Red Hat Bugzilla – Bug 1302062
LDAP bind username and password being logged in plain text
Last modified: 2016-04-13 14:41:57 EDT
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=e4e2fab0f0b72d076cc9e37f243d651b4617aba5

commit e4e2fab0f0b72d076cc9e37f243d651b4617aba5
Merge: 35f88d4 c4d55fc
Author: Dan Clarizio <dclarizi@redhat.com>
AuthorDate: Tue Jan 26 18:45:56 2016 -0500
Commit: Dan Clarizio <dclarizi@redhat.com>
CommitDate: Tue Jan 26 18:45:56 2016 -0500

Merge branch 'bz_1302062' into '5.5.z'

When logging, mask LDAP credentials in nested hashes

https://bugzilla.redhat.com/show_bug.cgi?id=1302062

(cherry picked from commit ee20bc1)

Cherry picked from https://github.com/ManageIQ/manageiq/pull/6307

The cherry pick of the spec file was not clean and needed to be done manually. The only conflict was the addition of the new tests, which I resolved manually by adding all of the new lines. I then confirmed the spec by running it.

See merge request !752

 lib/vmdb/config.rb | 22 +++++++++-------
 spec/lib/vmdb/config_spec.rb | 61 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 9 deletions(-)
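As an added illustration of the fix named in the commit above (not the ManageIQ/CFME code from that commit), this Ruby example masks credential values at any depth of a nested settings hash before the hash is logged. The key names in `SENSITIVE_KEYS`, the helper names and the sample settings are assumptions constructed for the example.

```ruby
require 'logger'
require 'stringio'

# Hypothetical key names treated as secrets (assumption, not taken from the page).
SENSITIVE_KEYS = %w[password bind_pwd secret token].freeze
MASK = '********'.freeze

# True when a hash key (String or Symbol, any case) names a secret.
def sensitive_key?(key)
  SENSITIVE_KEYS.include?(key.to_s.downcase)
end

# Return a deep copy of +value+ with every sensitive entry replaced by MASK.
# Walks hashes and arrays at any depth; the input is never mutated, so the
# live configuration keeps working after a masked copy has been logged.
def mask_secrets(value)
  case value
  when Hash
    value.each_with_object({}) do |(key, val), out|
      out[key] = sensitive_key?(key) ? MASK : mask_secrets(val)
    end
  when Array
    value.map { |item| mask_secrets(item) }
  else
    value
  end
end

# Log a settings hash only after masking; returns the text that was written.
def log_settings(settings, io = StringIO.new)
  Logger.new(io).info("settings: #{mask_secrets(settings).inspect}")
  io.string
end

# Constructed sample input: secrets sit one and three levels down.
SAMPLE = {
  :authentication => {
    :mode         => 'ldap',
    :bind_dn      => 'cn=svc,dc=example,dc=com',
    :bind_pwd     => 'S3cret!',
    :user_proxies => [{ 'ldaphost' => 'ldap.example.com', 'Bind_Pwd' => 'An0ther!' }]
  }
}.freeze
```

A mask that only inspects top-level keys would leave both sample passwords in the log, which is the nested-hash case the commit message refers to.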
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=6dc402f5645b4317e0b790334a1237c7b18d3526

commit 6dc402f5645b4317e0b790334a1237c7b18d3526
Author: Joe VLcek <jvlcek@redhat.com>
AuthorDate: Fri Feb 5 15:21:49 2016 -0500
Commit: Joe VLcek <jvlcek@redhat.com>
CommitDate: Thu Feb 11 10:11:15 2016 -0500

Encrypt ldap bind password when queuing to MiqQueue

https://bugzilla.redhat.com/show_bug.cgi?id=1302062

PR: https://github.com/ManageIQ/manageiq/pull/6539

Cherry Pick was not clean. Conflicts showed up in spec/models/authenticator/ldap_spec.rb due to earlier updates to the spec that are not cherry picked

 app/models/authenticator.rb | 10 ++++++++++
 spec/models/authenticator/amazon_spec.rb | 1 +
 spec/models/authenticator/httpd_spec.rb | 1 +
 spec/models/authenticator/ldap_spec.rb | 26 +++++++++++++++++++++++++-
 4 files changed, 37 insertions(+), 1 deletion(-)
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=c2694eb2edd6804ad9154ce47b67884028c070ee

commit c2694eb2edd6804ad9154ce47b67884028c070ee
Merge: 8f39f21 6dc402f
Author: Joe Rafaniello <jrafanie@redhat.com>
AuthorDate: Thu Feb 11 14:34:11 2016 -0500
Commit: Joe Rafaniello <jrafanie@redhat.com>
CommitDate: Thu Feb 11 14:34:11 2016 -0500

Merge branch 'bz_1302062_2' into '5.5.z'

Encrypt ldap bind password when queuing to MiqQueue

https://bugzilla.redhat.com/show_bug.cgi?id=1302062

PR: https://github.com/ManageIQ/manageiq/pull/6539

Cherry Pick was not clean. Conflicts showed up in spec/models/authenticator/ldap_spec.rb due to earlier updates to the spec that are not cherry picked

See merge request !781

 app/models/authenticator.rb | 10 ++++++++++
 spec/models/authenticator/amazon_spec.rb | 1 +
 spec/models/authenticator/httpd_spec.rb | 1 +
 spec/models/authenticator/ldap_spec.rb | 26 +++++++++++++++++++++++++-
 4 files changed, 37 insertions(+), 1 deletion(-)
Checked in 5.5.3.2. I have set up an LDAP login and logged in with an LDAP user, then I grepped all the logfiles of CFME and there is no mention of the bind password.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0616