Thanks for the reply.
>
> If you don't want the server to see the user's password, don't use LDAP
> authentication. A much better approach is Kerberos or client-side SSL
> certificates.
Sadly, all other authentication options will not work for us.
I'm not seeing the user password in the log, I'm seeing the bind
password (ldapbindpasswd) that is in the pg_hba.conf file. There is a
line in auth.c that, on every failed attempt, prints the full (raw)
configuration line to the log at all log levels. So, this isn't just
a problem with LDAP (with ldapbindpasswd) but also the RADIUS method
(radiussecret).
I've submitted a patch and we're discussing the problem further on the
pgsql-hackers distro. Really, I think it all comes down to finding
the right balance of security and convenience of the administrator.
I'm hopeful we'll come up with the right answer soon and I can submit
a new patch.
S
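As an added example (not PostgreSQL's code and not the patch under discussion), this is the kind of redaction a pg_hba.conf line needs before it is echoed into the server log: a hypothetical `redact_hba_line` that masks the values of `ldapbindpasswd` and `radiussecret`, assuming pg_hba.conf's `key=value` option syntax with optional double-quoted values.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not PostgreSQL's own code): pg_hba.conf option keys
 * whose values must never reach the server log. */
static const char *const sensitive_keys[] = { "ldapbindpasswd", "radiussecret" };

/* Copy a pg_hba.conf line into out, replacing the value of every sensitive
 * key=value option with "***". A double-quoted value (which may contain
 * spaces) is consumed as one token. Returns the number of values redacted,
 * or -1 if out is too small. */
int redact_hba_line(const char *in, char *out, size_t outsz)
{
    const char *p = in;
    size_t o = 0;
    int redacted = 0;
    while (*p) {
        int matched = 0;
        /* A key only counts at the start of a whitespace-delimited token. */
        if (p == in || isspace((unsigned char) p[-1])) {
            for (size_t k = 0; k < sizeof sensitive_keys / sizeof *sensitive_keys; k++) {
                size_t len = strlen(sensitive_keys[k]);
                if (strncmp(p, sensitive_keys[k], len) != 0 || p[len] != '=')
                    continue;
                if (o + len + 4 >= outsz)          /* room for key, '=', "***" */
                    return -1;
                memcpy(out + o, p, len + 1);       /* emit "key=" */
                o += len + 1;
                memcpy(out + o, "***", 3);         /* then the mask */
                o += 3;
                p += len + 1;
                if (*p == '"') {                   /* skip a quoted value */
                    for (p++; *p && *p != '"'; p++) ;
                    if (*p == '"') p++;
                } else {                           /* or a bare one */
                    while (*p && !isspace((unsigned char) *p)) p++;
                }
                redacted++; matched = 1;
                break;
            }
        }
        if (!matched) {                            /* ordinary byte: copy through */
            if (o + 1 >= outsz) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return redacted;
}
```

The same idea applies to any other option whose value is a credential; the caller logs the redacted copy instead of the raw configuration line.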