-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/sudobind.ldif | 9 | ||||
-rw-r--r-- | ipalib/plugins/sudorule.py | 15 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 8 | ||||
-rw-r--r-- | ipaserver/install/service.py | 6 |
5 files changed, 36 insertions, 3 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4527a922..c6361099 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -48,6 +48,7 @@ app_DATA = \
 modrdn-krbprinc.ldif \
 entryusn.ldif \
 root-autobind.ldif \
+ sudobind.ldif \
 $(NULL)
 
 EXTRA_DIST = \
diff --git a/install/share/sudobind.ldif b/install/share/sudobind.ldif
new file mode 100644
index 00000000..77a2aad9
--- /dev/null
+++ b/install/share/sudobind.ldif
@@ -0,0 +1,9 @@
+#SUDO bind user
+dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: sudo
+userPassword: $RANDOM_PASSWORD
+passwordExpirationTime: 20380119031407Z
+nsIdleTimeout: 0
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index a4eacd1d..2565cd81 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -17,7 +17,20 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 """
-Sudo Rule
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a designated binddn to use with SUDO located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
+-h ipa.example.com -ZZ -D "cn=Directory Manager" \
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+For more information, see the FreeIPA Documentation to Sudo.
 """
 
 from ipalib import api, errors
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2544e167..bf631a67 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
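Review bot: The new sudobind.ldif writes `userPassword: $RANDOM_PASSWORD` as a bare LDIF value, but the substituted string comes from `ipautil.ipa_generate_password()` (see the dsinstance.py hunks), whose character set is not visible here; LDIF (RFC 2849) requires a value that starts with a space, `:` or `<`, or contains non-ASCII or control characters, to be base64-encoded under `userPassword::`, so either the generator must be guaranteed to emit a safe alphabet or the installer should encode the value before templating. The entry also sets `passwordExpirationTime: 20380119031407Z` and `nsIdleTimeout: 0` without explanation, and nothing in this diff records or reports the generated password, so the account is created with a non-expiring secret that no one knows. If that is the intent (the administrator resets it, as the sudorule docstring describes), a comment in the file such as `# Install-time password is random and never disclosed; reset it with ldappasswd before use (see ipalib/plugins/sudorule.py)` would tell a reader the state is deliberate.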
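Review bot: The new sudorule.py docstring ends with `For more information, see the FreeIPA Documentation to Sudo.`; `on Sudo` is the idiomatic wording. It also presents the ldappasswd step as a way to "enable" the binddn without saying why the step is needed: the install creates the account with a random password that nothing in this change stores or prints, so a sentence such as `The account is created at install time with a random, undisclosed password; run the command below to set a known one before using the binddn.` would make the requirement explicit rather than optional-sounding. Since the command has two interactive prompts, stating that `-W` asks for the Directory Manager password and `-S` for the new sudo bind password would also avoid confusion.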
@@ -249,6 +249,7 @@ class DsInstance(service.Service):
 self.step("adding replication acis", self.__add_replication_acis)
 self.step("configuring user private groups", self.__user_private_groups)
 self.step("configuring netgroups from hostgroups", self.__host_nis_groups)
+ self.step("creating default SUDO bind user", self.__add_sudo_binduser)
 
 if hbac_allow:
 self.step("creating default HBAC rule allow_all", self.add_hbac)
@@ -311,6 +312,7 @@ class DsInstance(service.Service):
 server_root = find_server_root()
 self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
 PASSWORD=self.dm_password,
+ RANDOM_PASSWORD=self.generate_random(),
 SUFFIX=self.suffix.lower(),
 REALM=self.realm_name, USER=DS_USER,
 SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -475,6 +477,9 @@ class DsInstance(service.Service):
 def __add_enrollment_module(self):
 self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
+ def generate_random(self):
+ return ipautil.ipa_generate_password()
+
 def __enable_ssl(self):
 dirname = config_dirname(self.serverid)
 dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
@@ -735,6 +740,9 @@ class DsInstance(service.Service):
 def __root_autobind(self):
 self._ldap_mod("root-autobind.ldif")
 
+ def __add_sudo_binduser(self):
+ self._ldap_mod("sudobind.ldif", self.sub_dict)
+
 def replica_populate(self):
 self.ldap_connect()
 
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1235eaff..41b22141 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -127,7 +127,7 @@ class Service:
 fd = None
 path = ipautil.SHARE_DIR + ldif
 hostname = installutils.get_fqdn()
- nologlist=()
+ nologlist=[]
 
 if sub_dict is not None:
 txt = ipautil.template_file(path, sub_dict)
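Review bot: `generate_random` (hunk @@ -475) is a new public method with no docstring, and its name does not say what it generates or that the result is a credential; a docstring such as `"""Return a random password from ipautil.ipa_generate_password(); called once when sub_dict is built to seed RANDOM_PASSWORD."""` would fix that, or the method could be made private (`__generate_random`) like its siblings if nothing outside the class is meant to call it. Because the value is computed once inside the `dict(...)` call in hunk @@ -311, every template rendered with `self.sub_dict` (including sudobind.ldif via `__add_sudo_binduser`, hunk @@ -735) sees the same `$RANDOM_PASSWORD`, and nothing in this diff stores, prints or returns it, so the sudo bind account starts out with a password nobody holds. If that is intentional, a comment on the `RANDOM_PASSWORD=` line — e.g. `# throwaway secret: the admin must reset it with ldappasswd before the sudo binddn is usable` — would stop a later maintainer from "fixing" it by logging the value. The step list and `__setup_sub_dict` bodies begin outside their hunks, so whether `self.sub_dict` is rebuilt (and the value regenerated) elsewhere cannot be confirmed here.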
@@ -136,7 +136,9 @@ class Service:
 
 # do not log passwords
 if sub_dict.has_key('PASSWORD'):
- nologlist = sub_dict['PASSWORD'],
+ nologlist.append(sub_dict['PASSWORD'])
+ if sub_dict.has_key('RANDOM_PASSWORD'):
+ nologlist.append(sub_dict['RANDOM_PASSWORD'])
 
 if self.dm_password:
 [pw_fd, pw_name] = tempfile.mkstemp()
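Review bot: The two `has_key` blocks in this hunk are the same pattern copied, and every future secret substituted into a template has to be added here by hand or it will reach the log; a single loop, `for key in ('PASSWORD', 'RANDOM_PASSWORD'):` / `    if key in sub_dict:` / `        nologlist.append(sub_dict[key])`, keeps the list of secret keys in one place (`has_key` is Python 2 only, `in` works on both). The `nologlist=()` → `nologlist=[]` change in the preceding hunk (@@ -127) is what makes `.append` work, and it also fixes the old tuple-by-trailing-comma assignment; the code that consumes `nologlist` is outside both hunks, so whether it accepts a list as well as a tuple cannot be confirmed from the diff. The enclosing method starts before hunk @@ -127 and continues past this one.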