[ejabberd] ejabberd 2.0.1 ldap auth issues (with active directory)

Badlop badlop at gmail.com
Thu May 22 23:15:45 MSD 2008


On Thu, May 22, 2008 at 7:00 PM, Mitch Lewandowski <mitch at lewandowski.us> wrote:
> Anyone else authing users against AD, that upgraded to 2.0.1, having
> issues?  Two questions:
>
> WHY in 2.0.1 with debug turned on are user's passwords printed to the log?
> (this didn't happen in 2.0.0)

I got ejabberd from SVN trunk, compiled, installed, configured to use LDAP auth.
Logged in with a test account, and the password is not logged in the file:

=INFO REPORT==== 22-May-2008::21:05:06 ===
I(<0.263.0>:ejabberd_listener:112) : (#Port<0.426>) Accepted
connection {{127,0,0,1},35063} -> {{127,0,0,1},5222}

=INFO REPORT==== 22-May-2008::21:05:06 ===
I(<0.344.0>:ejabberd_c2s:438) :
({socket_state,gen_tcp,#Port<0.426>,<0.343.0>}) Accepted legacy
authentication for tester at localhost/Tka


To see the password, I need to change the configuration in ejabberd.cfg:

%% loglevel: Verbosity of log files generated by ejabberd.
%% 0: No ejabberd log at all (not recommended)
%% 1: Critical
%% 2: Error
%% 3: Warning
%% 4: Info
%% 5: Debug
{loglevel, 5}.

In this case, when I login with the test account, I get a massively
large amount of stuff in the log file. Finally, I found the user
password:

=INFO REPORT==== 22-May-2008::20:55:51 ===
D(<0.276.0>:eldap:648) : {searchResEntry,
                             {'SearchResultEntry',
                                 "uid=tester,ou=People,dc=poke",
                                 [{'PartialAttributeList_SEQOF',
                                      "objectClass",
                                      ["top","account","posixAccount"]},
                                  {'PartialAttributeList_SEQOF',"uid",
                                      ["tester"]},
                                  {'PartialAttributeList_SEQOF',"cn",
                                      ["Test User"]},
                                  {'PartialAttributeList_SEQOF',"gecos",
                                      ["Test User"]},
                                  {'PartialAttributeList_SEQOF',"uidNumber",
                                      ["2000"]},
                                  {'PartialAttributeList_SEQOF',"gidNumber",
                                      ["2000"]},
                                  {'PartialAttributeList_SEQOF',
                                      "homeDirectory",
                                      ["/home/tester"]},
                                  {'PartialAttributeList_SEQOF',"loginShell",
                                      ["/bin/bash"]},
                                  {'PartialAttributeList_SEQOF',
                                      "userPassword",
                                      ["testpass"]}]}}

This debug print was introduced in SVN r1236:
https://forge.process-one.net/changelog/ejabberd?cs=1236

If you refer to this password print, you will notice that the password
is not printed on purpose: it is printed because it is a part of the
LDAP response.

> WHY in 2.0.1 with debug turned on are user's passwords printed to the log?
> (this didn't happen in 2.0.0)

I guess the answer is quite obvious: when the admin enables debug
option, the purpose is to debug. And in order to debug it is usually
required to see all the information that flows.

Are you really planning to put a server in production with debug
logging enabled?
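As an added example (not ejabberd code and not part of the original mail): a Python helper that masks the password-carrying attribute of a SearchResultEntry before it is logged, and a scanner that finds clear-text userPassword values already written to a debug log in the eldap dump layout shown above. The sensitive attribute names other than userPassword and the sample log are constructed assumptions.

```python
import re

# Attributes whose values must never reach a log in clear text.
# userPassword is the one in the mail; the others are assumed AD/Samba
# equivalents (extend for your directory).
SENSITIVE_ATTRS = {"userpassword", "unicodepwd",
                   "sambantpassword", "sambalmpassword"}

def redact_entry(dn, attrs):
    """Return (dn, attrs) with sensitive values masked.
    attrs is a list of (name, [values]), mirroring ejabberd's
    PartialAttributeList_SEQOF tuples."""
    redacted = []
    for name, values in attrs:
        if name.lower() in SENSITIVE_ATTRS:
            values = ["<redacted>"] * len(values)
        redacted.append((name, list(values)))
    return dn, redacted

# eldap debug dump: attribute name string, then its value list,
# possibly on the next line, e.g.  "userPassword",\n ["testpass"]
_ATTR_RE = re.compile(r'"(?P<attr>[\w-]+)",\s*\[(?P<values>"[^\]]*)\]')

def find_password_leaks(log_text):
    """Return (attribute, line_number) for every sensitive attribute
    whose value list appears in clear text in log_text."""
    hits = []
    for m in _ATTR_RE.finditer(log_text):
        if m.group("attr").lower() in SENSITIVE_ATTRS:
            line_no = log_text.count("\n", 0, m.start()) + 1
            hits.append((m.group("attr"), line_no))
    return hits

# Constructed log excerpt in the format of the eldap:648 debug print.
SAMPLE_LOG = """=INFO REPORT==== 22-May-2008::20:55:51 ===
D(<0.276.0>:eldap:648) : {searchResEntry,
    {'SearchResultEntry',
        "uid=tester,ou=People,dc=example",
        [{'PartialAttributeList_SEQOF',"uid",
             ["tester"]},
         {'PartialAttributeList_SEQOF',
             "userPassword",
             ["testpass"]}]}}
"""

if __name__ == "__main__":
    for attr, line in find_password_leaks(SAMPLE_LOG):
        print(f"clear-text {attr} value at line {line}")
```

Run the scanner over a real ejabberd.log written at loglevel 5 to decide whether the file needs to be purged and the directory credentials it exposed rotated.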
