Improve logs generated by LemonLDAP
Concerned version
Version: 2.0.2
Platform: Nginx
Summary
Improve the quality of the logs LemonLDAP produces at the info log level.
Better user traceability would be a real plus for LemonLDAP administrators and security teams.
Logs
1/ Enrolment of 2FA is not logged (U2F, Yubikey):
It should be logged together with the associated user information.
Proposal:
LLNG[XXXX]: U2F key registration of <U2F_name> succeed for <$_user>
LLNG[XXXX]: Yubikey registration of <Yubikey_name> succeed for <$_user>
2/ Enrolment of 2FA is logged without associated user (TOTP):
LLNG[XXXX]: TOTP registration succeed
Proposal:
LLNG[XXXX]: TOTP registration of <TOTP_name> succeed for <$_user>
3/ 2FA un-enrolment is logged without associated user (TOTP, U2F, Yubikey):
LLNG[XXXX]: U2F key unregistration succeed
LLNG[XXXX]: Yubikey deletion succeed
LLNG[XXXX]: TOTP deletion succeed
Proposal:
LLNG[XXXX]: U2F key <U2F_name> unregistration succeed for <$_user>
LLNG[XXXX]: Yubikey <Yubikey_name> unregistration succeed for <$_user>
LLNG[XXXX]: TOTP <TOTP_name> unregistration succeed for <$_user>
4/ At the end of the authentication process (simple or with 2FA), clearly display an authentication success message together with the user's authentication level.
Proposal:
LLNG[XXXX]: User <$_user> successfully authenticated at level <$authenticationlevel>
5/ Access rule KO for SAML:
LLNG[XXXX]: User <$_user>was not authorizated to access to <SAML_entity_ID>
A space is missing between <$_user> and "was", and "authorizated" is misspelled.
Proposal:
LLNG[XXXX]: User <$_user> is not authorized to access to (<SP_entity_ID>)
6/ Access rule KO for OIDC:
LLNG[XXXX]: User userwas not authorized to access to
A space is missing between <$_user> and "was"
Proposal:
LLNG[XXXX]: User <$_user> is not authorized to access to (<RP_client_ID>)
7/ Log authorized access:
OIDC accesses are not logged at all.
SAML accesses are logged like this: "LLNG[XXXX]: SAML authentication response sent to SAML SP for <$_user> with <nameid_type> NameID "
Proposal:
SAML: LLNG[XXXX]: User <$_user> is authorized to access to (<SP_entity_ID>)
OIDC: LLNG[XXXX]: User <$_user> is authorized to access to (<RP_client_ID>)
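To show what the proposed formats buy a security team, here is an added example (not code from LemonLDAP::NG or from this issue) that parses the proposed messages from points 1 to 7 and groups them into a per-user audit trail; the pid values, user names and SP/RP identifiers in the sample lines are constructed, and the current unattributed "TOTP registration succeed" line is included to show that it cannot be tied to a user.

```python
import re
from collections import defaultdict

# Patterns for the message formats proposed in this issue. The "LLNG[pid]:"
# prefix is the syslog ident; pid values below are constructed.
PREFIX = re.compile(r"^LLNG\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PATTERNS = [
    ("2fa_register", re.compile(
        r"^(?P<kind>U2F key|Yubikey|TOTP) registration of (?P<name>\S+) succeed for (?P<user>\S+)$")),
    ("2fa_unregister", re.compile(
        r"^(?P<kind>U2F key|Yubikey|TOTP) (?P<name>\S+) unregistration succeed for (?P<user>\S+)$")),
    ("auth_ok", re.compile(
        r"^User (?P<user>\S+) successfully authenticated at level (?P<level>\d+)$")),
    ("access_denied", re.compile(
        r"^User (?P<user>\S+) is not authorized to access to \((?P<target>[^)]+)\)$")),
    ("access_ok", re.compile(
        r"^User (?P<user>\S+) is authorized to access to \((?P<target>[^)]+)\)$")),
]

def parse_line(line):
    """Return (event, fields) for a recognised message, or (None, {}) when the
    line cannot be attributed to a user (e.g. the current 'TOTP registration succeed')."""
    m = PREFIX.match(line.strip())
    if not m:
        return None, {}
    for event, pat in PATTERNS:
        hit = pat.match(m.group("msg"))
        if hit:
            return event, hit.groupdict()
    return None, {}

def audit_trail(lines):
    """Group parsed events per user: the traceability the proposals make possible."""
    trail = defaultdict(list)
    for line in lines:
        event, fields = parse_line(line)
        if event:
            trail[fields["user"]].append((event, fields))
    return dict(trail)

# Constructed sample: one current-format line plus lines in the proposed formats.
SAMPLE = """LLNG[4242]: TOTP registration succeed
LLNG[4242]: TOTP registration of phone succeed for dwho
LLNG[4242]: User dwho successfully authenticated at level 5
LLNG[4242]: User dwho is authorized to access to (https://sp.example.com/metadata)
LLNG[4243]: User rtyler is not authorized to access to (client42)
""".splitlines()

if __name__ == "__main__":
    for user, events in audit_trail(SAMPLE).items():
        print(user, [e for e, _ in events])
```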