node-ldapjs

In Client.bind() password gets logged at trace level

Open pmoleri opened this issue 7 years ago • 3 comments

If I set the logger to trace level, the password gets logged. I don't know if this is expected, but I think the password should be excluded from the logger at any level.

var ldap = require('ldapjs');
var Logger = require('bunyan');

// level 10 is bunyan's TRACE level
var log = new Logger({ name: 'ldap', component: 'client', stream: process.stderr, serializers: Logger.stdSerializers, level: 10 });
var client = ldap.createClient({ url: 'ldap://ldapserver', log: log });
// the simple-bind password ends up in the trace output below
client.bind('some_user', 'SeCrEt', (err) => {});

outputs:

{"name":"ldap","component":"client","hostname":"<thishost>","pid":15748,"clazz":"Client","ldap_id":"2__ldap://<ldapserver>","level":10,"msg":"sending request {\"messageID\":2,\"protocolOp\":\"BindRequest\",\"version\":3,\"name\":\"some_user\",\"authenticationType\":\"Simple\",\"credentials\":\"SeCrEt\",\"controls\":[]}","time":"2018-02-19T14:47:35.573Z","v":0}

ldapjs: v1.0.1

pmoleri, Feb 19 '18 15:02
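An added example, not part of the original issue or of the ldapjs code base: one way to keep the bind password out of trace output is to scrub each log record before it is written. `redactLine`, `redactingStream` and the `[REDACTED]` marker are hypothetical names, wiring the wrapper in as the logger's `stream` is an assumption, and the sample record is constructed from the output shown in the issue.

```javascript
const REDACTED = '[REDACTED]';
const SECRET_KEYS = new Set(['credentials']); // field name in the logged BindRequest
const PATTERN = /("credentials"\s*:\s*)"(?:[^"\\]|\\.)*"/g;

// Recursively replace secret fields; strings are checked for embedded JSON.
function scrub(value) {
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map(scrub);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.has(k) ? REDACTED : scrub(v);
    }
    return out;
  }
  return value;
}

// The request is formatted into `msg` as text ("sending request {...}"), so
// the secret sits inside a string: parse the embedded object when possible.
function scrubString(s) {
  const start = s.indexOf('{');
  const end = s.lastIndexOf('}');
  if (start !== -1 && end > start) {
    try {
      const inner = scrub(JSON.parse(s.slice(start, end + 1)));
      return s.slice(0, start) + JSON.stringify(inner) + s.slice(end + 1);
    } catch (e) { /* not valid JSON (e.g. truncated): use the pattern */ }
  }
  return s.replace(PATTERN, `$1"${REDACTED}"`);
}

// Scrub one newline-delimited JSON log record.
function redactLine(line) {
  try {
    return JSON.stringify(scrub(JSON.parse(line)));
  } catch (e) {
    return scrubString(line);
  }
}

// Hypothetical wrapper: an object with write(), to pass as the logger's stream.
function redactingStream(dest) {
  return { write: (chunk) => dest.write(redactLine(String(chunk).trimEnd()) + '\n') };
}

// Constructed sample shaped like the record in the issue.
const SAMPLE = JSON.stringify({ name: 'ldap', level: 10, msg: 'sending request ' +
  JSON.stringify({ protocolOp: 'BindRequest', name: 'some_user', credentials: 'SeCrEt' }) });
```

Scrubbing at the log sink is a stopgap: the secret is still formatted in process, so trace logging of bind traffic should stay off in production where possible.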

Hi, is there any progress on this one?

saostad, Mar 03 '21 03:03

Looks like this had a PR (#491) but it has since been abandoned. @saostad if you want to create another PR that would be much appreciated. 😁👍

UziTech, Mar 03 '21 06:03

@saostad if you are willing to pick up the PR, please include the original work by following these instructions -- https://gist.github.com/jsumners/461ef7a64545108635cc437fde112721

jsumners, Mar 03 '21 12:03

👋

On February 22, 2023, we released version 3 of this library. As a result, we are closing this issue/pull request.

Please see issue #839 for more information, including how to proceed if you feel this closure is in error.

jsumners, Feb 22 '23 19:02