I haven't tried it myself, but you ought to be able to put cas.log.level
back to "warn" and then add something like

<AsyncLogger name="org.apereo.cas.authentication" level="debug"
includeLocation="true"/>


in the <Loggers> section (down around line 61). See the comment right there
in the file for a little more info.

--Dave




--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu


On Mon, Feb 26, 2018 at 3:23 PM, Kevin Liu <annihil8...@gmail.com> wrote:

> I'm messing with the logger. Is it possible to have just LDAP debug codes
> output? If so, how? Cause I can't seem to be able to shut off the others
> without shutting off debug all together.
>
> On Monday, February 26, 2018 at 11:53:16 AM UTC-6, David Curry wrote:
>>
>> Well, you can start with log4j2.xml, and change
>>
>> <Property name="cas.log.level" >warn</Property>
>>
>>
>> to
>>
>> <Property name="cas.log.level" >debug</Property>
>>
>>
>> which will give you a lot of detail (all in cas.log) about what's going
>> on. If that doesn't give you what you want, you can also (or instead) change
>>
>> <AsyncLogger name="org.ldaptive" level="warn" />
>>
>>
>> to
>>
>> <AsyncLogger name="org.ldaptive" level="debug" />
>>
>>
>> to get debugging from the LDAP code itself.
>>
>> As for your second question... you've exceeded my level of knowledge of
>> AD/LDAP. I think the answer might be that you can't use the "AD" type of
>> LDAP setup and will have to switch to the "AUTHENTICATED" type, but I'm not
>> very sure of that answer.
>>
>> Perhaps someone else on the list can jump in.
>>
>> --Dave
>>
>>
>> On Mon, Feb 26, 2018 at 12:43 PM, Kevin Liu <annih...@gmail.com> wrote:
>>
>>> Thank you Dave for providing additional insight!
>>>
>>> Just to add, my MSDN I was referring to above is actually a Microsoft
>>> Active Directory Server which I'm using the LDAP protocol to talk to (at
>>> least that is my understanding).
>>>
>>> I've got a few more questions. Is it possible to see what the LDAP is
>>> returning to CAS? Maybe via logs? Getting insight to what is being returned
>>> will help me get a better grasp on the LDAP CAS connections and
>>> communications.
>>>
>>> Also, in addition to multiple OUs, it turns out that the DN that is
>>> being used doesn't utilize a user's username but rather a user's full name
>>> as part of the DN.  For example, my DN is CN=Kevin Liu, OU=Alpha, DC=beta,
>>> DC=gamma instead of CN=kliu. Do you have any ideas on how I might get
>>> around that?
>>>
>>> On Friday, February 23, 2018 at 2:24:37 PM UTC-6, David Curry wrote:
>>>>
>>>>
>>>> There are smarter (way smarter) LDAP people than me, but yeah, that's
>>>> kind of it. Some LDAPs (like AD) will let you bind as the user him/herself
>>>> to authenticate, others require you to use a special account to make the
>>>> bind, and then authenticate the user. Although come to think of it, I think
>>>> AD might only permit that over an LDAPS connection, which might be why you
>>>> were having trouble.
>>>>
>>>> Likewise, some LDAPs will let you retrieve attributes at the same time
>>>> that you authenticate, and others require you to make a separate request
>>>> for that. In our particular case, our LDAP contains a superset of the users
>>>> in AD (AD has "active" people, LDAP has "active" and "alumni"). But the two
>>>> directories have different (overlapping) sets of attributes, and we always
>>>> want to get all of them and merge them together, so in my CAS config, I do
>>>> the authentication and attribute retrieval separately.
>>>>
>>>> I'm not sure how you get a dnFormat that handles multiple OUs, or if
>>>> you even can. In my case, we have almost everyone in a single OU, except
>>>> for some administrator accounts, which are in a separate OU. Rather than
>>>> try and handle them all together, I just punted and defined two different
>>>> AD configs for them, one for each OU. If you look at my documentation,
>>>> you'll note that ldap[0] and ldap[2] are actually the SAME AD server, they
>>>> just have different baseDN and dnFormat settings.
>>>>
>>>> --Dave
>>>>
>>>>
>>>> On Fri, Feb 23, 2018 at 3:12 PM, Kevin Liu <annih...@gmail.com> wrote:
>>>>
>>>>> Just to make sure I understand the LDAP and CAS connection properly,
>>>>> CAS is sending over a set of credentials to first access the LDAP, correct?
>>>>> Is that the bindDN and bindCredential? Does it then search through the
>>>>> result query for userFilter for a match?
>>>>>
>>>>> Also, I'm a little confused about the dnFormat. I input directly
>>>>> what is the DN for user 1. However, for other users, since they belong to
>>>>> different OUs, how do I change the code such that it becomes more
>>>>> versatile?
>>>>>
>>>>> My eventual goal is for cas to authenticate users from a single OU.
>>>>>
>>>>> Thank you all for bearing with me so far and all my questions.
>>>>>
>>>>> On Friday, February 23, 2018 at 11:44:35 AM UTC-6, Kevin Liu wrote:
>>>>>>
>>>>>> I finally got it to talk to my LDAP! I've realized I should also put
>>>>>> that my LDAP is really a MSDN. It is in a very limited capacity though.
>>>>>> Here is my cas.properties and I hope someone can help me figure out how
>>>>>> to expand the scope of authentication. My apologies about the obfuscation.
>>>>>>
>>>>>> #AD Configurations
>>>>>> cas.authn.ldap[0].type=AD
>>>>>> cas.authn.ldap[0].ldapUrl=ldap://ladpserver:389
>>>>>> cas.authn.ldap[0].useSsl=false
>>>>>> cas.authn.ldap[0].useStartTls=false
>>>>>> cas.authn.ldap[0].connectTimeout=5000
>>>>>> cas.authn.ldap[0].subtreeSearch=true
>>>>>> cas.authn.ldap[0].baseDn=dc=beta,dc=gamma
>>>>>> cas.authn.ldap[0].userFilter=cn={user}
>>>>>> cas.authn.ldap[0].bindDn=user1@beta.gamma
>>>>>> cas.authn.ldap[0].bindCredential=user1Password
>>>>>> cas.authn.ldap[0].dnFormat=CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma
>>>>>>
>>>>>> This configuration only works for 1 user, user1. How do I expand it
>>>>>> such that any user can input their credentials for validation?
>>>>>> Also interesting, for user1, they can input either user1 or
>>>>>> user1@beta.gamma and be able to login with the correct password.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Friday, February 23, 2018 at 9:17:02 AM UTC-6, David Curry wrote:
>>>>>>>
>>>>>>> Yes, that looks like your DN.
>>>>>>>
>>>>>>> But if CAS is not starting, it's something else. Are you using
>>>>>>> 5.2.2? Can you post your pom.xml and cas.log files as attachments?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Feb 23, 2018 at 9:56 AM, Kevin Liu <annih...@gmail.com> wrote:
>>>>>>>
>>>>>>>> For my own account, when I execute the LDAP query in my first post,
>>>>>>>> I can't see my own DN but I can see what I'm a member of. Is the listed
>>>>>>>> member field my DN?
>>>>>>>>
>>>>>>>> member: CN=Kevin Liu,OU=Delta,OU=Alpha,DC=Beta,DC=Gamma
>>>>>>>>
>>>>>>>> Would this be my DN?
>>>>>>>>
>>>>>>>> On Friday, February 23, 2018 at 6:17:22 AM UTC-6, alberto wrote:
>>>>>>>>>
>>>>>>>>> On Thu, 22 Feb 2018 13:43:05 -0800 (PST)
>>>>>>>>> Kevin Liu <annih...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> > Correct me if I'm wrong but looking at the directory, not everyone
>>>>>>>>> > has a DN. Some users are only members of a group it looks like.
>>>>>>>>>
>>>>>>>>> I don't think so. DN is the ultimate identifier in LDAP/AD. As stated
>>>>>>>>> in MSDN: «The LDAP API references an LDAP object by its distinguished
>>>>>>>>> name (DN)». Even a group has a DN so you can perform operations on it.
>>>>>>>>>
>>>>>>>>> ( Source: https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx )
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Alberto Cabello Sánchez
>>>>>>>>> Servicio de Informática
>>>>>>>>> Universidad de Extremadura
>>>>>>>>>
>>>>>>>> --
>>>>>>>> - Website: https://apereo.github.io/cas
>>>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "CAS Community" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> send an email to cas-user+u...@apereo.org.
>>>>>>>> To view this discussion on the web visit
>>>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c96
>>>>>>>> 0c01-c31d-4c3b-8386-c9dadafaf812%40apereo.org
>>>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/4c960c01-c31d-4c3b-8386-c9dadafaf812%40apereo.org?utm_medium=email&utm_source=footer>
>>>>>>>> .
>>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>
>>
>

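Added example, not code from this thread or from the CAS project: a toy Python model of the two LDAP authentication flows the thread keeps circling, a fixed dnFormat bind versus a service-account search followed by a bind as the found user, run against a constructed in-memory directory. The entries, the svc-cas service account and all passwords are made up; only the hard-coded dnFormat value is the one quoted in the thread.

```python
# Toy model of two CAS LDAP authentication styles over a constructed directory.
# Not CAS code; the directory entries, service account and passwords are made up.

FAKE_DIRECTORY = {  # constructed sample entries: DN -> attributes
    "CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma":
        {"cn": "User 1", "sAMAccountName": "user1", "password": "user1Password"},
    "CN=Kevin Liu,OU=Delta,OU=Alpha,DC=beta,DC=gamma":
        {"cn": "Kevin Liu", "sAMAccountName": "kliu", "password": "kliuSecret"},
    "CN=svc-cas,OU=Service,DC=beta,DC=gamma":  # constructed search-only account
        {"cn": "svc-cas", "sAMAccountName": "svc-cas", "password": "svcSecret"},
}
HARDCODED_DN_FORMAT = "CN=User 1,OU=Test,OU=alpha,DC=beta,DC=gamma"  # as in the thread
SVC_DN, SVC_PW = "CN=svc-cas,OU=Service,DC=beta,DC=gamma", "svcSecret"


def ldap_bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def ldap_search(base_dn, attr, value):
    """Subtree search under base_dn for attr=value (case-insensitive, like AD)."""
    base = base_dn.lower()
    return [dn for dn, e in FAKE_DIRECTORY.items()
            if dn.lower().endswith(base) and e.get(attr, "").lower() == value.lower()]


def authn_direct(username, password, dn_format):
    """dnFormat style: build the bind DN from the template and bind as the user.
    With no {user} placeholder the DN is constant, so the username is ignored and
    anyone who knows that one account's password is accepted."""
    return ldap_bind(dn_format.format(user=username), password)


def authn_search_then_bind(username, password, base_dn, filter_attr):
    """AUTHENTICATED style: bind as the service account, search for the user
    (a subtree search covers every OU under base_dn), then bind as the found DN
    to verify the password. Zero or multiple matches are rejected."""
    if not ldap_bind(SVC_DN, SVC_PW):
        return False
    matches = ldap_search(base_dn, filter_attr, username)
    if len(matches) != 1:
        return False
    return ldap_bind(matches[0], password)
```

Searching on sAMAccountName rather than cn is what lets the login name differ from the full-name CN that forms the DN.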