I beat myself up for two days as I built a Ruby on Rails application that manages users in LDAP. While fine-tuning the inclusion and formatting of various attributes, I would frequently have ldap.add() fail with little feedback other than possibly an exception raised. I usually knew it was a data validation error, such as a missing required attribute or poorly formatted attribute values, but I could not find anything on the server (Apache DS) or client end that would indicate which field failed, or why it was failing.
So...how do you see the reason why an LDAP add (or replace, delete, open...) failed?
When I stumbled across ldap.get_operation_result, I had a real facepalm moment. I've intentionally recreated several of the issues I painfully solved through careful inspection, this time with get_operation_result in my arsenal, and each time it described exactly what the problem was.
This method is useful when rescuing an exception, or when add(), modify(), delete(), etc. simply return false.
# ldap is an open Net::LDAP connection; add() returns false on failure, and
# get_operation_result explains why (result code, message, server error text)
ldap.add(dn: dn, attributes: attributes)
Rails.logger.info("ldap.add: #{ldap.get_operation_result}")
The snippet above saved my sanity, not to mention hours of tedious hunt-and-peck testing.
For example, here is just one part of an error message it revealed when I did not provide the required sn attribute:

ERR_279 Required attributes [sn(2.5.4.4)] not found within entry uid=david,o=users,dc=example,dc=com
It will also show messages related to bad server connection credentials, etc.
HTH
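As an added example that is not part of the original post: a small Ruby helper that turns the result object from ldap.get_operation_result into a structured report, maps the numeric code to its RFC 4511 name (invalidCredentials, objectClassViolation, and so on), and parses an Apache DS "ERR_279 Required attributes [...]" message like the one above to pull out the missing attribute names. The helper names, the RESULT_CODE_NAMES table, the FakeLdap stand-in and the sample results are all constructed here, not part of net-ldap; the only assumption about the gem is that the object returned by get_operation_result responds to code, message and error_message, so the block runs without a directory server.

```ruby
# RFC 4511 result codes that most often explain a failed add/modify/bind.
# Anything not listed is reported as "unknown" (constructed subset).
RESULT_CODE_NAMES = {
  0  => 'success',
  32 => 'noSuchObject',
  49 => 'invalidCredentials',
  50 => 'insufficientAccessRights',
  65 => 'objectClassViolation',
  68 => 'entryAlreadyExists'
}.freeze

# Apache DS schema-check message, e.g.
#   ERR_279 Required attributes [sn(2.5.4.4)] not found within entry uid=...
# Group 1: ERR number, group 2: "name(OID), name(OID)" list, group 3: entry DN.
APACHEDS_REQUIRED = /ERR_(\d+)\s+Required attributes \[(.*?)\] not found within entry (.+)\z/

# Minimal stand-in (constructed) for what get_operation_result returns:
# it responds to code, message and error_message, like the gem's object.
OperationResult = Struct.new(:code, :message, :error_message, keyword_init: true)

# Turn an operation result into a hash that is easy to log or assert on.
def describe_operation_result(result)
  server_message = result.error_message.to_s.strip
  report = {
    code: result.code,
    name: RESULT_CODE_NAMES.fetch(result.code, 'unknown'),
    message: result.message,
    server_message: server_message,
    missing_attributes: []
  }
  if (m = APACHEDS_REQUIRED.match(server_message))
    report[:apacheds_error] = "ERR_#{m[1]}"
    # "sn(2.5.4.4)" -> "sn": keep the attribute name, drop the OID.
    report[:missing_attributes] = m[2].split(',').map { |a| a.strip.sub(/\(.*\)\z/, '') }
    report[:entry_dn] = m[3].strip.delete('"')
  end
  report
end

# Run one LDAP call (add, modify, delete, bind...) in the block and, when it
# returns false or raises, attach the diagnostic from get_operation_result.
# Returns [ok, report]; report is nil on success.
def ldap_call_with_diagnostics(ldap, verbose: true)
  ok = yield
  report = nil
  unless ok
    report = describe_operation_result(ldap.get_operation_result)
    warn "ldap call failed: #{report.inspect}" if verbose
  end
  [ok, report]
rescue StandardError => e
  report = describe_operation_result(ldap.get_operation_result)
  report[:exception] = e.class.name
  warn "ldap call raised #{e.class}: #{report.inspect}" if verbose
  [false, report]
end

# Constructed stand-in for a Net::LDAP connection whose last operation
# failed; it only needs get_operation_result for the helper above.
FakeLdap = Struct.new(:last_result) do
  def add(_opts = {})
    false
  end

  def get_operation_result
    last_result
  end
end

# Constructed result mirroring the Apache DS message from the post.
SAMPLE_SCHEMA_FAILURE = OperationResult.new(
  code: 65,
  message: 'Object Class Violation',
  error_message: 'ERR_279 Required attributes [sn(2.5.4.4)] not found within entry uid=david,o=users,dc=example,dc=com'
)

if __FILE__ == $PROGRAM_NAME
  ldap = FakeLdap.new(SAMPLE_SCHEMA_FAILURE)
  ok, report = ldap_call_with_diagnostics(ldap) do
    ldap.add(dn: 'uid=david,o=users,dc=example,dc=com', attributes: { uid: 'david' })
  end
  puts "ok=#{ok} missing=#{report[:missing_attributes].inspect} (#{report[:name]})"
end
```

In a Rails app you would pass the real Net::LDAP connection in place of FakeLdap and log the returned report instead of the raw object; the missing_attributes list is what you want in the log line, since the numeric code alone (65, objectClassViolation) tells you the entry broke the schema but not which attribute.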