Enabling Verbose LDAP Logging

Warning: Do not enable this logging in production. It logs passwords in plain text.

In some cases, the log produced by the steps in Turning on Security Logging does not provide enough information. In those cases, execute the steps below in addition to, and after, the steps on that page.

Warning: The instructions in this document assume that you have already executed the instructions in Turning on Security Logging.

The steps below turn on more logging for LDAP, and do not apply to other backends.

  1. Open applicationContext-spring-security-ldap.xml. Change the first constructor-arg of the daoAuthenticationProvider bean so that it references ldapAuthenticatorProxy instead of the authenticator bean. After this edit, the file should look like this (some beans omitted):
    applicationContext-spring-security-ldap.xml
    <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
      <constructor-arg>
        <ref bean="ldapAuthenticatorProxy" />
      </constructor-arg>
      <constructor-arg>
        <ref local="populator" />
      </constructor-arg>
    </bean>
    
  2. Create a file named applicationContext-logging.xml with the contents below. Things to note:
    1. The target property references the authenticator bean that daoAuthenticationProvider pointed at before step 1.
    2. The proxyInterfaces property contains a single value, the LdapAuthenticator interface, which the authenticator bean's class (BindAuthenticator) implements. The proxy has to expose this interface so that daoAuthenticationProvider accepts it in place of the real authenticator.
      applicationContext-logging.xml
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
      
      <beans>
      
        <bean id="ldapAuthenticatorProxy" class="org.springframework.aop.framework.ProxyFactoryBean">
          <property name="proxyInterfaces">
            <value>org.springframework.security.providers.ldap.LdapAuthenticator</value>
          </property>
          <property name="target">
            <ref bean="authenticator" />
          </property>
          <property name="interceptorNames">
            <list>
              <value>loggingAdvisor</value>
            </list>
          </property>
        </bean>
      
        <bean id="loggingAdvisor" class="org.springframework.aop.support.RegexpMethodPointcutAdvisor">
          <property name="advice">
            <ref local="loggingInterceptor" />
          </property>
          <property name="pattern">
            <value>.*</value>
          </property>
        </bean>
      
        <bean id="loggingInterceptor" class="org.pentaho.platform.engine.security.LoggingInterceptor" />
      
      </beans>
      
  3. Edit pentaho-spring-beans.xml.
    Add applicationContext-logging.xml to the list of files imported in pentaho-spring-beans.xml, so that the ldapAuthenticatorProxy bean is part of the application context.
  4. Restart the Pentaho web application.

What to Look For

Look for log output similar to the following, which is the authenticator's return value as dumped by LoggingInterceptor:
DEBUG [DirMgrBindAuthenticator] (LoggingInterceptor) Return value: LdapUserInfo: org.springframework.security.providers.ldap.LdapUserInfo@1f31c64[dn=uid=suzy,ou=users,ou=system,attributes={mail=mail: suzy.pentaho@pentaho.org, uid=uid: suzy, userpassword=userpassword: [B@e17c9c, businesscategory=businesscategory: cn=cto,ou=roles,ou=system, cn=is,ou=roles,ou=system, objectclass=objectClass: organizationalPerson, person, groupOfUniqueNames, inetOrgPerson, top, uniquemember=uniquemember: cn=cto, ou=roles, cn = is , ou = roles, sn=sn: Pentaho, cn=cn: suzy}]

Note that the value [B@e17c9c shown for the userpassword attribute is the JVM's default toString() of a byte array, that is, an object identity rather than the attribute's bytes. Do not take this as evidence that the verbose log is free of secrets: the warning at the top of this page still applies, so treat the whole log as sensitive and scrub it before sharing it with anyone.
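As an added example (not part of this page and not Pentaho's code), the following Python scans a log for LoggingInterceptor's LdapUserInfo dumps, parses the DN and attribute map out of each one, flags password attributes, and redacts them before the log leaves the machine. The input is the page's sample line above plus one constructed line whose userpassword came back as a readable string; the SENSITIVE_ATTRS set and all function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Sample input: the page's own "Return value" line, embedded here as test data.
SAMPLE_LINE = (
    "DEBUG [DirMgrBindAuthenticator] (LoggingInterceptor) Return value: LdapUserInfo: "
    "org.springframework.security.providers.ldap.LdapUserInfo@1f31c64[dn=uid=suzy,ou=users,"
    "ou=system,attributes={mail=mail: suzy.pentaho@pentaho.org, uid=uid: suzy, "
    "userpassword=userpassword: [B@e17c9c, businesscategory=businesscategory: "
    "cn=cto,ou=roles,ou=system, cn=is,ou=roles,ou=system, objectclass=objectClass: "
    "organizationalPerson, person, groupOfUniqueNames, inetOrgPerson, top, "
    "uniquemember=uniquemember: cn=cto, ou=roles, cn = is , ou = roles, sn=sn: Pentaho, "
    "cn=cn: suzy}]"
)

# Constructed (hypothetical) line in which the directory returned userpassword as a string.
FAKE_LINE = (
    "DEBUG [DirMgrBindAuthenticator] (LoggingInterceptor) Return value: LdapUserInfo: "
    "org.springframework.security.providers.ldap.LdapUserInfo@2a3b4c[dn=uid=joe,ou=users,"
    "ou=system,attributes={uid=uid: joe, userpassword=userpassword: hunter2, cn=cn: joe}]"
)

# Attribute names (lower-cased) that must never leave the host. Assumption: extend for your directory.
SENSITIVE_ATTRS = {"userpassword", "unicodepwd"}

# The dump is "LdapUserInfo@<hash>[dn=<dn>,attributes={<entries>}]".
_RETURN_RE = re.compile(r"LdapUserInfo@[0-9a-f]+\[dn=(?P<dn>.*?),attributes=\{(?P<attrs>.*)\}\]\s*$")
# Entries look like "name=name: value". Split on ", " only where the next entry begins, so
# values that themselves contain ", " (DN lists, the objectClass list) are kept whole.
_SPLIT_RE = re.compile(r", (?=[A-Za-z]+=[A-Za-z]+: )")
_ENTRY_RE = re.compile(r"^([A-Za-z]+)=[A-Za-z]+: (.*)$")
# Java's default toString() for byte[] / char[]: "[B@e17c9c" is an identity, not the contents.
_JVM_ARRAY_RE = re.compile(r"^\[[BC]@[0-9a-f]+$")


def is_jvm_array_ref(value: str) -> bool:
    """True when the logged value is only the JVM object identity of an array."""
    return bool(_JVM_ARRAY_RE.match(value))


def parse_ldap_user_info(line: str) -> Optional[Dict[str, object]]:
    """Return {"dn": ..., "attributes": {name: value}} for an LdapUserInfo dump, else None."""
    m = _RETURN_RE.search(line)
    if not m:
        return None
    attrs: Dict[str, str] = {}
    for entry in _SPLIT_RE.split(m.group("attrs")):
        em = _ENTRY_RE.match(entry)
        if em:
            attrs[em.group(1).lower()] = em.group(2)
    return {"dn": m.group("dn"), "attributes": attrs}


def redact_line(line: str) -> str:
    """Replace the value of every sensitive attribute in a dump line; other lines pass through."""
    m = _RETURN_RE.search(line)
    if not m:
        return line
    pieces: List[str] = []
    for entry in _SPLIT_RE.split(m.group("attrs")):
        em = _ENTRY_RE.match(entry)
        if em and em.group(1).lower() in SENSITIVE_ATTRS:
            entry = entry[: em.start(2)] + "<redacted>"  # keep "name=name: ", drop the value
        pieces.append(entry)
    return line[: m.start("attrs")] + ", ".join(pieces) + line[m.end("attrs"):]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """List every dump in the log with the sensitive attributes it exposes and which of those
    are readable values rather than JVM array identities."""
    findings = []
    for n, line in enumerate(lines, start=1):
        info = parse_ldap_user_info(line)
        if info is None:
            continue
        exposed = {k: v for k, v in info["attributes"].items() if k in SENSITIVE_ATTRS}
        readable = sorted(k for k, v in exposed.items() if not is_jvm_array_ref(v))
        findings.append({"line": n, "dn": info["dn"], "exposed": exposed, "readable": readable})
    return findings


if __name__ == "__main__":
    for f in scan_log([SAMPLE_LINE, FAKE_LINE]):
        print(f"line {f['line']}: dn={f['dn']} exposes={sorted(f['exposed'])} readable={f['readable']}")
    print(redact_line(FAKE_LINE))
```

Run it over the Pentaho log before attaching the log to a support case; anything scan_log reports as readable is a credential that has already been written to disk, and redact_line only sanitises the copy you hand out.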