Description
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 7.23
- Ruby: 3.1
- Distribution: Debian 12 (bookworm)
- Module version: 8.0.0
How to reproduce (e.g. Puppet code you use)
```puppet
openldap::server::database { $basedn:
  ensure   => present,
  syncrepl => [
    {
      rid         => 0,
      provider    => $primary_server,
      searchbase  => $basedn,
      binddn      => "cn=replicator,${basedn}",
      bindmethod  => 'simple',
      credentials => Sensitive($sync_password),
      type        => 'refreshAndPersist',
      retry       => '60 +',
    }
  ]
}
```
What are you seeing
We noticed that any application or update of syncrepl outputs the credentials at Notice level in the logs. We tried to obscure it using `Sensitive($password)` as above, but it looks like the value is not unwrapped in the LDIF that the module then uses to apply the change.
What behaviour did you expect instead
Documentation at https://forge.puppet.com/modules/puppet/openldap/reference#openldapsyncrepl suggests that using `Sensitive()` should work in this situation: `Optional[credentials] => Variant[String[1], Sensitive[String[1]]]`
Output log
- This is the notice from our first attempt at using `Sensitive()`, which shows the previous credentials. Without `Sensitive()` the credentials can be seen in both the before and after sections of the notice.

```
Notice: /Stage[main]/Profile::Ldap_rework/Openldap::Server::Database[dc=example,dc=com]/Openldap_database[dc=example,dc=com]/syncrepl: syncrepl changed ['rid=0 provider="ldaps://primary.server.example.com" searchbase="dc=example,dc=com" binddn="cn=replicator,dc=example,dc=com" bindmethod="simple" credentials="Compromised-password-being-replaced1" type="refreshAndPersist" retry="60 +"'] to ['rid=0 provider="ldaps://primary.server.example.com" searchbase="dc=example,dc=com" binddn="cn=replicator,dc=example,dc=com" bindmethod="simple" credentials=#<Sensitive [value redacted]> type="refreshAndPersist" retry="60 +"'] (corrective)
```

- The error from the attempted application implies that the raw string `#<Sensitive [value redacted]>` is in the LDIF itself:

```
Error: /Stage[main]/Profile::Ldap_rework/Openldap::Server::Database[dc=example,dc=com]/Openldap_database[dc=example,dc=com]: Could not evaluate: LDIF content:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=0 provider="ldaps://primary.server.example.com" searchbase="dc=example,dc=com" binddn="cn=replicator,dc=example,dc=com" bindmethod="simple" credentials=#<Sensitive [value redacted]> type="refreshAndPersist" retry="60 +"
-
Error message: Execution of '/usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/openldap_database20241018-389709-6vv9eb' returned 80: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Other (e.g., implementation specific) error (80)
	additional info: Error: parse_syncrepl_line: unable to parse "[value"
modifying entry "olcDatabase={1}mdb,cn=config"
```
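The failure mode above, reproduced as an added Ruby example that is not the module's own provider code. It assumes a stand-in `Sensitive` class with the `unwrap`/`to_s`/`inspect` behaviour of Puppet's `PSensitive`, assumes that the provider quotes values by calling `inspect` (which matches the line shape in the log), and uses constructed helper names (`render_syncrepl`, `redact_syncrepl`, `first_unparseable_token`) and a constructed credential.

```ruby
# Stand-in for Puppet::Pops::Types::PSensitiveType::PSensitive, constructed for this
# example: unwrap returns the secret, to_s/inspect yield the redaction text.
class Sensitive
  def initialize(value)
    @value = value
  end

  def unwrap
    @value
  end

  def to_s
    'Sensitive [value redacted]'
  end

  def inspect
    "#<#{self}>"
  end
end

SYNCREPL_KEYS = %w[rid provider searchbase binddn bindmethod credentials type retry].freeze

# Quoting each value with inspect reproduces the line shape in the report (strings
# quoted, integer rid bare); an assumption here, not the module's code. With
# unwrap: false a Sensitive is inspected as-is and its redaction text lands in the LDIF.
def render_syncrepl(attrs, unwrap: true)
  SYNCREPL_KEYS.select { |k| attrs.key?(k) }.map do |k|
    v = attrs[k]
    v = v.unwrap if unwrap && v.respond_to?(:unwrap)
    "#{k}=#{v.inspect}"
  end.join(' ')
end

# What the Notice line should carry: the rendered value minus the credential.
def redact_syncrepl(line)
  line.sub(/credentials=("[^"]*"|\S+)/, 'credentials="[redacted]"')
end

# Simplified model of slapd's syncrepl tokenizer: key=value pairs, double quotes
# grouping spaces. Returns the first token that is not key=value, or nil.
def first_unparseable_token(line)
  line.scan(/\w+=(?:"[^"]*"|\S+)|\S+/).find { |tok| !tok.match?(/\A\w+=/) }
end

if __FILE__ == $PROGRAM_NAME
  attrs = { 'rid' => 0, 'credentials' => Sensitive.new('s3cret'), 'retry' => '60 +' }
  puts render_syncrepl(attrs, unwrap: false), first_unparseable_token(render_syncrepl(attrs, unwrap: false)).inspect
  puts redact_syncrepl(render_syncrepl(attrs))
end
```

The unwrapped rendering is what must reach `ldapmodify`, while the redacted string is what belongs in the Puppet Notice; the tokenizer shows why slapd stops at `[value` when the redaction text is written unquoted.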