Bug 974324 - EAP 6 Domain Mode Logging for Management is nonexistent
Summary: EAP 6 Domain Mode Logging for Management is nonexistent
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: DR6
: EAP 6.3.0
Assignee: Darran Lofthouse
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-06-14 01:13 UTC by James Livingston
Modified: 2018-12-02 15:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, TRACE and DEBUG logging had not been added to the LDAP interactions within the security realms. This made diagnosing authentication issues where LDAP is in use extremely difficult, as no debug logging was available. DEBUG logging has now been added to the security realms where LDAP is used. Customers can now use these logs to diagnose LDAP-related issues with security realms.
Clone Of:
Environment:
Last Closed: 2014-06-28 15:26:20 UTC
Type: Bug
Embargoed:
cdewolf: needinfo-




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker WFLY-2408 0 Major Closed Add TRACE logging for connection properties used to connect to LDAP from realm. 2019-01-24 13:55:44 UTC
Red Hat Issue Tracker WFLY-352 0 Critical Closed Add sufficient TRACE / DEBUG logging to debug security realm configurations. 2019-01-24 13:55:44 UTC

Description James Livingston 2013-06-14 01:13:58 UTC
There is basically no logging done inside the management authentication components, which means that debugging problems such as with LDAP is difficult. There should be more information logged, particularly exceptions.

Comment 1 James Livingston 2013-06-14 01:15:13 UTC
The change at https://github.com/wildfly/wildfly/commit/ac3525d4860c66df7fd882532a647b4707140337#L14R25 for LDAP is a start.

Comment 2 Darran Lofthouse 2013-06-14 08:50:45 UTC
Let's get the ACK process started, in reality with everything else happening for EAP at the moment this change will be going in.

Comment 8 JBoss JIRA Server 2013-08-20 13:05:32 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-352 to Coding In Progress

Comment 9 JBoss JIRA Server 2013-08-29 15:12:03 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-352 to Resolved

Comment 10 James Livingston 2013-08-30 03:50:02 UTC
Upstream changes are at https://github.com/wildfly/wildfly/commit/3948c15fa6d9a4054aab3b16496be1219f4e1bbc

Comment 11 James Livingston 2013-08-30 04:25:40 UTC
PR for backport to 6.x: https://github.com/jbossas/jboss-eap/pull/326

Comment 12 Darran Lofthouse 2013-09-18 07:46:53 UTC
This probably actually made it into ER1

Comment 16 Josef Cacek 2013-11-28 20:59:40 UTC
Darran, is the fix ready for testing? If everything is merged, set the status to ON_QA, please.

Comment 17 Paul Gier 2013-12-04 16:59:48 UTC
Moving back to assigned because Darran said there is still some work required before the fix is complete.

Comment 18 Darran Lofthouse 2014-02-11 12:36:00 UTC
Adding a devel_ack so I can double check this in the current EAP codebase - the logging may have already been backported - if not there is plenty of logging upstream so will be trivial to backport.

Comment 20 Darran Lofthouse 2014-03-18 12:00:15 UTC
Pull request sent to add TRACE logging to the following class: -
  org.jboss.as.domain.management.connections.ldap.LdapConnectionManagerService

Inspecting the existing EAP code base the following classes already have TRACE logging backported from upstream so no further work was required: -
  org.jboss.as.domain.management.security.UserLdapCallbackHandler
  org.jboss.as.domain.management.security.LdapUserSearcherService
  org.jboss.as.domain.management.security.LdapSubjectSupplementalService.LdapSubjectSupplemental

I would suggest at this point that if GSS identify any additional logging required in this area to support active support cases that they submit pull requests for the additional logging.

Comment 22 Ondrej Lukas 2014-03-28 13:21:34 UTC
Unfortunately, verification on EAP 6.3.0.DR6 failed. It works fine in standalone mode, but there are still no related logs in domain mode.

Comment 23 Darran Lofthouse 2014-04-01 09:35:23 UTC
Can you please confirm how you are testing this in domain mode, the same code is used in both places.

Comment 24 Ondrej Lukas 2014-04-01 10:37:56 UTC
Hi Darran,
I added a logger category for "org.jboss.as.domain.management" at level TRACE:
<logger category="org.jboss.as.domain.management">
    <level name="TRACE"/>
</logger>

and set authentication in security realm for ManagementRealm via LDAP:
<authentication>
    <ldap connection="ldapConnection" base-dn="dc=jboss,dc=org" recursive="true">
        <username-filter attribute="uid"/>
    </ldap>
</authentication>
...
<outbound-connections>
    <ldap name="ldapConnection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>

Then I tried successful and unsuccessful authentication to the CLI. This works fine in standalone mode (logs appear in the log file), but there are no related logs in any of the log files when I run this configuration in domain mode (a server-group on the same profile as the one where logging is set also needs to be added). Given the name of this BZ, I think that domain mode logging is the main part of this issue.

Comment 25 Darran Lofthouse 2014-04-01 11:28:39 UTC
If you are using XML based configuration for logging, that sounds to me like you are adding that to the domain.xml.

In domain mode the authentication you are testing is happening within the host controller process, which is not influenced by domain configuration; instead I believe you are going to need to edit the logging.properties file to define the TRACE logging for that process.

Comment 26 Ondrej Lukas 2014-04-01 11:51:48 UTC
Thank you, Darran, for the advice. It was my fault; I tried it through logging.properties and now it works fine in domain mode too.

Verified on EAP 6.3.0.DR6.

Comment 27 Scott Mumford 2014-04-23 05:46:26 UTC
Reformatted doc text and marked for inclusion in 6.3.0 Release Notes
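
The point from comments 25 and 26, as an added example (not part of the bug report or the EAP code base): a Python check that a host controller logging.properties will actually emit TRACE records for org.jboss.as.domain.management. It assumes the JBoss LogManager properties layout (`loggers=`, `logger.<name>.level`, `handler.<name>.level`), handlers attached to the root logger only, and a constructed sample file; all function names are hypothetical.

```python
import re

# Subset of JBoss LogManager level names, most verbose first.
LEVELS = ["ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]

# Constructed sample of a host controller logging.properties (not from a real install).
SAMPLE = """\
loggers=org.jboss.as.config,org.jboss.as.domain.management
logger.org.jboss.as.config.level=DEBUG
logger.org.jboss.as.domain.management.level=TRACE
logger.level=${jboss.boot.server.log.level:INFO}
logger.handlers=BOOT_FILE,CONSOLE
handler.CONSOLE.level=INFO
handler.BOOT_FILE.level=TRACE
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def rank(value):
    """Index of a level in LEVELS; ${name:default} is reduced to its default."""
    m = re.fullmatch(r"\$\{[^:}]+:([^}]*)\}", value)
    return LEVELS.index((m.group(1) if m else value).upper())

def names(props, key):
    """Split a comma-separated property value into a list of names."""
    return [n.strip() for n in props.get(key, "").split(",") if n.strip()]

def effective_rank(props, category):
    """Level of the nearest ancestor declared in `loggers` that has a level set."""
    declared, name = set(names(props, "loggers")), category
    while name:
        if name in declared and f"logger.{name}.level" in props:
            return rank(props[f"logger.{name}.level"])
        name = name.rpartition(".")[0]
    return rank(props.get("logger.level", "INFO"))  # fall back to the root logger

def handlers_passing(text, category, wanted="TRACE"):
    """Root handlers that would emit `wanted` records logged under `category`."""
    props = parse_properties(text)
    if effective_rank(props, category) > rank(wanted):
        return []  # the logger itself discards the record
    return [h for h in names(props, "logger.handlers")
            if rank(props.get(f"handler.{h}.level", "ALL")) <= rank(wanted)]
```

An empty result means the LDAP realm messages will not appear, either because the category is missing from `loggers=` or because every handler's own level filters TRACE out.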