Enabling Verbose LDAP Logging 2.x-3.0.x

Warning: Do not enable this logging in production. It logs passwords in plain text.

In some cases, the log produced by the steps in Turning on Security Logging 2.x-3.0.x does not provide enough information. In those cases, execute the steps outlined below, after completing the steps on that page. In other words, this page depends on Turning on Security Logging 2.x-3.0.x.

Warning: The instructions in this document assume that you have already executed the instructions in Turning on Security Logging 2.x-3.0.x.

The steps below turn on additional logging for the LDAP security backend only; they do not apply to other backends.

  1. Open applicationContext-acegi-security-ldap.xml. Change the reference in the first constructor-arg of daoAuthenticationProvider to ldapAuthenticatorProxy, so that the provider receives the logging proxy instead of the authenticator bean itself. After this edit, the file should look like this (some beans omitted):
    applicationContext-acegi-security-ldap.xml
    <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
      <constructor-arg>
        <ref bean="ldapAuthenticatorProxy" />
      </constructor-arg>
      <constructor-arg>
        <ref local="populator" />
      </constructor-arg>
    </bean>
    
  2. Create a file named applicationContext-logging.xml with the contents below. Things to note:
    1. The target property refers to the authenticator bean, the bean that daoAuthenticationProvider referenced before the edit in step 1.
    2. The proxyInterfaces property contains a single value: the LdapAuthenticator interface. (BindAuthenticator, the class of the authenticator bean, implements this interface, which is what allows the proxy to stand in for it.)
      applicationContext-logging.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
      
      <beans>
      
        <bean id="ldapAuthenticatorProxy" class="org.springframework.aop.framework.ProxyFactoryBean">
          <property name="proxyInterfaces">
            <value>org.acegisecurity.providers.ldap.LdapAuthenticator</value>
          </property>
          <property name="target">
            <ref bean="authenticator" />
          </property>
          <property name="interceptorNames">
            <list>
              <value>loggingAdvisor</value>
            </list>
          </property>
        </bean>
      
        <bean id="loggingAdvisor" class="org.springframework.aop.support.RegexpMethodPointcutAdvisor">
          <property name="advice">
            <ref local="loggingInterceptor" />
          </property>
          <property name="pattern">
            <value>.*</value>
          </property>
        </bean>
      
        <bean id="loggingInterceptor" class="org.pentaho.platform.engine.security.LoggingInterceptor" />
      
      </beans>
      
  3. Edit pentaho-spring-beans.xml: add applicationContext-logging.xml to the list of imported files in that file.
  4. Restart the Pentaho web application.

    Warning: Do not enable this logging in production. It logs passwords in plain text.
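To show what the proxy configured in step 2 hands to its interceptor, here is an added example of an AOP Alliance MethodInterceptor; it is not Pentaho's org.pentaho.platform.engine.security.LoggingInterceptor, whose source is not shown on this page. It assumes, as in Acegi, that LdapAuthenticator declares authenticate(String username, String password), which is why an interceptor that logs every argument writes the clear-text password; this version redacts that argument, while the returned LdapUserInfo (including its userpassword attribute) is still logged in full, as in the output shown below.

```java
package example; // hypothetical package, not part of Pentaho

import java.util.Arrays;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Logs every call that passes through ldapAuthenticatorProxy. Because the
 * proxy exposes only the LdapAuthenticator interface, the intercepted calls
 * are authenticate(username, password): argument index 1 is the password.
 */
public class RedactingLoggingInterceptor implements MethodInterceptor {

    private static final Log log = LogFactory.getLog(RedactingLoggingInterceptor.class);

    // Assumption: authenticate(String username, String password)
    private static final int PASSWORD_ARG_INDEX = 1;

    public Object invoke(MethodInvocation invocation) throws Throwable {
        String method = invocation.getMethod().getName();
        Object[] args = invocation.getArguments();
        if (log.isDebugEnabled()) {
            log.debug(method + " args: " + Arrays.toString(redact(method, args)));
        }
        try {
            Object result = invocation.proceed();
            // The return value is an LdapUserInfo; its attributes are logged as-is.
            if (log.isDebugEnabled()) log.debug(method + " returned: " + result);
            return result;
        } catch (Throwable t) {
            log.debug(method + " threw: " + t, t);
            throw t;
        }
    }

    /** Copy the argument array and replace the password of authenticate() with a marker. */
    static Object[] redact(String method, Object[] args) {
        Object[] copy = args.clone();
        if ("authenticate".equals(method) && copy.length > PASSWORD_ARG_INDEX) {
            copy[PASSWORD_ARG_INDEX] = "<redacted>";
        }
        return copy;
    }
}
```

To use it in place of the page's interceptor, point the loggingInterceptor bean's class attribute at this class; the advisor and proxy beans stay unchanged.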

What to Look For

Look for log output similar to:
DEBUG [DirMgrBindAuthenticator] (LoggingInterceptor) Return value: LdapUserInfo: org.acegisecurity.providers.ldap.LdapUserInfo@1f31c64[dn=uid=suzy,ou=users,ou=system,attributes={mail=mail: suzy.pentaho@pentaho.org, uid=uid: suzy, userpassword=userpassword: [B@e17c9c, businesscategory=businesscategory: cn=cto,ou=roles,ou=system, cn=is,ou=roles,ou=system, objectclass=objectClass: organizationalPerson, person, groupOfUniqueNames, inetOrgPerson, top, uniquemember=uniquemember: cn=cto, ou=roles, cn = is , ou = roles, sn=sn: Pentaho, cn=cn: suzy}]