Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-9277

ldap Check Authentication IOException bind failures may not be logged a default log levels

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.11.4
    • Fix Version/s: None
    • Component/s: LDAP, Logging
    • Labels:
    • Story Points:
      2
    • Notability:
      4

      Description

      Configure an LDAP server in Nexus OSS using valid bind credentials and an ldaps connection. Make sure Nexus does not trust the ldaps certificate provided by the remote.

      Use the Check Authentication button in Nexus OSS LDAP configuration to try and verify the connection works. When the SSL certificate of the remote is not trusted ( PKIX path building fails ), then the only message in the UI states "bind failed" with no mention of an SSL certificate issue.

      At INFO level logging, the nexus.log does not contain anything about the bind failure for the check, let alone anything to do with PKIX path building problems.

      Only when the ROOT logger is set to DEBUG, do we see the real cause of the problem, at the bottom of a large stack trace.

      Expected: End user should get informative message from the UI, or at least in the Nexus log at INFO level, referencing an SSL certificate trust issue so they know the real cause of the error instead of guessing it is a credential issue. The user is checking authentication - they are explicitly trying to verify and debug if the connection is working. If they get no actionable help about why it isn't working, what is the point? If the message references a bind issue, their first reaction is there is a problem with the credentials.

      A similar problem may be present with logging when an LDAP bind fails due to Caused by: java.net.NoRouteToHostException: No route to host.

      Should not have to enable DEBUG logging for such common IOException root cause problems.

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Rich Seddon Rich Seddon
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Date of First Response:

                tigCommentSecurity.panel-title