more auth logging

internal/auth/ldap.go

@@ -35,6 +35,8 @@ type LDAPIdentity struct {
 	Username string
 	UserDN   string
 	Groups   []string
+	// Diagnostics contains non-sensitive LDAP processing notes useful for debugging auth decisions.
+	Diagnostics []string
 }
 
 type LDAPAuthenticator struct {
@@ -93,7 +95,7 @@ func (a *LDAPAuthenticator) AuthenticateAndFetchGroups(ctx context.Context, user
 
 	if err := conn.Bind(username, password); err != nil {
 		if ldap.IsErrorWithCode(err, ldap.LDAPResultInvalidCredentials) {
-			return LDAPIdentity{}, ErrLDAPInvalidCredentials
+			return LDAPIdentity{}, fmt.Errorf("%w: ldap bind rejected credentials", ErrLDAPInvalidCredentials)
 		}
 		return LDAPIdentity{}, fmt.Errorf("%w: bind failed: %v", ErrLDAPOperationFailed, err)
 	}
@@ -111,6 +113,7 @@ func (a *LDAPAuthenticator) AuthenticateAndFetchGroups(ctx context.Context, user
 		return LDAPIdentity{}, err
 	}
 	if entry != nil {
+		identity.Diagnostics = append(identity.Diagnostics, "user_entry_found")
 		if strings.TrimSpace(entry.DN) != "" {
 			identity.UserDN = entry.DN
 		}
@@ -122,6 +125,8 @@ func (a *LDAPAuthenticator) AuthenticateAndFetchGroups(ctx context.Context, user
 		); v != "" {
 			identity.Username = v
 		}
+	} else {
+		identity.Diagnostics = append(identity.Diagnostics, "user_entry_not_found")
 	}
 
 	groupSet := make(map[string]struct{})
@@ -156,9 +161,15 @@ func (a *LDAPAuthenticator) AuthenticateAndFetchGroups(ctx context.Context, user
 				groupSet[dn] = struct{}{}
 			}
 		}
+		if len(groupEntries.Entries) == 0 {
+			identity.Diagnostics = append(identity.Diagnostics, "group_search_returned_no_entries")
+		}
+	} else {
+		identity.Diagnostics = append(identity.Diagnostics, fmt.Sprintf("group_search_failed:%v", err))
 	}
 
 	identity.Groups = mapKeysSorted(groupSet)
+	identity.Diagnostics = compactTrimmedStrings(identity.Diagnostics)
 	return identity, nil
 }