We have noticed that the password can be seen when running
puppet agent -t --debug
Debug: /Stage[main]/Adcli::Join/Exec[adcli_join]: '/bin/echo -n 'passwordinplaintext' | /usr/sbin/adcli join --login-user='adjoin' --domain='example.local' --domain-ou='OU=Linux,OU=Servers,OU=AdminOU,DC=example,DC=local' --stdin-password --verbose ' won't be executed because of failed check 'unless'
It was expected that the password would be obscured with xxxxxxx, possibly by using the Sensitive() functions.
We are calling it using Hiera vars, but also called it this way:
class {'::adcli':
  ad_join_password => lookup('adcli::ad_join_password')
}
We also tried
class {'::adcli':
  ad_join_password => Sensitive(lookup('adcli::ad_join_password'))
}
and this errors out, as you are using plain text strings, I believe.
Is there any way to mask the password?
I would like to submit a fix. I changed the code to this:
exec {'adcli_join':
  # The password is passed through the environment instead of being interpolated into the command string
  environment => ["PASSWORD=${ad_join_password}"],
  command     => "/bin/echo -n \"\$PASSWORD\" | /usr/sbin/adcli join ${ad_join_domain_controller_command} \
${ad_join_computer_name_command} --login-user='${ad_join_username}' --domain='${ad_domain}' --domain-ou='${ad_join_ou}' --stdin-password --verbose ${ad_join_os_command} ${ad_join_os_version_command} ${ad_join_os_service_pack_command} ${ad_join_service_names_command}",
  logoutput   => true,
  unless      => "/usr/sbin/adcli testjoin -D ${ad_domain}",
}
This hides the password by storing it in the environment variable. Thoughts?
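One way to combine the environment-variable approach above with a `Sensitive` parameter, so that a caller can pass `Sensitive(lookup(...))` without a type error. This is an added example, not the adcli module's code or the commenter's patch; the class name `profile::adcli_join`, its reduced parameter list and the use of `provider => shell` with `printf` are assumptions made for illustration.

```puppet
# Added example: hypothetical wrapper class, not the adcli module's own code.
class profile::adcli_join (
  Sensitive[String] $ad_join_password,  # callers must pass a Sensitive value
  String            $ad_join_username,
  String            $ad_domain,
  String            $ad_join_ou,
) {
  exec { 'adcli_join':
    # Run through /bin/sh so the pipe and "$PASSWORD" are handled by the shell.
    provider    => shell,
    # The secret is unwrapped only here. The command string below contains the
    # literal text $PASSWORD, never the value, so a debug line that prints the
    # command (such as the "failed check 'unless'" message) shows no password.
    environment => ["PASSWORD=${ad_join_password.unwrap}"],
    # printf '%s' writes the value without a trailing newline and without
    # treating a leading '-' in the password as an option.
    command     => "printf '%s' \"\$PASSWORD\" | /usr/sbin/adcli join --login-user='${ad_join_username}' --domain='${ad_domain}' --domain-ou='${ad_join_ou}' --stdin-password --verbose",
    unless      => "/usr/sbin/adcli testjoin -D ${ad_domain}",
    logoutput   => on_failure,
  }
}

# Caller: wrapping the lookup result satisfies the Sensitive[String] type.
# The values below are the sample ones from the debug line in the report.
class { 'profile::adcli_join':
  ad_join_password => Sensitive(lookup('adcli::ad_join_password')),
  ad_join_username => 'adjoin',
  ad_domain        => 'example.local',
  ad_join_ou       => 'OU=Linux,OU=Servers,OU=AdminOU,DC=example,DC=local',
}
```

The unwrapped value is still present as a plain string in the `environment` attribute of the compiled catalog, so this keeps the password out of the logged command line, not out of the catalog itself.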