View Issue Details

ID: 0001275
Project: bareos-core
Category: General
View Status: public
Last Update: 2023-09-12 16:35
Reporter: roos
Assigned To: bruno-at-bareos
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Linux
OS: CentOS
OS Version: 7
Product Version: 19.2.8
Summary: 0001275: Credentials of LDAP plugin are logged / leaked when error occurs
Description: If an error occurs while trying to perform an LDAP backup, the complete credentials for the bind are logged to bconsole / webui.

Example leakage log:

2020-10-16 17:23:53 backup.xx.yy-fd JobId 42531: Fatal error: Plugin Directory not defined. Cannot use plugin: "python:module_path=/usr/lib64/bareos/plugins:module_name=bareos-fd-ldap:uri=ldaps\://ldap.example.com:basedn=dc=example,dc=com:bind_dn=cn=admin,dc=example,dc=com:password=AdminExamplePassWordYouShouldNotSee!"


Maybe read the credentials / binding setup from a separate config file, so it is not logged anymore.
Steps To Reproduce: I saw it on config errors.
Tags: No tags attached.

Activities

bruno-at-bareos

2023-08-02 19:12

manager   ~0005312

The change to hide the password in the JobMessage looks trivial to implement. Volunteer to make a community GitHub PR?
bruno-at-bareos

2023-09-12 16:35

manager   ~0005422

No return, please test the new python3 version of the plugin and reopen a new ticket if needed.
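
One way to mask the bind password before a plugin definition string is written to a job message, as an added example that is not Bareos code and not part of this ticket. It assumes options are separated by `:` with literal colons escaped as `\:`, as in the log line in the description; the function name and the `SENSITIVE_KEYS` set are hypothetical.

```python
import re

# Option keys whose values must never reach a job message. "password" is the
# key shown in the report; extend the set for other plugins (assumption).
SENSITIVE_KEYS = frozenset({"password"})
MASK = "****"

# Split on ':' only when it is not preceded by a backslash, because the
# plugin string escapes literal colons as '\:' (see the ldaps\:// URI).
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def redact_plugin_options(definition, sensitive=SENSITIVE_KEYS, mask=MASK):
    """Return the plugin definition with sensitive option values masked."""
    out, in_secret = [], False
    for field in _UNESCAPED_COLON.split(definition):
        key, sep, _value = field.partition("=")
        if sep and key.strip().lower() in sensitive:
            out.append(f"{key}={mask}")
            in_secret = True
        elif in_secret and not sep:
            # Tail of a secret that contained an unescaped ':'; drop it
            # rather than leak part of the value.
            continue
        else:
            out.append(field)
            in_secret = False
    return ":".join(out)


# The plugin definition from the log line in the description.
SAMPLE = (
    r"python:module_path=/usr/lib64/bareos/plugins"
    r":module_name=bareos-fd-ldap:uri=ldaps\://ldap.example.com"
    r":basedn=dc=example,dc=com:bind_dn=cn=admin,dc=example,dc=com"
    r":password=AdminExamplePassWordYouShouldNotSee!"
)

if __name__ == "__main__":
    print('Cannot use plugin: "%s"' % redact_plugin_options(SAMPLE))
```

The bind DN and URI stay readable for troubleshooting; only the value of a sensitive key is replaced.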

Issue History

Date Modified Username Field Change
2020-10-16 17:28 roos New Issue
2023-08-02 19:12 bruno-at-bareos Assigned To => bruno-at-bareos
2023-08-02 19:12 bruno-at-bareos Status new => feedback
2023-08-02 19:12 bruno-at-bareos Note Added: 0005312
2023-09-12 16:35 bruno-at-bareos Status feedback => closed
2023-09-12 16:35 bruno-at-bareos Resolution open => fixed
2023-09-12 16:35 bruno-at-bareos Note Added: 0005422