diff --git a/roles/ipa/client/tasks/hbac.yml b/roles/ipa/client/tasks/hbac.yml
index ad3aebef27..dce7610cd4 100644
--- a/roles/ipa/client/tasks/hbac.yml
+++ b/roles/ipa/client/tasks/hbac.yml
@@ -14,6 +14,7 @@
 state: present
 group:
 - sysadmin-main
+ no_log: true
 loop: "{{ ipa_server_admin_passwords | dict2items }}"
 - name: "Enable usergroup/sysadmin-main HBAC rule"
@@ -22,6 +23,7 @@
 name: "usergroup/sysadmin-main"
 ipaadmin_password: "{{ item.value }}"
 state: enabled
+ no_log: true
 loop: "{{ ipa_server_admin_passwords | dict2items }}"
 - name: "Disable allow_all HBAC rule"
@@ -30,6 +32,7 @@
 name: allow_all
 ipaadmin_password: "{{ item.value }}"
 state: disabled
+ no_log: true
 loop: "{{ ipa_server_admin_passwords | dict2items }}"
 - name: "Let everybody run sudo"
@@ -43,6 +46,7 @@
 usercategory: "all"
 hbacsvcgroup:
 - Sudo
+ no_log: true
 loop: "{{ ipa_server_admin_passwords | dict2items }}"
 - name: Add the sshd HBAC service in IPA
@@ -51,6 +55,7 @@
 name: sshd
 description: SSH daemon
 ipaadmin_password: "{{ item.value }}"
+ no_log: true
 loop: "{{ ipa_server_admin_passwords | dict2items }}"
 - name: Add the shell-access service group in IPA
@@ -61,6 +66,7 @@
 ipaadmin_password: "{{ item.value }}"
 hbacsvc:
 - sshd
+ no_log: true
 loop: "{{ ipa_server_admin_passwords | dict2items }}"
 ## Host group- & host-specific rules
diff --git a/roles/ipa/client/tasks/prepare-ipa-info.yml b/roles/ipa/client/tasks/prepare-ipa-info.yml
index dae907462c..780ab07837 100644
--- a/roles/ipa/client/tasks/prepare-ipa-info.yml
+++ b/roles/ipa/client/tasks/prepare-ipa-info.yml
@@ -29,7 +29,7 @@
 # }, ...
 # }
 #
-# ipa_server_passwords: ->
+# ipa_server_admin_passwords ->
 # {
 # "ipa_server_1": "ipa_password_1",
 # "ipa_server_2": "ipa_password_2",
diff --git a/roles/ipa/client/tasks/sudo.yml b/roles/ipa/client/tasks/sudo.yml
index c2ae4f6f17..fba95da61d 100644
--- a/roles/ipa/client/tasks/sudo.yml
+++ b/roles/ipa/client/tasks/sudo.yml
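Review bot: The task-level `no_log: true` added in the first hbac.yml hunk (`@@ -14,6 +14,7 @@`), and repeated in the five hbac.yml hunks after it and in sudo.yml, also hides the module's error message and the failing loop item, so a failed IPA call will be hard to diagnose. The secret reaches the output because `item` carries the password as `item.value`; looping over the server names only and looking the password up in the task (`ipaadmin_password: "{{ ipa_server_admin_passwords[item] }}"`) would keep `item` non-secret, though whether `no_log` could then be dropped depends on the module declaring that parameter as no_log, which is not visible here because each task starts above its hunk. If `no_log: true` stays, a comment such as `# loop item contains an IPA admin password` above it would stop it being removed during troubleshooting. `no_log` does not censor output produced with ANSIBLE_DEBUG enabled, so these tasks should not be debugged that way on production hosts.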
@@ -14,6 +14,7 @@
 runasgroupcategory: "all"
 group:
 - sysadmin-main
+ no_log: true
 loop: "{{ ipa_server_admin_passwords | dict2items }}"
 - name: Give certain groups sudo access to anything per host group
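Review bot: The task that starts on the last line of this hunk, `Give certain groups sudo access to anything per host group`, is not changed by this commit, and sudo.yml has no other hunk. If that task, or any task below it, also loops over `ipa_server_admin_passwords | dict2items`, it still prints the admin passwords and needs the same `no_log: true`; its body lies outside the hunk, so this should be checked in the file. The same check applies to the tasks under `## Host group- & host-specific rules` in hbac.yml, which follow that file's last hunk.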