Bug #100333 LDAP plugin error message confusing
Submitted: 27 Jul 2020 13:57
Modified: 14 Nov 2022 19:45
Reporter: Oli Sennhauser
Status: Closed
Category: MySQL Server: Pluggable Authentication
Severity: S3 (Non-critical)
Version: 8.0.21
OS: Linux (n.a.)
Assigned to:
CPU Architecture: x86 (n.a.)

[27 Jul 2020 13:57] Oli Sennhauser
Description:
LDAP error: "Operations error" is a bad error message. This is not an error on the LDAP server but an authentication problem, as the first part of the message states: "Search user group has failed" and "LDAP authentication failed or group retrieval failed".

[Note] [MY-013353] [Server] Plugin authentication_ldap_simple reported: 'Parsing mapping info, LDAP group: App1_DEV_Read MySQL proxy: App1_DEV_Read'
[Note] [MY-013351] [Server] Plugin authentication_ldap_simple reported: 'Getting next mapping information'
[ERROR] [MY-013354] [Server] Plugin authentication_ldap_simple reported: 'Mapping parsing error'
[Note] [MY-011799] [Server] Plugin authentication_ldap_simple reported: 'Search user group has failed:  LDAP error: Operations error'
[ERROR] [MY-011798] [Server] Plugin authentication_ldap_simple reported: 'LDAP authentication failed or group retrieval failed:  LDAP error: Operations error'
[Note] [MY-011783] [Server] Plugin authentication_ldap_simple reported: 'Ldap_connection_pool::put connection in pushed in the pool'
[Note] [MY-011779] [Server] Plugin authentication_ldap_simple reported: 'Ldap_authentication::de_initialize putting back connection in the pool'
[Note] [MY-010926] [Server] Access denied for user 'App2_Dev_Admin_User1'@'localhost' (using password: YES)

How to repeat:
Connect with a user without a group mapping.

Suggested fix:
Possibly switching both parts would help to reduce confusion:

Plugin authentication_ldap_simple reported: 'LDAP error: Operations error: Search user group has failed'
Plugin authentication_ldap_simple reported: 'LDAP error: Operations error: LDAP authentication failed or group retrieval failed'

[28 Jul 2020 14:01] MySQL Verification Team
Hello Oli Sennhauser,

Thank you for the report and feedback.
Verifying based on my discussion with the developer (Yashwant Sahu).

regards,
Umesh

[14 Nov 2022 19:45] Christine Cole
Posted by developer:
 
Fixed as of the upcoming MySQL 8.0.32 release, and here's the proposed changelog entry from the documentation team:

The server could return LDAP_OPERATIONS_ERROR for LDAP authentication
failures, rather than only for actual LDAP server errors such as when an
AD domain is not accessible. Now, the server returns
LDAP_AUTHENTICATION_ERROR, a MySQL-specific error code, to indicate
authentication errors.

Thank you for the bug report.
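
For triaging these error-log lines on servers older than 8.0.32, the following added example (not part of the bug report or of MySQL's code) groups the plugin messages that precede each "Access denied" line and labels the denial. It assumes the lines of one login attempt are contiguous, and it treats the 'Mapping parsing error' (MY-013354) seen in this report as the marker of a mapping/authentication failure; the function name and verdict labels are hypothetical.

```python
import re

# Constructed sample: a subset of the pre-8.0.32 lines quoted in the report.
SAMPLE_LOG = """\
[Note] [MY-013351] [Server] Plugin authentication_ldap_simple reported: 'Getting next mapping information'
[ERROR] [MY-013354] [Server] Plugin authentication_ldap_simple reported: 'Mapping parsing error'
[Note] [MY-011799] [Server] Plugin authentication_ldap_simple reported: 'Search user group has failed:  LDAP error: Operations error'
[ERROR] [MY-011798] [Server] Plugin authentication_ldap_simple reported: 'LDAP authentication failed or group retrieval failed:  LDAP error: Operations error'
[Note] [MY-010926] [Server] Access denied for user 'App2_Dev_Admin_User1'@'localhost' (using password: YES)
"""

# search() is used so a leading timestamp/thread-id prefix is tolerated.
LINE_RE = re.compile(r"\[(?P<level>\w+)\] \[(?P<code>MY-\d+)\] \[Server\] (?P<msg>.*)")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")

def triage(log_text):
    """Return [(user, verdict)] for every 'Access denied' line in log_text."""
    results, pending = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        denied = DENIED_RE.search(m["msg"])
        if not denied:
            # Plugin chatter belonging to the login attempt in progress.
            pending.append((m["code"], m["msg"]))
            continue
        codes = {code for code, _ in pending}
        ops_error = any("LDAP error: Operations error" in text for _, text in pending)
        if ops_error and "MY-013354" in codes:
            # Heuristic from this report: mapping failure, not an LDAP outage.
            verdict = "auth-or-mapping-failure"
        elif ops_error:
            # Before 8.0.32 this text alone cannot separate the two causes.
            verdict = "ambiguous-ldap-error"
        else:
            verdict = "other"
        results.append((denied["user"], verdict))
        pending = []
    return results

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG):
        print(user, verdict)
```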