Re: BUG #18379: LDAP bind password exposed

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: coelho(dot)viniciusdf(at)gmail(dot)com, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #18379: LDAP bind password exposed
Date: 2024-03-06 15:46:01
Message-ID: 52b0daeaeedae6996420b082d1881c474d46b9a2.camel@cybertec.at
Lists: pgsql-bugs

On Wed, 2024-03-06 at 13:51 +0000, PG Bug reporting form wrote:
> PostgreSQL version: 15.3
>
> I am writing to seek your assistance regarding a security concern we have
> encountered with our PostgreSQL database setup. We are currently utilizing
> LDAP authentication as specified in our pg_hba.conf file. However, upon
> reviewing the PostgreSQL logs, we have observed an issue that is causing us
> significant concern.
>
> Whenever a login attempt is made using LDAP authentication, the entire
> configuration line from the pg_hba.conf file is being logged in the
> PostgreSQL log files. This includes the LDAP bind password (ldapbindpasswd),
> which is being recorded in plaintext. This practice poses a serious security
> risk, as it exposes sensitive credentials in log files that might be
> accessed by unauthorized individuals.

There is no way to prevent that short of not logging errors at all.

But I am afraid that that won't be your only problem if you let unauthorized
individuals read your log files. Any statement that causes an error and
contains sensitive information will become a problem, and if you set
"log_statement = 'ddl'", anybody who changes their password without
encrypting it on the client side will find the password in the log.

Log files should be treated as sensitive data.

Yours,
Laurenz Albe
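The two exposures named above (the full pg_hba.conf line, including ldapbindpasswd, landing in the log when an LDAP authentication fails, and a cleartext password in an ALTER ROLE statement echoed under log_statement = 'ddl') can at least be redacted before a log is copied to a less protected place such as a ticket, a central log collector or a support upload. The following is an added example, not code from the thread or from the PostgreSQL project: a small Python filter that finds both patterns and masks the secret while keeping the rest of the line intact. The sample log lines are constructed for this example and only modelled on the shape of PostgreSQL's log output; the exact wording of real messages varies by version.

```python
import re
from typing import List, Tuple

# Value after ldapbindpasswd= in a logged pg_hba.conf line. pg_hba.conf
# allows the value to be bare or double-quoted, so accept both forms.
LDAP_BIND_PASSWD_RE = re.compile(
    r'(ldapbindpasswd=)(?:"[^"]*"|[^\s"]+)', re.IGNORECASE
)

# PASSWORD '...' in a CREATE/ALTER ROLE|USER statement echoed by
# log_statement. A doubled single quote ('') inside the literal is an
# escaped quote, not the end of the string.
SQL_PASSWORD_RE = re.compile(
    r"(\b(?:ENCRYPTED\s+)?PASSWORD\s+)'(?:[^']|'')*'", re.IGNORECASE
)

REDACTED = "[REDACTED]"

# Constructed sample log lines (not real output from any server):
# 1. the DETAIL line PostgreSQL emits after a failed authentication,
#    quoting the matched pg_hba.conf line verbatim;
# 2. a DDL statement logged under log_statement = 'ddl';
# 3. an ordinary line with nothing sensitive in it.
SAMPLE_LOG_LINES = [
    '2024-03-06 15:46:01.123 UTC [12345] DETAIL:  Connection matched '
    'pg_hba.conf line 95: "host all all 10.0.0.0/8 ldap '
    'ldapserver=ldap.example.com ldapbinddn="cn=pgsql,dc=example,dc=com" '
    'ldapbindpasswd=S3cret! ldapbasedn="dc=example,dc=com" '
    'ldapsearchattribute=uid"',
    "2024-03-06 15:46:02.001 UTC [12346] LOG:  statement: "
    "ALTER ROLE alice PASSWORD 'hunter2'",
    "2024-03-06 15:46:02.500 UTC [12347] LOG:  connection authorized: "
    "user=bob database=app",
]


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Return the line with secrets masked plus the list of finding kinds."""
    findings: List[str] = []

    def mask_ldap(m: "re.Match") -> str:
        findings.append("ldapbindpasswd")
        return m.group(1) + REDACTED

    def mask_sql(m: "re.Match") -> str:
        findings.append("sql_password")
        return m.group(1) + "'" + REDACTED + "'"

    line = LDAP_BIND_PASSWD_RE.sub(mask_ldap, line)
    line = SQL_PASSWORD_RE.sub(mask_sql, line)
    return line, findings


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Scan a whole log; return (1-based line number, redacted line, findings)
    for every line that contained something to redact."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        redacted, findings = redact_line(raw)
        if findings:
            hits.append((number, redacted, findings))
    return hits


if __name__ == "__main__":
    for number, redacted, findings in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {', '.join(findings)}")
        print("  " + redacted)
```

Run it against a real log with `scan_log(open("postgresql.log").read().splitlines())`. The SQL pattern deliberately masks any PASSWORD literal, including an already hashed SCRAM value, because a redaction filter should err on the side of removing too much. Note that this only reduces what leaks out of a copied log; the log file on the server still contains the cleartext values, so restricting who can read the log directory remains the actual control.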
