Bug 974324 - EAP 6 Domain Mode Logging for Management is nonexistent
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: DR6
Target Release: EAP 6.3.0
Assigned To: Darran Lofthouse
QA Contact: Josef Cacek
Depends On:
Blocks:
Reported: 2013-06-13 21:13 EDT by James Livingston
Modified: 2016-02-21 19:56 EST (History)
CC List: 9 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, TRACE and DEBUG logging had not been added to the LDAP interactions within the security realms. This made diagnosing authentication issues where LDAP is in use extremely difficult, as no debug logging was available. DEBUG logging has now been added to the security realms where LDAP is used. Customers can now use these logs to diagnose LDAP-related issues with security realms.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-28 11:26:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Flags: cdewolf: needinfo-

Attachments:

External Trackers
  JBoss Issue Tracker WFLY-2408 (Priority: Major, Status: Resolved): Add TRACE logging for connection properties used to connect to LDAP from realm. Last updated 2016-01-27 06:23 EST
  JBoss Issue Tracker WFLY-352 (Priority: Critical, Status: Resolved): Add sufficient TRACE / DEBUG logging to debug security realm configurations. Last updated 2016-01-27 06:23 EST

Description James Livingston 2013-06-13 21:13:58 EDT
There is basically no logging done inside the management authentication components, which means that debugging problems such as with LDAP is difficult. There should be more information logged, particularly exceptions.
Comment 1 James Livingston 2013-06-13 21:15:13 EDT
The change at https://github.com/wildfly/wildfly/commit/ac3525d4860c66df7fd882532a647b4707140337#L14R25  for LDAP is a start.
Comment 2 Darran Lofthouse 2013-06-14 04:50:45 EDT
Let's get the ACK process started; in reality, with everything else happening for EAP at the moment, this change will be going in.
Comment 8 JBoss JIRA Server 2013-08-20 09:05:32 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira WFLY-352 to Coding In Progress
Comment 9 JBoss JIRA Server 2013-08-29 11:12:03 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira WFLY-352 to Resolved
Comment 10 James Livingston 2013-08-29 23:50:02 EDT
Upstream changes are at https://github.com/wildfly/wildfly/commit/3948c15fa6d9a4054aab3b16496be1219f4e1bbc
Comment 11 James Livingston 2013-08-30 00:25:40 EDT
PR for backport to 6.x: https://github.com/jbossas/jboss-eap/pull/326
Comment 12 Darran Lofthouse 2013-09-18 03:46:53 EDT
This probably actually made it into ER1
Comment 16 Josef Cacek 2013-11-28 15:59:40 EST
Darran, is the fix ready for testing? If everything is merged, set the status to ON_QA, please.
Comment 17 Paul Gier 2013-12-04 11:59:48 EST
Moving back to assigned because Darran said there is still some work required before the fix is complete.
Comment 18 Darran Lofthouse 2014-02-11 07:36:00 EST
Adding a devel_ack so I can double check this in the current EAP codebase - the logging may have already been backported - if not there is plenty of logging upstream so will be trivial to backport.
Comment 20 Darran Lofthouse 2014-03-18 08:00:15 EDT
Pull request sent to add TRACE logging to the following class: -
  org.jboss.as.domain.management.connections.ldap.LdapConnectionManagerService

Inspecting the existing EAP code base the following classes already have TRACE logging backported from upstream so no further work was required: -
  org.jboss.as.domain.management.security.UserLdapCallbackHandler
  org.jboss.as.domain.management.security.LdapUserSearcherService
  org.jboss.as.domain.management.security.LdapSubjectSupplementalService.LdapSubjectSupplemental

I would suggest at this point that if GSS identify any additional logging required in this area to support active support cases that they submit pull requests for the additional logging.
Comment 22 Ondrej Lukas 2014-03-28 09:21:34 EDT
Unfortunately verification on EAP 6.3.0.DR6 failed. It works fine in standalone mode but there are still no related logs in domain mode.
Comment 23 Darran Lofthouse 2014-04-01 05:35:23 EDT
Can you please confirm how you are testing this in domain mode, the same code is used in both places.
Comment 24 Ondrej Lukas 2014-04-01 06:37:56 EDT
Hi Darran,
I added logger category for "org.jboss.as.domain.management" on level TRACE:
<logger category="org.jboss.as.domain.management">
    <level name="TRACE"/>
</logger>

and set authentication in security realm for ManagementRealm via LDAP:
<authentication>
    <ldap connection="ldapConnection" base-dn="dc=jboss,dc=org" recursive="true">
        <username-filter attribute="uid"/>
    </ldap>
</authentication>
...
<outbound-connections>
    <ldap name="ldapConnection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>

Then I tried successful and unsuccessful authentication to the CLI. These work fine in standalone mode (logs appear in the log file) but there are no related logs in any of the log files when I try this configuration in domain mode (also a server-group on the same profile where the logging is set needs to be added). According to the name of this BZ I think that domain mode logging is the main part of this issue.
Comment 25 Darran Lofthouse 2014-04-01 07:28:39 EDT
If you are using XML-based configuration for logging, that sounds to me like you are adding that to the domain.xml.

In domain mode the authentication you are testing is happening within the host controller process, which is not influenced by domain configuration; instead I believe you are going to need to edit the logging.properties file to define the TRACE logging for that process.
Comment 26 Ondrej Lukas 2014-04-01 07:51:48 EDT
Thank you Darran for the advice. It was my fault; I tried it through logging.properties and now it works fine in domain mode too.

Verified on EAP 6.3.0.DR6.
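The procedure Darran describes in Comment 25 and Ondrej confirms in Comment 26, as an added example that is not part of this bug thread or of the EAP/WildFly code base: in domain mode the management authentication (and therefore the LDAP realm tracing) runs inside the host controller, whose logging comes from logging.properties rather than from the logging subsystem in domain.xml. The POSIX shell helper below edits that file idempotently to put the org.jboss.as.domain.management category from Comment 24 at TRACE, and checks the result. The path domain/configuration/logging.properties, the FILE handler name and the sample file contents are assumptions modelled on the default EAP 6 layout; the helper is run here against a constructed, abridged copy rather than a real installation.

```shell
#!/bin/sh
# Added example, not code from the Bugzilla thread or from EAP/WildFly.
# Puts org.jboss.as.domain.management at TRACE in a host controller's
# logging.properties (Comment 25: domain.xml does not govern that process).
# File layout below is an assumption modelled on the EAP 6 default.
set -eu

CATEGORY="org.jboss.as.domain.management"

# enable_mgmt_trace FILE
# Idempotently list CATEGORY in "loggers=" and pin it to TRACE. Writes via a
# temp file so an interrupted run never leaves a truncated logging.properties.
enable_mgmt_trace() {
    f="$1"
    tmp="$f.tmp.$$"
    awk -v category="$CATEGORY" '
        BEGIN { seen_list = 0; seen_level = 0 }
        # "loggers=a,b" -> append the category unless it is already listed
        /^loggers=/ {
            seen_list = 1
            list = substr($0, 9)
            if (index("," list ",", "," category ",") == 0)
                $0 = (list == "") ? "loggers=" category : "loggers=" list "," category
        }
        # an existing level line for the category -> force TRACE
        index($0, "logger." category ".level=") == 1 {
            seen_level = 1
            $0 = "logger." category ".level=TRACE"
        }
        { print }
        END {
            if (!seen_list)  print "loggers=" category
            if (!seen_level) print "logger." category ".level=TRACE"
        }
    ' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# mgmt_trace_enabled FILE: succeed only if CATEGORY is both listed and at TRACE.
mgmt_trace_enabled() {
    grep -Eq "^loggers=(.*,)?$CATEGORY(,.*)?$" "$1" &&
    grep -Eq "^logger\.$CATEGORY\.level=TRACE$" "$1"
}

# Constructed sample (abridged, not the real file) in the shape of EAP 6's
# domain/configuration/logging.properties. handler.FILE.level=ALL matters:
# a handler capped at INFO would silently drop the TRACE records.
SAMPLE="${TMPDIR:-/tmp}/logging.properties.$$"
cat > "$SAMPLE" <<'EOF'
loggers=org.jboss.as.config,sun.rmi
logger.level=INFO
logger.handlers=FILE
logger.org.jboss.as.config.level=DEBUG
logger.sun.rmi.level=WARN
handler.FILE=org.jboss.logmanager.handlers.PeriodicRotatingFileHandler
handler.FILE.level=ALL
handler.FILE.fileName=${org.jboss.boot.log.file:host-controller.log}
EOF

enable_mgmt_trace "$SAMPLE"
enable_mgmt_trace "$SAMPLE"    # second run is a no-op: no duplicate entries
if mgmt_trace_enabled "$SAMPLE"; then
    echo "TRACE enabled for $CATEGORY in $SAMPLE"
fi
```

Run it against $JBOSS_HOME/domain/configuration/logging.properties and restart the host controller; the realm and LdapConnectionManagerService trace then lands in the host controller's log, while managed servers keep taking their logging configuration from domain.xml. Two caveats for a practitioner: the TRACE output this bug adds includes the connection properties used to reach LDAP (WFLY-2408), so restrict who can read host-controller.log while it is on, and turn the category back to its previous level once the authentication problem is diagnosed.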
Comment 27 Scott Mumford 2014-04-23 01:46:26 EDT
Reformatted doc text and marked for inclusion in 6.3.0 Release Notes
