- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Security
- Server Security
- Fully Compatible
- v8.3, v8.2, v8.0, v7.0
- Server Security 2026-04-10, Server Security 2026-04-24, Server Security 2026-05-08, Server Security 2026-05-22, Server Security 2026-06-05, Server Security 2026-06-19
Unless --redactClientLogData is globally enabled (that's here: https://www.mongodb.com/docs/manual/reference/parameters/#mongodb-parameter-param.redactClientLogData), any parameter passed to mongod will be logged to mongod.log in plain text. The only sensitive data vulnerable is the LDAP query password.
- redactClientLogData is the intended general solution for keeping sensitive values out of logs
- isRedact() is supposed to be used to mark parameters like passwords as sensitive... but is never consulted for the newValue logging path, even though it logically should be?
- When the LDAP query password is set at runtime via setParameter, the password will appear in plain text in the log unless redactClientLogData is on. This applies to every version from 3.4.19 through 8.2.6.
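
One way to check existing logs for this exposure, as an added example that is not part of the ticket or MongoDB's own code: it scans structured (JSON) mongod.log lines for an entry naming ldapQueryPassword and replaces an unredacted newValue. The `attr`/`parameterName` layout, the `###` redaction marker and the sample lines are assumptions constructed for illustration; older plain-text log formats are passed through unchanged.

```python
import json

PARAM = "ldapQueryPassword"  # server parameter that holds the LDAP query password
REDACTED = "###"             # assumed marker for a value that is already redacted


def scrub_line(line):
    """Return (line, exposed). Only JSON entries for PARAM are rewritten."""
    try:
        entry = json.loads(line)
    except ValueError:
        return line, False  # legacy plain-text line or debris: leave untouched
    attr = entry.get("attr") if isinstance(entry, dict) else None
    if not isinstance(attr, dict) or attr.get("parameterName") != PARAM:
        return line, False
    if "newValue" not in attr or attr["newValue"] == REDACTED:
        return line, False
    attr["newValue"] = REDACTED
    return json.dumps(entry), True


def scrub_log(lines):
    """Scrub an iterable of log lines; return (clean_lines, exposed_line_numbers)."""
    clean, hits = [], []
    for number, line in enumerate(lines, start=1):
        scrubbed, exposed = scrub_line(line.rstrip("\n"))
        clean.append(scrubbed)
        if exposed:
            hits.append(number)
    return clean, hits


# Constructed sample input; the field layout is assumed, not copied from a real log.
SAMPLE = [
    '{"s":"I","c":"COMMAND","id":0,"msg":"constructed setParameter entry",'
    '"attr":{"parameterName":"ldapQueryPassword","newValue":"EXAMPLE-ONLY-SECRET"}}',
    '{"s":"I","c":"COMMAND","id":0,"msg":"constructed setParameter entry",'
    '"attr":{"parameterName":"logLevel","newValue":1}}',
    '{"s":"I","c":"COMMAND","id":0,"msg":"constructed setParameter entry",'
    '"attr":{"parameterName":"ldapQueryPassword","newValue":"###"}}',
    "2026-01-01T00:00:00.000+0000 I COMMAND [conn1] constructed legacy text line",
]

if __name__ == "__main__":
    cleaned, exposed_lines = scrub_log(SAMPLE)
    print("exposed on lines:", exposed_lines)
    print("\n".join(cleaned))
```

Any line number it reports means the password reached disk in plain text, so the credential should be rotated in addition to scrubbing the log and any copies shipped to log aggregation.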