In previous versions of JBoss EAP 6, TRACE and DEBUG logging had not been added to the LDAP interactions within the security realms. This made diagnosing authentication issues where LDAP is in use extremely difficult, as no debug logging was available. DEBUG logging has now been added to the security realms where LDAP is used. Customers can now use these logs to diagnose LDAP-related issues with security realms.
There is basically no logging done inside the management authentication components, which means that debugging problems such as with LDAP is difficult. There should be more information logged, particularly exceptions.
The change at https://github.com/wildfly/wildfly/commit/ac3525d4860c66df7fd882532a647b4707140337#L14R25 for LDAP is a start.
Let's get the ACK process started; in reality, with everything else happening for EAP at the moment, this change will be going in.
Darran Lofthouse <email@example.com> updated the status of jira WFLY-352 to Coding In Progress
Darran Lofthouse <firstname.lastname@example.org> updated the status of jira WFLY-352 to Resolved
Upstream changes are at https://github.com/wildfly/wildfly/commit/3948c15fa6d9a4054aab3b16496be1219f4e1bbc
PR for backport to 6.x: https://github.com/jbossas/jboss-eap/pull/326
This probably actually made it into ER1
Darran, is the fix ready for testing? If everything is merged, set the status to ON_QA, please.
Moving back to assigned because Darran said there is still some work required before the fix is complete.
Adding a devel_ack so I can double-check this in the current EAP codebase - the logging may have already been backported - if not, there is plenty of logging upstream so it will be trivial to backport.
Pull request sent to add TRACE logging to the following class: -
Inspecting the existing EAP code base the following classes already have TRACE logging backported from upstream so no further work was required: -
I would suggest at this point that if GSS identify any additional logging required in this area to support active support cases that they submit pull requests for the additional logging.
Unfortunately verification on EAP 6.3.0.DR6 failed. It works fine on standalone mode but there are still no related logs on domain mode.
Can you please confirm how you are testing this in domain mode; the same code is used in both places.
I added logger category for "org.jboss.as.domain.management" on level TRACE:
and set authentication in security realm for ManagementRealm via LDAP:
<ldap connection="ldapConnection" base-dn="dc=jboss,dc=org" recursive="true">
<ldap name="ldapConnection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
Then I tried successful and unsuccessful authentication to the CLI. This works fine in standalone mode (logs appear in the log file), but there are no related logs in any of the log files when I run this configuration in domain mode (also, a server group on the same profile where logging is set needs to be added). According to the name of this BZ, I think that domain mode logging is the main part of this issue.
If you are using XML-based configuration for logging, that sounds to me like you are adding that to the domain.xml.
In domain mode the authentication you are testing is happening within the host controller process, which is not influenced by domain configuration; instead I believe you are going to need to edit the logging.properties file to define the TRACE logging for that process.
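For the host controller case described in the comment above, the following is an added example of the logging.properties entries that enable TRACE for the management security realm category. It is not configuration from this bug or from the EAP distribution; it assumes the JBoss LogManager properties format used by EAP 6.x, that the file being edited is the host controller's domain/configuration/logging.properties, and that the FILE handler name and host-controller.log file name are placeholders to be matched to the existing file.

```properties
# Added example (assumption: EAP 6.x host controller, JBoss LogManager properties format).
# Declare the logger category; merge with any categories already listed in the existing file.
loggers=org.jboss.as.domain.management

# TRACE on the domain management category exposes the LDAP connection, search and bind
# steps performed during management authentication in the host controller process.
logger.org.jboss.as.domain.management.level=TRACE
logger.org.jboss.as.domain.management.useParentHandlers=true

# Root logger stays at INFO; the handler it writes to must admit TRACE or the records are dropped.
logger.level=INFO
logger.handlers=FILE

# Handler and file name are assumed placeholders; reuse the handler already defined in the file.
handler.FILE=org.jboss.logmanager.handlers.PeriodicRotatingFileHandler
handler.FILE.level=TRACE
handler.FILE.properties=autoFlush,append,suffix,fileName
handler.FILE.autoFlush=true
handler.FILE.append=true
handler.FILE.suffix=.yyyy-MM-dd
handler.FILE.fileName=${jboss.domain.log.dir}/host-controller.log
handler.FILE.formatter=PATTERN

formatter.PATTERN=org.jboss.logmanager.formatters.PatternFormatter
formatter.PATTERN.properties=pattern
formatter.PATTERN.pattern=%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n
```

The host controller reads this file at process start, so it has to be restarted for the category to take effect; the logging subsystem in domain.xml only governs the managed servers, which is why the same TRACE logger configured there never produced LDAP output for CLI authentication. TRACE on this category records the DNs and filters used during searches, so the verbosity is best limited to the diagnosis window and the log file kept under the same access controls as the host configuration.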
Thank you Darran for the advice. It was my fault; I tried it through logging.properties and now it works fine in domain mode too.
Verified on EAP 6.3.0.DR6.
Reformatted doc text and marked for inclusion in 6.3.0 Release Notes