Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 446865

Summary: ipa-server-install will log passwords to log files
Product: [Retired] freeIPA
Component: ipa-server
Version: 1.0
Status: CLOSED ERRATA
Severity: high
Priority: high
Hardware: All
OS: Linux
Reporter: Martin Nagy <mnagy>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, hripps, rvokal
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:16:57 UTC
Bug Blocks: 429034
Attachments: Don't pass the DM password on the command-line, use a file (flags: none)

Description Martin Nagy 2008-05-16 14:48:17 UTC
Description of problem:
If ipa-server-install fails for some reason, it may result
in passwords being logged to the installation log file.

Version-Release number of selected component (if applicable):
Latest git version: 6119f83799a70738170e19f3e2d833fdf4ecbc86

How reproducible:
Use ipa-server-install and make sure it fails.

Actual results:
2008-05-12 15:18:11,503 CRITICAL Failed to load bootstrap-template.ldif: Command
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w aaaaaaaa -f
/tmp/tmpn3QE-F' returned non-zero exit status 32

Expected results:
2008-05-12 15:18:11,503 CRITICAL Failed to load bootstrap-template.ldif: Command
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w hidden -f
/tmp/tmpn3QE-F' returned non-zero exit status 32

Comment 1 Rob Crittenden 2008-05-19 18:29:45 UTC
Created attachment 305990
Don't pass the DM password on the command-line, use a file
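
Added example (not part of the original bug report and not the freeIPA patch itself): a Python sketch of the "use a file" approach, with a log redactor as a second layer for any command that still carries -w. The function names are hypothetical, the use of OpenLDAP ldapmodify's -y <passwdfile> option is an assumption about how the password file is consumed, and the "hidden" mask mirrors the expected results above.

```python
import os
import subprocess
import tempfile

SECRET_FLAGS = {"-w"}  # ldapmodify flag whose next argument is the bind password

def redact_argv(argv, secret_flags=SECRET_FLAGS):
    """Return a copy of argv that is safe to log: values after secret flags are masked."""
    safe, mask_next = [], False
    for arg in argv:
        safe.append("hidden" if mask_next else arg)
        mask_next = (not mask_next) and arg in secret_flags
    return safe

def write_password_file(password):
    """Write the password to a private temp file (mkstemp creates it with mode 0600)."""
    fd, path = tempfile.mkstemp(prefix="dmpw-")
    with os.fdopen(fd, "w") as f:
        f.write(password)  # no trailing newline: -y uses the whole file content
    return path

def ldapmodify_argv(bind_dn, pwfile, ldif_path, host="127.0.0.1"):
    """Build the command with -y <file> so the password never appears in argv."""
    return ["/usr/bin/ldapmodify", "-h", host, "-xv", "-D", bind_dn,
            "-y", pwfile, "-f", ldif_path]

def run_ldapmodify(bind_dn, password, ldif_path, runner=subprocess.check_call):
    """Run ldapmodify; on failure raise an error that carries only the redacted command."""
    pwfile = write_password_file(password)
    argv = ldapmodify_argv(bind_dn, pwfile, ldif_path)
    try:
        runner(argv)
    except subprocess.CalledProcessError as e:
        raise RuntimeError("Command %r returned non-zero exit status %d"
                           % (" ".join(redact_argv(argv)), e.returncode)) from None
    finally:
        os.remove(pwfile)  # do not leave the secret on disk after the call
    return argv

if __name__ == "__main__":
    # The failing command from the report, as the redactor would log it
    logged = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D",
              "cn=Directory Manager", "-w", "aaaaaaaa", "-f", "/tmp/tmpn3QE-F"]
    print(" ".join(redact_argv(logged)))
```

Keeping the password out of argv also keeps it out of the process list, which redacting the log alone does not.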

Comment 2 Rob Crittenden 2008-05-19 21:08:56 UTC
ipa-1-0: 649dcf6c445d99f13151eef4c518635e03d496a5
master: 6c87f831806af51539824244d684c2431b8e7af7

Comment 3 Yi Zhang 2008-05-22 22:33:33 UTC
QA Verified on May 22, 2008 (Yi)

Build used: May 22, 2008 (x64)

test run:
1. yum install ipa-server
2. change the file: /usr/share/ipa/bootstrap-template.ldif to a different file
3. ipa-server-install

--- result: the install failed, but there is no password logged, test passed
2008-05-22 15:20:27,956 INFO
2008-05-22 15:20:27,957 DEBUG   [12/16]: adding default layout
2008-05-22 15:20:27,962 DEBUG [Errno 2] No such file or directory:
'/usr/share/ipa/bootstrap-template.ldif'
  File "/usr/sbin/ipa-server-install", line 556, in ?
    main()

  File "/usr/sbin/ipa-server-install", line 482, in main
    ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 182, in
create_instance
    self.start_creation("Configuring directory server:")

  File "/usr/lib/python2.4/site-packages/ipaserver/service.py", line 139, in
start_creation
    method()

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 359, in
__add_default_layout
    self.__ldap_mod("bootstrap-template.ldif", self.sub_dict)

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 279, in
__ldap_mod
    txt = ipautil.template_file(path, sub_dict)