BUG #18379: LDAP bind password exposed

From: PG Bug reporting form
Subject: BUG #18379: LDAP bind password exposed
Date:
Msg-id: 18379-385d04dcaa62d6fd@postgresql.org
List: pgsql-bugs
The following bug has been logged on the website:

Bug reference:      18379
Logged by:          Vinícius Coelho
Email address:      coelho.viniciusdf@gmail.com
PostgreSQL version: 15.3
Operating system:   Ubuntu 22.04
Description:

Dear PostgreSQL Support Team,

I am writing to seek your assistance regarding a security concern we have
encountered with our PostgreSQL database setup. We are currently utilizing
LDAP authentication as specified in our pg_hba.conf file. However, upon
reviewing the PostgreSQL logs, we have observed an issue that is causing us
significant concern.

Whenever a login attempt is made using LDAP authentication, the entire
configuration line from the pg_hba.conf file is being logged in the
PostgreSQL log files. This includes the LDAP bind password (ldapbindpasswd),
which is being recorded in plaintext. This practice poses a serious security
risk, as it exposes sensitive credentials in log files that might be
accessed by unauthorized individuals.

We are seeking guidance on how to address this issue. Specifically, we would
like to know:

- If there is a configuration option available that prevents the logging of
  sensitive information, particularly the LDAP bind password, in the
  PostgreSQL logs.
- Any recommended best practices for securing our LDAP authentication setup
  with PostgreSQL, to avoid similar issues in the future.
- If this behavior is known and if there are any patches or updates available
  that we should apply to our PostgreSQL installation to resolve this
  concern.

We prioritize the security of our database and the protection of sensitive
information. Therefore, we are eager to resolve this issue as promptly as
possible. Any assistance or insights you could provide on this matter would
be greatly appreciated.

Thank you in advance for your time and support. We look forward to your
prompt response and any recommendations you may have.

Best regards,
Vinícius Coelho
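
An added example, not part of the original report and not PostgreSQL project code: a filter that masks `ldapbindpasswd` values in server log lines before the logs are shipped, archived or shared, covering the three ways a pg_hba.conf option token can be quoted. The sample log lines are constructed, and their message wording and all values in them are assumptions.

```python
import re
import sys

# pg_hba.conf option tokens may be written three ways:
#   ldapbindpasswd=value   ldapbindpasswd="va lue"   "ldapbindpasswd=va lue"
# Inside quotes, a literal double quote is written as "".
_QUOTED = r'"(?:[^"]|"")*"'
_PASSWD = re.compile(
    r'"ldapbindpasswd=(?:[^"]|"")*"'                   # whole token quoted
    r'|ldapbindpasswd=(?:[^\s"]|' + _QUOTED + r')*'    # bare or quoted value
)
MASK = "ldapbindpasswd=[REDACTED]"


def redact(line):
    """Return (line with every bind password masked, number of hits)."""
    return _PASSWD.subn(MASK, line)


def scan(lines):
    """Return [(line_number, redacted_line)] for lines that held a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        clean, count = redact(line.rstrip("\n"))
        if count:
            hits.append((number, clean))
    return hits


# Constructed sample log lines (message format assumed, values invented).
SAMPLE = [
    '2024-03-01 10:00:01 UTC [411] LOG:  connection received: host=10.0.0.7',
    '2024-03-01 10:00:01 UTC [411] DETAIL:  Connection matched pg_hba.conf line 95: '
    '"host all all 10.0.0.0/8 ldap ldapserver=ldap.example.org '
    'ldapbinddn="cn=svc,dc=example,dc=org" ldapbindpasswd=S3cret ldapsearchattribute=uid"',
    '2024-03-01 10:00:09 UTC [412] DETAIL:  Connection matched pg_hba.conf line 96: '
    '"host all all 10.1.0.0/16 ldap ldapserver=ldap.example.org '
    'ldapbindpasswd="two words""',
]

if __name__ == "__main__":
    # Filter mode: pipe a log through stdin; with a terminal, show the sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for line in source:
        print(redact(line.rstrip("\n"))[0])
```

Any password this filter finds has already been written to disk, so a hit from `scan` is also a signal to rotate the bind credential and tighten permissions on the log directory.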

