In debug mode, rlm_ldap prints out all the passwords it uses for bind.
I think it's reasonable enough to disallow it or at least make it
configurable. Here's a quick-patch, relying on log_auth_goodpass.
Index: rlm_ldap.c
===================================================================
RCS file: /source/radiusd/src/modules/rlm_ldap/rlm_ldap.c,v
retrieving revision 1.108
diff -u -p -r1.108 rlm_ldap.c
--- rlm_ldap.c 7 Jul 2003 19:07:08 -0000 1.108
+++ rlm_ldap.c 14 Jul 2003 10:59:57 -0000
@@ -1468,10 +1468,16 @@ ldap_connect(void *instance, const char
#endif /* HAVE_LDAP_START_TLS */
if (inst->is_url){
- DEBUG("rlm_ldap: bind as %s/%s to %s", dn, password, inst->server);
+ DEBUG("rlm_ldap: bind as %s/%s to %s",
+ dn,
+ mainconfig.log_auth_goodpass ? password : "*",
+ inst->server);
}
else{
- DEBUG("rlm_ldap: bind as %s/%s to %s:%d", dn, password, inst->server,
inst->port);
+ DEBUG("rlm_ldap: bind as %s/%s to %s:%d",
+ dn,
+ mainconfig.log_auth_goodpass ? password : "*",
+ inst->server, inst->port);
}
msgid = ldap_bind(ld, dn, password,LDAP_AUTH_SIMPLE);
if (msgid == -1) {
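
Review bot: Both DEBUG calls run before `msgid = ldap_bind(ld, dn, password,LDAP_AUTH_SIMPLE);`, so at this point the password has not been verified. Gating on `mainconfig.log_auth_goodpass` therefore prints any password passed to ldap_connect when that option is on, including ones the bind will reject, which is broader than the option's name suggests. A setting on the module instance (checked through `inst`, like `inst->is_url`) would keep this debug output independent of the server-wide auth logging choice. The expression `mainconfig.log_auth_goodpass ? password : "*"` is also repeated in both branches; computing it once into a local `const char *` before the `if (inst->is_url)` test would keep the two messages from drifting apart.
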
It's probably a better idea to make rlm_ldap's own config variable to
control this behaviour...
The second place where user passwords shine through is the Access-Request
packet dump. It's much harder to fix, since it's done from libradius.
Can somebody point me in the right direction to do it, please?
--
Fduch M. Pravking