summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJr Aquino <jr.aquino@citrix.com>2011-02-23 11:37:07 -0800
committerRob Crittenden <rcritten@redhat.com>2011-02-23 15:32:24 -0500
commit1770750b8adad6d9f2d98c0c9debc54d61f341cf (patch)
tree1643d76b32080976114f495b486928c84afae63b
parent523eaa9749a37f8a5b6f62136567629193adade7 (diff)
downloadfreeipa-1770750b8adad6d9f2d98c0c9debc54d61f341cf.zip
freeipa-1770750b8adad6d9f2d98c0c9debc54d61f341cf.tar.gz
freeipa-1770750b8adad6d9f2d98c0c9debc54d61f341cf.tar.xz
Create default disabled sudo bind user
Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information. https://fedorahosted.org/freeipa/ticket/998
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/sudobind.ldif9
-rw-r--r--ipalib/plugins/sudorule.py15
-rw-r--r--ipaserver/install/dsinstance.py8
-rw-r--r--ipaserver/install/service.py6
5 files changed, 36 insertions, 3 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4527a92..c636109 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -48,6 +48,7 @@ app_DATA = \
modrdn-krbprinc.ldif \
entryusn.ldif \
root-autobind.ldif \
+ sudobind.ldif \
$(NULL)
EXTRA_DIST = \
diff --git a/install/share/sudobind.ldif b/install/share/sudobind.ldif
new file mode 100644
index 0000000..77a2aad
--- /dev/null
+++ b/install/share/sudobind.ldif
@@ -0,0 +1,9 @@
+#SUDO bind user
+dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: sudo
+userPassword: $RANDOM_PASSWORD
+passwordExpirationTime: 20380119031407Z
+nsIdleTimeout: 0
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index a4eacd1..2565cd8 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -17,7 +17,20 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
-Sudo Rule
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a designated binddn to use with SUDO located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
+-h ipa.example.com -ZZ -D "cn=Directory Manager" \
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+For more information, see the FreeIPA Documentation to Sudo.
"""
from ipalib import api, errors
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2544e16..bf631a6 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -249,6 +249,7 @@ class DsInstance(service.Service):
self.step("adding replication acis", self.__add_replication_acis)
self.step("configuring user private groups", self.__user_private_groups)
self.step("configuring netgroups from hostgroups", self.__host_nis_groups)
+ self.step("creating default SUDO bind user", self.__add_sudo_binduser)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
@@ -311,6 +312,7 @@ class DsInstance(service.Service):
server_root = find_server_root()
self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
PASSWORD=self.dm_password,
+ RANDOM_PASSWORD=self.generate_random(),
SUFFIX=self.suffix.lower(),
REALM=self.realm_name, USER=DS_USER,
SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -475,6 +477,9 @@ class DsInstance(service.Service):
def __add_enrollment_module(self):
self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
+ def generate_random(self):
+ return ipautil.ipa_generate_password()
+
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
@@ -735,6 +740,9 @@ class DsInstance(service.Service):
def __root_autobind(self):
self._ldap_mod("root-autobind.ldif")
+ def __add_sudo_binduser(self):
+ self._ldap_mod("sudobind.ldif", self.sub_dict)
+
def replica_populate(self):
self.ldap_connect()
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1235eaf..41b2214 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -127,7 +127,7 @@ class Service:
fd = None
path = ipautil.SHARE_DIR + ldif
hostname = installutils.get_fqdn()
- nologlist=()
+ nologlist=[]
if sub_dict is not None:
txt = ipautil.template_file(path, sub_dict)
@@ -136,7 +136,9 @@ class Service:
# do not log passwords
if sub_dict.has_key('PASSWORD'):
- nologlist = sub_dict['PASSWORD'],
+ nologlist.append(sub_dict['PASSWORD'])
+ if sub_dict.has_key('RANDOM_PASSWORD'):
+ nologlist.append(sub_dict['RANDOM_PASSWORD'])
if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp()