• Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login
  • Recent
  • Unsolved
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login

LDAP plugin - apache2/error.log - password in plaintext

Scheduled Pinned Locked Moved
General
4
6
653
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    antonionardella
    last edited by Apr 16, 2019, 1:29 PM

    Hello,

    I set up the LDAP plugin.
    During some tests I discovered that failed logins are logged in /var/log/apache2/error.log with the password in plaintext, this does not feel as a secure setup.

    Cheers,
    Antonio

    1 Reply Last reply Reply Quote 0
    • G
      george1421 Moderator
      last edited by Apr 16, 2019, 5:58 PM

      @Fernando-Gietz FYI

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

      1 Reply Last reply Reply Quote 0
      • F
        Fernando Gietz Developer
        last edited by Apr 16, 2019, 6:10 PM

        Hi @antonionardella ,

        I tried to reproduce the problem but I can’t (log with bad credentials). My log files don’t show the password or the username.

        Can you paste the error to try find where launch the exception or the error?

        A 2 Replies Last reply May 6, 2019, 9:12 AM Reply Quote 1
        • A
          antonionardella @Fernando Gietz
          last edited by May 6, 2019, 9:12 AM

          @Fernando-Gietz Hello, I am terribly sorry I could not replicate the error and apache already rotated the logs.
          Let’s close this issue, I will open it again if I am able to replicate it.

          Cheers,
          Antonio

          1 Reply Last reply Reply Quote 0
          • A
            antonionardella @Fernando Gietz
            last edited by Jul 3, 2019, 3:35 PM

            @Fernando-Gietz found it!

            openldap.png

            1 Reply Last reply Reply Quote 0
            • S
              Sebastian Roth Moderator
              last edited by Jul 3, 2019, 9:27 PM

              @antonionardella You are right this is not good that it prints the full credentials in the logs. But the error you have is caused by the php-ldap module not being installed I guess. That shouldn’t happen at all if you don’t mess with the FOG setup. I am not sure we can prevent if from showing this in the logs…

              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

              1 Reply Last reply Reply Quote 0
              • 1 / 1
              • First post
                Last post

              164

              Online

              12.0k

              Users

              17.3k

              Topics

              155.2k

              Posts
              Copyright © 2012-2024 FOG Project