Bug 1542137 - [RFE] Add systemtap probes to display ldapsearch requests and results
Summary: [RFE] Add systemtap probes to display ldapsearch requests and results
Keywords:
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: pre-dev-freeze
: 8.1
Assignee: Tomas Halman
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On: 1682305
Blocks: 1547051 1689138 1679810
TreeView+ depends on / blocked
 
Reported: 2018-02-05 16:28 UTC by afox@redhat.com
Modified: 2019-12-05 11:15 UTC (History)
10 users (show)

Fixed In Version: sssd-2.2.3-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)

Description afox@redhat.com 2018-02-05 16:28:32 UTC
Description of problem:
SSSD makes LDAP queries which are encrypted using kerberos/gssapi.  This means that the LDAP queries cannot easily be investgated using tcpdump or wireshark, even when the decrypt kerberos packets option is used with the host keytab file.
It would be useful for debugging purposes to see exactly what LDAP queries are being made and to which servers.  Also the results from these queries.

The existing debug output from SSSD is quite helpful in this respect, but it would be better if a small enhancement were made so that for a specific debug level ( eg 0x0400), SSSD would print out all the details of the LDAP search it is doing, ie the LDAP server IP(and port), the base dn, the scope, filter and attributes requested.  Currently the server and filter are printed on two different lines at different debug levels and there is no indication of base dn, scope or attributes used in the search.  Similarly if the raw results could be displayed (maybe use a different debug level for that in case a large number of results are returned).

This would be extremely useful in debugging what is requested by SSSD and what is returned by the AD server.  Although it is possible to turn on event log debugging on the AD servers themselves, that is not practical in a large environment where there are literally millions of requests each day and the event log would fill far too quickly to be of use.

Version-Release number of selected component (if applicable):
sssd-client-1.14.0-43.el7.x86_64

Comment 6 Jakub Hrozek 2018-02-21 16:50:35 UTC
I would say we should provides probes for e.g. systemtap so that the admin can watch the LDAP searches. I don't think debug messages are the right place.

Please see man sssd-systemtap for example of what is already supported (sorry, I don't know if RHEL already has the man page, here is a link to upstream: https://jhrozek.fedorapeople.org/sssd/1.16.0/man/sssd-systemtap.5.html)

Chances are the probes might even do what the customer wants or that the existing probes need to be adjusted, but I think it's a better way of fulfilling the request than the debug messages.

Comment 8 Lukas Slebodnik 2018-02-21 19:59:44 UTC
(In reply to Jakub Hrozek from comment #6)
> I would say we should provides probes for e.g. systemtap so that the admin
> can watch the LDAP searches. I don't think debug messages are the right
> place.
> 

+1.
It will be really handy for troubleshooting.

Comment 13 Martin Kosek 2019-03-12 13:07:36 UTC
Updating RFE title, to reflect the adjusted scope - adding systemtap probes.

Comment 19 Tomas Halman 2019-11-26 15:10:04 UTC
Upstream PR https://github.com/SSSD/sssd/pull/841


Note You need to log in before you can comment on or make changes to this bug.