Bug 850748 - Engine log is not informative enough in case authentication exception occurs during ldap search
Status: CLOSED UPSTREAM
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.1.0
Severity: unspecified
Assigned To: Martin Perina
Reported: 2012-08-22 06:22 EDT by Yair Zaslavsky
Modified: 2016-02-10 14:42 EST
Doc Type: Bug Fix
Last Closed: 2013-12-12 07:47:48 EST
Type: Bug
oVirt Team: Infra

Description Yair Zaslavsky 2012-08-22 06:22:44 EDT
Description of problem:

In case javax.naming.AuthenticationException is thrown - engine code does log the reason this exception was thrown.
For this exception, the following log appears -
"Ldap authentication failed. Please check that the login name , password and path are correct".
A more detailed reason should appear in order to help troubleshooting of login problems.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 3 Martin Perina 2013-12-12 07:47:48 EST
The above-mentioned code is not used in upstream anymore. Here are test results for specific cases:

1) Non existing user

2013-12-12 13:30:48,782 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Kerberos error: Client not found in Kerberos database (6)
2013-12-12 13:30:48,783 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Authentication Failed. Client not found in kerberos database.
2013-12-12 13:30:48,785 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server ldap://dc-02.ad2.rhev.lab.eng.brq.redhat.com:389 using user mperina3@AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM due to Authentication Failed. Client not found in kerberos database.. We should not try the next server
2013-12-12 13:30:48,787 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: mperina3 to domain ad2.rhev.lab.eng.brq.redhat.com. Ldap Query Type is getUserByName
2013-12-12 13:30:48,788 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Authentication Failed. Client not found in kerberos database.
2013-12-12 13:30:48,789 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : mperina3
2013-12-12 13:30:48,791 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD


2) Wrong password

2013-12-12 13:45:44,231 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Kerberos error: Pre-authentication information was invalid (24)
2013-12-12 13:45:44,232 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Authentication Failed. Please verify the username and password.
2013-12-12 13:45:44,234 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server ldap://dc-02.ad2.rhev.lab.eng.brq.redhat.com:389 using user mperina2@AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM due to Authentication Failed. Please verify the username and password.. We should not try the next server
2013-12-12 13:45:44,235 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: mperina2 to domain ad2.rhev.lab.eng.brq.redhat.com. Ldap Query Type is getUserByName
2013-12-12 13:45:44,237 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Authentication Failed. Please verify the username and password.
2013-12-12 13:45:44,238 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD : mperina2
2013-12-12 13:45:44,238 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD


3) Account expired

2013-12-12 13:40:11,723 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Kerberos error: Clients credentials have been revoked (18)
2013-12-12 13:40:11,724 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (http--0.0.0.0-8080-1) Authentication failed. The user is either locked or disabled
2013-12-12 13:40:11,726 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (http--0.0.0.0-8080-1) Failed ldap search server ldap://dc-02.ad2.rhev.lab.eng.brq.redhat.com:389 using user mperina2@AD2.RHEV.LAB.ENG.BRQ.REDHAT.COM due to Authentication failed. The user is either locked or disabled. We should not try the next server
2013-12-12 13:40:11,728 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Failed authenticating user: mperina2 to domain ad2.rhev.lab.eng.brq.redhat.com. Ldap Query Type is getUserByName
2013-12-12 13:40:11,729 ERROR [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand] (http--0.0.0.0-8080-1) Authentication failed. The user is either locked or disabled
2013-12-12 13:40:11,729 ERROR [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED : mperina2
2013-12-12 13:40:11,730 WARN  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (http--0.0.0.0-8080-1) CanDoAction of action LoginAdminUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_ACCOUNT_IS_LOCKED_OR_DISABLED
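
Added example, not part of the bug report or of the oVirt code base: a small parser that pairs each "Kerberos error" line with the DirectorySearcher failure that follows it on the same thread, so failed logins can be triaged by cause (codes 6, 24 and 18 as logged in the three cases above). The case labels, function names and the sample lines (hosts and users) are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos codes from the three test cases above; the labels are this example's own.
KRB_CASES = {6: "unknown_principal", 24: "bad_password", 18: "locked_or_disabled"}
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
KRB = re.compile(r"^Kerberos error: .* \((\d+)\)$")
SEARCH = re.compile(r"^Failed ldap search server (\S+) using user (\S+) due to ")

def classify(lines):
    """Return (timestamp, principal, server, case) for every search failure
    that was preceded by a Kerberos error on the same thread."""
    pending, events = {}, []   # pending: thread -> Kerberos code not yet paired
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue           # not an engine log line
        logger = m["logger"].rsplit(".", 1)[-1]
        if logger == "GSSAPIDirContextAuthenticationStrategy":
            k = KRB.match(m["msg"])
            if k:
                pending[m["thread"]] = int(k.group(1))
        elif logger == "DirectorySearcher":
            s = SEARCH.match(m["msg"])
            if s and m["thread"] in pending:
                code = pending.pop(m["thread"])
                events.append((m["ts"], s.group(2), s.group(1),
                               KRB_CASES.get(code, f"krb_{code}")))
    return events

def summarize(events):
    """Count failures per (principal, case)."""
    return Counter((principal, case) for _, principal, _, case in events)

# Constructed sample lines in the format of the excerpts above.
P, T = "org.ovirt.engine.core.bll.adbroker.", "(http--0.0.0.0-8080-1)"
SAMPLE = [
    f"2013-12-12 13:30:48,782 ERROR [{P}GSSAPIDirContextAuthenticationStrategy] {T} Kerberos error: Client not found in Kerberos database (6)",
    f"2013-12-12 13:30:48,785 ERROR [{P}DirectorySearcher] {T} Failed ldap search server ldap://dc.example.test:389 using user ghost@EXAMPLE.TEST due to Authentication Failed. Client not found in kerberos database.. We should not try the next server",
    f"2013-12-12 13:45:44,231 ERROR [{P}GSSAPIDirContextAuthenticationStrategy] {T} Kerberos error: Pre-authentication information was invalid (24)",
    f"2013-12-12 13:45:44,234 ERROR [{P}DirectorySearcher] {T} Failed ldap search server ldap://dc.example.test:389 using user alice@EXAMPLE.TEST due to Authentication Failed. Please verify the username and password.. We should not try the next server",
    f"2013-12-12 13:40:11,723 ERROR [{P}GSSAPIDirContextAuthenticationStrategy] {T} Kerberos error: Clients credentials have been revoked (18)",
    f"2013-12-12 13:40:11,726 ERROR [{P}DirectorySearcher] {T} Failed ldap search server ldap://dc.example.test:389 using user bob@EXAMPLE.TEST due to Authentication failed. The user is either locked or disabled. We should not try the next server",
]

if __name__ == "__main__":
    for event in classify(SAMPLE):
        print(event)
```

A run of unknown_principal results across many different names reads differently from repeated bad_password results for one principal, which is the distinction the generic USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD line alone does not give.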
