dsdb: Also redact the clearTextPassword input-only attribute

We go to a great deal of effort to avoid administrators posting their
passwords in Samba logs, and one of the ways we do that is to remove
them from internal ldif dumps Samba produces while operating as an AD
DC.

clearTextPassword is not a real attribute, but it functions as one for
an input path.

Change-Id: Iaacf3354fc9bfff18d6774f49b17a9ba962347d5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Aug 16 01:05:07 CEST 2014 on sn-devel-104

diff --git a/source4/dsdb/common/util.h b/source4/dsdb/common/util.h
index 0f9b442130d4422c48add5f2277a766682f5a857..dcf3fc44b13c12ee8fc26653dd3f0dbd0e0c5145 100644 (file)
--- a/source4/dsdb/common/util.h
+++ b/source4/dsdb/common/util.h
@@ -58,7 +58,8 @@ bool is_attr_in_list(const char * const * attrs, const char *attr);
        "supplementalCredentials" sep \
        "trustAuthIncoming" sep \
        "trustAuthOutgoing" sep \
-       "unicodePwd"
+       "unicodePwd" sep \
+       "clearTextPassword"
 
 #define DSDB_SECRET_ATTRIBUTES_COMMA ,
 #define DSDB_SECRET_ATTRIBUTES DSDB_SECRET_ATTRIBUTES_EX(DSDB_SECRET_ATTRIBUTES_COMMA)