author | Andrew Bartlett <abartlet@samba.org> | 2012-08-29 11:29:44 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-08-29 12:28:38 +1000 |
commit | 395b8e4d58e2815d9848f8a6390f23d8c7d10a91 (patch) | |
tree | 89ab021b953ab1d7687dcaf0954bab528a4de466 /lib/ldb/common/ldb_modules.c | |
parent | 17337cfec071f7f82fa4c50ace751d51277a4b20 (diff) | |
lib/ldb: Avoid printing secret attributes in ldb trace logs
These are printed when Samba has debug level 10, which is often used for debugging.
Instead, print a note to say that this attribute has been skipped.
Andrew Bartlett
Diffstat (limited to 'lib/ldb/common/ldb_modules.c')
-rw-r--r-- | lib/ldb/common/ldb_modules.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/lib/ldb/common/ldb_modules.c b/lib/ldb/common/ldb_modules.c
index 8904d5a94a..440365688b 100644
--- a/lib/ldb/common/ldb_modules.c
+++ b/lib/ldb/common/ldb_modules.c
@@ -709,8 +709,21 @@ int ldb_module_send_entry(struct ldb_request *req,
 if ((req->handle->ldb->flags & LDB_FLG_ENABLE_TRACING) &&
 req->handle->nesting == 0) {
 char *s;
+ struct ldb_ldif ldif;
+
+ ldif.changetype = LDB_CHANGETYPE_NONE;
+ ldif.msg = discard_const_p(struct ldb_message, msg);
+
 ldb_debug_add(req->handle->ldb, "ldb_trace_response: ENTRY\n");
- s = ldb_ldif_message_string(req->handle->ldb, msg, LDB_CHANGETYPE_NONE, msg);
+
+ /*
+ * The choice to call
+ * ldb_ldif_write_redacted_trace_string() is CRITICAL
+ * for security. It ensures that we do not output
+ * passwords into debug logs
+ */
+
+ s = ldb_ldif_write_redacted_trace_string(req->handle->ldb, msg, &ldif);
 ldb_debug_add(req->handle->ldb, "%s\n", s);
 talloc_free(s);
 ldb_debug_end(req->handle->ldb, LDB_DEBUG_TRACE); |
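Review bot: The new comment above the `ldb_ldif_write_redacted_trace_string()` call marks it as critical but does not say what decides which attributes are withheld, and that decision is made entirely inside the callee, which is not visible in this hunk. I would add a line such as `Which attributes are treated as secret is decided inside that function; extend it when a new secret attribute is introduced.` so a maintainer knows the trace log is only as safe as that set, and that every non-secret attribute of the entry is still written at trace level. As a smaller style point, `struct ldb_ldif ldif;` is filled member by member; `struct ldb_ldif ldif = { .changetype = LDB_CHANGETYPE_NONE, .msg = discard_const_p(struct ldb_message, msg) };` would leave no member indeterminate if the struct ever grows. The result `s` goes to `ldb_debug_add()` under `%s` without a NULL check, which appears to be unchanged from the old call. The body of ldb_module_send_entry starts and ends outside the hunk.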