Create default disabled sudo bind user

Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.

https://fedorahosted.org/freeipa/ticket/998

2 files changed, 12 insertions, 2 deletions

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2544e167b..bf631a67f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -249,6 +249,7 @@ class DsInstance(service.Service):
         self.step("adding replication acis", self.__add_replication_acis)
         self.step("configuring user private groups", self.__user_private_groups)
         self.step("configuring netgroups from hostgroups", self.__host_nis_groups)
+        self.step("creating default SUDO bind user", self.__add_sudo_binduser)
         if hbac_allow:
             self.step("creating default HBAC rule allow_all", self.add_hbac)
 
@@ -311,6 +312,7 @@ class DsInstance(service.Service):
         server_root = find_server_root()
         self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
                              PASSWORD=self.dm_password,
+                             RANDOM_PASSWORD=self.generate_random(),
                              SUFFIX=self.suffix.lower(),
                              REALM=self.realm_name, USER=DS_USER,
                              SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -475,6 +477,9 @@ class DsInstance(service.Service):
     def __add_enrollment_module(self):
         self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
+    def generate_random(self):
+        return ipautil.ipa_generate_password()
+
     def __enable_ssl(self):
         dirname = config_dirname(self.serverid)
         dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
@@ -735,6 +740,9 @@ class DsInstance(service.Service):
     def __root_autobind(self):
         self._ldap_mod("root-autobind.ldif")
 
+    def __add_sudo_binduser(self):
+        self._ldap_mod("sudobind.ldif", self.sub_dict)
+
     def replica_populate(self):
         self.ldap_connect()
 
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1235eaffd..41b221419 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -127,7 +127,7 @@ class Service:
         fd = None
         path = ipautil.SHARE_DIR + ldif
         hostname = installutils.get_fqdn()
-        nologlist=()
+        nologlist=[]
 
         if sub_dict is not None:
             txt = ipautil.template_file(path, sub_dict)
@@ -136,7 +136,9 @@ class Service:
 
             # do not log passwords
             if sub_dict.has_key('PASSWORD'):
-                nologlist = sub_dict['PASSWORD'],
+                nologlist.append(sub_dict['PASSWORD'])
+            if sub_dict.has_key('RANDOM_PASSWORD'):
+                nologlist.append(sub_dict['RANDOM_PASSWORD'])
 
         if self.dm_password:
             [pw_fd, pw_name] = tempfile.mkstemp()