Comment 1 for bug 1767323

Lance Bragstad (lbragstad) wrote :

We usually don't recommend using DEBUG logging in production systems for this reason.

But, one possible approach is to provide a configuration option for LDAP that lets deployers set a list of LDAP attributes to *not* log. Deployers will need to know which attributes are considered sensitive according to laws and restrictions in order to configure keystone properly and before debug logging is enabled. This approach was discussed in IRC [0].

[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-05-09.log.html#t2018-05-09T14:47:14
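
One way to implement the approach described in the comment above, as an added example that is neither keystone's code nor part of the original comment. The `REDACTED_ATTRIBUTES` list, the function names and the sample entry are assumptions; the result shape follows python-ldap's `(dn, attrs)` search tuples.

```python
import logging

LOG = logging.getLogger("ldap_debug_example")

# Hypothetical deployer-supplied list of attributes that must never be logged.
REDACTED_ATTRIBUTES = ["userPassword", "mail", "telephoneNumber"]
MASK = "***"


def redact_ldap_result(results, redacted_attributes):
    """Return a copy of (dn, {attr: [values]}) results that is safe to log."""
    # LDAP attribute names are case-insensitive, so compare lower-cased.
    blocked = {name.lower() for name in redacted_attributes}
    safe = []
    for dn, attrs in results:
        if dn is None or not isinstance(attrs, dict):
            # Referral entries carry a list of URLs instead of attributes.
            safe.append((dn, attrs))
            continue
        cleaned = {}
        for name, values in attrs.items():
            # Drop attribute options such as "mail;lang-en" before matching.
            base = name.split(";", 1)[0].lower()
            if base in blocked:
                # Keep the value count so the log still shows the entry shape.
                cleaned[name] = [MASK] * len(values)
            else:
                cleaned[name] = list(values)
        safe.append((dn, cleaned))
    return safe


def log_search_result(results, redacted_attributes=REDACTED_ATTRIBUTES):
    """Log a redacted copy at DEBUG; the caller keeps the original data."""
    safe = redact_ldap_result(results, redacted_attributes)
    LOG.debug("LDAP search result: %s", safe)
    return safe


# Constructed sample entry, not taken from a real directory.
SAMPLE = [
    ("cn=jdoe,ou=Users,dc=example,dc=org",
     {"cn": [b"jdoe"],
      "Mail": [b"jdoe@example.org"],
      "userPassword": [b"{SSHA}constructed-value"]}),
]
```

The DN is logged unchanged here, so a directory that embeds a sensitive value in the DN itself would need that handled separately.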