Re: BUG #10680: LDAP bind password leaks to log on failed authentication - Mailing list pgsql-bugs

From Stephen Frost
Subject Re: BUG #10680: LDAP bind password leaks to log on failed authentication
Msg-id 20140619124432.GP16098@tamriel.snowman.net
In response to BUG #10680: LDAP bind password leaks to log on failed authentication  (smsiebe@gmail.com)
Responses Re: BUG #10680: LDAP bind password leaks to log on failed authentication  (Steven Siebert <smsiebe@gmail.com>)
List pgsql-bugs
Greetings,

* smsiebe@gmail.com (smsiebe@gmail.com) wrote:
> When a user fails to login when the LDAP method is used, the ldapbindpasswd
> (in plain text) is leaked to the log, even when the log level is set to
> warning.

If you don't want the server to see the user's password, don't use LDAP
authentication.  A much better approach is Kerberos or client-side SSL
certificates.

There may be something which is done to improve the specific case
mentioned here (or perhaps not..), but if LDAP is used then the PG
server will see the user's password because that's how that
authentication system works.

    Thanks,

        Stephen
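
For the leak described in the report, a log-hygiene check that finds and masks `ldapbindpasswd` values in server log lines. This is an added example, not part of the original message or of PostgreSQL's code. It assumes the secret shows up as the `pg_hba.conf` option text `ldapbindpasswd=...`; the sample log lines, host names and passwords are constructed.

```python
import re

MASK = "***REDACTED***"

# Option forms handled (assumed pg_hba.conf spellings):
#   ldapbindpasswd=secret
#   ldapbindpasswd="two words"     (value quoted)
#   "ldapbindpasswd=two words"     (whole option quoted)
_LEAK = re.compile(
    r'"(ldapbindpasswd=)[^"]*"'                # whole option quoted
    r'|(ldapbindpasswd=)(?:"[^"]*"|[^\s"]+)'   # value quoted, or bare value
)


def _mask(match):
    # Keep the option name so the log still shows which setting was in play.
    if match.group(1):
        return f'"{match.group(1)}{MASK}"'
    return f"{match.group(2)}{MASK}"


def redact(line):
    """Return the line with any ldapbindpasswd value masked."""
    return _LEAK.sub(_mask, line)


def find_leaks(lines):
    """Return (line_number, redacted_line) for each line that held a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        cleaned = redact(line)
        if cleaned != line:
            hits.append((number, cleaned))
    return hits


# Constructed sample log lines (format and values are illustrative only).
SAMPLE_LOG = [
    'LOG:  connection received: host=10.0.0.5 port=50122',
    'FATAL:  LDAP authentication failed for user "alice"',
    'DETAIL:  Connection matched pg_hba.conf line 92: "host all all 10.0.0.0/8 '
    'ldap ldapserver=ldap.example.org ldapbinddn="cn=pg,dc=example,dc=org" '
    'ldapbindpasswd=S3cret!"',
    'DETAIL:  Connection matched pg_hba.conf line 93: "host all all 10.1.0.0/16 '
    'ldap ldapserver=ldap.example.org "ldapbindpasswd=two words""',
]

if __name__ == "__main__":
    for number, cleaned in find_leaks(SAMPLE_LOG):
        print(f"line {number}: {cleaned}")
```

Any line this flags means the bind password has already reached the log, so the redacted copy is for sharing or archiving and the bind account's password still needs rotating.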
