LDAP plugin - apache2/error.log - password in plaintext
-
Hello,
I set up the LDAP plugin.
During some tests I discovered that failed logins are logged in /var/log/apache2/error.log with the password in plaintext, this does not feel as a secure setup.Cheers,
Antonio -
@Fernando-Gietz FYI
-
Hi @antonionardella ,
I tried to reproduce the problem but I can’t (log with bad credentials). My log files don’t show the password or the username.
Can you paste the error to try find where launch the exception or the error?
-
@Fernando-Gietz Hello, I am terribly sorry I could not replicate the error and apache already rotated the logs.
Let’s close this issue, I will open it again if I am able to replicate it.Cheers,
Antonio -
@Fernando-Gietz found it!
-
@antonionardella You are right this is not good that it prints the full credentials in the logs. But the error you have is caused by the php-ldap module not being installed I guess. That shouldn’t happen at all if you don’t mess with the FOG setup. I am not sure we can prevent if from showing this in the logs…
