Re: [Geoserver-devel] LDAP Authentication and logging username

Thu, 13 Sep 2018 02:50:00 -0700 

 Hi Richard

I log the HTTP header Authorization in Tomcat/HAProxy/Apache and this will
give you the base64 username:password that you see in WireShark, etc.:

Tomcat/Apache:    "%{Authorization}i"

HAProxy:
    capture request  header Authorization len 50
    log-format "... %{+Q}hrl ..."

I'm not sure how to base64 decode automatically, so I just leave it
encoded, which is good enough for differentiating per username.

Regards

Peter

On Thu, 13 Sep 2018 at 09:55, Richard Duivenvoorde <rdmaili...@duif.net>
wrote:

> Hi List,
>
> We are experimenting here with the LDAP authentication provider against
> the Windows Active Directory. All works fine!!
>
> It is easy to ask for authorisation for a layer, and giving access via
> 'groups' instead of individual users is a nice thing.
>
> BUT we also want to see in either Tomcat or Geoserver log files WHO is
> asking for certain layers. So we want to log the username.
>
> It's only internal use, so it's not even over https, so I can see the
> base64 username:password headers going over the line.
>
> But whatever I try (custom Valves for Tomcat) different log formats for
> the (Apache) reverse proxy, I keep getting "- -" in logs instead of
> seeing the username.
>
> So Question: is it possible to let Geoserver/Tomcat/Apache log the
> username somewhere? I did a lot of googling, and found a lot of
> 'answers', but nothing works in my situation.
>
> Any hint/clue?
> Anybody is able to log usernames?
>
> Regards,
>
> Richard Duivenvoorde
>
> PS I'm pretty sure I asked something like this some years ago, and think
> that Andrea answered something along the lines "difficult", but I cannot
> find that Q/A anymore.
>
> PS2 I think for governmental organisations in EU it will be more and
> more important to be able to hand over clear logs in case of privacy
> breaches nowadays. Usernames are an important part in that case.
>
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel






















					Reply via email to