Description of problem:
When the console is running in Debug mode, it logs passwords in plain text when admin logs in console, creates a user with a password, etc. By default we should mask passwords.

Version-Release number of selected component (if applicable):
idm-console-framework-1.1.9-1.el7dsrv.noarch
redhat-idm-console-10.0.0-1.el7dsrv.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Run redhat-idm-console -D -f console.log
2. Log in console with your credentials. Open DS console, create a user with a password, change admin password.
3. Check console.log for passwords that were used in [2].

Actual results:
Using console as admin user:

DSAdmin.initialize(): _removed=false info=ConsoleInfo(rhel7ds.brq.redhat.com, 389, cn=Directory Manager, Secret123, o=NetscapeRoot) _info=null
DSAdmin.select(): _removed=false viewInstance=com.netscape.management.client.topology.TopologyResourcePage[,1,22,1899x923,invalid,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=] _info=ConsoleInfo(rhel7ds.brq.redhat.com, 389, cn=Directory Manager, Secret123, o=NetscapeRoot)
DSAdmin.run: begin for server ConsoleInfo(rhel7ds.brq.redhat.com, 389, cn=Directory Manager, Secret123, dc=example,dc=com)
CGIReportTask.exec(): username=cn=Directory Manager password=Secret123
ReplicationTool.verifyDM: authDN = <cn=Directory Manager>, authPassword = <Secret123>

Creating a user:

attributes={userpassword=LDAPAttribute {type='userpassword', values='Secret12345'}, uid=LDAPAttribute {type='uid', values='tuser'}, givenname=LDAPAttribute {type='givenname', values='test'}, objectclass=LDAPAttribute {type='objectclass', values='top,person,organizationalPerson,inetorgperson'}, sn=LDAPAttribute {type='sn', values='user'}, cn=LDAPAttribute {type='cn', values='test user'}}

Expected results:
Passwords should be masked with (preferably) fixed number of symbols such as asterisks, so the length and content of the password would be unknown.
Upstream ticket: https://fedorahosted.org/389/ticket/48134
Build tested: idm-console-framework-1.1.12-1.el7dsrv.noarch

$ grep Secret123 console.log
DSAdmin.initialize(): _removed=false info=ConsoleInfo(rhel7ds.brq.redhat.com, 389, cn=Directory ***password***, Secret123, o=NetscapeRoot) _info=null
DSAdmin.select(): _removed=false viewInstance=com.netscape.management.client.topology.TopologyResourcePage[,1,22,1899x923,invalid,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=] _info=ConsoleInfo(rhel7ds.brq.redhat.com, 389, cn=Directory ***password***, Secret123, o=NetscapeRoot)
DSAdmin.run: begin for server ConsoleInfo(rhel7ds.brq.redhat.com, 389, cn=Directory ***password***, Secret123, dc=example,dc=com)

For some reason "Manager" in "cn=Directory Manager" was masked, but not the password.
Thank you for finding this, Viktor. My bad... I usually log in to Console as "admin", which is one word. I stupidly assumed the login user (dn) has no space in it... :p
Build tested: idm-console-framework-1.1.13-1.el7dsrv

$ grep -c Secret123 console.log
0

Thank you, Noriko, for fixing it so fast :)
Marking as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2015:1094
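
The failure seen in the 1.1.12 build (the mask landing on part of a bind DN that contains a space) can be turned into a regression check over the log formats quoted in this report. The following is an added example, not the project's fix or code from the report: the regular expressions, the `MASK` value and the names `mask_line` and `leaks` are assumptions derived only from the log lines above.

```python
import re

MASK = "********"  # fixed width: hides both the content and the length

# (pattern, replacement) pairs; all are assumptions based on the quoted log lines.
RULES = [
    # ConsoleInfo(host, port, bind DN, password, suffix), fields joined by ", ".
    # Lazy DN + greedy password: a DN containing spaces stays intact, and a
    # password containing ", " is still masked whole (ambiguity over-masks).
    (re.compile(r"(ConsoleInfo\([^,]+, \d+, .+?, ).*(, [^()]*\))"), rf"\g<1>{MASK}\g<2>"),
    # LDAPAttribute dump of a new entry's userpassword value.
    (re.compile(r"(type='userpassword', values=').*?('\})", re.I), rf"\g<1>{MASK}\g<2>"),
    # ReplicationTool.verifyDM: authPassword = <...>
    (re.compile(r"(authPassword = <).*(>)"), rf"\g<1>{MASK}\g<2>"),
    # CGIReportTask.exec(): password=... runs to the end of the line.
    # \b keeps this rule from firing on "userpassword=".
    (re.compile(r"(\bpassword=).*"), rf"\g<1>{MASK}"),
]

def mask_line(line: str) -> str:
    """Apply every masking rule to one debug-log line."""
    for pattern, repl in RULES:
        line = pattern.sub(repl, line)
    return line

def leaks(lines, secrets):
    """Return (line index, secret) pairs for secrets that survive masking."""
    return [(i, s) for i, l in enumerate(lines) for s in secrets if s in mask_line(l)]

# Sample input: log lines copied from the report's "Actual results".
SAMPLE = [
    "DSAdmin.initialize(): _removed=false info=ConsoleInfo(rhel7ds.brq.redhat.com, 389, "
    "cn=Directory Manager, Secret123, o=NetscapeRoot) _info=null",
    "DSAdmin.run: begin for server ConsoleInfo(rhel7ds.brq.redhat.com, 389, "
    "cn=Directory Manager, Secret123, dc=example,dc=com)",
    "CGIReportTask.exec(): username=cn=Directory Manager password=Secret123",
    "ReplicationTool.verifyDM: authDN = <cn=Directory Manager>, authPassword = <Secret123>",
    "attributes={userpassword=LDAPAttribute {type='userpassword', values='Secret12345'}, "
    "uid=LDAPAttribute {type='uid', values='tuser'}}",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(mask_line(line))
    print("leaks:", leaks(SAMPLE, ["Secret123", "Secret12345"]))
```

Scrubbing log text after the fact is a safety net; the parsing is ambiguous when both the DN and the password contain ", ", which is why the rules err toward masking too much.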