Description Dirk Ahrnke 2022-01-17 13:57:34 CET

It was noticed that password hashes are logged into directory-manager-rest.log.
In the scenario where we initially observed the behaviour the password is set through the Kelvin-API. Ít is reproducable in that way once the password was set the second time.

17.01.22 13:51:38        INFO      (     1218) : 200 GET /udm/users/user/uid=karlauer,cn=lehrer,cn=users,ou=SchuleA,dc=mydomain,dc=intranet (0.0.0.0) 11.19ms
17.01.22 13:51:38        INFO      (     1218) : 200 GET /udm/users/user/?filter=(%26(!(uid%3Dkarlauer))(mailPrimaryAddress%3Dkarlauer@mydomain.intranet))&position=dc%3Dmydomain,dc%3Dintranet&scope=sub&hidden=true (0.0.0.0) 115.27ms
17.01.22 13:51:38        INFO      (     1218) : 200 GET /udm/groups/group/cn=lehrer-schulea,cn=groups,ou=SchuleA,dc=mydomain,dc=intranet (0.0.0.0) 8.09ms
17.01.22 13:51:38.639  ADMIN       ( ERROR   ) : 
== [$6$CLaER3Q.QluXlaR7$mnVbxTWFbhMctowNO48sPoLRrq8mA2EJt/OudW5dyliS5mOkwDt2QOEEeU6oJsBO6a3F9HuewGCJaMFNUOnSS/]
== [$6$CLaER3Q.QluXlaR7$0qTXGesA6hV1PTu7YglvWAcZj6bvI970tMTJAtvDgZ0aOTi9VMvFMmgS3CtOA.McUgCmh8uD7.Mt4BBtTHzPc/]
17.01.22 13:51:38        INFO      (     1218) : 204 PATCH /udm/users/user/uid=karlauer,cn=lehrer,cn=users,ou=SchuleA,dc=mydomain,dc=intranet (0.0.0.0) 61.91ms

Note directory/manager/rest/debug/level was set "0" during the test

The problem most likely originates in 

modules/univention/admin/password.py:                           ud.debug(ud.ADMIN, ud.ERROR, '\n== [%s]\n== [%s]' % (password_hash, line))