[GH-ISSUE #922] [BUG] Verbose logging logs out the database password #332

Closed
opened 2026-02-27 08:16:42 +03:00 by kerem · 1 comment

Originally created by @ofersadan85 on GitHub (Jun 25, 2024).
Original GitHub issue: https://github.com/lldap/lldap/issues/922

Describe the bug
On application startup with LLDAP_VERBOSE=true set in the environment or in the config.toml, we get a printout of several secrets that are well hidden, like

ldap_user_pass: ***SECRET***

But the database URL which contains the password is printed without a problem

database_url: "postgres://lldap:passw@123.123.123.123/lldap",

To Reproduce

  1. Activate verbose logging
  2. Set a database URL that isn't the default sqlite one

Expected behavior
First of all, this is very insecure and should be hidden.
Another way of achieving this would be to allow constructing the database URL from several different variables, something like

LLDAP_DATABASE_USER=user
LLDAP_DATABASE_PASS=password
LLDAP_DATABASE_TYPE=postgres

... and so on, which would allow hiding at least some of the sensitive data, if you don't want to hide everything.

kerem closed this issue and added the bug label (2026-02-27 08:16:42 +03:00)

@nitnelave commented on GitHub (Jun 25, 2024):

That should already be solved when using the latest tag (not stable).
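
The masking the report asks for, sketched as an added example that is not part of the issue thread and not lldap's own code: the names `DatabaseUrl`, `Config`, `redact_db_url` and `verbose_dump` are hypothetical, and the sample URLs are constructed from the shape shown in the report. It assumes the password sits in the URL's userinfo part and that only the log output, never the stored value, should change.

```rust
use std::fmt;

const MASK: &str = "***SECRET***"; // same marker the report shows for ldap_user_pass

/// Byte range of the password in `scheme://user:password@host/...`, if present.
fn password_span(url: &str) -> Option<(usize, usize)> {
    let auth_start = url.find("://")? + 3;
    // The authority ends at the first '/', '?' or '#' (or at the end of the string).
    let auth_end = url[auth_start..]
        .find(|c: char| matches!(c, '/' | '?' | '#'))
        .map_or(url.len(), |i| auth_start + i);
    // Userinfo ends at the LAST '@', so an unescaped '@' in the password stays covered.
    let at = url[auth_start..auth_end].rfind('@')?;
    // The password follows the FIRST ':' of the userinfo; no ':' means no password.
    let colon = url[auth_start..auth_start + at].find(':')?;
    Some((auth_start + colon + 1, auth_start + at))
}

/// Copy of `url` that is safe to log: the password, if any, is replaced by MASK.
pub fn redact_db_url(url: &str) -> String {
    match password_span(url) {
        Some((start, end)) => format!("{}{}{}", &url[..start], MASK, &url[end..]),
        None => url.to_string(),
    }
}

/// Hypothetical newtype: keeps the real URL for connecting, never prints the password.
pub struct DatabaseUrl(pub String);

impl fmt::Debug for DatabaseUrl {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{:?}", redact_db_url(&self.0))
    }
}

/// Hypothetical config struct; a derived Debug dump picks up the redaction above.
#[derive(Debug)]
pub struct Config {
    pub database_url: DatabaseUrl,
    pub verbose: bool,
}

pub fn verbose_dump(cfg: &Config) -> String { format!("{:#?}", cfg) }

fn main() {
    // Constructed sample value, taken from the URL shape in the report.
    let url = "postgres://lldap:passw@123.123.123.123/lldap".to_string();
    println!("{}", verbose_dump(&Config { database_url: DatabaseUrl(url), verbose: true }));
}
```

A password carried anywhere other than the userinfo part, such as a query parameter, is not covered by this sketch.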
