Re: BUG #10680: LDAP bind password leaks to log on failed authentication
From | Steven Siebert |
---|---|
Subject | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
Date | |
Msg-id | CAC3nzejuQTGTaTyRg9wvYVw9y3ih=iN=+MG-aLasQn+PeG3u=w@mail.gmail.com |
In reply to | Re: BUG #10680: LDAP bind password leaks to log on failed authentication (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: BUG #10680: LDAP bind password leaks to log on failed authentication |
List | pgsql-bugs |
Thanks for the reply.

> If you don't want the server to see the user's password, don't use LDAP
> authentication. A much better approach is Kerberos or client-side SSL
> certificates.

Sadly, all other authentication options will not work for us.

I'm not seeing the user password in the log, I'm seeing the bind password (ldapbindpasswd) that is in the pg_hba.conf file. There is a line in auth.c that, on every failed attempt, prints the full (raw) configuration line to the log at all log levels. So, this isn't just a problem with LDAP (with ldapbindpasswd) but also the RADIUS method (radiussecret).

I've submitted a patch and we're discussing the problem further on the pgsql-hackers distro. Really, I think it all comes down to finding the right balance of security and convenience of the administrator. I'm hopeful we'll come up with the right answer soon and I can submit a new patch.

S
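One way to keep the secrets described above out of the log, as an added example (not code from this thread, from the submitted patch, or from PostgreSQL's auth.c): a C routine that masks the values of `ldapbindpasswd` and `radiussecret` in a raw pg_hba.conf line before it is logged. The function names and the sample line are assumptions made for this example, and only the `name=value` and `name="value"` forms are handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Secret-bearing pg_hba.conf options named in the message above. */
static const char *const secret_opts[] = { "ldapbindpasswd", "radiussecret" };
/* Length of "name=" if p starts with a secret option, else 0. */
static size_t secret_prefix_len(const char *p)
{
    for (size_t i = 0; i < sizeof secret_opts / sizeof secret_opts[0]; i++) {
        size_t n = strlen(secret_opts[i]);
        if (strncmp(p, secret_opts[i], n) == 0 && p[n] == '=') return n + 1;
    }
    return 0;
}

/* Copy raw to out with secret values masked; returns values masked, or -1 if out is
 * too small. Assumed simplification: values are name="..." or name=word only. */
int redact_hba_line(const char *raw, char *out, size_t outlen)
{
    size_t o = 0;
    int masked = 0, token_start = 1;
    while (*raw) {
        size_t skip = token_start ? secret_prefix_len(raw) : 0;
        if (skip == 0) {                        /* ordinary character: copy it */
            if (o + 2 > outlen) return -1;
            token_start = isspace((unsigned char) *raw) != 0;
            out[o++] = *raw++;
            continue;
        }
        int n = snprintf(out + o, outlen - o, "%.*s********", (int) skip, raw);
        if (n < 0 || (size_t) n >= outlen - o) return -1;
        o += (size_t) n;
        raw += skip;
        int quoted = (*raw == '"');             /* now skip over the value itself */
        if (quoted) raw++;
        while (*raw && (quoted ? *raw != '"' : !isspace((unsigned char) *raw))) raw++;
        if (quoted && *raw) raw++;
        masked++;
    }
    if (outlen == 0) return -1;
    out[o] = '\0';
    return masked;
}

int main(void)
{
    char buf[128];  /* constructed sample line, not taken from the thread */
    if (redact_hba_line("host all all 0.0.0.0/0 radius radiussecret=abc123", buf, sizeof buf) == 1) puts(buf);
    return 0;
}
```

A token that is quoted as a whole (`"ldapbindpasswd=..."`) is not recognised by this routine, so a caller that cannot rule that form out should log a line reference instead of the line text.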