  1. Karaf
  2. KARAF-3373

Log lower level root cause exception in LDAPLoginModule.doLogin()


Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.0.0
    • 3.0.3, 2.3.10, 2.4.2, 4.0.0.M3
    • karaf
    • LDAP based JAAS login module

    Description

      Method org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin() catches any exception and raises a new LoginException:

      LDAPLoginModule.java
      } catch (Exception e) {
        throw new LoginException("Can't connect to the LDAP server: " + e.getMessage());
      } finally {
        ...
      }
      

      However, in case something is wrong with the LDAP configuration (e.g. wrong SSL certificates), the root cause will be lost, as e.getMessage() only returns a fairly generic message, like

      Can't connect to the LDAP server: simple bind failed: localhost:10636
      

      whereas the root cause really is

      sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      

      We should somehow ensure this root cause is getting logged as well.
      Unfortunately the call stack to calling LDAPLoginModule.doLogin() includes the javax.security.auth.login.LoginContext which completely swallows the original LoginException raised in doLogin(). It only re-raises a very generic LoginException with the message:

      javax.security.auth.login.FailedLoginException: User doesn't exist
      

      The original exception message is lost.

      So there is no point in wrapping the root cause exception message in the LoginException to be thrown by LDAPLoginModule.doLogin().
      Instead, I suggest logging the root cause in doLogin() as a warning, as in the attached patch.

      Attachments

        1. KARAF-3373.patch
          1 kB
          Torsten Mielke
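
      The approach suggested in the description (log the full exception as a warning before throwing), as an added example that is not part of the issue or the attached patch. The class name, simulatedBind() and rootCause() are hypothetical, the exception chain is constructed to mirror the messages quoted above, and java.util.logging stands in for whatever logger the module uses.

```java
import java.security.cert.CertificateException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
import javax.net.ssl.SSLHandshakeException;
import javax.security.auth.login.LoginException;

public class RootCauseLoggingDemo {
    private static final Logger LOG = Logger.getLogger(RootCauseLoggingDemo.class.getName());

    // Constructed stand-in for a failing LDAPS bind: generic message on top, certificate error below.
    static void simulatedBind() throws NamingException {
        CertificateException pkix = new CertificateException(
            "PKIX path building failed: unable to find valid certification path to requested target");
        SSLHandshakeException tls = new SSLHandshakeException(pkix.toString());
        tls.initCause(pkix);
        CommunicationException ne = new CommunicationException("simple bind failed: localhost:10636");
        ne.setRootCause(tls); // NamingException.getCause() returns this root cause
        throw ne;
    }

    // Walk getCause() to the innermost exception, guarding against a self-referencing chain.
    static Throwable rootCause(Throwable t) {
        Throwable cur = t;
        while (cur.getCause() != null && cur.getCause() != cur) {
            cur = cur.getCause();
        }
        return cur;
    }

    static void doLogin() throws LoginException {
        try {
            simulatedBind();
        } catch (Exception e) {
            // Passing e as the last argument logs the stack trace and every "Caused by" entry,
            // so the certificate error reaches the log even if the caller discards the exception.
            LOG.log(Level.WARNING, "Can't connect to the LDAP server: " + e.getMessage()
                + " (root cause: " + rootCause(e) + ")", e);
            throw new LoginException("Can't connect to the LDAP server: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        try { doLogin(); } catch (LoginException e) {
            System.out.println("caller sees only: " + e.getMessage());
        }
    }
}
```

      Running it prints the generic "simple bind failed" message to the caller, while the warning in the log names the CertificateException and its PKIX message.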

            People

              jbonofre Jean-Baptiste Onofré
              tmielke Torsten Mielke