Bug 850748 - Engine log is not informative enough in case authentication exception occurs during ldap search
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Martin Perina
QA Contact:
URL:
Whiteboard: infra
Depends On:
Blocks:
Reported: 2012-08-22 10:22 UTC by Yair Zaslavsky
Modified: 2016-02-10 19:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-12 12:47:48 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:



Description Yair Zaslavsky 2012-08-22 10:22:44 UTC
Description of problem:

In case javax.naming.AuthenticationException is thrown - engine code does log the reason this exception was thrown.
For this exception, the following log appears -
"Ldap authentication failed. Please check that the login name , password and path are correct".
A more detailed reason should appear in order to help troubleshooting of login problems.




Comment 3 Martin Perina 2013-12-12 12:47:48 UTC
The above-mentioned code is not used in upstream anymore. Here are test results for specific cases:

1) Non existing user

2013-12-12 13:30:48,782 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Kerberos error: Client not found in Kerberos database (6)
2013-12-12 13:30:48,783 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Authentication Failed. Client not found in kerberos database.
2013-12-12 13:30:48,785 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server ldap://dc-02.ad2.rhev.lab.eng.brq.redhat.com:389 using user mperina3.LAB.ENG.BRQ.REDHAT.COM due to Authentication Failed. Client not found in kerberos database.. We should not try the next server
2013-12-12 13:30:48,787 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: mperina3 to domain ad2.rhev.lab.eng.brq.redhat.com. Ldap Query Type is getUserByName
2013-12-12 13:30:48,788 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Authentication Failed. Client not found in kerberos database.
2013-12-12 13:30:48,789 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : mperina3
2013-12-12 13:30:48,791 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD


2) Wrong password

2013-12-12 13:45:44,231 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Kerberos error: Pre-authentication information was invalid (24)
2013-12-12 13:45:44,232 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Authentication Failed. Please verify the username and password.
2013-12-12 13:45:44,234 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server ldap://dc-02.ad2.rhev.lab.eng.brq.redhat.com:389 using user mperina2.LAB.ENG.BRQ.REDHAT.COM due to Authentication Failed. Please verify the username and password.. We should not try the next server
2013-12-12 13:45:44,235 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: mperina2 to domain ad2.rhev.lab.eng.brq.redhat.com. Ldap Query Type is getUserByName
2013-12-12 13:45:44,237 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Authentication Failed. Please verify the username and password.
2013-12-12 13:45:44,238 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : mperina2
2013-12-12 13:45:44,238 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD


3) Account expired

2013-12-12 13:40:11,723 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Kerberos error: Clients credentials have been revoked (18)
2013-12-12 13:40:11,724 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Authentication failed. The user is either locked or disabled
2013-12-12 13:40:11,726 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server ldap://dc-02.ad2.rhev.lab.eng.brq.redhat.com:389 using user mperina2.LAB.ENG.BRQ.REDHAT.COM due to Authentication failed. The user is either locked or disabled. We should not try the next server
2013-12-12 13:40:11,728 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: mperina2 to domain ad2.rhev.lab.eng.brq.redhat.com. Ldap Query Type is getUserByName
2013-12-12 13:40:11,729 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Authentication failed. The user is either locked or disabled
2013-12-12 13:40:11,729 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED : mperina2
2013-12-12 13:40:11,730 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED
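
The three cases in the comment above differ in the Kerberos error code the engine logs (6, 24, 18), which is what lets a log reviewer tell an unknown account from a wrong password or a locked account. The following is an added example, not part of the bug report or of oVirt's code: it pairs each Kerberos error line with the next "Failed authenticating user" line on the same thread and summarizes failures by reason. The reason labels, the `threshold` parameter, the `_pair` helper and the sample users and `example.test` domain are assumptions made for the example.

```python
import re
from collections import Counter

# Kerberos codes seen in the comment's logs; the labels are this example's own.
KRB_CODES = {6: "unknown_principal", 18: "locked_or_disabled", 24: "bad_password"}
PKG = r"\[org\.ovirt\.engine\.core\.bll\.adbroker\."
KRB_RE = re.compile(r"^(?P<ts>\S+ \S+) ERROR " + PKG +
                    r"GSSAPIDirContextAuthenticationStrategy\] \((?P<thread>[^)]+)\) "
                    r"Kerberos error: .* \((?P<code>\d+)\)$")
USER_RE = re.compile(PKG + r"LdapAuthenticateUserCommand\] \((?P<thread>[^)]+)\) "
                     r"Failed authenticating user: (?P<user>\S+) to domain (?P<domain>\S+?)\. ")

def classify(lines):
    """Join each Kerberos error to the next failed-user line on the same thread."""
    pending, events = {}, []
    for line in lines:
        line = line.rstrip()
        if (m := KRB_RE.search(line)):
            pending[m["thread"]] = (m["ts"], int(m["code"]))
        elif (m := USER_RE.search(line)) and m["thread"] in pending:
            ts, code = pending.pop(m["thread"])
            events.append({"ts": ts, "user": m["user"], "domain": m["domain"],
                           "code": code, "reason": KRB_CODES.get(code, "other")})
    return events

def summarize(events, threshold=2):
    """Return failure counts per reason and users at or over the bad-password threshold."""
    reasons = Counter(e["reason"] for e in events)
    bad = Counter(e["user"] for e in events if e["reason"] == "bad_password")
    return dict(reasons), sorted(u for u, n in bad.items() if n >= threshold)

def _pair(ts, thread, text, code, user):
    """Build a constructed two-line sample in the engine.log layout shown above."""
    head = f"2013-12-12 {ts} ERROR [org.ovirt.engine.core.bll.adbroker."
    return [f"{head}GSSAPIDirContextAuthenticationStrategy] ({thread}) Kerberos error: {text} ({code})",
            f"{head}LdapAuthenticateUserCommand] ({thread}) Failed authenticating user: {user} "
            "to domain example.test. Ldap Query Type is getUserByName"]

# Constructed sample input (users, domain and timestamps are made up).
SAMPLE = (_pair("13:30:48,782", "http--0.0.0.0-8080-1", "Client not found in Kerberos database", 6, "nouser")
          + _pair("13:45:44,231", "http--0.0.0.0-8080-1", "Pre-authentication information was invalid", 24, "alice")
          + _pair("13:45:50,100", "http--0.0.0.0-8080-2", "Pre-authentication information was invalid", 24, "alice")
          + _pair("13:40:11,723", "http--0.0.0.0-8080-1", "Clients credentials have been revoked", 18, "bob"))

if __name__ == "__main__":
    print(summarize(classify(SAMPLE)))
```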

