Bug 1026799

Summary: Warnings in server.log upon LDAP-enabled login
Product: [JBoss] JBoss Operations Network
Reporter: Lukas Krejci <lkrejci>
Component: Core Server, Documentation
Assignee: Jay Shaughnessy <jshaughn>
Status: CLOSED CURRENTRELEASE
QA Contact: Sunil Kondkar <skondkar>
Severity: high
Priority: unspecified
Version: JON 3.2
CC: hrupp, jbednari, jshaughn, loleary, mfoley, mmahoney, myarboro, skondkar
Target Milestone: ER04
Keywords: Documentation
Target Release: JON 3.3.0
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2014-12-11 14:01:16 UTC
Type: Bug
Bug Depends On: 1000963    
Bug Blocks:    

Description Lukas Krejci 2013-11-05 13:06:24 UTC
Description of problem:
When an LDAP-enabled user logs in to the JON server, the following warnings are logged in the server.log:

09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: BindDN
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: Filter
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: java.naming.factory.initial
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: LoginProperty
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: BaseDN
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: GroupFilter
09:17:31,267 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: java.naming.provider.url


Version-Release number of selected component (if applicable):
JON 3.2.0.ER4

How reproducible:
always

Steps to Reproduce:
1. configure LDAP login in the JON server
2. log in as an LDAP user

Comment 1 Simeon Pinder 2014-03-25 19:15:35 UTC
*** Bug 1078482 has been marked as a duplicate of this bug. ***

Comment 2 Heiko W. Rupp 2014-03-25 20:47:39 UTC
This is an issue with underlying EAP and hopefully vanishes when rebasing onto EAP 6.3. This is not a bug in the JON / RHQ code base.

Comment 3 John Mazzitelli 2014-07-02 17:28:04 UTC
(In reply to Heiko W. Rupp from comment #2)
> This is an issue with underlying EAP and hopefully vanishes when rebasing
> onto EAP 6.3. This is not a bug in the JON / RHQ code base.

Now that master is on EAP 6.3, I can test to see if it has gone away.

Comment 4 John Mazzitelli 2014-07-02 21:16:09 UTC
This still shows up in EAP 6.3.alpha1:

17:14:49,205 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: BindDN
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: Filter
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: java.naming.factory.initial
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: LoginProperty
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: java.naming.referral
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: BaseDN
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: GroupFilter
17:14:49,207 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: java.naming.provider.url
17:14:49,207 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: GroupMemberFilter
17:14:49,207 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: BindPW

Comment 5 John Mazzitelli 2014-07-02 21:19:23 UTC
Not sure why this was closed: https://bugzilla.redhat.com/show_bug.cgi?id=901213

But the problem still appears to be there in EAP 6.3.alpha

Comment 6 Mike Foley 2014-08-26 12:49:10 UTC
*** Bug 1127365 has been marked as a duplicate of this bug. ***

Comment 7 Jay Shaughnessy 2014-09-04 20:38:14 UTC
This should be re-tested for JON, which is on 6.3 GA.

Comment 8 Lukas Krejci 2014-09-05 11:05:19 UTC
*** Bug 1127376 has been marked as a duplicate of this bug. ***

Comment 9 Sunil Kondkar 2014-09-09 11:31:32 UTC
Tested in Version : 3.3.0.ER02 Build Number :4fbb183:7da54e2

Following warnings are logged in the server.log after LDAP user login:

16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: BindDN
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: Filter
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: Filter
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: java.naming.factory.initial
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: LoginProperty
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: LoginProperty
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: java.naming.referral
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: BaseDN
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: GroupFilter
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: java.naming.provider.url
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: java.naming.security.protocol
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: GroupMemberFilter
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: BindPW

Comment 10 John Mazzitelli 2014-09-11 18:49:56 UTC
This is a bug in EAP. We'll have to do the workaround that this EAP BZ mentions:

Bug #901213 :

"Workaround Description: Set the logging category org.jboss.as.security.RealmUsersRolesLoginModule to ERROR level"

Comment 11 John Mazzitelli 2014-09-11 19:38:28 UTC
(In reply to John Mazzitelli from comment #10)
> This is a bug in EAP. We'll have to do the workaround that this EAP BZ
> mentions:
> 
> Bug #901213 :
> 
> "Workaround Description: Set the logging category
> org.jboss.as.security.RealmUsersRolesLoginModule to ERROR level"

That workaround is outdated. As you see in the current log message being emitted, the category is the general "org.jboss.security". So in order for this to be worked around, we'll need to set that category to ERROR. The installer will have to do something like this via the CLI API:

/subsystem=logging/logger=org.jboss.security/:add(level=ERROR,category=org.jboss.security)

Comment 12 Lukas Krejci 2014-09-11 19:56:31 UTC
So to get rid of a couple of annoying invalid warnings we swallow ALL security related warnings. I'm not sure it's a wise thing to do.

Comment 13 John Mazzitelli 2014-09-11 20:13:03 UTC
(In reply to Lukas Krejci from comment #12)
> So to get rid of a couple of annoying invalid warnings we swallow ALL
> security related warnings. I'm not sure it's a wise thing to do.

Agree. I only do what I'm told. I am a robot :)

Seriously, we will have to discuss whether or not to work around this EAP bug. To do so is a very easy one-line change to ServerInstallUtil:

 
         client.setLoggerLevel("org.jboss.as.config", "INFO"); // BZ 1004730
 
+        client.setLoggerLevel("org.jboss.security", "ERROR"); // BZ 1026799
+
         // BZ 1026786
         StringBuilder sb = new StringBuilder("not(any(");
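
Review bot: The added `client.setLoggerLevel("org.jboss.security", "ERROR")` line raises the threshold for the whole org.jboss.security category, so every WARN from that category is dropped, not only the PBOX000234 module-option messages this bug is about. Consider matching the PBOX000234 message specifically, in the style of the `not(any(` expression built just below for BZ 1026786, and extend the `// BZ 1026799` comment to name the message being suppressed and why it is considered harmless.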

Comment 14 John Mazzitelli 2014-09-12 16:48:04 UTC
I think we should leave the code as-is, rather than hide all security warnings just so we can hide these.

We need to document this in the release notes, though.

Comment 15 Heiko W. Rupp 2014-09-15 12:06:44 UTC
I agree with Mazz and Lukas, that we should not hide those but document them as harmless (and get EAP to finally fix this)

Comment 17 Jay Shaughnessy 2014-09-24 14:24:19 UTC
*** Bug 1133978 has been marked as a duplicate of this bug. ***

Comment 18 Jay Shaughnessy 2014-09-24 14:25:40 UTC
I'm taking this, I recently added support for log filtering and I'll add a filter for this specific message.

Comment 19 Jay Shaughnessy 2014-09-24 18:54:18 UTC
master commit 2c44cde5c5001edf5cf8b1ebcbc1fa98d59cbd91
Author: Jay Shaughnessy <jshaughn>
Date:   Wed Sep 24 13:43:32 2014 -0400

    Add EAP-level log filters for messages we can't avoid and don't want to see.


release/jon3.3.x commit 1b241d7a28f65737762e98250cf8b18f18c1377c
Author: Jay Shaughnessy <jshaughn>
Date:   Wed Sep 24 13:43:32 2014 -0400

    (cherry picked from commit 2c44cde5c5001edf5cf8b1ebcbc1fa98d59cbd91)
    Signed-off-by: Jay Shaughnessy <jshaughn>
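
The trade-off discussed in comments 11 to 18, as an added example that is not code from the RHQ commit: a Python model that applies both suppression policies to server.log lines and reports which non-PBOX000234 security messages each one hides. The two "constructed sample" log lines and all function names are assumptions made for illustration.

```python
import re

# Layout of the server.log lines quoted in this bug:
# time LEVEL [category] (thread) message
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+(?P<message>.*)$")
LEVELS = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}
CATEGORY = "org.jboss.security"
NOISE_ID = "PBOX000234"  # message id of the warnings reported in this bug

# Constructed sample: the first two lines are copied from the report, the last
# two are invented stand-ins for security messages an operator wants to keep.
SAMPLE_LOG = """\
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: BindDN
09:17:31,267 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: java.naming.provider.url
09:17:32,010 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) constructed sample: unrelated security warning
09:17:32,011 ERROR [org.jboss.security] (http-/0.0.0.0:7080-5) constructed sample: security error
"""

def parse(text):
    """Return one dict per line that matches the server.log layout."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def in_category(rec):
    """Logger settings apply to the category and to its child categories."""
    return rec["category"] == CATEGORY or rec["category"].startswith(CATEGORY + ".")

def is_noise(rec):
    return in_category(rec) and rec["message"].startswith(NOISE_ID + ":")

def raise_category_level(records, minimum="ERROR"):
    """Policy from comments 11 and 13: drop everything below `minimum` in the category."""
    return [r for r in records
            if not in_category(r) or LEVELS.get(r["level"], 0) >= LEVELS[minimum]]

def filter_message_id(records):
    """Targeted policy: drop only the PBOX000234 records."""
    return [r for r in records if not is_noise(r)]

def collateral(records, kept):
    """Messages a policy removed that were not the PBOX000234 noise."""
    return [r["message"] for r in records if r not in kept and not is_noise(r)]

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for name, policy in (("level=ERROR", raise_category_level),
                         ("message-id filter", filter_message_id)):
        print(name, "also hides:", collateral(recs, policy(recs)))
```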

Comment 20 Simeon Pinder 2014-10-01 21:33:19 UTC
Moving to ON_QA as available for test with build:
https://brewweb.devel.redhat.com/buildinfo?buildID=388959

Comment 21 Sunil Kondkar 2014-10-07 10:05:00 UTC
Verified on JON 3.3 ER04

Warnings are now not seen in the server log after LDAP user login.