|Summary:||EAP 6 Domain Mode Logging for Management is nonexistent|
|Product:||[JBoss] JBoss Enterprise Application Platform 6||Reporter:||James Livingston <jlivings>|
|Component:||Security||Assignee:||Darran Lofthouse <darran.lofthouse>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Josef Cacek <jcacek>|
|Version:||6.1.0||CC:||cdewolf, darran.lofthouse, jcacek, jlivings, joallen, kkhan, myarboro, olukas, smumford|
|Target Release:||EAP 6.3.0|
|Fixed In Version:||Doc Type:||Bug Fix|
In previous versions of JBoss EAP 6, TRACE and DEBUG logging had not been added to the LDAP interactions within the security realms. This made diagnosing authentication issues where LDAP is in use extremely difficult, as no debug logging was available. DEBUG logging has now been added to the security realms where LDAP is used. Customers can now use these logs to diagnose LDAP-related issues with security realms.
|Last Closed:||2014-06-28 15:26:20 UTC||Type:||Bug|
Description James Livingston 2013-06-14 01:13:58 UTC
There is basically no logging done inside the management authentication components, which means that debugging problems such as with LDAP is difficult. There should be more information logged, particularly exceptions.
Comment 1 James Livingston 2013-06-14 01:15:13 UTC
The change at https://github.com/wildfly/wildfly/commit/ac3525d4860c66df7fd882532a647b4707140337#L14R25 for LDAP is a start.
Comment 2 Darran Lofthouse 2013-06-14 08:50:45 UTC
Let's get the ACK process started, in reality with everything else happening for EAP at the moment this change will be going in.
Comment 8 JBoss JIRA Server 2013-08-20 13:05:32 UTC
Darran Lofthouse <firstname.lastname@example.org> updated the status of jira WFLY-352 to Coding In Progress
Comment 9 JBoss JIRA Server 2013-08-29 15:12:03 UTC
Darran Lofthouse <email@example.com> updated the status of jira WFLY-352 to Resolved
Comment 10 James Livingston 2013-08-30 03:50:02 UTC
Upstream changes are at https://github.com/wildfly/wildfly/commit/3948c15fa6d9a4054aab3b16496be1219f4e1bbc
Comment 11 James Livingston 2013-08-30 04:25:40 UTC
PR for backport to 6.x: https://github.com/jbossas/jboss-eap/pull/326
Comment 12 Darran Lofthouse 2013-09-18 07:46:53 UTC
This probably actually made it into ER1
Comment 16 Josef Cacek 2013-11-28 20:59:40 UTC
Darran, is the fix ready for testing? If everything is merged, set the status to ON_QA, please.
Comment 17 Paul Gier 2013-12-04 16:59:48 UTC
Moving back to assigned because Darran said there is still some work required before the fix is complete.
Comment 18 Darran Lofthouse 2014-02-11 12:36:00 UTC
Adding a devel_ack so I can double check this in the current EAP codebase - the logging may have already been backported - if not there is plenty of logging upstream so will be trivial to backport.
Comment 20 Darran Lofthouse 2014-03-18 12:00:15 UTC
Pull request sent to add TRACE logging to the following class:
- org.jboss.as.domain.management.connections.ldap.LdapConnectionManagerService

Inspecting the existing EAP code base the following classes already have TRACE logging backported from upstream so no further work was required:
- org.jboss.as.domain.management.security.UserLdapCallbackHandler
- org.jboss.as.domain.management.security.LdapUserSearcherService
- org.jboss.as.domain.management.security.LdapSubjectSupplementalService.LdapSubjectSupplemental

I would suggest at this point that if GSS identify any additional logging required in this area to support active support cases that they submit pull requests for the additional logging.
Comment 22 Ondrej Lukas 2014-03-28 13:21:34 UTC
Unfortunately verification on EAP 6.3.0.DR6 failed. It works fine on standalone mode but there are still no related logs on domain mode.
Comment 23 Darran Lofthouse 2014-04-01 09:35:23 UTC
Can you please confirm how you are testing this in domain mode, the same code is used in both places.
Comment 24 Ondrej Lukas 2014-04-01 10:37:56 UTC
Hi Darran,
I added a logger category for "org.jboss.as.domain.management" at level TRACE:

    <logger category="org.jboss.as.domain.management">
        <level name="TRACE"/>
    </logger>

and set authentication in the security realm for ManagementRealm via LDAP:

    <authentication>
        <ldap connection="ldapConnection" base-dn="dc=jboss,dc=org" recursive="true">
            <username-filter attribute="uid"/>
        </ldap>
    </authentication>
    ...
    <outbound-connections>
        <ldap name="ldapConnection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
    </outbound-connections>

Then I tried successful and unsuccessful authentication to the CLI. This works fine in standalone mode (logs appear in the log file), but there are no related logs in any log file when I run this configuration in domain mode (a server-group on the same profile where logging is set also needs to be added). According to the name of this BZ, I think that domain mode logging is the main part of this issue.
Comment 25 Darran Lofthouse 2014-04-01 11:28:39 UTC
If you are using XML based configuration for logging, that sounds to me like you are adding that to the domain.xml. In domain mode the authentication you are testing is happening within the host controller process, which is not influenced by domain configuration; instead I believe you are going to need to edit the logging.properties file to define the TRACE logging for that process.
Comment 26 Ondrej Lukas 2014-04-01 11:51:48 UTC
Thank you, Darran, for the advice. It was my fault; I tried it through logging.properties and now it works fine in domain mode too. Verified on EAP 6.3.0.DR6.
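The resolution in comments 25 and 26, sketched as an added example (not taken from the bug report or the EAP code base): a script that enables TRACE for org.jboss.as.domain.management in a logging.properties file and reports handlers whose own level would still filter TRACE records. It assumes the JBoss LogManager key layout (`loggers=`, `logger.<category>.level=`, `handler.<NAME>.level=`); the function names are hypothetical and the path to the host controller's logging.properties is supplied by the caller.

```shell
#!/bin/sh
# Added example. Assumed key layout (JBoss LogManager properties):
#   loggers=<a>,<b>   logger.<category>.level=<LEVEL>   handler.<NAME>.level=<LEVEL>

CATEGORY="org.jboss.as.domain.management"

# Idempotently register CATEGORY in "loggers=" and set its level to TRACE.
enable_trace() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v c="$CATEGORY" '
        BEGIN { lvl = "logger." c ".level=" }
        index($0, lvl) == 1 { next }              # drop any earlier level line
        index($0, "loggers=") == 1 {
            seen = 1
            list = substr($0, 9)
            n = split(list, parts, ",")
            found = 0
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] == c) found = 1
            }
            if (!found) $0 = "loggers=" (list == "" ? c : list "," c)
        }
        { print }
        END {
            if (!seen) print "loggers=" c         # no list yet: create one
            print lvl "TRACE"
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print handlers whose own level would still filter TRACE records.
# Conservative: anything other than a literal TRACE or ALL is reported,
# including ${property:DEFAULT} expressions.
filtering_handlers() {
    sed -n 's/^handler\.\([^.=]*\)\.level=\(.*\)$/\1 \2/p' "$1" |
        while read -r name level; do
            case $level in
                TRACE|ALL) ;;
                *) echo "$name" ;;
            esac
        done
}
```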
Comment 27 Scott Mumford 2014-04-23 05:46:26 UTC
Reformatted doc text and marked for inclusion in 6.3.0 Release Notes