Bug 1227462 - openshift plugin does not obfuscate LDAP password on httpd config files
Summary: openshift plugin does not obfuscate LDAP password on httpd config files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sos
Version: 6.6
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Shane Bradley
QA Contact: Petr Šplíchal
Jiri Herrmann
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-02 17:35 UTC by Josep 'Pep' Turro Mauri
Modified: 2016-06-01 01:48 UTC (History)
10 users (show)

Fixed In Version: sos-3.2-38.el6
Doc Type: Release Note
Doc Text:
LDAP bind passwords are properly obfuscated In some cases, it was previously possible for the *sosreport* utility to capture LDAP bind credentials in plain text. This problem has been fixed, and LDAP bind passwords are now obfuscated in *sosreport* as expected.
Clone Of:
Environment:
Last Closed: 2016-05-10 21:06:03 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0819 0 normal SHIPPED_LIVE sos bug fix and enhancement update 2016-05-10 22:39:56 UTC

Description Josep 'Pep' Turro Mauri 2015-06-02 17:35:26 UTC
Description of problem:
If the openshift broker or console httpd configuration uses LDAP authentication that requires binding, the collected config file would contain an AuthLDAPBindPassword that is not obfuscated by the plugin.

Version-Release number of selected component (if applicable):
sos-2.2-68.el6.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure an OpenShift broker to use LDAP authentication and uses a binddn with a password 
2. collect sosreport


Actual results:
/var/www/openshift/{broker,console}/httpd/conf.d/openshift-origin-auth-remote-user-ldap.conf are copied as is including the password

Expected results:
AuthLDAPBindPassword is obfuscated

Additional info:
See LDAP Authentication in the deployment guide and AuthLDAPBindDN / AuthLDAPBindPassword of mod_ldap

Comment 1 Josep 'Pep' Turro Mauri 2015-06-02 17:51:22 UTC
sos-2.2-68.el6.noarch is what's available right now in EL6 but this applies to any version including upstream AFAIK.

A sample openshift-origin-auth-remote-user-ldap.conf showing the problem looks like this:

...
<Location /broker>
  AuthName "OpenShift broker API"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPBindDN "cn=user,ou=Users,dc=example,dc=com"
  AuthLDAPURL "ldaps:///ldap.example.com/ou=Users,dc=example,dc=com?SamAccountName?sub?"
  require valid-user
  AuthLDAPBindPassword "IShouldNotBeHere"
...

Comment 10 errata-xmlrpc 2016-05-10 21:06:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0819.html


Note You need to log in before you can comment on or make changes to this bug.