
Syncrepl password exposed in output/logs, using Sensitive() obscures but breaks ldif #436

Open
heapdavid opened this issue Oct 18, 2024 · 0 comments

Comments

@heapdavid

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.23
  • Ruby: 3.1
  • Distribution: Debian 12 (bookworm)
  • Module version: 8.0.0

How to reproduce (e.g Puppet code you use)

openldap::server::database { $basedn:
  ensure   => present,
  syncrepl => [
    {
      rid         => 0,
      provider    => $primary_server,
      searchbase  => $basedn,
      binddn      => "cn=replicator,${basedn}",
      bindmethod  => 'simple',
      credentials => Sensitive($sync_password),
      type        => 'refreshAndPersist',
      retry       => '60 +',
    }
  ]
}

What are you seeing

We noticed that any application or update of syncrepl outputs the credentials at Notice level in the logs. We tried to obscure it using Sensitive($password) as above but it looks like the value is not unwrapped in the ldif that the module then uses to apply the change.

What behaviour did you expect instead

Documentation at https://forge.puppet.com/modules/puppet/openldap/reference#openldapsyncrepl suggests that using Sensitive() should work in this situation - Optional[credentials] => Variant[String[1], Sensitive[String[1]]],

Output log

  • This is the notice from our first attempt at using Sensitive(), which shows the previous credentials. Without Sensitive() the credentials can be seen in both the before and after sections of the notice.

Notice: /Stage[main]/Profile::Ldap_rework/Openldap::Server::Database[dc=example,dc=com]/Openldap_database[dc=example,dc=com]/syncrepl: syncrepl changed ['rid=0 provider="ldaps://primary.server.example.com" searchbase="dc=example,dc=com" binddn="cn=replicator,dc=example,dc=com" bindmethod="simple" credentials="Compromised-password-being-replaced1" type="refreshAndPersist" retry="60 +"'] to ['rid=0 provider="ldaps://primary.server.example.com" searchbase="dc=example,dc=com" binddn="cn=replicator,dc=example,dc=com" bindmethod="simple" credentials=#<Sensitive [value redacted]> type="refreshAndPersist" retry="60 +"'] (corrective)

  • The error from the attempted application implies that the raw string #<Sensitive [value redacted]> is in the ldif itself.

Error: /Stage[main]/Profile::Ldap_rework/Openldap::Server::Database[dc=example,dc=com]/Openldap_database[dc=example,dc=com]: Could not evaluate: LDIF content:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=0 provider="ldaps://primary.server.example.com" searchbase="dc=example,dc=com" binddn="cn=replicator,dc=example,dc=com" bindmethod="simple" credentials=#<Sensitive [value redacted]> type="refreshAndPersist" retry="60 +"
-
Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_database20241018-389709-6vv9eb' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: Error: parse_syncrepl_line: unable to parse "[value"
modifying entry "olcDatabase={1}mdb,cn=config"
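An added illustration (not code from the puppet/openldap module) of what a provider needs to do with this value: unwrap a Sensitive credential when building the olcSyncrepl LDIF value that slapd parses, and mask it when building the change notice that goes to the log. The `Sensitive` class below is a hypothetical stand-in that mimics the behaviour visible in the output above (`to_s`/`inspect` redact, `unwrap` returns the secret); the sample spec is constructed with placeholder values.

```ruby
# Hypothetical stand-in for Puppet's Sensitive wrapper: interpolating it into a
# string yields the redaction marker, only #unwrap yields the secret.
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  def to_s
    'Sensitive [value redacted]'
  end

  def inspect
    '#<Sensitive [value redacted]>'
  end
end

# Keys in the order OpenLDAP expects inside an olcSyncrepl value (rid first).
SYNCREPL_KEYS = %w[rid provider searchbase binddn bindmethod credentials type retry].freeze

# Unwrap for the LDIF that is actually sent to slapd; plain strings pass through.
def unwrap_value(value)
  value.respond_to?(:unwrap) ? value.unwrap : value
end

# Build the olcSyncrepl value. Without unwrap_value, "#{spec['credentials']}"
# would emit the literal '#<Sensitive [value redacted]>', which
# parse_syncrepl_line rejects ('unable to parse "[value"').
def syncrepl_line(spec)
  SYNCREPL_KEYS.select { |k| spec.key?(k) }.map do |k|
    v = unwrap_value(spec[k])
    k == 'rid' ? "rid=#{v}" : "#{k}=\"#{v}\""
  end.join(' ')
end

# Same line for the change notice, with credentials always masked (wrapped or
# not), so neither the old nor the new secret reaches the log.
def syncrepl_log_line(spec)
  masked = spec.key?('credentials') ? spec.merge('credentials' => '[value redacted]') : spec
  syncrepl_line(masked)
end

# Full modify LDIF, as in the error output above.
def ldif_modify(dn, spec)
  ["dn: #{dn}", 'changetype: modify', 'replace: olcSyncrepl',
   "olcSyncrepl: #{syncrepl_line(spec)}", '-'].join("\n")
end

# Constructed sample mirroring the manifest in this issue (placeholder values).
SAMPLE_SPEC = {
  'rid' => 0, 'provider' => 'ldaps://primary.server.example.com',
  'searchbase' => 'dc=example,dc=com', 'binddn' => 'cn=replicator,dc=example,dc=com',
  'bindmethod' => 'simple', 'credentials' => Sensitive.new('s3cret-placeholder'),
  'type' => 'refreshAndPersist', 'retry' => '60 +'
}.freeze
```

Running `puts ldif_modify('olcDatabase={1}mdb,cn=config', SAMPLE_SPEC)` prints an LDIF that slapd can parse, while `syncrepl_log_line(SAMPLE_SPEC)` is what should appear in the notice.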