FairCom RTG V3 Update Guide

LDAP Authentication Diagnostic Logging

LDAP diagnostic logging is now available. LDAP diagnostic log messages are written to CTSTATUS.FCS and start with "LDAP_DIAG:".

Recommendation: Use this feature only while resolving connection issues, then turn it off for production use. This keeps the additional information the feature writes to the log to a minimum.

Specify DIAGNOSTICS LDAP in ctsrvr.cfg to enable the diagnostic logging at server startup. The logging can also be enabled or disabled at runtime using ctadmn, through the following menu selections:

- Select 10. Change Server Settings

- Select 9. Change a DIAGNOSTICS option

- At the prompt "Enter the DIAGNOSTICS option to enable or disable >>", enter LDAP (or ~LDAP to turn it off)

The annotated example below shows the LDAP diagnostic messages written when a user connects and that user's LDAP groups are checked and updated in FAIRCOM.FCS (when the LDAP_GROUP_CHECK configuration option is used):

The LDAP_GROUP_CHECK setting:

- User# 00020 LDAP_DIAG: chkldapusr: LDAP_GROUP_CHECK=[(objectclass=groupOfNames)]

- User# 00020 LDAP_DIAG: chkldapusr: pgroupflt=[(&(objectclass=groupOfNames)(member=cn=jeff,ou=people,dc=faircom,dc=com))]

The group base and filter that are sent to the LDAP server:

- User# 00020 LDAP_DIAG: getldapusergroups: grp=[ou=groups,dc=faircom,dc=com], flt=[(&(objectclass=groupOfNames)(member=cn=jeff,ou=people,dc=faircom,dc=com))]

- User# 00020 LDAP_DIAG: getldapusergroups: ngroups=[5]

The groups read from the LDAP server:

- User# 00020 LDAP_DIAG: getldapusergroups: group[0]: dn=[cn=dev,ou=groups,dc=faircom,dc=com]

- User# 00020 LDAP_DIAG: getldapusergroups: dp=[dev]

- User# 00020 LDAP_DIAG: getldapusergroups: group[1]: dn=[cn=support,ou=groups,dc=faircom,dc=com]

- User# 00020 LDAP_DIAG: getldapusergroups: dp=[support]

- User# 00020 LDAP_DIAG: getldapusergroups: group[2]: dn=[cn=qalongerthanoursupportedmaximumgroupname,ou=groups,dc=faircom,dc=com]

- User# 00020 LDAP_DIAG: getldapusergroups: dp=[qalongerthanoursupportedmaximumg]

- User# 00020 LDAP_DIAG: getldapusergroups: group[3]: dn=[cn=ctreeisamusers,ou=groups,dc=faircom,dc=com]

- User# 00020 LDAP_DIAG: getldapusergroups: dp=[ctreeisamusers]

- User# 00020 LDAP_DIAG: getldapusergroups: group[4]: dn=[cn=ctreesqlusers,ou=groups,dc=faircom,dc=com]

- User# 00020 LDAP_DIAG: getldapusergroups: dp=[ctreesqlusers]

The groups returned to the calling function:

- User# 00020 LDAP_DIAG: chkldapusr: numldapgroups=5

- User# 00020 LDAP_DIAG: chkldapusr: ldapgroup[0]=[dev]

- User# 00020 LDAP_DIAG: chkldapusr: ldapgroup[1]=[support]

- User# 00020 LDAP_DIAG: chkldapusr: ldapgroup[2]=[qalongerthanoursupportedmaximumgctreeisamusers]

- User# 00020 LDAP_DIAG: chkldapusr: ldapgroup[3]=[ctreeisamusers]

- User# 00020 LDAP_DIAG: chkldapusr: ldapgroup[4]=[ctreesqlusers]

The updating of groups in FAIRCOM.FCS:

- User# 00020 LDAP_DIAG: updatectreeusergroups: ctreegroups=0, ldapgroups=5

- User# 00020 LDAP_DIAG: updatectreeusergroups: deleted all c-tree groups for user [JEFF]

- User# 00020 LDAP_DIAG: updatectreeusergroups: added c-tree group [CTREEISAMUSERS]

- User# 00020 LDAP_DIAG: updatectreeusergroups: added c-tree group [CTREESQLUSERS]

- User# 00020 LDAP_DIAG: updatectreeusergroups: added c-tree group [DEV]

- User# 00020 LDAP_DIAG: updatectreeusergroups: added c-tree group [QALONGERTHANOURSUPPORTEDMAXIMUM]

- User# 00020 LDAP_DIAG: updatectreeusergroups: added c-tree group [SUPPORT]
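While the diagnostic log is enabled, the same messages can be checked for LDAP group names that were shortened before being stored in FAIRCOM.FCS, as happens to group[2] above. The following Python is an added example, not FairCom code; it assumes the message layout shown in the sample on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout taken from the sample messages on this page. Anything before "User#"
# (for example a timestamp in CTSTATUS.FCS) is ignored; that is an assumption.
DIAG = re.compile(r"User# (\d+) LDAP_DIAG: (\w+): (.*)")
GROUP_DN = re.compile(r"group\[\d+\]: dn=\[cn=([^,\]]+)", re.I)
ADDED = re.compile(r"added c-tree group \[([^\]]+)\]")

def parse_ldap_diag(lines):
    """Per user number: LDAP group CNs read, and c-tree groups added."""
    users = defaultdict(lambda: {"ldap": [], "ctree": []})
    for line in lines:
        m = DIAG.search(line)
        if not m:
            continue  # not an LDAP_DIAG message
        user, func, msg = m.groups()
        if func == "getldapusergroups" and (g := GROUP_DN.match(msg)):
            users[user]["ldap"].append(g.group(1))
        elif func == "updatectreeusergroups" and (a := ADDED.match(msg)):
            users[user]["ctree"].append(a.group(1))
    return dict(users)

def truncated_groups(record):
    """(ldap_cn, stored_name) pairs where the stored name is a strict prefix."""
    stored = set(record["ctree"])
    findings = []
    for cn in record["ldap"]:
        upper = cn.upper()  # the sample shows c-tree group names in upper case
        if upper in stored:
            continue  # stored under its full name
        findings += [(cn, name) for name in sorted(stored) if upper.startswith(name)]
    return findings

# Lines copied from the annotated example on this page (subset).
SAMPLE = """\
User# 00020 LDAP_DIAG: getldapusergroups: group[0]: dn=[cn=dev,ou=groups,dc=faircom,dc=com]
User# 00020 LDAP_DIAG: getldapusergroups: dp=[dev]
User# 00020 LDAP_DIAG: getldapusergroups: group[2]: dn=[cn=qalongerthanoursupportedmaximumgroupname,ou=groups,dc=faircom,dc=com]
User# 00020 LDAP_DIAG: updatectreeusergroups: added c-tree group [DEV]
User# 00020 LDAP_DIAG: updatectreeusergroups: added c-tree group [QALONGERTHANOURSUPPORTEDMAXIMUM]
""".splitlines()

if __name__ == "__main__":
    for user, record in parse_ldap_diag(SAMPLE).items():
        for cn, name in truncated_groups(record):
            print(f"User# {user}: LDAP group {cn!r} stored as {name!r}")
```

A finding means the c-tree group name no longer matches the LDAP group name exactly, so two long LDAP names sharing the same leading characters would be stored under one c-tree group.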
