Enabling Verbose LDAP Logging
Warning: Do not enable this logging in production. It logs passwords in plain text.
In some cases, the log produced by the steps in Turning on Security Logging does not provide enough information. In those cases, follow the steps below after completing the steps on that page. In other words, this page depends on Turning on Security Logging.
Warning: The instructions in this document assume that you have already executed the instructions in Turning on Security Logging.
The steps below turn on more logging for LDAP, and do not apply to other backends.
- Open `applicationContext-spring-security-ldap.xml`. Change the reference in the first `constructor-arg` of `daoAuthenticationProvider` to `ldapAuthenticatorProxy`. After these edits, the file should look like this (some beans omitted):

  applicationContext-spring-security-ldap.xml
  ```xml
  <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
      <ref bean="ldapAuthenticatorProxy" />
    </constructor-arg>
    <constructor-arg>
      <ref local="populator" />
    </constructor-arg>
  </bean>
  ```
- Create a file named `applicationContext-logging.xml` with the contents below. Things to note:
  - The `target` property is the `authenticator` bean above.
  - The `proxyInterfaces` property contains a single value: the `LdapAuthenticator` interface. (`BindAuthenticator` from above implements this interface.)

  applicationContext-logging.xml
  ```xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
  <beans>
    <bean id="ldapAuthenticatorProxy" class="org.springframework.aop.framework.ProxyFactoryBean">
      <property name="proxyInterfaces">
        <value>org.springframework.security.providers.ldap.LdapAuthenticator</value>
      </property>
      <property name="target">
        <ref bean="authenticator" />
      </property>
      <property name="interceptorNames">
        <list>
          <value>loggingAdvisor</value>
        </list>
      </property>
    </bean>
    <bean id="loggingAdvisor" class="org.springframework.aop.support.RegexpMethodPointcutAdvisor">
      <property name="advice">
        <ref local="loggingInterceptor" />
      </property>
      <property name="pattern">
        <value>.*</value>
      </property>
    </bean>
    <bean id="loggingInterceptor" class="org.pentaho.platform.engine.security.LoggingInterceptor" />
  </beans>
  ```
- Edit `pentaho-spring-beans.xml`. In `pentaho-spring-beans.xml`, add `applicationContext-logging.xml` to the list of imported files.
- Restart the Pentaho web application.
Warning: Do not enable this logging in production. It logs passwords in plain text.
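A pre-deployment check for the wiring described in the steps above, as an added example that is not part of the original page or of Pentaho's code: it reports whether the two Spring files still route LDAP authentication through the logging proxy. The `<import resource="..."/>` form of the import list, the `authenticator` reference in the non-verbose sample, and all sample XML are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

PROXY_BEAN = "ldapAuthenticatorProxy"               # bean id from the page
LOGGING_CONTEXT = "applicationContext-logging.xml"  # file name from the page

def provider_uses_proxy(ldap_xml):
    """True if daoAuthenticationProvider's first constructor-arg references the logging proxy."""
    for bean in ET.fromstring(ldap_xml).iter("bean"):
        if bean.get("id") == "daoAuthenticationProvider":
            first = bean.find("constructor-arg")
            ref = first.find("ref") if first is not None else None
            return ref is not None and PROXY_BEAN in (ref.get("bean"), ref.get("local"))
    return False

def imports_logging_context(beans_xml):
    """True if the import list pulls in applicationContext-logging.xml.
    Assumption: imports are written as Spring <import resource="..."/> elements."""
    return any(imp.get("resource", "").endswith(LOGGING_CONTEXT)
               for imp in ET.fromstring(beans_xml).iter("import"))

def findings(ldap_xml, beans_xml):
    """List the verbose-logging wiring still present; an empty list means none was found."""
    out = []
    if provider_uses_proxy(ldap_xml):
        out.append("daoAuthenticationProvider is wired to " + PROXY_BEAN)
    if imports_logging_context(beans_xml):
        out.append(LOGGING_CONTEXT + " is imported")
    return out

# Constructed sample inputs (not copied from a real deployment).
LDAP_VERBOSE = """<beans>
  <bean id="daoAuthenticationProvider"
        class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg><ref bean="ldapAuthenticatorProxy" /></constructor-arg>
    <constructor-arg><ref local="populator" /></constructor-arg>
  </bean>
</beans>"""
# Assumed non-verbose wiring: the provider references the authenticator bean directly.
LDAP_NORMAL = LDAP_VERBOSE.replace('bean="ldapAuthenticatorProxy"', 'local="authenticator"')
BEANS_VERBOSE = """<beans>
  <import resource="applicationContext-spring-security-ldap.xml" />
  <import resource="applicationContext-logging.xml" />
</beans>"""
BEANS_NORMAL = BEANS_VERBOSE.replace('  <import resource="applicationContext-logging.xml" />\n', "")

if __name__ == "__main__":
    for name, args in (("verbose", (LDAP_VERBOSE, BEANS_VERBOSE)), ("normal", (LDAP_NORMAL, BEANS_NORMAL))):
        print(name, findings(*args) or "no verbose LDAP logging wiring found")
```

Run it against the text of the deployed `applicationContext-spring-security-ldap.xml` and `pentaho-spring-beans.xml` before promoting a build; any finding means the steps on this page have not been reverted.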
What to Look For
Look for log output similar to:
DEBUG [DirMgrBindAuthenticator] (LoggingInterceptor) Return value: LdapUserInfo: org.springframework.security.providers.ldap.LdapUserInfo@1f31c64[dn=uid=suzy,ou=users,ou=system,attributes={mail=mail: suzy.pentaho@pentaho.org, uid=uid: suzy, userpassword=userpassword: [B@e17c9c, businesscategory=businesscategory: cn=cto,ou=roles,ou=system, cn=is,ou=roles,ou=system, objectclass=objectClass: organizationalPerson, person, groupOfUniqueNames, inetOrgPerson, top, uniquemember=uniquemember: cn=cto, ou=roles, cn = is , ou = roles, sn=sn: Pentaho, cn=cn: suzy}]