Bug 1323361 - [AAA] It is not clear if the setup failed or not
Summary: [AAA] It is not clear if the setup failed or not
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 3.6.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ovirt-4.0.0-alpha
Target Release: 4.0.0
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks: 902971 1327959
 
Reported: 2016-04-02 04:15 UTC by Marina Kalinin
Modified: 2016-08-23 20:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1327959 (view as bug list)
Environment:
Last Closed: 2016-08-23 20:59:22 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:1749 0 normal SHIPPED_LIVE ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.0 2016-09-02 22:17:48 UTC
oVirt gerrit 56182 0 None MERGED setup: make result of test tool more clear 2020-07-22 12:09:07 UTC

Description Marina Kalinin 2016-04-02 04:15:49 UTC
Description of problem:
After running ovirt-engine-extension-aaa-ldap-setup and checking the Login option at the end, it is not clear whether it succeeded or failed.

Here is what it prints to the screen:
~~~
          2016-04-01 23:48:05 INFO    ========================================================================
          2016-04-01 23:48:05 INFO    ============================== Execution ===============================
          2016-04-01 23:48:05 INFO    ========================================================================
          2016-04-01 23:48:05 INFO    Profile='rhev-ipa.usersys.redhat.com' authn='rhev-ipa.usersys.redhat.com-authn' authz='rhev-ipa.usersys.redhat.com-authz' mapping='null'
          2016-04-01 23:48:05 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='admin'
          2016-04-01 23:48:05 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
          2016-04-01 23:48:05 INFO    --- Begin AuthRecord ---
          2016-04-01 23:48:05 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: admin
          2016-04-01 23:48:05 INFO    --- End   AuthRecord ---
          2016-04-01 23:48:05 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='admin'
          2016-04-01 23:48:05 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
          2016-04-01 23:48:05 INFO    --- Begin PrincipalRecord ---
          2016-04-01 23:48:05 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: admin
          2016-04-01 23:48:05 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: Administrator
          2016-04-01 23:48:05 INFO    AAA_LDAP_UNBOUNDID_DN: uid=admin,cn=users,cn=accounts,dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
          2016-04-01 23:48:05 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
          2016-04-01 23:48:05 INFO    AAA_AUTHZ_PRINCIPAL_ID: e9193bfe-848a-11e4-9aa0-001a4a0ab071
          2016-04-01 23:48:05 INFO    AAA_AUTHZ_PRINCIPAL_NAME: admin
          2016-04-01 23:48:05 INFO      --- Begin GroupRecord ---
          2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_DISPLAY_NAME: Account administrators group
          2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_ID: e922a2b6-848a-11e4-98df-001a4a0ab071
          2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_NAMESPACE: dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
          2016-04-01 23:48:05 INFO      AAA_LDAP_UNBOUNDID_DN: cn=admins,cn=groups,cn=accounts,dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
          2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_NAME: admins
          2016-04-01 23:48:05 INFO      --- End   GroupRecord ---
          2016-04-01 23:48:05 INFO      --- Begin GroupRecord ---
          2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_DISPLAY_NAME: Trusts administrators group
          2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_ID: b622afd6-848b-11e4-9fa4-001a4a0ab071
          2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_NAMESPACE: dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
          2016-04-01 23:48:05 INFO      AAA_LDAP_UNBOUNDID_DN: cn=trust admins,cn=groups,cn=accounts,dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
          2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_NAME: trust admins
          2016-04-01 23:48:05 INFO      --- End   GroupRecord ---
          2016-04-01 23:48:05 INFO    --- End   PrincipalRecord ---
          Please make sure that user details are correct, and group membership meets expectations.
          Search for PrincipalRecord and GroupRecord titles
          Abort if output is incorrect
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]:   
~~~


Version-Release number of selected component (if applicable):
3.6.3

How reproducible:
Always?


Steps to Reproduce:
1. Run ovirt-engine-extension-aaa-ldap-setup.
2. At the very last step choose "Login" to test the tool.
3. Provide an existing user and correct password.

Actual results:
What I showed above.

Expected results:
If it succeeded, it should print so to the screen.

Additional info:
In another run, the Login command failed and gave me the following output:
~~~
          2016-03-28 16:52:58 INFO    ========================================================================
          2016-03-28 16:52:58 INFO    ============================== Execution ===============================
          2016-03-28 16:52:58 INFO    ========================================================================
          2016-03-28 16:52:58 INFO    Profile='rhev-ipa.usersys.redhat.com' authn='rhev-ipa.usersys.redhat.com-authn' authz='rhev-ipa.usersys.redhat.com-authz' mapping='null'
          2016-03-28 16:52:58 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='rhevadminipa'
          2016-03-28 16:52:58 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=CREDENTIALS_INVALID
          2016-03-28 16:52:58 SEVERE  Authn.Result code is: CREDENTIALS_INVALID
[ ERROR ] Sequence failed
~~~
So I believe my current output is successful, but there is no way to know that.
Please add a message to the tool for dummy users like me.

Comment 1 Marina Kalinin 2016-04-02 04:17:52 UTC
Same for the search:
~~~
          2016-04-02 00:17:59 INFO    ========================================================================
          2016-04-02 00:17:59 INFO    ============================== Execution ===============================
          2016-04-02 00:17:59 INFO    ========================================================================
          2016-04-02 00:17:59 INFO    --- Begin QueryFilterRecord ---
          2016-04-02 00:17:59 INFO    AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
          2016-04-02 00:17:59 INFO    AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
          2016-04-02 00:17:59 INFO      --- Begin QueryFilterRecord ---
          2016-04-02 00:17:59 INFO      AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
          2016-04-02 00:17:59 INFO      AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
          2016-04-02 00:17:59 INFO      AAA_AUTHZ_PRINCIPAL_NAME: admin
          2016-04-02 00:17:59 INFO      --- End QueryFilterRecord ---
          2016-04-02 00:17:59 INFO    --- End QueryFilterRecord ---
          2016-04-02 00:17:59 INFO    API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=rhev-ipa,dc=usersys,dc=redhat,dc=com'
          2016-04-02 00:17:59 INFO    API: <--Authz.InvokeCommands.QUERY_OPEN
          2016-04-02 00:17:59 INFO    API: -->Authz.InvokeCommands.QUERY_EXECUTE
          2016-04-02 00:17:59 INFO    API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
          2016-04-02 00:17:59 INFO    --- Begin PrincipalRecord ---
          2016-04-02 00:17:59 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: admin
          2016-04-02 00:17:59 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: Administrator
          2016-04-02 00:17:59 INFO    AAA_LDAP_UNBOUNDID_DN: uid=admin,cn=users,cn=accounts,dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
          2016-04-02 00:17:59 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
          2016-04-02 00:17:59 INFO    AAA_AUTHZ_PRINCIPAL_ID: e9193bfe-848a-11e4-9aa0-001a4a0ab071
          2016-04-02 00:17:59 INFO    AAA_AUTHZ_PRINCIPAL_NAME: admin
          2016-04-02 00:17:59 INFO    --- End   PrincipalRecord ---
          2016-04-02 00:17:59 INFO    API: -->Authz.InvokeCommands.QUERY_EXECUTE
          2016-04-02 00:17:59 INFO    API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
          2016-04-02 00:17:59 INFO    API: -->Authz.InvokeCommands.QUERY_CLOSE
          2016-04-02 00:17:59 INFO    API: <--Authz.InvokeCommands.QUERY_CLOSE
          Please make sure that entity details are correct, and depending type of query that group membership meets expectations.
          Search for PrincipalRecord and GroupRecord titles
          Abort if output is incorrect
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]: 
~~~

Comment 2 Marina Kalinin 2016-04-02 04:34:17 UTC
It is too late now. I am sorry.
I can see now that it may be possible to tell from the output that it succeeded.
Still, making the message clearer could make it more beneficial to the end user. Something like:
"Login/Search for user XXX succeeded.
Please check the output. Abort, if incorrect."

Comment 3 Martin Perina 2016-04-05 15:55:58 UTC
Hi,

so here are existing outputs:

1. If you make a mistake during the LDAP configuration phase, the error is shown to the user immediately; the error line starts with the [ERROR] string, for example:

    [ ERROR ] Cannot authenticate using 'cn=xxx': {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}

2. If you try to test your configuration using the Login sequence and some error is raised, the following error line is displayed at the end of the output:

    [ ERROR ] Sequence failed

   and the user can find more details about the error in the output, for example:

              2016-04-05 17:36:09 SEVERE  Unexpected comma or semicolon found at the end of the DN string.

3. If you try to test your configuration using the Login sequence and everything is OK, the following lines are displayed at the end of the output:

    Please make sure that user details are correct, and group membership meets expectations.
    Search for PrincipalRecord and GroupRecord titles
    Abort if output is incorrect

   So the important lines that the user needs to investigate are:

          2016-04-05 17:48:05 INFO    --- Begin PrincipalRecord ---
          2016-04-05 17:48:05 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: jdoe.lab.eng.brq.redhat.com
          2016-04-05 17:48:05 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: Doe
          2016-04-05 17:48:05 INFO    AAA_LDAP_UNBOUNDID_DN: CN=jdoe,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
          2016-04-05 17:48:05 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
          2016-04-05 17:48:05 INFO    AAA_AUTHZ_PRINCIPAL_ID: U6bgs8k2PUOIeElc3YEJqw==
          2016-04-05 17:48:05 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: John Doe
          2016-04-05 17:48:05 INFO    AAA_AUTHZ_PRINCIPAL_NAME: jdoe
          2016-04-05 17:48:05 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: John
          2016-04-05 17:48:05 INFO      --- Begin GroupRecord ---
          2016-04-05 17:48:05 INFO      AAA_AUTHZ_GROUP_ID: ATzN0KJU7kmcIKiuqfpR6g==
          2016-04-05 17:48:05 INFO      AAA_AUTHZ_GROUP_NAMESPACE: DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
          2016-04-05 17:48:05 INFO      AAA_LDAP_UNBOUNDID_DN: CN=jdoe-group-2,CN=Users,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
          2016-04-05 17:48:05 INFO      AAA_AUTHZ_GROUP_NAME: jdoe-group-2
          2016-04-05 17:48:05 INFO      --- End   GroupRecord ---
          2016-04-05 17:48:05 INFO      --- Begin GroupRecord ---
          2016-04-05 17:48:05 INFO      AAA_AUTHZ_GROUP_ID: g5rAkbKXtE6JQ2g9TL5ZcA==
          2016-04-05 17:48:05 INFO      AAA_AUTHZ_GROUP_NAMESPACE: DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
          2016-04-05 17:48:05 INFO      AAA_LDAP_UNBOUNDID_DN: CN=jdoe-group-1,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
          2016-04-05 17:48:05 INFO      AAA_AUTHZ_GROUP_NAME: jdoe-group-1
          2016-04-05 17:48:05 INFO      --- End   GroupRecord ---
          2016-04-05 17:48:05 INFO    --- End   PrincipalRecord ---

   But even if no error was raised during the Login phase, you need to manually check the output, as there may be some logical error (for example, that the groups the user is a member of are not returned).

4. If you try to test your configuration using the Search sequence and some error is raised, the following error line is displayed at the end of the output:

    [ ERROR ] Sequence failed

   and the user can find more details about the error in the output.

5. If you try to test your configuration using the Search sequence and everything is OK, the following lines are displayed at the end of the output:

    Please make sure that entity details are correct, and depending type of query that group membership meets expectations.
    Search for PrincipalRecord and GroupRecord titles
    Abort if output is incorrect

   The important lines that the user needs to investigate are the same as in step 3.

   But even if no error was raised during the Login phase, you need to manually check the output, as there may be some logical error (for example, that the groups the user is a member of are not returned).


Unfortunately the whole LDAP configuration can be so complex and can include so many differences among customers' setups that IMO we cannot simplify it even more.

But feel free to suggest some improvements we can make to the setup tool.
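The checks Martin describes above (a trailing "[ ERROR ] Sequence failed" line, SEVERE log lines, a non-SUCCESS API result, and the PrincipalRecord/GroupRecord blocks an admin still has to eyeball) can be scripted against the tool's console output. The following is an added example and not code from the oVirt project or from anyone in this thread; it assumes only the output format quoted in this report, and the sample outputs embedded in it are constructed (a fictional example.com directory and user jdoe). It also flags the case Martin calls a logical error, a principal that authenticates but comes back with no groups, as a warning rather than a pass.

```python
"""Classify the outcome of an ovirt-engine-extension-aaa-ldap-setup Login/Search
test sequence from its console output.

Added example, not code from the oVirt project or from this bug report. It
assumes the output format quoted in the report: timestamped INFO/SEVERE lines,
'--- Begin X ---' / '--- End X ---' record markers (GroupRecords nested inside a
PrincipalRecord), 'API: <--... result=/status=' lines and a trailing
'[ ERROR ] Sequence failed' line on failure. Sample outputs are constructed.
"""
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<level>[A-Z]+)\s+(?P<msg>.*)$")
RECORD_RE = re.compile(r"^--- (?P<edge>Begin|End)\s+(?P<kind>\w+) ---$")
KV_RE = re.compile(r"^(?P<key>AAA_[A-Z_]+): (?P<value>.*)$")
API_RESULT_RE = re.compile(r"^API: <--(?P<call>\S+) (?:result|status)=(?P<value>\S+)$")
SEQ_FAILED = "[ ERROR ] Sequence failed"


@dataclass
class Record:
    kind: str
    fields: dict = field(default_factory=dict)
    children: list = field(default_factory=list)  # nested records, e.g. groups of a principal


@dataclass
class SequenceResult:
    status: str      # "SUCCEEDED", "FAILED" or "INCONCLUSIVE"
    problems: list   # SEVERE messages, non-SUCCESS API results, the failure marker
    warnings: list   # things no tool can judge for you, e.g. a principal with no groups
    records: list    # top-level Records in output order


def parse_sequence(output: str) -> SequenceResult:
    """Parse one Login/Search sequence's output into a SequenceResult."""
    problems, warnings, records, stack = [], [], [], []
    for raw in output.splitlines():
        line = raw.strip()
        if line == SEQ_FAILED:
            problems.append(line)
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # prompt text and blank lines
        level, msg = m.group("level"), m.group("msg").strip()
        if level == "SEVERE":
            problems.append(msg)
            continue
        api = API_RESULT_RE.match(msg)
        if api and api.group("value") != "SUCCESS":
            problems.append(f"{api.group('call')} returned {api.group('value')}")
            continue
        rec = RECORD_RE.match(msg)
        if rec:
            if rec.group("edge") == "Begin":
                stack.append(Record(rec.group("kind")))
            elif stack and stack[-1].kind == rec.group("kind"):
                done = stack.pop()
                (stack[-1].children if stack else records).append(done)
            continue
        kv = KV_RE.match(msg)
        if kv and stack:
            stack[-1].fields[kv.group("key")] = kv.group("value")

    principals = [r for r in records if r.kind == "PrincipalRecord"]
    for p in principals:
        if not any(c.kind == "GroupRecord" for c in p.children):
            warnings.append(f"no groups returned for {p.fields.get('AAA_AUTHZ_PRINCIPAL_NAME', '?')}")
    if problems:
        status = "FAILED"
    elif principals:
        status = "SUCCEEDED"
    else:
        status = "INCONCLUSIVE"  # no error, but nothing found either (e.g. an empty Search)
    return SequenceResult(status, problems, warnings, records)


# Constructed samples in the format quoted in the report (fictional example.com directory).
LOGIN_OK = """\
2016-04-01 23:48:05 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='jdoe'
2016-04-01 23:48:05 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
2016-04-01 23:48:05 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
2016-04-01 23:48:05 INFO    --- Begin PrincipalRecord ---
2016-04-01 23:48:05 INFO    AAA_AUTHZ_PRINCIPAL_NAME: jdoe
2016-04-01 23:48:05 INFO    AAA_LDAP_UNBOUNDID_DN: uid=jdoe,cn=users,dc=example,dc=com
2016-04-01 23:48:05 INFO      --- Begin GroupRecord ---
2016-04-01 23:48:05 INFO      AAA_AUTHZ_GROUP_NAME: admins
2016-04-01 23:48:05 INFO      --- End   GroupRecord ---
2016-04-01 23:48:05 INFO    --- End   PrincipalRecord ---
          Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
"""
LOGIN_FAIL = """\
2016-03-28 16:52:58 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=CREDENTIALS_INVALID
2016-03-28 16:52:58 SEVERE  Authn.Result code is: CREDENTIALS_INVALID
[ ERROR ] Sequence failed
"""
# Same successful login, but the directory returned no groups: no error, yet worth a look.
LOGIN_NO_GROUPS = "\n".join(ln for ln in LOGIN_OK.splitlines() if "GROUP" not in ln.upper())

if __name__ == "__main__":
    for sample in (LOGIN_OK, LOGIN_FAIL, LOGIN_NO_GROUPS):
        r = parse_sequence(sample)
        print(r.status, r.problems, r.warnings)
```

Feed it the tool's output (for instance the log it writes under /tmp, or ovirt-engine-extensions-tool output when iterating on a saved profile) and the first line of the verdict tells you what the original prompt did not; the warnings are the part that still needs a human, exactly as Martin says.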

Comment 4 Marina Kalinin 2016-04-05 17:15:19 UTC
Hi Martin,

Thank you for the detailed explanation. It will definitely be beneficial for us in further troubleshooting.
However, I think you did not understand my point in opening this bug.

I am saying, based on my experience working with multiple customers, that the success message should make it more obvious that the tool's Login/Search command succeeded. I suggest the following message:

"Login/Search for user XXX succeeded.
Please confirm the output. Abort, if incorrect."

or:
"[SUCCESS] please confirm the output for additional details. Abort if incorrect."

However, I must tell you, most of the users would not go and check it unless something went wrong. (That's why I also don't really like the fact that the logs go to /tmp, but this is another story.)

Comment 5 Martin Perina 2016-04-07 08:16:19 UTC
(In reply to Marina from comment #4)
> Hi Martin,
> 
> Thank you for the detailed explanation. It would be definitely beneficial
> for us in further troubleshooting. 
> However, I think, you did not understand my point when opening this bug. 
> 
> I am saying, based on my experience working with multiple customers, the
> success message should be more obvious to identify a successful Login/Search
> command on behalf of the tool. I suggest the following message:
> 
> "Login/Search for user XXX succeeded.
> Please confirm the output. Abort, if incorrect."

OK, we will try to change the result messages of both sequences to be more user friendly, but as I said before, even if there's no error in sequence execution, the user should investigate the results, because for example:

  1. For the login sequence the user could be authenticated successfully, but group resolution may not be correct (there is no way to detect this automatically)

  2. For the search sequence we could find a different user or group, or not find anything at all (and we don't know if the user made an error during input or his LDAP setup is so different from the defaults that he cannot use the tool, but needs to manually customize the profile properties files)



> 
> or:
> "[SUCCESS] please confirm the output for additional details. Abort if
> incorrect."
> 
> However, I must tell you, most of the user would not go and check it unless
> something would go wrong. (that's why I also don't really like the fact that
> the logs are going to /tmp, but this is another story.)

The reason why everything goes to /tmp is simple: until you specify Done, no configuration is saved to /etc/ovirt-engine; everything is in memory only.

On the other hand, the user can specify Done -> the new LDAP profile configuration is saved, but it's not loaded by the engine until the engine service is restarted. So he can continue testing the generated configuration using ovirt-engine-extensions-tool (that's exactly what the setup tool executes for the Login/Search tests) and making manual changes to the profile configuration until everything works as expected.

For now targeting 4.0; once we agree on the exact changes that need to be done, we can retarget to 3.6.z.

Comment 8 Martin Perina 2016-04-14 14:54:48 UTC
So here are my suggestions on how to make the output more understandable:

I. Login sequence

  a. If the login sequence was executed without errors, the following lines will be displayed at the end of the tool output:

      [ INFO  ] Sequence executed successfully
                Please make sure that user details are correct and group membership meets
                expectations (search for PrincipalRecord and GroupRecord titles).
                Abort if output is incorrect.

                Select test sequence to execute (Done, Abort, Login, Search) [Abort]:



  b. If errors were raised during the login sequence, the following lines will be displayed at the end of the tool output:

      [ ERROR ] Sequence failed
                Please investigate details of the failure (search for lines containing
                SEVERE log level).

                Select test sequence to execute (Done, Abort, Login, Search) [Abort]:



II. Search sequence

  a. If the search sequence was executed without errors, the following lines will be displayed at the end of the tool output:

      [ INFO  ] Sequence executed successfully
                Please make sure that entity details are correct and, depending on the type
                of the query, that group membership meets expectations (search for
                PrincipalRecord and GroupRecord titles).
                Abort if output is incorrect.

                Select test sequence to execute (Done, Abort, Login, Search) [Abort]:



  b. If errors were raised during the search sequence, the following lines will be displayed at the end of the tool output:

      [ ERROR ] Sequence failed
                Please investigate details of the failure (search for lines containing
                SEVERE log level).

                Select test sequence to execute (Done, Abort, Login, Search) [Abort]:


Marina, is this output understandable enough?

Comment 9 Marina Kalinin 2016-04-14 15:37:15 UTC
This is beautiful! Thank you.

Comment 10 Martin Perina 2016-04-15 13:00:00 UTC
Fix will be included in ovirt-engine-extension-aaa-ldap-1.2.0-0.2.el7ev

Comment 12 Gonza 2016-06-24 12:11:12 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-setup-1.2.0-1.el7.noarch

ON SUCCESS:
[ INFO  ] Login sequence executed successfully
          Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
          Abort if output is incorrect.

ON FAILURE:
[ ERROR ] Login sequence failed
          Please investigate details of the failure (search for lines containing SEVERE log level).

Comment 14 errata-xmlrpc 2016-08-23 20:59:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1749.html

