Add more informative information when connection fails

lukebakken · lukebakken · commit 4d1f03f4fe8a · 2025-09-22T10:05:39.000-07:00
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl
@@ -79,7 +79,9 @@ accept_content(ReqData0, Context) ->
                     eldap:close(LDAP),
                     Result;
                 {error, E} ->
-                    Reason = unicode_format(E),
+                    Reason = unicode_format("LDAP connection failed: ~tp "
+                                            "(servers: ~tp, user_dn: ~tp, password: ~s)",
+                                            [E, Servers, UserDN, format_password_for_logging(Password)]),
                     rabbit_mgmt_util:bad_request(Reason, ReqData1, Context)
             end
         catch throw:{bad_request, ErrMsg} ->
@@ -93,6 +95,14 @@ accept_content(ReqData0, Context) ->
 unicode_format(Arg) ->
     rabbit_data_coercion:to_utf8_binary(io_lib:format("~tp", [Arg])).
 
+unicode_format(Format, Args) ->
+    rabbit_data_coercion:to_utf8_binary(io_lib:format(Format, Args)).
+
+format_password_for_logging(<<>>) ->
+    "[empty]";
+format_password_for_logging(Password) ->
+    io_lib:format("[~p bytes]", [byte_size(Password)]).
+
 maybe_starttls(_LDAP, false, _BodyMap) ->
     ok;
 maybe_starttls(LDAP, true, BodyMap) ->
diff --git a/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl b/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl
@@ -352,6 +352,40 @@ validate_ldap_configuration_via_api(Config) ->
     %% Should NOT contain GET or HEAD
     ?assertEqual(0, string:str(string:to_upper(AllowHeader), "GET")),
     ?assertEqual(0, string:str(string:to_upper(AllowHeader), "HEAD")),
+
+    %% Missing required fields tests
+    %% Empty servers array - connection failure (400)
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'servers' => [],
+            'port' => LdapPort
+        }, ?BAD_REQUEST),
+
+    %% Missing servers field entirely - defaults to [], same as above (400)
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'password' => Password,
+            'port' => LdapPort
+        }, ?BAD_REQUEST),
+
+    %% Missing user_dn field entirely - empty DN fails credential validation (422)
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'password' => Password,
+            'servers' => ["localhost"],
+            'port' => LdapPort
+        }, ?UNPROCESSABLE_ENTITY),
+
+    %% Missing password field entirely - empty password fails credential validation (422)
+    http_put(Config, "/ldap/validate/simple-bind",
+        #{
+            'user_dn' => AliceUserDN,
+            'servers' => ["localhost"],
+            'port' => LdapPort
+        }, ?UNPROCESSABLE_ENTITY),
     http_put(Config, "/ldap/validate/simple-bind",
         #{
             'user_dn' => AliceUserDN,
