
The most recent patch for this version is 6.3.1.

Tracing

For monitoring needs that go beyond logging, tracing can be enabled. Tracing makes it possible to track key events that relate to access requests.

The tracing functionality in the LDAP Attribute Connector is based on OpenTelemetry (OT). It relies on the OpenTelemetry Java agent to orchestrate the feature, but any agent that conforms to or implements the OpenTelemetry API version 1.3 could be used.

The tracing implementation is supported only in conjunction with Access Decision Service (ADS). The spans for the LDAP Server requests will be created only if OpenTelemetry is enabled for ADS itself, and will be within the context of the spans of ADS.

For more information about tracing in ADS, refer to the ADS Documentation.

For visualization and monitoring assistance, the tracing information produced by the LDAP Attribute Connector can be published to observability backends, for example, Jaeger or Prometheus.

Spans and traces

A span is a unit of work within a trace, and a trace is a tree of spans. For the LDAP Attribute Connector, this means that for each request, the following spans are defined in the trace:

  • A span per call to the LDAP Server. The span is initialized when a request is sent to the LDAP Server, and concludes once the server returns a response. The spans contain a set of attributes that serve as an identifier, so that each span can be correlated with its LDAP Server request. Each span associated with an LDAP Server request contains both the query and the returned values.

Controlling visibility of attribute values

By default, the attribute values in the requests and responses are sanitized, or anonymized, when the span details are displayed. This is to preserve confidentiality of data.

The visibility status of the attribute values is configured via a Java system property or an environment variable.

Configuration via a Java system property

The setting is configured primarily via a Java system property.

| Property | Description | Default value |
| --- | --- | --- |
| com.axiomatics.ldap.sanitizer.span.values.visible | The property controls the visibility of the attribute values in the span details. The default value is 'false' (attribute values in the request and response are sanitized). When the property has the value 'true', the attribute values in the spans are visible. | false |

Configuration via an environment variable

An alternative way to configure this feature is via an operating system environment variable called COM_AXIOMATICS_LDAP_SANITIZER_SPAN_VALUES_VISIBLE. It takes the values true and false, with false being the default value.

Important

Note that a Java system property has higher precedence than an OS environment variable.
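
The precedence rule above can be checked before a deployment goes live, so that attribute values are not published to a tracing backend by accident. The following script is an added example, not code from the connector or its vendor. The function names are hypothetical, and it assumes that only the literal value true (in any case) enables visibility and that the last -D occurrence of the property on the command line is the one that applies.

```shell
#!/bin/sh
# Added illustration: resolve the effective span-value visibility of a deployment.
PROP=com.axiomatics.ldap.sanitizer.span.values.visible

# Assumption: only "true" (any case) enables visibility; anything else sanitizes.
normalize() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true) echo true ;;
        *)    echo false ;;
    esac
}

# $1 = JVM argument string
# $2 = value of COM_AXIOMATICS_LDAP_SANITIZER_SPAN_VALUES_VISIBLE (may be empty)
effective_visibility() {
    jvm_args=$1; env_value=$2; found=0; prop_value=
    for arg in $jvm_args; do            # unquoted on purpose: split into arguments
        case "$arg" in
            "-D$PROP="*) prop_value=${arg#"-D$PROP="}; found=1 ;;
        esac
    done
    if [ "$found" -eq 1 ]; then         # system property has higher precedence
        echo "$(normalize "$prop_value") system-property"
    elif [ -n "$env_value" ]; then      # environment variable is the fallback
        echo "$(normalize "$env_value") environment"
    else
        echo "false default"            # documented default: sanitized
    fi
}

# Returns 1 when attribute values would be visible in span details.
check_sanitized() {
    result=$(effective_visibility "$1" "$2")
    case "$result" in
        true*) echo "WARNING: span values visible (set by ${result#true })" >&2; return 1 ;;
        *)     echo "OK: span values sanitized (${result#false })"; return 0 ;;
    esac
}

# Constructed sample: the environment asks for visibility, the -D flag overrides it.
SAMPLE_ARGS="-Xmx512m -D$PROP=false"
SAMPLE_ENV=true
check_sanitized "$SAMPLE_ARGS" "$SAMPLE_ENV" || true
```

In a deployment pipeline, the non-zero return of check_sanitized can be used to stop a release in which the attribute values would be visible.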