Comment 0 for bug 1767323

Divya K Konoor (dikonoor) wrote :

When OpenStack/Keystone is configured with LDAP, it logs personal information in debug mode. The information logged is based completely on the parameters given as input while configuring LDAP. But in a production environment, LDAP generally has information about real people (natural persons), and with GDPR compliance around the corner, we should be very careful about what we log. Personal information about a natural person cannot be logged, stored or transferred without the consent of the person themselves. Having said that, the information logged below is very useful while debugging OpenStack/LDAP configuration issues.

https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/common.py#L920

2018-04-20 09:49:10.548 19412 DEBUG keystone.identity.backends.ldap.common [req-7abe3850-9937-4867-a1a7-f92d7757ccb1 8ed02367de541e8741badb6ce097a975a9233b464e6d215dde7bac48a3f2f54a 6d6da87e2345480b93821568c958cc81 - 46f848196da64f9caaf8e5304bba870b 46f848196da64f9caaf8e5304bba870b] LDAP search: base=o=xxx_suffix scope=2 filterstr=(&(postaladdress=#56780,14thmain, ubcity, bangalore)(objectClass=posixaccount)) attrs=['cn', 'userPassword', 'enabled', 'mail', 'postaladdress', 'desc'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:922

keystone.log:2018-04-19 04:26:04.680 72157 DEBUG keystone.identity.backends.ldap.common [req-3a092189-a85a-40da-8ffe-88bec3d430d8 d61bbf804a64cdc47df20632987500c868562fe0627fc9c497ca4494f96adcd8 9ea574babbca4cd5a5e336017aec1867 - fa87845eedd847708aa71d51ef84aea6 fa87845eedd847708aa71d51ef84aea6] LDAP search: base=cn=Users,dc=finktest,dc=org scope=2 filterstr=(&(<email address hidden>)(objectClass=user)) attrs=['description', 'userPassword', 'enabled', 'userPrincipalName', 'mail', 'cn'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/identity/backends/ldap/common.py:922
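
One way to keep this debug line useful while dropping the personal data in it, as an added example (not Keystone's code and not part of the original report): mask the assertion values inside `filterstr` and keep the attribute names, operators and nesting. `SAFE_ATTRS`, `redact_filter` and `RedactLdapSearch` are hypothetical names, and the message layout is assumed to match the log lines quoted above.

```python
import logging
import re

# Attributes whose values describe schema, not a person (assumption: tune
# per deployment). Compared case-insensitively.
SAFE_ATTRS = {"objectclass"}

# One filter item in RFC 4515 form: (attr OP value). Literal parentheses in a
# value are escaped as \28 and \29, so [^()]* spans the whole value.
_ITEM = re.compile(
    r"\((?P<attr>[A-Za-z0-9.;-]*)"
    r"(?P<op>(?::[A-Za-z0-9.:-]*|[~<>])?=)"
    r"(?P<val>[^()]*)\)"
)
# The filterstr field as it appears in the debug line quoted above.
_FIELD = re.compile(r"(filterstr=)(.*?)( attrs=\[)", re.S)


def _mask_item(match):
    attr, op, val = match.group("attr", "op", "val")
    if attr.lower() not in SAFE_ATTRS:
        # Keep '*' so presence and substring filters stay recognisable.
        val = re.sub(r"[^*]+", "<redacted>", val)
    return "(%s%s%s)" % (attr, op, val)


def redact_filter(filterstr):
    """Mask assertion values; keep attribute names, operators and nesting."""
    return _ITEM.sub(_mask_item, filterstr)


class RedactLdapSearch(logging.Filter):
    """Redact the filterstr field of 'LDAP search:' records."""

    def filter(self, record):
        msg = record.getMessage()
        if "LDAP search:" in msg:
            record.msg = _FIELD.sub(
                lambda m: m.group(1) + redact_filter(m.group(2)) + m.group(3),
                msg)
            record.args = ()
        return True


if __name__ == "__main__":
    # Constructed input shaped like the first log line in the report.
    print(redact_filter(
        "(&(postaladdress=#56780,14thmain, ubcity, bangalore)"
        "(objectClass=posixaccount))"))
```

Attach the filter to the log handler rather than to a parent logger, because logger-level filters are not applied to records propagated from child loggers. The base DN and the `attrs` list are left unchanged.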