Bug 1026799 - Warnings in server.log upon LDAP-enabled login
Status: CLOSED CURRENTRELEASE
Product: JBoss Operations Network
Classification: JBoss
Component: Core Server, Documentation
Version: JON 3.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ER04
Target Release: JON 3.3.0
Assigned To: Jay Shaughnessy
QA Contact: Sunil Kondkar
Keywords: Documentation
Duplicates: 1078482 1127365 1127376 1133978
Depends On: 1000963
Reported: 2013-11-05 08:06 EST by Lukas Krejci
Modified: 2014-12-11 09:01 EST
Doc Type: Bug Fix
Last Closed: 2014-12-11 09:01:16 EST
Type: Bug

Description Lukas Krejci 2013-11-05 08:06:24 EST
Description of problem:
When an LDAP-enabled user logs in to the JON server, the following warnings are logged in the server.log:

09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: BindDN
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: Filter
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: java.naming.factory.initial
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: LoginProperty
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: BaseDN
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: GroupFilter
09:17:31,267 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: java.naming.provider.url


Version-Release number of selected component (if applicable):
JON 3.2.0.ER4

How reproducible:
always

Steps to Reproduce:
1. configure LDAP login in the JON server
2. log in as an LDAP user
Comment 1 Simeon Pinder 2014-03-25 15:15:35 EDT
*** Bug 1078482 has been marked as a duplicate of this bug. ***
Comment 2 Heiko W. Rupp 2014-03-25 16:47:39 EDT
This is an issue with underlying EAP and hopefully vanishes when rebasing onto EAP 6.3. This is not a bug in the JON / RHQ code base.
Comment 3 John Mazzitelli 2014-07-02 13:28:04 EDT
(In reply to Heiko W. Rupp from comment #2)
> This is an issue with underlying EAP and hopefully vanishes when rebasing
> onto EAP 6.3. This is not a bug in the JON / RHQ code base.

Now that master is on EAP 6.3, I can test to see if it has gone away.
Comment 4 John Mazzitelli 2014-07-02 17:16:09 EDT
This still shows up in EAP 6.3.alpha1:

17:14:49,205 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: BindDN
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: Filter
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: java.naming.factory.initial
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: LoginProperty
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: java.naming.referral
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: BaseDN
17:14:49,206 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: GroupFilter
17:14:49,207 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: java.naming.provider.url
17:14:49,207 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: GroupMemberFilter
17:14:49,207 WARN  [org.jboss.security] (http-/0.0.0.0:7080-45) PBOX000234: Invalid or misspelled module option: BindPW
Comment 5 John Mazzitelli 2014-07-02 17:19:23 EDT
Not sure why this was closed: https://bugzilla.redhat.com/show_bug.cgi?id=901213

But the problem still appears to be there in EAP 6.3.alpha.
Comment 6 Mike Foley 2014-08-26 08:49:10 EDT
*** Bug 1127365 has been marked as a duplicate of this bug. ***
Comment 7 Jay Shaughnessy 2014-09-04 16:38:14 EDT
This should be re-tested for JON, which is on 6.3 GA.
Comment 8 Lukas Krejci 2014-09-05 07:05:19 EDT
*** Bug 1127376 has been marked as a duplicate of this bug. ***
Comment 9 Sunil Kondkar 2014-09-09 07:31:32 EDT
Tested in Version : 3.3.0.ER02 Build Number :4fbb183:7da54e2

Following warnings are logged in the server.log after LDAP user login:

16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: BindDN
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: Filter
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: Filter
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: java.naming.factory.initial
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: LoginProperty
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: LoginProperty
16:51:21,423 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: java.naming.referral
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: BaseDN
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: GroupFilter
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: java.naming.provider.url
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: java.naming.security.protocol
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: GroupMemberFilter
16:51:21,424 WARN  [org.jboss.security] (http-/0.0.0.0:7080-11) PBOX000234: Invalid or misspelled module option: BindPW
Comment 10 John Mazzitelli 2014-09-11 14:49:56 EDT
This is a bug in EAP. We'll have to do the workaround that this EAP BZ mentions:

Bug #901213 :

"Workaround Description: Set the logging category org.jboss.as.security.RealmUsersRolesLoginModule to ERROR level"
Comment 11 John Mazzitelli 2014-09-11 15:38:28 EDT
(In reply to John Mazzitelli from comment #10)
> This is a bug in EAP. We'll have to do the workaround that this EAP BZ
> mentions:
> 
> Bug #901213 :
> 
> "Workaround Description: Set the logging category
> org.jboss.as.security.RealmUsersRolesLoginModule to ERROR level"

That workaround is outdated. As you see in the current log message being emitted, the category is the general "org.jboss.security". So in order for this to be worked around, we'll need to set that category to ERROR. The installer will have to do something like this via the CLI API:

/subsystem=logging/logger=org.jboss.security/:add(level=ERROR,category=org.jboss.security)
Comment 12 Lukas Krejci 2014-09-11 15:56:31 EDT
So to get rid of a couple of annoying invalid warnings we swallow ALL security related warnings. I'm not sure it's a wise thing to do.
Comment 13 John Mazzitelli 2014-09-11 16:13:03 EDT
(In reply to Lukas Krejci from comment #12)
> So to get rid of a couple of annoying invalid warnings we swallow ALL
> security related warnings. I'm not sure it's a wise thing to do.

Agree. I only do what I'm told. I am a robot :)

Seriously, we will have to discuss whether or not to work around this EAP bug. To do so is a very easy one-line change to ServerInstallUtil:

 
         client.setLoggerLevel("org.jboss.as.config", "INFO"); // BZ 1004730
 
+        client.setLoggerLevel("org.jboss.security", "ERROR"); // BZ 1026799
+
         // BZ 1026786
         StringBuilder sb = new StringBuilder("not(any(");
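Review bot: The added client.setLoggerLevel("org.jboss.security", "ERROR") line sets the threshold for the whole org.jboss.security category, so any WARN logged under that category is dropped along with the PBOX000234 messages this bug is about. Suggest matching the specific message instead, for example by adding a PBOX000234 pattern to the filter expression that the following lines start building with new StringBuilder("not(any(", if that filter is applied to the same handlers, and leaving the category at its default level.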
Comment 14 John Mazzitelli 2014-09-12 12:48:04 EDT
I think we should leave the code as-is, rather than hide all security warnings just so we can hide these.

We need to document this in the release notes, though.
Comment 15 Heiko W. Rupp 2014-09-15 08:06:44 EDT
I agree with Mazz and Lukas, that we should not hide those but document them as harmless (and get EAP to finally fix this)
Comment 17 Jay Shaughnessy 2014-09-24 10:24:19 EDT
*** Bug 1133978 has been marked as a duplicate of this bug. ***
Comment 18 Jay Shaughnessy 2014-09-24 10:25:40 EDT
I'm taking this, I recently added support for log filtering and I'll add a filter for this specific message.
Comment 19 Jay Shaughnessy 2014-09-24 14:54:18 EDT
master commit 2c44cde5c5001edf5cf8b1ebcbc1fa98d59cbd91
Author: Jay Shaughnessy <jshaughn@redhat.com>
Date:   Wed Sep 24 13:43:32 2014 -0400

    Add EAP-level log filters for messages we can't avoid and don't want to see.


release/jon3.3.x commit 1b241d7a28f65737762e98250cf8b18f18c1377c
Author: Jay Shaughnessy <jshaughn@redhat.com>
Date:   Wed Sep 24 13:43:32 2014 -0400

    (cherry picked from commit 2c44cde5c5001edf5cf8b1ebcbc1fa98d59cbd91)
    Signed-off-by: Jay Shaughnessy <jshaughn@redhat.com>
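A comparison of the two approaches discussed in this thread, raising the org.jboss.security category to ERROR versus filtering on the PBOX000234 message, run over server.log lines to show what each one hides. This is an added example, not code from the bug report or the JON code base: the function names are hypothetical, the last two sample lines are constructed, and the filter the commit actually installed is not shown on this page.

```python
import re

# JBoss server.log line: time, level, [category], (thread), message
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+(?P<message>.*)$"
)
LEVELS = {"TRACE": 0, "DEBUG": 1, "INFO": 2, "WARN": 3, "ERROR": 4, "FATAL": 5}

# The first two lines come from the report; the last two are constructed.
SAMPLE_LOG = """\
09:17:31,266 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: BindDN
09:17:31,267 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) PBOX000234: Invalid or misspelled module option: java.naming.provider.url
09:17:32,010 WARN  [org.jboss.security] (http-/0.0.0.0:7080-5) constructed sample: a security warning an operator needs to see
09:17:32,500 ERROR [org.jboss.security] (http-/0.0.0.0:7080-5) constructed sample: a security error
"""

def parse(text):
    """Return one dict per well-formed log line; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def category_level(records, category, minimum):
    """Category-wide workaround: drop records in `category` (or below it) under `minimum`."""
    def suppressed(r):
        in_cat = r["category"] == category or r["category"].startswith(category + ".")
        return in_cat and LEVELS[r["level"]] < LEVELS[minimum]
    return [r for r in records if not suppressed(r)]

def message_filter(records, pattern):
    """Targeted filter: drop only records whose message matches `pattern`."""
    rx = re.compile(pattern)
    return [r for r in records if not rx.search(r["message"])]

def hidden(before, after):
    """Messages present before a policy was applied and missing afterwards."""
    return [r["message"] for r in before if r not in after]

if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    policies = [
        ("category at ERROR", category_level(records, "org.jboss.security", "ERROR")),
        ("filter on PBOX000234", message_filter(records, r"^PBOX000234:")),
    ]
    for name, kept in policies:
        print(name, "hides:")
        for msg in hidden(records, kept):
            print("   ", msg)
```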
Comment 20 Simeon Pinder 2014-10-01 17:33:19 EDT
Moving to ON_QA as available for test with build:
https://brewweb.devel.redhat.com/buildinfo?buildID=388959
Comment 21 Sunil Kondkar 2014-10-07 06:05:00 EDT
Verified on JON 3.3 ER04

Warnings are now not seen in the server log after LDAP user login.
