[ejabberd] ejabberd 2.0.1 ldap auth issues (with active directory)

Mitch Lewandowski mitch at lewandowski.us
Thu May 22 23:29:19 MSD 2008


Well, in the config I'm using, it prints it when it's attempting to bind as
the user, not just while dumping the users' info.  And no I'm not planning
to put a server in prod with debug enabled, but it isn't obvious to me to
print the password when enabling debug -- call me extra paranoid :)  Again,
this may not be with all ldap schemes, I'm specifically authing, and asking
for input/results from other users who are authing against Active Directory.

On Thu, May 22, 2008 at 3:15 PM, Badlop <badlop at gmail.com> wrote:

> On Thu, May 22, 2008 at 7:00 PM, Mitch Lewandowski <mitch at lewandowski.us>
> wrote:
> > Anyone else authing users against AD, that upgraded to 2.0.1, having
> > issues?  Two questions:
> >
> > WHY in 2.0.1 with debug turned on are user's passwords printed to the
> log?
> > (this didn't happen in 2.0.0)
>
> I got ejabberd from SVN trunk, compiled, installed, configured to use LDAP
> auth.
> Logged in with a test account, and the password is not logged in file:
>
> =INFO REPORT==== 22-May-2008::21:05:06 ===
> I(<0.263.0>:ejabberd_listener:112) : (#Port<0.426>) Accepted
> connection {{127,0,0,1},35063} -> {{127,0,0,1},5222}
>
> =INFO REPORT==== 22-May-2008::21:05:06 ===
> I(<0.344.0>:ejabberd_c2s:438) :
> ({socket_state,gen_tcp,#Port<0.426>,<0.343.0>}) Accepted legacy
> authentication for tester at localhost/Tka
>
>
> To see the password, I need to change the configuration in ejabberd.cfg:
>
> %% loglevel: Verbosity of log files generated by ejabberd.
> %% 0: No ejabberd log at all (not recommended)
> %% 1: Critical
> %% 2: Error
> %% 3: Warning
> %% 4: Info
> %% 5: Debug
> {loglevel, 5}.
>
> In this case, when I login with the test account, I get a massively
> large amount of stuff in the log file. Finally, I found the user
> password:
>
> =INFO REPORT==== 22-May-2008::20:55:51 ===
> D(<0.276.0>:eldap:648) : {searchResEntry,
>                             {'SearchResultEntry',
>                                 "uid=tester,ou=People,dc=poke",
>                                 [{'PartialAttributeList_SEQOF',
>                                      "objectClass",
>                                      ["top","account","posixAccount"]},
>                                  {'PartialAttributeList_SEQOF',"uid",
>                                      ["tester"]},
>                                  {'PartialAttributeList_SEQOF',"cn",
>                                      ["Test User"]},
>                                  {'PartialAttributeList_SEQOF',"gecos",
>                                      ["Test User"]},
>                                  {'PartialAttributeList_SEQOF',"uidNumber",
>                                      ["2000"]},
>                                  {'PartialAttributeList_SEQOF',"gidNumber",
>                                      ["2000"]},
>                                  {'PartialAttributeList_SEQOF',
>                                      "homeDirectory",
>                                      ["/home/tester"]},
>                                  {'PartialAttributeList_SEQOF',"loginShell",
>                                      ["/bin/bash"]},
>                                  {'PartialAttributeList_SEQOF',
>                                      "userPassword",
>                                      ["testpass"]}]}}
>
> This debug print was introduced in SVN r1236:
> https://forge.process-one.net/changelog/ejabberd?cs=1236
>
> If you refer to this password print, you will notice that the password
> is not printed on purpose: it is printed because it is a part of the
> LDAP response.
>
> > WHY in 2.0.1 with debug turned on are user's passwords printed to the
> log?
> > (this didn't happen in 2.0.0)
>
> I guess the answer is quite obvious: when the admin enables debug
> option, the purpose is to debug. And in order to debug it is usually
> required to see all the information that flows.
>
> Are you really planning to put a server in production with debug
> logging enabled?
>
> ---
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd
>
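Added example, not part of the thread and not ejabberd's own code: a small Python filter that flags and masks the `userPassword` values in eldap debug dumps of the shape quoted above, for an operator who has to run `loglevel 5` briefly and wants to scrub the file before sharing it. The sample log text is constructed to mimic the quoted `eldap:648` print, and the set of sensitive attribute names is an assumption that can be extended.

```python
import re

# Constructed sample in the shape of the eldap:648 debug print quoted above.
SAMPLE_LOG = """=INFO REPORT==== 22-May-2008::20:55:51 ===
D(<0.276.0>:eldap:648) : {searchResEntry,
                            {'SearchResultEntry',
                                "uid=tester,ou=People,dc=poke",
                                [{'PartialAttributeList_SEQOF',"uid",
                                     ["tester"]},
                                 {'PartialAttributeList_SEQOF',"cn",
                                     ["Test User"]},
                                 {'PartialAttributeList_SEQOF',
                                     "userPassword",
                                     ["testpass"]}]}}
"""

# One PartialAttributeList_SEQOF tuple as eldap pretty-prints it. The attribute
# name and its value list may be split across lines, hence \s* and DOTALL.
ATTR_RE = re.compile(
    r"\{'PartialAttributeList_SEQOF',\s*\"(?P<attr>[^\"]+)\",\s*\[(?P<vals>[^\]]*)\]\}",
    re.DOTALL,
)

# Assumed default; add whatever attributes your directory exposes as secrets.
DEFAULT_SENSITIVE = ("userPassword",)


def leaked_attributes(log_text, sensitive=DEFAULT_SENSITIVE):
    """Return the sorted names of sensitive attributes whose values appear in the log."""
    wanted = {a.lower() for a in sensitive}
    return sorted({m.group("attr") for m in ATTR_RE.finditer(log_text)
                   if m.group("attr").lower() in wanted})


def redact(log_text, sensitive=DEFAULT_SENSITIVE):
    """Replace the value list of each sensitive attribute with a placeholder,
    leaving every other attribute and the surrounding layout untouched."""
    wanted = {a.lower() for a in sensitive}

    def _sub(m):
        if m.group("attr").lower() not in wanted:
            return m.group(0)
        whole = m.group(0)
        start, end = m.start("vals") - m.start(), m.end("vals") - m.start()
        return whole[:start] + '"<redacted>"' + whole[end:]

    return ATTR_RE.sub(_sub, log_text)


if __name__ == "__main__":
    print("leaked:", leaked_attributes(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```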