD server. Although it is possible to turn on event log debugging on the AD servers themselves, that is not practical in a large environment where there are literally millions of requests each day and the event log would fill far too quickly to be of use.
Version-Release number of selected component (if applicable):
I would say we should provides probes for e.g. systemtap so that the admin can watch the LDAP searches. I don't think debug messages are the right place.
Please see man sssd-systemtap for example of what is already supported (sorry, I don't know if RHEL already has the man page, here is a link to upstream: https://jhrozek.fedorapeople.org/sssd/1.16.0/man/sssd-systemtap.5.html)
Chances are the probes might even do what the customer wants or that the existing probes need to be adjusted, but I think it's a better way of fulfilling the request than the debug messages.
(In reply to Jakub Hrozek from comment #6)
> I would say we should provides probes for e.g. systemtap so that the admin
> can watch the LDAP searches. I don't think debug messages are the right
It will be really handy for troubleshooting.
Updating RFE title, to reflect the adjusted scope - adding systemtap probes.
Upstream PR https://github.com/SSSD/sssd/pull/841