I would like to see the ability to enable a debug logging mode around Host Access Control. So if we are seeing failed logins in a complicated environment we would be able to track down what Host Access group that is having the trouble.
It could even just be something simple in that it will return the group that is failing for the user in debug logs so that info is not logged by default to syslog and only when we enable debug mode. As well what groups were looked up and that the user was found to not be a member of.
This would allow for quicker and more accurate troubleshooting of login failures around host access as currently we are just notified that the user is not a member of the required groups.