-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/sudobind.ldif9
-rw-r--r--ipalib/plugins/sudorule.py15
-rw-r--r--ipaserver/install/dsinstance.py8
-rw-r--r--ipaserver/install/service.py6
5 files changed, 36 insertions, 3 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4527a922..c6361099 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -48,6 +48,7 @@ app_DATA = \
modrdn-krbprinc.ldif \
entryusn.ldif \
root-autobind.ldif \
+ sudobind.ldif \
$(NULL)
EXTRA_DIST = \
diff --git a/install/share/sudobind.ldif b/install/share/sudobind.ldif
new file mode 100644
index 00000000..77a2aad9
--- /dev/null
+++ b/install/share/sudobind.ldif
@@ -0,0 +1,9 @@
+#SUDO bind user
+dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: sudo
+userPassword: $RANDOM_PASSWORD
+passwordExpirationTime: 20380119031407Z
+nsIdleTimeout: 0
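Review bot: The new entry gives no hint that the account is created with a throwaway secret, which matters for anyone auditing sysaccounts after install: `userPassword` is filled from `$RANDOM_PASSWORD`, and nothing in this commit records or prints that value, so the bind DN is unusable until an administrator resets it (the sudorule.py docstring in the same commit gives the ldappasswd command). A comment under the existing `#SUDO bind user` header would make that explicit: `# Installed with an unrecorded random password; reset it with ldappasswd before clients can bind.` The `nsIdleTimeout: 0` line also deserves a one-line why-comment, since it presumably lifts the server-wide idle timeout for this bind DN so long-lived sudo client connections are not dropped, e.g. `# No idle timeout for sudo clients (overrides the server default)` — confirm that reading against the 389 DS attribute semantics.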
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index a4eacd1d..2565cd81 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -17,7 +17,20 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
-Sudo Rule
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a designated binddn to use with SUDO located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
+-h ipa.example.com -ZZ -D "cn=Directory Manager" \
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+For more information, see the FreeIPA Documentation to Sudo.
"""
from ipalib import api, errors
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2544e167..bf631a67 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -249,6 +249,7 @@ class DsInstance(service.Service):
self.step("adding replication acis", self.__add_replication_acis)
self.step("configuring user private groups", self.__user_private_groups)
self.step("configuring netgroups from hostgroups", self.__host_nis_groups)
+ self.step("creating default SUDO bind user", self.__add_sudo_binduser)
if hbac_allow:
self.step("creating default HBAC rule allow_all", self.add_hbac)
@@ -311,6 +312,7 @@ class DsInstance(service.Service):
server_root = find_server_root()
self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
PASSWORD=self.dm_password,
+ RANDOM_PASSWORD=self.generate_random(),
SUFFIX=self.suffix.lower(),
REALM=self.realm_name, USER=DS_USER,
SERVER_ROOT=server_root, DOMAIN=self.domain,
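Review bot: `RANDOM_PASSWORD=self.generate_random()` stores a plaintext secret in `self.sub_dict`, which this hunk shows is the substitution dict handed to every templated LDIF, not just `sudobind.ldif`, and the value is otherwise discarded rather than reported or saved. That appears deliberate (the commit's sudorule.py docstring has the admin reset the password), but the intent is not visible here, so a why-comment on the line would prevent a later maintainer from "fixing" it by logging or persisting the value: `# Throwaway secret for the sudo bind account; intentionally never recorded, the admin must reset it.` If `self.sub_dict` is built in more than one place (e.g. for replica installs), each site must supply this key or `$RANDOM_PASSWORD` would be left unexpanded in the rendered LDIF — I cannot see the rest of the file to confirm. The enclosing method starts before this hunk.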
@@ -475,6 +477,9 @@ class DsInstance(service.Service):
def __add_enrollment_module(self):
self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
+ def generate_random(self):
+ return ipautil.ipa_generate_password()
+
def __enable_ssl(self):
dirname = config_dirname(self.serverid)
dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
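Review bot: The new `generate_random` method has no docstring, and its name does not say what kind of random value it produces or that it is suitable for a credential. Since it simply delegates to `ipautil.ipa_generate_password()`, a one-line docstring is enough: `"""Return a fresh random password string (wraps ipautil.ipa_generate_password)."""`. If it is only ever called from this class, a leading underscore would also keep it out of the public surface of `DsInstance`, consistent with the other private helpers in this file (`__add_enrollment_module`, `__enable_ssl`). `__enable_ssl` continues past the end of the hunk.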
@@ -735,6 +740,9 @@ class DsInstance(service.Service):
def __root_autobind(self):
self._ldap_mod("root-autobind.ldif")
+ def __add_sudo_binduser(self):
+ self._ldap_mod("sudobind.ldif", self.sub_dict)
+
def replica_populate(self):
self.ldap_connect()
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1235eaff..41b22141 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -127,7 +127,7 @@ class Service:
fd = None
path = ipautil.SHARE_DIR + ldif
hostname = installutils.get_fqdn()
- nologlist=()
+ nologlist=[]
if sub_dict is not None:
txt = ipautil.template_file(path, sub_dict)
@@ -136,7 +136,9 @@ class Service:
# do not log passwords
if sub_dict.has_key('PASSWORD'):
- nologlist = sub_dict['PASSWORD'],
+ nologlist.append(sub_dict['PASSWORD'])
+ if sub_dict.has_key('RANDOM_PASSWORD'):
+ nologlist.append(sub_dict['RANDOM_PASSWORD'])
if self.dm_password:
[pw_fd, pw_name] = tempfile.mkstemp()
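Review bot: The log-redaction list is now built from two hard-coded keys, `PASSWORD` and `RANDOM_PASSWORD`, so the next template variable that carries a secret under a different name will be logged in clear unless someone remembers to extend this chain. Since both keys share the `PASSWORD` suffix, deriving the list from the key names is shorter and closes that gap for future callers: replace the two `if sub_dict.has_key(...)` blocks with `nologlist = [v for k, v in sub_dict.items() if k.endswith('PASSWORD')]`. That keeps the existing `nologlist=[]` initialisation on the path where `sub_dict` is `None` and does not touch the separate `self.dm_password` handling that follows. The enclosing method continues outside the hunk, so I cannot see how `nologlist` is consumed; the change assumes only membership in the list matters.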