rwinch / spring-security-jira-to-gh


LDAP-181: LdapTemplate logs message at INFO level instead of DEBUG when checking searchControls #164

Closed rwinch closed 11 years ago

rwinch commented 15 years ago

Migrated from LDAP-181

Line 1262 of LdapTemplate logs what I believe should be a DEBUG message at INFO level. Can this be changed?

rwinch commented 15 years ago

Ulrik Sandberg said:

I disagree. The message points out a user error, which is then quite helpfully adjusted. I lean more towards making it a warning, rather than hiding it forever as a debug message.

The error message is "The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true".

rwinch commented 14 years ago

Farrukh Najmi said:

I believe there is a problem here as the org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator does not allow its searchControls member to be set externally (private access) nor does it allow setting of its ldapTemplate member (whose searchControls is settable).

So if I am using DefaultLdapAuthoritiesPopulator I have no way to set searchControls.returnObj member.

The result is that my server's log files get this log message written on every authenticated request, filling it up quickly.

Please advise what one is supposed to do to not get this INFO message. The only alternative seems to be to clone the code of DefaultLdapAuthoritiesPopulator and add setter method setLdapTemplate() or setSearchControl().

Update...

I implemented my own copy of DefaultLdapAuthoritiesPopulator with setters added: setLdapTemplate(), setSearchControl() only to find that org.springframework.security.ldap.SpringSecurityLdapTemplate method searchForSingleAttributeValues() creates its own local SearchControls ctls instead of using its member searchControls so even my workaround cannot work :-(

    SearchControls ctls = new SearchControls();
    ctls.setSearchScope(searchControls.getSearchScope());
    ctls.setReturningAttributes(new String[] {attributeName});

    search(base, formattedFilter, ctls, roleMapper);

So now I do not see any other way than to have to clone and fix org.springframework.security.ldap.SpringSecurityLdapTemplate too. This seems to be quite a pervasive problem. Please let me know if I am missing something obvious or if there is a simpler workaround.
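Why a locally built SearchControls like the one in the snippet above triggers the adjustment on every call, shown as an added example (not part of the original comment and not Spring code): a fresh `javax.naming.directory.SearchControls` has its return-object flag off by default. `ReturnObjFlagDemo` and its methods are hypothetical names, and `adjustForContextMapper` is a constructed stand-in for the check the quoted log message describes.

```java
import javax.naming.directory.SearchControls;

public class ReturnObjFlagDemo {

    // Constructed stand-in (assumption) for the check behind the quoted message:
    // a ContextMapper needs the object returned, so the flag is forced to true.
    static boolean adjustForContextMapper(SearchControls ctls) {
        if (!ctls.getReturningObjFlag()) {
            ctls.setReturningObjFlag(true);
            return true; // the point at which the message would be logged
        }
        return false;
    }

    // Same construction as the snippet above: scope and attributes only,
    // so the return-object flag keeps its JNDI default.
    static SearchControls asInSnippet(int scope, String attributeName) {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(scope);
        ctls.setReturningAttributes(new String[] {attributeName});
        return ctls;
    }

    // Variant that sets the flag up front, so no adjustment is needed.
    static SearchControls withFlagSet(int scope, String attributeName) {
        SearchControls ctls = asInSnippet(scope, attributeName);
        ctls.setReturningObjFlag(true);
        return ctls;
    }

    public static void main(String[] args) {
        // "cn" is a constructed sample attribute name.
        SearchControls a = asInSnippet(SearchControls.SUBTREE_SCOPE, "cn");
        SearchControls b = withFlagSet(SearchControls.SUBTREE_SCOPE, "cn");
        System.out.println("snippet-style flag before: " + a.getReturningObjFlag());
        System.out.println("adjusted (message logged): " + adjustForContextMapper(a));
        System.out.println("flag-set variant adjusted: " + adjustForContextMapper(b));
    }
}
```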

rwinch commented 13 years ago

Ulrik Sandberg said:

If your server logs fill up because of INFO logs, I suggest you raise the log level on the server to WARN or ERROR, or at least adjust the log level for LdapTemplate.

rwinch commented 13 years ago

Justin Gronfur said:

"I disagree. The message points out a user error, which is then quite helpfully adjusted." You're right, it does point out user error, an error in Spring's DefaultLdapAuthoritiesPopulator. Obviously it is not quite helpfully adjusted if after 2 years, you still haven't fixed it in your own code.

rwinch commented 12 years ago

Brett Ryan said:

Since this won't be fixed, how can we resolve this?

I have a simple configuration of the following and cannot remove this warning:

    <sec:ldap-server
      id="contextSource"
      url="ldap://example.com:389/dc=example,dc=com"
      manager-dn="CN=Account,OU=Service Accounts,DC=example,DC=com"
      manager-password="pass"
      root="dc=example,dc=com" />

    <bean id="ldapAuthProvider"
          class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
      <constructor-arg>
        <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
          <constructor-arg ref="contextSource" />
          <property name="userSearch">
            <bean id="userSearch"
                  class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
              <constructor-arg value="ou=Office Users" />
              <constructor-arg value="(&amp;(sAMAccountName={0})(objectclass=user))" />
              <constructor-arg ref="contextSource" />
            </bean>
          </property>
        </bean>
      </constructor-arg>
      <constructor-arg>
        <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
          <constructor-arg ref="contextSource" />
          <constructor-arg value="" />
          <property name="rolePrefix" value="" />
          <property name="searchSubtree" value="true" />
          <property name="convertToUpperCase" value="false" />
          <property name="ignorePartialResultException" value="true"/>
        </bean>
      </constructor-arg>
    </bean>

    <sec:authentication-manager alias="authenticationManager">
      <sec:authentication-provider ref="ldapAuthProvider"/>
    </sec:authentication-manager>

rwinch commented 12 years ago

Ulrik Sandberg said:

Bending to the overwhelming user pressure.

rwinch commented 12 years ago

Ulrik Sandberg said:

Fix now in trunk.

rwinch commented 11 years ago

James Carman said:

Has this code never been released?

rwinch commented 11 years ago

Brett Ryan said:

What's going on with this? Without influence over spring-security-ldap this is quite annoying as we can't control the warnings in the log files.

ulsa did this ever make it to a release?

rwinch commented 11 years ago

Mattias Hellborg Arthursson said:

This is included in the 1.3.2.RELEASE version released last week.