Debug logging configuration for TIBCO Streaming LDAP authentication
Article ID: KB0076051
Updated On:
| Products | Versions |
|---|---|
| TIBCO Streaming | 10.3 and later |
Description
Authenticating a user on a StreamBase or LiveView server through LDAP fails with very little information. What can we configure to troubleshoot the problem?
Issue/Introduction
Use the sample_lv_sample_auth for troubleshooting configuration examples for both StreamBase and LiveView.
Resolution
Since this is a security configuration, by default there is very little information returned except "authorization failed" in order to not provide clues to people who are trying to break in.
Please see the sample:
"Authentication - shows how to use LiveView basic authentication"
which may be loaded into StreamBase Studio using menu:
File > Import Samples and Community Content
The sample's authentication configuration files are suitable for both StreamBase and LiveView projects. Although the sample places all the configuration in the fragment project for convenience, for use in production the HOCON configuration would be moved into the application project.
To debug an authentication configuration which is not working, use the sample's "src/main/resources/slf4j-realm-debug.xml" file as a reference for what classes to monitor with DEBUG log level to get useful messages into the console log. In the sample, this file overrides the default "logback.xml" file using HOCON LDMEngine configuration setting:
principalSearchFilter = "CN={0}"
and this maps to an email address instead within the LDAP system.
The second most common error is that the LDAPAuthenticationRealm filters and roots are not correct for your companies LDAP system. All LDAP directories are structured slightly differently. Make sure you can browse your company's LDAP directory using an external browser application to look up how users are identified and memberships are defined.
Once configuration problems are solved, remove the debug logback configuration so security credentials are not logged into the server console log.
Please see the sample:
"Authentication - shows how to use LiveView basic authentication"
which may be loaded into StreamBase Studio using menu:
File > Import Samples and Community Content
The sample's authentication configuration files are suitable for both StreamBase and LiveView projects. Although the sample places all the configuration in the fragment project for convenience, for use in production the HOCON configuration would be moved into the application project.
To debug an authentication configuration which is not working, use the sample's "src/main/resources/slf4j-realm-debug.xml" file as a reference for what classes to monitor with DEBUG log level to get useful messages into the console log. In the sample, this file overrides the default "logback.xml" file using HOCON LDMEngine configuration setting:
systemProperties = {
"logback.configurationFile" = "slf4j-realm-debug.xml"
}
Common Errors
The most common error is "no such principal "{name}", authentication failed" where the "{name}" is a simple name when:principalSearchFilter = "CN={0}"
and this maps to an email address instead within the LDAP system.
The second most common error is that the LDAPAuthenticationRealm filters and roots are not correct for your companies LDAP system. All LDAP directories are structured slightly differently. Make sure you can browse your company's LDAP directory using an external browser application to look up how users are identified and memberships are defined.
Once configuration problems are solved, remove the debug logback configuration so security credentials are not logged into the server console log.
TIBCO StreamBase 10.3 NOTE
The classes to log at DEBUG level in version 10.4 and 10.5 changed from version 10.3. In 10.3 the classes to monitor are:<logger name="com.tibco.ep.dtm.configuration.security"> <level value="debug"/> <appender-ref ref="RootConsoleAppender"/> </logger> <logger name="com.tibco.ep.dtm.security.runtime.realm.ldap"> <level value="debug"/> <appender-ref ref="RootConsoleAppender"/>> </logger>
Feedback
Yes
No
Powered by
