On 09/09/15 20:41, Kay Roepke wrote:
> Could you please turn the log level
> of org.graylog2.security.ldap.LdapConnector to TRACE?
> The easiest way to do so is via the System/Logging section in the API
> browser (port 12900 of your graylog server).
>
Err - humor me - this is all new to me. I can't see a System/Logging
section - I can see a System/Loggers section - but I can't see how that
relates to LDAP settings - nothing shouts out as being related
Anyway, I simply cranked all graylog-server logging up to TRACE via the
"Logging" page on graylog-web and I assume that does the same thing (in
a noisier manner!)
I don't see any new errors (but they wouldn't be in TRACE?), but I see
vast amounts of LDAP data being recorded - so that looks fine (" egrep
-i 'UserServiceImpl|ldap' "). There's a lot of binary data in there -
I'd guess the login event pulls all fields? (BTW really shouldn't - that
slows things down - especially if there's a WAN involved). So you get
ones like "msexchrecordedname" - which is a 4K binary blob - and one
I'm looking at right now isn't even mine. I'm the only user on the
system, I would have thought graylog would only pull back details from
my account?
How does this new LDAP group-role mapping work? Is graylog trying to
suck out all groups from LDAP to populate the mapping page? The Global
Catalog of our AD forest is over 300MB in size if you were to try to
scrape the lot... I know I can put a filter in there - but as it's not
working with "(objectClass=group)" I don't think there's much point in
making it less likely to work ;-)
Anyway, these TRACE logs might mean something...?
015-09-09T05:46:52.776-04:00 TRACE [DelegatingSubject] attempting to get
session; create = false; session is null = true; session has id = false
2015-09-09T05:46:52.776-04:00 TRACE [DefaultSubjectDAO] Session storage
of subject state for Subject
[org.apache.shiro.subject.support.DelegatingSubject@7685d279] has been
disabled: identity and authentication state are expected to be
initialized on every request or invocation.
2015-09-09T05:46:52.776-04:00 TRACE [DefaultSecurityManager] This
org.apache.shiro.mgt.DefaultSecurityManager instance does not have a
[org.apache.shiro.mgt.RememberMeManager] instance configured.
RememberMe services will not be performed for account [ja...@nz.our.domain].
2015-09-09T05:46:52.776-04:00 TRACE [DelegatingSubject] attempting to
get session; create = false; session is null = true; session has id = false
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/55F0062D.3010303%40trimble.com.
For more options, visit https://groups.google.com/d/optout.
