On Wednesday, 9 September 2015 12:13:08 UTC+2, Jason Haar wrote:
>
> On 09/09/15 20:41, Kay Roepke wrote: 
> > Could you please turn the log level 
> > of org.graylog2.security.ldap.LdapConnector to TRACE? 
> > The easiest way to do so is via the System/Logging section in the API 
> > browser (port 12900 of your graylog server). 
> > 
> Err - humor me - this is all new to me. I can't see a System/Logging 
> section - I can see a System/Loggers section - but I can't see how that 
> relates to LDAP settings - nothing shouts out as being related 
>
 
That is not in the regular UI, but in the API browser of that node. You can 
get a link via System/Nodes in the web interface (there's an "API Browser" 
button next to the node).
Alternatively:

curl -XPUT http://127.0.0.1:12900/system/loggers/org.graylog2.security.ldap.LdapConnector/level/TRACE
 
 

> Anyway, I simply cranked all graylog-server logging up to TRACE via the 
> "Logging" page on graylog-web and I assume that does the same thing (in 
> a noisier manner!) 
>

Yup it does.
 

> I don't see any new errors (but they wouldn't be in TRACE?), but I see 
> vast amounts of LDAP data being recorded - so that looks fine (" egrep 
> -i 'UserServiceImpl|ldap' "). There's a lot of binary data in there - 
> I'd guess the login event pulls all fields? (BTW really shouldn't - that 
> slows things down  - especially if there's a WAN involved). So you get 
> ones like "msexchrecordedname"  - which is a 4K binary blob  - and one 
> I'm looking at right now isn't even mine. I'm the only user on the 
> system, I would have thought graylog would only pull back details from 
> my account? 
>

It does request all attributes at this time, yes, but it has done so before 
as well, at least for the users.
For loading the user record it uses the filter you specify in the UI, which 
should, if using sAMAccountName, result in a single record, as that should be 
unique across the domain AFAIK.
 

> How does this new LDAP group-role mapping work? Is graylog trying to 
> suck out all groups from LDAP to populate the mapping page? The Global 
> Catalog of our AD forest is over 300MB in size if you were to try to 
> scrape the lot...  I know I can put a filter in there - but as it's not 
> working with "(objectClass=group)" I don't think there's much point in 
> making it less likely to work ;-) 
>

It does that, yes, mainly because generic LDAP servers do not necessarily 
have the member: query.
For AD it is an option to use that, but we do not have extensive Global 
Catalogs available for development.

You mentioned a userPrincipalName={0} filter in an earlier post; do you have 
the server type set to ActiveDirectory in the Graylog LDAP settings? That 
changes some bind behavior necessary for AD.

The current implementation does iterate over all groups, as that is the 
fundamental operation guaranteed to work with all LDAP servers. I can try to 
see if we can optimize this for ActiveDirectory, but testing will be tricky.

Would you be willing to give a snapshot build a try once I have it up?
 

> Anyway, these TRACE logs might mean something...? 
>

Not really, the interesting ones come from LdapConnector.
 

> 2015-09-09T05:46:52.776-04:00 TRACE [DelegatingSubject] attempting to get session; create = false; session is null = true; session has id = false
> 2015-09-09T05:46:52.776-04:00 TRACE [DefaultSubjectDAO] Session storage of subject state for Subject [org.apache.shiro.subject.support.DelegatingSubject@7685d279] has been disabled: identity and authentication state are expected to be initialized on every request or invocation.
> 2015-09-09T05:46:52.776-04:00 TRACE [DefaultSecurityManager] This org.apache.shiro.mgt.DefaultSecurityManager instance does not have a [org.apache.shiro.mgt.RememberMeManager] instance configured. RememberMe services will not be performed for account [jason.nz.our.domain].
> 2015-09-09T05:46:52.776-04:00 TRACE [DelegatingSubject] attempting to get session; create = false; session is null = true; session has id = false
>
>
>
>
> -- 
> Cheers 
>
> Jason Haar 
> Corporate Information Security Manager, Trimble Navigation Ltd. 
> Phone: +1 408 481 8171 
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 
>
>

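Added example, not code from the thread or from Graylog itself: a small in-memory model of the two points discussed above, the "iterate over all groups" strategy that works on any LDAP server versus reading the user's memberOf attribute on Active Directory, plus a user lookup that substitutes the {0} placeholder of a Graylog-style filter with RFC 4515 escaping and asks only for the attributes it needs (so large binary attributes such as msexchrecordedname are not pulled). The directory entries, DNs and attribute values are constructed for illustration; the filter matcher only models the simple (attr=value) filters named in the thread.

```python
"""Added example (not Graylog's code): group resolution strategies and a
filter-template substitution, run against a constructed in-memory directory."""
import re

# Constructed sample directory: DN -> attributes (lists, as LDAP returns them).
SAMPLE_DIRECTORY = {
    "CN=jason,OU=Users,DC=example,DC=test": {
        "objectClass": ["user"],
        "sAMAccountName": ["jason"],
        "memberOf": ["CN=graylog-admins,OU=Groups,DC=example,DC=test"],
        # A large binary attribute that an "all attributes" search drags along.
        "msExchRecordedName": [b"\x00" * 4096],
    },
    "CN=svc-graylog,OU=Users,DC=example,DC=test": {
        "objectClass": ["user"],
        "sAMAccountName": ["svc-graylog"],
        "memberOf": [],
    },
    "CN=graylog-admins,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "member": ["CN=jason,OU=Users,DC=example,DC=test"],
    },
    "CN=graylog-readers,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "member": [],
    },
    "CN=domain-admins,OU=Groups,DC=example,DC=test": {
        "objectClass": ["group"],
        "member": ["CN=other,OU=Users,DC=example,DC=test"],
    },
}

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value so the substituted text cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse RFC 4515 \\XX escapes when comparing against stored attribute values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(template, username):
    """Substitute {0} in a Graylog-style filter template such as (sAMAccountName={0})."""
    return template.replace("{0}", escape_filter_value(username))


def find_user(directory, filter_template, username, attributes):
    """Return (dn, requested attributes) for the single entry matching the filter.

    Returns None when nothing matches and raises if the filter is not unique,
    mirroring the expectation that sAMAccountName yields exactly one record.
    """
    flt = build_user_filter(filter_template, username)
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled here")
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    hits = [dn for dn, entry in directory.items() if wanted in entry.get(attr, [])]
    if not hits:
        return None
    if len(hits) > 1:
        raise ValueError("filter matched %d entries; expected exactly one" % len(hits))
    dn = hits[0]
    # Project only the attributes asked for; nothing else crosses the wire.
    return dn, {a: directory[dn][a] for a in attributes if a in directory[dn]}


def groups_by_scanning(directory, user_dn):
    """Generic LDAP: visit every group entry and test its member attribute.

    Returns (sorted group DNs, number of group entries examined).
    """
    groups, examined = [], 0
    for dn, entry in directory.items():
        if "group" not in entry.get("objectClass", []):
            continue
        examined += 1
        if user_dn in entry.get("member", []):
            groups.append(dn)
    return sorted(groups), examined


def groups_by_member_of(directory, user_dn):
    """Active Directory: read the user's own memberOf attribute, touching one entry."""
    return sorted(directory[user_dn].get("memberOf", [])), 1


if __name__ == "__main__":
    dn, attrs = find_user(SAMPLE_DIRECTORY, "(sAMAccountName={0})", "jason",
                          ["sAMAccountName", "memberOf"])
    print("user:", dn, "attributes fetched:", sorted(attrs))
    print("scan all groups :", groups_by_scanning(SAMPLE_DIRECTORY, dn))
    print("memberOf lookup :", groups_by_member_of(SAMPLE_DIRECTORY, dn))
```

The counts returned by the two resolvers make the thread's trade-off concrete: the scanning strategy costs one visit per group in the directory (every group in a 300 MB Global Catalog, in the case above), while the memberOf strategy costs one read of the user entry but only exists on servers that maintain that attribute, which is why a generic implementation falls back to scanning.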
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/6f40edfd-e77b-4fce-9ffb-cc7804c4ae64%40googlegroups.com.