Description of problem:
If the openshift broker or console httpd configuration uses LDAP authentication that requires binding, the collected config file would contain an AuthLDAPBindPassword that is not obfuscated by the plugin.

Version-Release number of selected component (if applicable):
sos-2.2-68.el6.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure an OpenShift broker to use LDAP authentication and use a binddn with a password
2. Collect sosreport

Actual results:
/var/www/openshift/{broker,console}/httpd/conf.d/openshift-origin-auth-remote-user-ldap.conf are copied as is, including the password

Expected results:
AuthLDAPBindPassword is obfuscated

Additional info:
See LDAP Authentication in the deployment guide and AuthLDAPBindDN / AuthLDAPBindPassword of mod_ldap
sos-2.2-68.el6.noarch is what's available right now in EL6 but this applies to any version including upstream AFAIK.

A sample openshift-origin-auth-remote-user-ldap.conf showing the problem looks like this:

...
<Location /broker>
    AuthName "OpenShift broker API"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindDN "cn=user,ou=Users,dc=example,dc=com"
    AuthLDAPURL "ldaps:///ldap.example.com/ou=Users,dc=example,dc=com?SamAccountName?sub?"
    require valid-user
    AuthLDAPBindPassword "IShouldNotBeHere"
...
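Added example, not part of the original report and not sos code: a sketch of the obfuscation the report asks for, masking every AuthLDAPBindPassword value in httpd config text. The names scrub_bind_password and MASK are hypothetical, and the sample config is constructed from the one shown above.

```python
import re

MASK = "********"  # hypothetical replacement string

# Apache directive names are case-insensitive, so match with IGNORECASE.
# Everything after the directive up to end of line is treated as the secret
# (quoted, unquoted, or containing spaces). Commented-out directives are
# masked too, since an old password left in a comment is still a secret.
_BINDPW_RE = re.compile(
    r"^(?P<head>[ \t]*#?[ \t]*AuthLDAPBindPassword[ \t]+)"
    r"(?P<value>\S[^\r\n]*?)[ \t]*(?=\r?$)",
    re.IGNORECASE | re.MULTILINE,
)


def scrub_bind_password(conf_text):
    """Return (scrubbed_text, replacements) with each bind password masked."""
    return _BINDPW_RE.subn(lambda m: m.group("head") + MASK, conf_text)


# Constructed sample modelled on the config in this report.
SAMPLE = '''<Location /broker>
    AuthName "OpenShift broker API"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindDN "cn=user,ou=Users,dc=example,dc=com"
    require valid-user
    AuthLDAPBindPassword "IShouldNotBeHere"
    authldapbindpassword unquoted-secret
    # AuthLDAPBindPassword "old secret with spaces"
</Location>
'''

if __name__ == "__main__":
    scrubbed, count = scrub_bind_password(SAMPLE)
    print(scrubbed)
    print("masked %d value(s)" % count)
```

The bind DN and the rest of the file are left untouched, so the collected config stays useful for troubleshooting.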
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0819.html