Red Hat Bugzilla – Bug 1446137
pki_client_database_password is shown in ipaserver-install.log
Last modified: 2017-08-01 05:50:15 EDT
Description of problem:
pki_client_database_password is shown in ipaserver-install.log

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA-Server
2. Check ipaserver-install.log

Actual results:
pki_client_database_password is displayed in the install log

2017-04-27T10:12:50Z DEBUG Contents of pkispawn configuration file (/tmp/tmp1d8iQh):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = http://ipa-ca.testrelm.test/ca/ocsp
pki_client_database_dir = /var/lib/ipa/tmp-bilHhu
pki_client_database_password = 7Nk~a?+bv,IM!$qWWmh3mlWT{SRq}.dQJ}o%uqkcE <===
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX

Expected results:
We should not display the password in the install log

Additional info:
Upstream ticket: https://pagure.io/freeipa/issue/6904
The issue was fixed in master branch but not backported to ipa-4-5.

Fixed upstream
ipa-4-5:
https://pagure.io/freeipa/c/1d911fc2186da1c6566648f94a6819c4e7a2a72b
Fix is seen. Verified on RHEL7.4 using

ipa-server-4.5.0-9.el7.x86_64
389-ds-base-1.3.6.1-9.el7.x86_64
sssd-1.15.2-21.el7.x86_64
selinux-policy-3.13.1-145.el7.noarch
pki-kra-10.4.1-2.el7.noarch
pki-ca-10.4.1-2.el7.noarch
selinux-policy-3.13.1-145.el7.noarch
ipa-server-trust-ad-4.5.0-9.el7.x86_64

2017-05-03T09:23:06Z DEBUG Contents of pkispawn configuration file (/tmp/tmpemCM77):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = http://ipa-ca.testrelm.test/ca/ocsp
pki_client_database_dir = /var/lib/ipa/tmp-dLJfPI
pki_client_database_password = XXXXXXXX
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=TESTRELM.TEST
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = XXXXXXXX
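The manual check performed in the verification above can be automated. The following is an added example, not part of the bug report or of FreeIPA's code: it scans an install log for `*password` options whose value is not the `XXXXXXXX` mask, and can mask them in logs collected from affected builds. It assumes the real log holds one `key = value` option per line and that every option name ending in `password` is a secret; `SAMPLE_LOG` is constructed.

```python
import re

MASK = "XXXXXXXX"  # mask string as it appears in the log excerpts on this page
# Assumption: any option whose name ends in "password" holds a secret.
OPTION_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_]*password)\s*=\s*(?P<value>.*?)\s*$", re.IGNORECASE
)

# Constructed sample input, shaped like the pkispawn dump in the report.
SAMPLE_LOG = """\
2017-04-27T10:12:50Z DEBUG Contents of pkispawn configuration file (/tmp/tmpEXAMPLE):
[CA]
pki_backup_password = XXXXXXXX
pki_client_database_dir = /var/lib/ipa/tmp-EXAMPLE
pki_client_database_password = constructed-sample-value
pki_client_database_purge = False
pki_admin_password = XXXXXXXX
"""


def _is_leak(match):
    """True when a *password option carries a value other than the mask."""
    return match is not None and match.group("value") not in ("", MASK)


def find_unmasked_passwords(log_text):
    """Return (line_number, option_name) for each unmasked *password option.

    The secret value is never returned, so findings are safe to paste
    into a ticket.
    """
    return [
        (lineno, m.group("key"))
        for lineno, line in enumerate(log_text.splitlines(), start=1)
        if _is_leak(m := OPTION_RE.match(line))
    ]


def redact(log_text):
    """Return the log text with every unmasked *password value replaced by MASK."""
    out = []
    for line in log_text.splitlines():
        m = OPTION_RE.match(line)
        out.append(line[: m.start("value")] + MASK if _is_leak(m) else line)
    return "\n".join(out)


if __name__ == "__main__":
    for lineno, key in find_unmasked_passwords(SAMPLE_LOG):
        print(f"line {lineno}: {key} is not masked")
```

Any password that such a scan finds in an existing log should be treated as exposed to everyone who could read that file.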
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304