From 1770750b8adad6d9f2d98c0c9debc54d61f341cf Mon Sep 17 00:00:00 2001
From: Jr Aquino
Date: Wed, 23 Feb 2011 11:37:07 -0800
Subject: Create default disabled sudo bind user
Read access is denied to the sudo container for unauthenticated users. This shared user can be used to provide authenticated access to the sudo information.
https://fedorahosted.org/freeipa/ticket/998
---
 ipalib/plugins/sudorule.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
(limited to 'ipalib/plugins/sudorule.py')
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index a4eacd1d5..2565cd818 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -17,7 +17,20 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 """
-Sudo Rule
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+FreeIPA provides a designated binddn to use with SUDO located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
+-h ipa.example.com -ZZ -D "cn=Directory Manager" \
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+For more information, see the FreeIPA Documentation to Sudo.
 """
 from ipalib import api, errors
-- cgit
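Review bot: The added docstring shows how to set a password on `uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com` but does not say that this is one account shared by every host that reads the sudo container, so the password presumably has to be configured on each client and should be treated as widely known. After the `ldappasswd` example I would add `The sudo bind password is shared by all clients: use a dedicated value and never reuse the Directory Manager password.` It would also help to state that `ipa.example.com` and `dc=example,dc=com` are placeholders, and that the account cannot bind until a password is set (inferred from the commit subject; the entry itself is created outside this file). The removed one-line title `Sudo Rule` also leaves the docstring opening with a sentence that wraps across lines, which reads badly wherever only the first line is shown.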