authorJr Aquino <jr.aquino@citrix.com>2011-02-23 11:37:07 -0800
committerRob Crittenden <rcritten@redhat.com>2011-02-23 15:32:24 -0500
commit1770750b8adad6d9f2d98c0c9debc54d61f341cf (patch)
tree1643d76b32080976114f495b486928c84afae63b
parent523eaa9749a37f8a5b6f62136567629193adade7 (diff)
Create default disabled sudo bind user
Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information. https://fedorahosted.org/freeipa/ticket/998
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/sudobind.ldif9
-rw-r--r--ipalib/plugins/sudorule.py15
-rw-r--r--ipaserver/install/dsinstance.py8
-rw-r--r--ipaserver/install/service.py6
5 files changed, 36 insertions, 3 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4527a922c..c6361099b 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -48,6 +48,7 @@ app_DATA = \
modrdn-krbprinc.ldif \
entryusn.ldif \
root-autobind.ldif \
+ sudobind.ldif \
$(NULL)
EXTRA_DIST = \
diff --git a/install/share/sudobind.ldif b/install/share/sudobind.ldif
new file mode 100644
index 000000000..77a2aad99
--- /dev/null
+++ b/install/share/sudobind.ldif
@@ -0,0 +1,9 @@
+#SUDO bind user
+dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: sudo
+userPassword: $RANDOM_PASSWORD
+passwordExpirationTime: 20380119031407Z
+nsIdleTimeout: 0
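Review bot: Nothing in this entry actually locks the account that the commit title calls "disabled": it receives a bindable `userPassword` (the `$RANDOM_PASSWORD` substituted by dsinstance.py) and a `passwordExpirationTime` in 2038, so its safety rests entirely on the generated value never being recorded, which the diff arranges (the `_ldap_mod` log redaction in service.py) but states nowhere. I would make that contract explicit in the file header, e.g. `# Created with a random password that is not recorded anywhere; an administrator` / `# enables this account by resetting the password (see ipalib/plugins/sudorule.py).` If the schema in use permits it, adding `nsAccountLock: TRUE` at creation would turn the implicit disabled state into an explicit one, at the cost of extending the enable procedure documented in sudorule.py with an unlock step. `nsIdleTimeout: 0` also deserves a one-line comment, since it presumably removes the idle-connection timeout for sessions bound as this user.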
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index a4eacd1d5..2565cd818 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -17,7 +17,20 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
-Sudo Rule
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a designated binddn to use with SUDO located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
+-h ipa.example.com -ZZ -D "cn=Directory Manager" \
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+For more information, see the FreeIPA Documentation to Sudo.
"""
from ipalib import api, errors
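Review bot: The new docstring tells the administrator to "enable the binddn" by setting a password but never says why the account is unusable to begin with, which is the fact an operator needs in order to trust it; one sentence before the ldappasswd example would close the gap: `The account is created during installation with a random password that is not recorded, so it cannot be used until an administrator sets a known one:`. The closing line reads awkwardly; `For more information, see the FreeIPA documentation on sudo.` is the intended wording. The rest of the module docstring and the module body are outside the hunk.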
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2544e167b..bf631a67f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -249,6 +249,7 @@ class DsInstance(service.Service):
self.step("adding replication acis", self.__add_replication_acis)
self.step("configuring user private groups", self.__user_private_groups)
self.step("configuring netgroups from hostgroups", self.__host_nis_groups)
+ self.step("creating default SUDO bind user", self.__add_sudo_binduser)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
@@ -311,6 +312,7 @@ class DsInstance(service.Service):
server_root = find_server_root()
self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
PASSWORD=self.dm_password,
+ RANDOM_PASSWORD=self.generate_random(),
SUFFIX=self.suffix.lower(),
REALM=self.realm_name, USER=DS_USER,
SERVER_ROOT=server_root, DOMAIN=self.domain,
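Review bot: `RANDOM_PASSWORD=self.generate_random()` stores a secret in `self.sub_dict`, the dictionary that every template and `_ldap_mod` call on this instance receives, so the throwaway bind password lives as long as the DsInstance object, gets substituted into any template that happens to mention `$RANDOM_PASSWORD`, and is exposed if sub_dict is ever dumped or logged; only sudobind.ldif needs it, as far as this diff shows. I would generate it inside `__add_sudo_binduser` (the hunk at line 740) and hand `_ldap_mod` a per-call copy, `sub_dict = dict(self.sub_dict, RANDOM_PASSWORD=self.generate_random())` followed by `self._ldap_mod("sudobind.ldif", sub_dict)`, dropping the line here; the RANDOM_PASSWORD redaction added in service.py keys on the dict it is passed, so it still applies. The method that builds sub_dict starts before this hunk.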
@@ -475,6 +477,9 @@ class DsInstance(service.Service):
def __add_enrollment_module(self):
self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
+ def generate_random(self):
+ return ipautil.ipa_generate_password()
+
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
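Review bot: `generate_random` is a public one-line wrapper around `ipautil.ipa_generate_password()` with no docstring, placed between two name-mangled private helpers, and the only caller this diff shows is the sub_dict line at 312. Unless other code needs it, calling `ipautil.ipa_generate_password()` directly reads more consistently with the surrounding methods; if it stays, it does not use `self` and can be a `@staticmethod` with a docstring such as `"""Return a fresh random password for throw-away system accounts."""`.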
@@ -735,6 +740,9 @@ class DsInstance(service.Service):
def __root_autobind(self):
self._ldap_mod("root-autobind.ldif")
+ def __add_sudo_binduser(self):
+ self._ldap_mod("sudobind.ldif", self.sub_dict)
+
def replica_populate(self):
self.ldap_connect()
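Review bot: `__add_sudo_binduser` has no docstring, so the step label at line 252 is the only description of what it creates and with which credentials; I would add `"""Create the uid=sudo system account from sudobind.ldif, using the RANDOM_PASSWORD in sub_dict."""` directly under the `def`. `replica_populate` continues past the end of the hunk.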
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1235eaffd..41b221419 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -127,7 +127,7 @@ class Service:
fd = None
path = ipautil.SHARE_DIR + ldif
hostname = installutils.get_fqdn()
- nologlist=()
+ nologlist=[]
if sub_dict is not None:
txt = ipautil.template_file(path, sub_dict)
@@ -136,7 +136,9 @@ class Service:
# do not log passwords
if sub_dict.has_key('PASSWORD'):
- nologlist = sub_dict['PASSWORD'],
+ nologlist.append(sub_dict['PASSWORD'])
+ if sub_dict.has_key('RANDOM_PASSWORD'):
+ nologlist.append(sub_dict['RANDOM_PASSWORD'])
if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp()
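Review bot: The two `has_key`/`append` blocks at lines 137–140 are copies of each other and will have to be copied again for every further secret a template carries; a loop over the known keys keeps the redaction in one place, `for key in ('PASSWORD', 'RANDOM_PASSWORD'):` / `    if key in sub_dict:` / `        nologlist.append(sub_dict[key])` (`in` also survives the removal of `has_key` in Python 3). Changing `nologlist` from a tuple to a list in the hunk at line 127 is only safe if whatever consumes it later in the method accepts a list; that consumer, like the start of the method, is outside both hunks, so please confirm.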