From ddd6b469f2a2b73e8b10e8e566e39f644833845e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Neumann?=
Date: Tue, 26 May 2026 00:05:07 +0200
Subject: [PATCH] bootstrap: Reintroduce LLDAP_USER_PASSWORD

Ensure no passwords are leaked via cmdline.
---
 scripts/bootstrap.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index 41e3d5a..ed75490 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -712,9 +712,9 @@ main() {
 redundant_users="$(printf '%s' "$redundant_users" | jq --compact-output --arg id "$id" '. - [$id]')"
 if [[ "$password_file" != 'null' ]] && [[ "$password_file" != '""' ]]; then
- "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$(cat $password_file)"
+ LLDAP_USER_PASSWORD="$(< "$password_file")" "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id"
 elif [[ "$password" != 'null' ]] && [[ "$password" != '""' ]]; then
- "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$password"
+ LLDAP_USER_PASSWORD="$password" "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id"
 fi
 # Process custom attributes
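Review bot: Both new invocations still pass `--token "$TOKEN"` as an argument, so the token stays readable in the process list (`ps`, `/proc/<pid>/cmdline`) even though the user password no longer is; this is the same kind of exposure the commit message sets out to close. If the tool at `$LLDAP_SET_PASSWORD_PATH` can take the token from the environment or a file, hand it over the same way as `LLDAP_USER_PASSWORD`; if it cannot, a comment above the two calls such as `# NOTE: --token is still visible on the command line` would keep the gap from being overlooked. Separately, in the `password_file` branch a failed `$(< "$password_file")` does not stop the command, which then runs with an empty `LLDAP_USER_PASSWORD`; testing `[[ -r "$password_file" ]]` first and reporting an error would make a missing or unreadable file explicit. The enclosing `main()` begins and ends outside this hunk, so how errors are handled around these calls is not visible here.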