Darran Lofthouse updated ELY-1940:
----------------------------------
Fix Version/s: 1.12.0.CR1
Elytron LDAP Squashes Authentication Exception
----------------------------------------------
Key: ELY-1940
URL:
https://issues.redhat.com/browse/ELY-1940
Project: WildFly Elytron
Issue Type: Bug
Components: Authentication Mechanisms
Reporter: Lin Gao
Assignee: Lin Gao
Priority: Major
Labels: downstream_dependency, elytron, ldap, logging
Fix For: 1.6.6.Final, 1.12.0.CR1
Trace logging shows:
{code}
2020-03-10 13:51:38,549 DEBUG [org.wildfly.security] (management task-1) Found entry
[uid=dguthrie,ou=users,dc=example,dc=com].
2020-03-10 13:51:38,550 DEBUG [org.wildfly.security] (management task-1) Identity for
principal [dguthrie] found at [uid=dguthrie,ou=users,dc=example,dc=com].
2020-03-10 13:51:38,581 DEBUG [org.wildfly.security] (management task-1) Credential
direct evidence verification failed. DN: [uid=dguthrie,ou=users,dc=example,dc=com]
2020-03-10 13:51:38,581 DEBUG [org.wildfly.security] (management task-1) Context
[javax.naming.ldap.InitialLdapContext@25061db2] was closed. Connection closed or just
returned to the pool.
2020-03-10 13:51:38,581 TRACE [org.wildfly.security] (management task-1) Handling
AuthenticationCompleteCallback: fail
2020-03-10 13:51:38,582 TRACE [org.jboss.remoting.remote.server] (management task-1)
Server sending authentication rejected: javax.security.sasl.SaslException: ELY05013:
Authentication mechanism password not verified
{code}
Where "Credential direct evidence verification failed. DN:
[uid=dguthrie,ou=users,dc=example,dc=com]" is missing the exception or even a
reason.
In DirectEvidenceVerifier.java around line 102 in the Exception handler it has
{code}
log.debugf("Credential direct evidence verification failed. DN: [%s]",
distinguishedName,e);
{code}
In this case, the "e" is the exception, but that parameter position is for the
string formatting for which there is no token in the formatter. I believe what they meant
to write was:
{code}
log.debugf(e, "Credential direct evidence verification failed. DN: [%s]",
distinguishedName);
{code}
See [GitHub|https://github.com/jbossas/wildfly-elytron/blob/96c2273dc0503a23d1...]
where the first parameter is the exception. A customer is migrating from legacy to
elytron, and they have been using the LDAP error codes in the log for their internal IT to
help figure out why people failed login. It's also invaluable for support.
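The overload mix-up described in the report can be checked in isolation. The following is an added example, not code from the ELY-1940 report or from the WildFly Elytron code base: it assumes only {{org.jboss.logging:jboss-logging}} on the classpath, forces the {{java.util.logging}} provider with the {{org.jboss.logging.provider}} system property, and captures the emitted {{LogRecord}} to see whether the exception travelled with it. The logger name, the {{DebugfOverloadCheck}} class and the {{AuthenticationException}} message are constructed for the example.

```java
// Added example (not from the ELY-1940 report or the Elytron code base).
// Assumes org.jboss.logging:jboss-logging on the classpath; the JUL provider is
// selected below so a plain java.util.logging.Handler can inspect the record.
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;

import org.jboss.logging.Logger;

public class DebugfOverloadCheck {

    // Keeps the last java.util.logging record so the caller can inspect it.
    static final class CapturingHandler extends Handler {
        volatile LogRecord last;
        @Override public void publish(LogRecord record) { last = record; }
        @Override public void flush() {}
        @Override public void close() {}
    }

    // Hypothetical logger name, chosen for the example only.
    static final String LOGGER_NAME = "org.wildfly.security.example";

    // Mirrors the pre-fix call quoted in the report: the exception is passed as a
    // format parameter, so Java resolves debugf(String, Object, Object) and the
    // extra argument is silently dropped because the format has a single %s.
    static void logBuggy(Logger log, String dn, Exception e) {
        log.debugf("Credential direct evidence verification failed. DN: [%s]", dn, e);
    }

    // The corrected call: the Throwable comes first, so Java resolves
    // debugf(Throwable, String, Object) and the cause is attached to the record.
    static void logFixed(Logger log, String dn, Exception e) {
        log.debugf(e, "Credential direct evidence verification failed. DN: [%s]", dn);
    }

    // True when the most recent record carries an exception.
    static boolean throwableAttached(CapturingHandler handler) {
        return handler.last != null && handler.last.getThrown() != null;
    }

    public static void main(String[] args) {
        // Must be set before org.jboss.logging.Logger is first used.
        System.setProperty("org.jboss.logging.provider", "jul");

        java.util.logging.Logger jul = java.util.logging.Logger.getLogger(LOGGER_NAME);
        CapturingHandler handler = new CapturingHandler();
        handler.setLevel(Level.ALL);
        jul.setLevel(Level.FINE);          // JBoss Logging DEBUG maps to JUL FINE
        jul.setUseParentHandlers(false);
        jul.addHandler(handler);

        Logger log = Logger.getLogger(LOGGER_NAME);
        String dn = "uid=dguthrie,ou=users,dc=example,dc=com";
        // Constructed stand-in for the javax.naming exception an LDAP bind failure raises.
        Exception e = new javax.naming.AuthenticationException(
                "constructed LDAP bind failure (the real message carries the server's error code)");

        logBuggy(log, dn, e);
        System.out.println("buggy form attached cause: " + throwableAttached(handler));  // false

        handler.last = null;
        logFixed(log, dn, e);
        System.out.println("fixed form attached cause: " + throwableAttached(handler));  // true
    }
}
```

Run with the JBoss Logging jar on the classpath; the first line prints {{false}} and the second {{true}}, which is exactly the difference between the DEBUG line in the trace above (DN only) and a line that also carries the LDAP server's reason for the failed bind. The same {{getThrown()}} check can be used in a unit test around any logging call that is supposed to record a cause.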