Closed: rodcloutier closed this issue 8 years ago
Can you paste an example, without the actual password of course? I checked the source and don't see where the password would be logged in debug mode.
Here you go. <password> marks the actual two places where the password is in clear text.
2015-06-22 16:26:43,026 DEBUG NETWORK:socket wrapped with SSL using SSLContext for <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - closed - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - not listening - SyncStrategy>
2015-06-22 16:26:43,026 DEBUG NETWORK:connection open for <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
2015-06-22 16:26:43,026 DEBUG BASIC:refreshing server info for <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
2015-06-22 16:26:43,026 DEBUG BASIC:start BIND operation via <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
2015-06-22 16:26:43,026 DEBUG PROTOCOL:performing simple BIND for <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
2015-06-22 16:26:43,028 DEBUG PROTOCOL:simple BIND request <{'authentication': {'simple': '<password>', 'sasl': None}, 'version': 3, 'name': 'CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org'}> sent via <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
2015-06-22 16:26:43,028 DEBUG PROTOCOL:new message id <3> generated
2015-06-22 16:26:43,028 DEBUG NETWORK:sending 1 ldap message for <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
2015-06-22 16:26:43,029 DEBUG EXTENDED:ldap message sent via <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>:
>>LDAPMessage:
>> messageID=3
>> protocolOp=ProtocolOp:
>> bindRequest=BindRequest:
>> version=3
>> name=CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org
>> authentication=AuthenticationChoice:
>> simple=<password>
2015-06-22 16:26:43,030 DEBUG NETWORK:sent 98 bytes via <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
2015-06-22 16:26:43,058 DEBUG NETWORK:received 22 bytes via <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
2015-06-22 16:26:43,058 DEBUG NETWORK:received 1 ldap messages via <ldaps://ldap-server - ssl - user: CN=Rodrigue Cloutier,OU=Users,OU=MTL,OU=NCSA,OU=my_company,DC=my_company,DC=org - unbound - open - <local: 127.0.0.1 - remote: 10.129.1.10:636> - tls not started - listening - SyncStrategy>
Hmm, that looks like it's coming from the library we use. Could be kinda tricky to disable from the plugin, since the logging is set up by devpi-server and currently plugins don't have an API to adjust logging configuration. We recently merged a PR which adds logging configuration: https://bitbucket.org/hpk42/devpi/pull-request/225/make-logging-configurable-via-an-external/diff If that approach works, then we should document it.
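For anyone who cannot upgrade the library yet, one defensive option from the logging-configuration side is a logging filter that scrubs the simple-bind password out of records before they are emitted. This is an added example, not devpi's or ldap3's own code; the two patterns are taken from the formats in the log excerpt above (the dict repr of the BIND request and the decoded LDAPMessage dump), and the logger name, handler and sample lines are constructed for the demo.

```python
import logging
import re

# The debug log above shows the password in two shapes:
#   1. the dict repr "simple BIND request <{... 'simple': 'secret' ...}>"
#   2. the decoded LDAPMessage dump line ">> simple=secret"
_PATTERNS = [
    (re.compile(r"('simple':\s*')[^']*(')"), r"\1<redacted>\2"),
    (re.compile(r"(simple=).*$", re.MULTILINE), r"\1<redacted>"),
]


def redact(text):
    """Return text with any simple-bind password replaced by <redacted>."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactBindPassword(logging.Filter):
    """Scrub the bind password from a record before a handler formats it.

    Handler-level filters run before emit(), so attaching this to the
    handler that receives 'ldap3' records redacts them at every level.
    """

    def filter(self, record):
        # Render args into the message first so the secret cannot survive
        # inside record.args, then clear args so formatting is not repeated.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed sample lines in the shapes seen in the log excerpt above.
SAMPLE_LINES = [
    "PROTOCOL:simple BIND request <{'authentication': {'simple': 'hunter2', "
    "'sasl': None}, 'version': 3, 'name': 'CN=Test User,DC=example,DC=org'}>",
    ">> simple=hunter2",
]


def scrubbed_messages(lines):
    """Log each line at DEBUG through the filter; return the rendered output."""
    collected = []

    class ListHandler(logging.Handler):  # hypothetical collector for the demo
        def emit(self, record):
            collected.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactBindPassword())
    logger = logging.getLogger("ldap3.demo")  # assumed demo logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers = [handler]
    for line in lines:
        logger.debug("%s", line)
    return collected
```

A filter like this only covers the two formats shown here; redacting at the library, as the ldap3 author does in the release below, is the reliable fix.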
Hi, I'm the author of the ldap3 library. The code in dev at https://github.com/cannatag/ldap3.git should fix this issue. Can you try to use it? Let me know if you can't get the code from dev and rely on pypi for ldap3 installation.
Bye, Giovanni
@cannatag Thanks for the information!
@rodcloutier did you have a chance to see if that fixes the issue? If so and when there is a new ldap3 release, I would make a new release with updated requirements.
ldap3 0.9.8.6 has been released. It hides sensitive data in logging by default. Can you check it?
Thanks, Giovanni
With ldap3 0.9.8.6 nothing related to ldap is output. I guess the password is not visible anymore!
So your earlier comment was a false alarm? If so, I will update setup.py and make a release.
Yep, false alarm. I had some issues with my virtualenv. All seems good.
Sorry about that.
On 2015-07-09, at 11:42, Florian Schulze notifications@github.com wrote:
> So your earlier comment was a false alarm? If so, I will update setup.py and make a release.
Released 1.1.1 which requires the correct minimum ldap3 version.
The password is present in clear text in the debug log (when starting the devpi-server with --debug). Even if it is only for debugging, I think it should be removed and replaced with a clear way to enable printing the password if needed.