Bug 1227462

Summary: openshift plugin does not obfuscate LDAP password on httpd config files
Product: Red Hat Enterprise Linux 6
Reporter: Josep 'Pep' Turro Mauri <pep>
Component: sos
Assignee: Shane Bradley <sbradley>
Status: CLOSED ERRATA
QA Contact: Petr Šplíchal <psplicha>
Severity: medium
Docs Contact: Jiri Herrmann <jherrman>
Priority: medium
Version: 6.6
CC: agk, bmr, dkutalek, gavin, jherrman, ohudlick, plambri, pmoravec, psplicha, sbradley
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: sos-3.2-38.el6
Doc Type: Release Note
Doc Text:
LDAP bind passwords are properly obfuscated

In some cases, it was previously possible for the *sosreport* utility to capture LDAP bind credentials in plain text. This problem has been fixed, and LDAP bind passwords are now obfuscated in *sosreport* as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-10 21:06:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Josep 'Pep' Turro Mauri 2015-06-02 17:35:26 UTC
Description of problem:
If the openshift broker or console httpd configuration uses LDAP authentication that requires binding, the collected config file would contain an AuthLDAPBindPassword that is not obfuscated by the plugin.

Version-Release number of selected component (if applicable):
sos-2.2-68.el6.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure an OpenShift broker to use LDAP authentication with a binddn that has a password
2. Collect a sosreport


Actual results:
/var/www/openshift/{broker,console}/httpd/conf.d/openshift-origin-auth-remote-user-ldap.conf are copied as is including the password

Expected results:
AuthLDAPBindPassword is obfuscated

Additional info:
See LDAP Authentication in the deployment guide and AuthLDAPBindDN / AuthLDAPBindPassword of mod_ldap

Comment 1 Josep 'Pep' Turro Mauri 2015-06-02 17:51:22 UTC
sos-2.2-68.el6.noarch is what's available right now in EL6 but this applies to any version including upstream AFAIK.

A sample openshift-origin-auth-remote-user-ldap.conf showing the problem looks like this:

...
<Location /broker>
  AuthName "OpenShift broker API"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPBindDN "cn=user,ou=Users,dc=example,dc=com"
  # ldap[s]://host/basedn?attribute?scope?filter (mod_ldap AuthLDAPURL form)
  AuthLDAPURL "ldaps://ldap.example.com/ou=Users,dc=example,dc=com?SamAccountName?sub?"
  require valid-user
  # bind credential copied verbatim into the sosreport by the openshift plugin
  AuthLDAPBindPassword "IShouldNotBeHere"
...
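
The kind of post-processing the report asks the plugin for, as an added illustration (this is not the sos project's code and does not use the sos plugin API): a regex that masks the value of every AuthLDAPBindPassword directive in an httpd config while leaving AuthLDAPBindDN and AuthLDAPURL untouched, plus a check that can be run over a collected file to confirm no plaintext bind password survived. The sample config is constructed here from the excerpt above; the function names are this example's own.

```python
import re

# Constructed sample, modelled on the config excerpt in this bug (not a real file).
SAMPLE_CONF = """\
<Location /broker>
  AuthName "OpenShift broker API"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPBindDN "cn=user,ou=Users,dc=example,dc=com"
  AuthLDAPURL "ldaps://ldap.example.com/ou=Users,dc=example,dc=com?SamAccountName?sub?"
  require valid-user
  AuthLDAPBindPassword "IShouldNotBeHere"
</Location>
"""

# One httpd directive per line. The value may be quoted (possibly containing
# spaces) or bare (e.g. an exec: form), so both alternatives are accepted.
# Directive names are case-insensitive in httpd, hence IGNORECASE.
BIND_PASSWORD_RE = re.compile(
    r'^(?P<lead>[ \t]*AuthLDAPBindPassword[ \t]+)(?P<value>"[^"]*"|\S+)[ \t]*$',
    re.IGNORECASE | re.MULTILINE,
)

MASK = '"********"'


def obfuscate_bind_password(text: str) -> str:
    """Return the config text with every AuthLDAPBindPassword value masked.

    Only the value is replaced; indentation and the directive name are kept so
    the collected file still reads as valid httpd configuration.
    """
    return BIND_PASSWORD_RE.sub(lambda m: m.group("lead") + MASK, text)


def find_plaintext_bind_passwords(text: str) -> list[str]:
    """Return the raw AuthLDAPBindPassword values still present in the text.

    An empty list means the file is safe to ship in a report; a non-empty list
    is exactly the defect described in this bug.
    """
    return [
        m.group("value")
        for m in BIND_PASSWORD_RE.finditer(text)
        if m.group("value") != MASK
    ]


if __name__ == "__main__":
    print("before:", find_plaintext_bind_passwords(SAMPLE_CONF))
    cleaned = obfuscate_bind_password(SAMPLE_CONF)
    print("after: ", find_plaintext_bind_passwords(cleaned))
    print(cleaned)
```

The check function is the useful half for a verifier: run it over the openshift-origin-auth-remote-user-ldap.conf copies inside an unpacked sosreport tarball, and a non-empty result means the plugin version in use still leaks the credential.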

Comment 10 errata-xmlrpc 2016-05-10 21:06:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0819.html