[PR #981] [MERGED] server: Clarify logging of login attempts and failures #1051

Closed
opened 2026-02-27 09:10:44 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/lldap/lldap/pull/981
Author: @nitnelave
Created: 9/26/2024
Status: Merged
Merged: 9/26/2024
Merged by: @nitnelave

Base: main ← Head: logging


📝 Commits (1)

  • 010a62e server: Clarify logging of login attempts and failures

📊 Changes

3 files changed (+43 additions, -60 deletions)

View changed files

📝 server/src/domain/error.rs (+1 -1)
📝 server/src/domain/sql_opaque_handler.rs (+7 -5)
📝 server/src/infra/auth_service.rs (+35 -54)

📄 Description

That way, it becomes doable to automate log monitoring for too many failed login attempts.
Note that OPAQUE logins don't keep the associated username, so they cannot log which user successfully logged in or not; in addition, the client knows between the 2 queries whether the password was correct without having to tell the server.

Sample logs:

  • Login through LDAP (failure then success):

```
2024-09-26T18:21:40.971371306+00:00  INFO     LDAP session [ 647ms | 0.06% / 100.00% ]
2024-09-26T18:21:40.971628975+00:00  INFO     ┝━ LDAP request [ 646ms | 99.94% ]
2024-09-26T18:21:40.972371031+00:00  INFO     │  ┝━ i [info]: Login attempt for "admin" | log.target: "lldap::domain::sql_opaque_handler" | log.module_path: "lldap::domain::sql_opaque_handler" | log.file: "server/src/domain/sql_opaque_handler.rs" | log.line: 74
2024-09-26T18:21:41.617956933+00:00  ERROR    │  ┝━ 🚨 [error]:  | error: Authentication protocol error for `Protocol error: `This error results from an error during password verification``
2024-09-26T18:21:41.617998898+00:00  ERROR    │  ┕━ 🚨 [error]:  | error: Authentication error for user "admin"
2024-09-26T18:21:41.618429390+00:00  INFO     ┕━ LDAP request [ 9.67µs | 0.00% ]
2024-09-26T18:21:43.970682921+00:00  INFO     LDAP session [ 642ms | 0.08% / 100.00% ]
2024-09-26T18:21:43.970851846+00:00  INFO     ┝━ LDAP request [ 640ms | 99.65% ]
2024-09-26T18:21:43.971465247+00:00  INFO     │  ┕━ i [info]: Login attempt for "admin" | log.target: "lldap::domain::sql_opaque_handler" | log.module_path: "lldap::domain::sql_opaque_handler" | log.file: "server/src/domain/sql_opaque_handler.rs" | log.line: 74
```

  • Login through the simple auth HTTP endpoint (failure then success):

```
2024-09-26T18:21:51.168102497+00:00  INFO     i [info]: Login attempt for "admin" | log.target: "lldap::domain::sql_opaque_handler" | log.module_path: "lldap::domain::sql_opaque_handler" | log.file: "server/src/domain/sql_opaque_handler.rs" | log.line: 74
2024-09-26T18:21:51.803150431+00:00  ERROR    🚨 [error]:  | error: Authentication protocol error for `Protocol error: `This error results from an error during password verification``
2024-09-26T18:21:51.803222676+00:00  ERROR    🚨 [error]:  | error: Authentication error for user "admin"
2024-09-26T18:21:56.405670062+00:00  INFO     i [info]: Login attempt for "admin" | log.target: "lldap::domain::sql_opaque_handler" | log.module_path: "lldap::domain::sql_opaque_handler" | log.file: "server/src/domain/sql_opaque_handler.rs" | log.line: 74
```

  • Login through the web UI (silent failure, then success):

```
2024-09-26T18:22:17.512461334+00:00  INFO     i [info]: OPAQUE login attempt for "admin"
2024-09-26T18:22:20.499285134+00:00  INFO     i [info]: OPAQUE login attempt for "admin"
2024-09-26T18:22:20.596530015+00:00  INFO     i [info]: OPAQUE login successful
```

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
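The log monitoring the description has in mind could look like the following added example, which is not part of the PR or of the lldap code base. The function names, the threshold of 3 failures in 5 minutes and the `SAMPLE` records are assumptions made for illustration; the sample lines are constructed in the format of the logs above.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

HEAD = re.compile(r'^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?([+-]\d\d:\d\d)\s+(\w+)\s')
NAME = r'"((?:[^"\\]|\\.)*)"\s*$'  # assumption: a quote inside a name is backslash-escaped
FAILED = re.compile(r'Authentication error for user ' + NAME)
OPAQUE_TRY = re.compile(r'OPAQUE login attempt for ' + NAME)
OPAQUE_OK = re.compile(r'\[info\]: OPAQUE login successful\s*$')

def records(lines):  # yields (time, level, message) for each line with a timestamp and level
    for line in lines:
        m = HEAD.match(line)
        if m:
            when = datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%dT%H:%M:%S%z")
            yield when, m.group(3), line[m.end():]

def failed_login_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return a (user, time, count) alert whenever a user reaches `threshold` failures in `window`."""
    recent, alerts = defaultdict(deque), []
    for when, level, msg in records(lines):
        # Only ERROR records count, so an INFO line echoing a user-supplied name is ignored.
        if level == "ERROR" and (hit := FAILED.search(msg)):
            q = recent[hit.group(1)]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append((hit.group(1), when, len(q)))
                q.clear()  # re-arm rather than alert on every further failure
    return alerts

def opaque_summary(lines):
    """OPAQUE success lines name no user: return (attempts per user, total successes)."""
    attempts, successes = Counter(), 0
    for _, _, msg in records(lines):
        if hit := OPAQUE_TRY.search(msg):
            attempts[hit.group(1)] += 1
        elif OPAQUE_OK.search(msg):
            successes += 1
    return attempts, successes

SAMPLE = [  # constructed records in the format of the sample logs above
    '2024-09-26T18:30:00.100000000+00:00  ERROR    🚨 [error]:  | error: Authentication error for user "alice"',
    '2024-09-26T18:31:10.200000000+00:00  ERROR    │  ┕━ 🚨 [error]:  | error: Authentication error for user "alice"',
    '2024-09-26T18:32:20.300000000+00:00  ERROR    🚨 [error]:  | error: Authentication error for user "alice"',
    '2024-09-26T18:40:00.400000000+00:00  INFO     i [info]: OPAQUE login attempt for "carol"',
    '2024-09-26T18:40:03.500000000+00:00  INFO     i [info]: OPAQUE login attempt for "carol"',
    '2024-09-26T18:40:03.600000000+00:00  INFO     i [info]: OPAQUE login successful',
]
```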
