Bug 974324
| Summary: | EAP 6 Domain Mode Logging for Management is nonexistent | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | James Livingston <jlivings> |
| Component: | Security | Assignee: | Darran Lofthouse <darran.lofthouse> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Josef Cacek <jcacek> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1.0 | CC: | cdewolf, darran.lofthouse, jcacek, jlivings, joallen, kkhan, myarboro, olukas, smumford |
| Target Milestone: | DR6 | Flags: | cdewolf: needinfo- |
| Target Release: | EAP 6.3.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | In previous versions of JBoss EAP 6, TRACE and DEBUG logging had not been added to the LDAP interactions within the security realms. This made diagnosing authentication issues where LDAP is in use extremely difficult as no debug logging was available. DEBUG logging has now been added to the security realms where LDAP is used. Customers can now use these logs to diagnose LDAP-related issues with security realms. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-28 15:26:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
Description
James Livingston
2013-06-14 01:13:58 UTC
The change at https://github.com/wildfly/wildfly/commit/ac3525d4860c66df7fd882532a647b4707140337#L14R25 for LDAP is a start.

Let's get the ACK process started, in reality with everything else happening for EAP at the moment this change will be going in.

Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-352 to Coding In Progress

Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-352 to Resolved

Upstream changes are at https://github.com/wildfly/wildfly/commit/3948c15fa6d9a4054aab3b16496be1219f4e1bbc

PR for backport to 6.x: https://github.com/jbossas/jboss-eap/pull/326

This probably actually made it into ER1

Darran, is the fix ready for testing? If everything is merged, set the status to ON_QA, please.

Moving back to assigned because Darran said there is still some work required before the fix is complete.

Adding a devel_ack so I can double check this in the current EAP codebase - the logging may have already been backported - if not there is plenty of logging upstream so will be trivial to backport.

Pull request sent to add TRACE logging to the following class:
- org.jboss.as.domain.management.connections.ldap.LdapConnectionManagerService

Inspecting the existing EAP code base the following classes already have TRACE logging backported from upstream so no further work was required:
- org.jboss.as.domain.management.security.UserLdapCallbackHandler
- org.jboss.as.domain.management.security.LdapUserSearcherService
- org.jboss.as.domain.management.security.LdapSubjectSupplementalService.LdapSubjectSupplemental

I would suggest at this point that if GSS identify any additional logging required in this area to support active support cases that they submit pull requests for the additional logging.

Unfortunately verification on EAP 6.3.0.DR6 failed. It works fine on standalone mode but there are still no related logs on domain mode.

Can you please confirm how you are testing this in domain mode, the same code is used in both places.

Hi Darran,
I added logger category for "org.jboss.as.domain.management" on level TRACE:
<logger category="org.jboss.as.domain.management">
  <level name="TRACE"/>
</logger>
and set authentication in security realm for ManagementRealm via LDAP:
<authentication>
  <ldap connection="ldapConnection" base-dn="dc=jboss,dc=org" recursive="true">
    <username-filter attribute="uid"/>
  </ldap>
</authentication>
...
<outbound-connections>
  <ldap name="ldapConnection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>
Then I tried successful and unsuccessful authentication to the CLI. These work fine in standalone mode (logs appear in the log file) but there are no related logs in any of the log files when I try to run this configuration in domain mode (also, a server-group on the same profile as the one where logging is set needs to be added). According to the name of this BZ I think that domain mode logging is the main part of this issue.

If you are using XML based configuration for logging that sounds to me like you are adding that to the domain.xml. In domain mode the authentication you are testing is happening within the host controller process which is not influenced by domain configuration, instead I believe you are going to need to edit the logging.properties file to define the TRACE logging for that process.

Thank you Darran for the advice. It was my fault, I tried it through logging.properties and now it works fine in domain mode too. Verified on EAP 6.3.0.DR6.

Reformatted doc text and marked for inclusion in 6.3.0 Release Notes
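
The host controller setting that resolved the verification above, as an added example that is not part of the original report or the project's shipped configuration: a jboss-logmanager style `logging.properties` fragment for the host controller process. The handler name `FILE` is a placeholder and the location of the file depends on the installation; both are assumptions.

```properties
# Added example (not from the bug report): host controller logging.properties
# for domain mode. The logging subsystem in domain.xml configures the managed
# servers only; management authentication runs in the host controller, which
# takes its logging setup from this file.

# Register the category used in this report. Append it to the existing
# comma-separated list rather than replacing entries already present.
loggers=org.jboss.as.domain.management

# TRACE for the security realm and LDAP connection classes named in the thread.
logger.org.jboss.as.domain.management.level=TRACE
logger.org.jboss.as.domain.management.useParentHandlers=true

# A handler whose own level is above TRACE drops these records even though the
# logger accepts them. FILE is a placeholder: use the handler name(s) that your
# file already assigns to the root logger.
handler.FILE.level=TRACE
```

The file is read when the process starts, so restart the host controller after editing it, and restore the previous levels once the LDAP problem has been diagnosed.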