Hide sensitive information


#1

Is it possible to encrypt/hash/hide the sensitive information in “get system documentation”? Currently it shows the LDAP username and password in plain text, which is not good! This information should not be human readable. Thanks


#2

This is on purpose. A single administrator who already knew the password during configuration can use this to create a printable system documentation (restructured text -> pdf -> printer).

After all it is about access rights and planning the rights of your administrators. The policy scope admin has an action system_documentation that disallows an admin to see this.


#3

Thanks for the info, although I don’t agree with the logic of having it printable/readable. LDAP username/passwords are easy enough to reset/change if forgotten or undocumented. Having LDAP passwords in plain text and accessible from a GUI could inadvertently cause those credentials to become compromised. They could then be used to gain access to the whole network. I know there are ways to mitigate this, but I’m willing to bet most people don’t take those extra steps.

I’ll look into using the system property you referenced! Thanks again and keep up the good work! So far privacyIDEA has been working out great in my PoC!


#4

I can also understand your point of view.
But this is often not what I see: administrators who work with tokens are often not domain administrators and need to ask for changing passwords of service accounts.
Nevertheless, you are welcome to open an issue on GitHub and add some ideas on how to make this configurable.