[Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
Simo Sorce
ssorce at redhat.com
Wed Feb 23 19:23:35 UTC 2011
On Wed, 23 Feb 2011 13:50:37 -0500
Rob Crittenden <rcritten at redhat.com> wrote:
> JR Aquino wrote:
> > On 2/22/11 7:45 PM, "JR Aquino"<JR.Aquino at citrix.com> wrote:
> >
> >> This patch addresses ticket #998
> >>
> >> It adds:
> >>
> >> * ldif to create a default sudo bind user: dn:
> >> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
> >> * modifications to dsinstance.py to add the ldif
> >> * modifications to dsinstance.py to add a call to
> >> ipautil.ipa_generate_password() for a random password. It is
> >> added to the sub_dict as 'RANDOM_PASSWORD'
> >> * addition to the Makefile.am in install/share to account for the
> >> new ldif file
> >
> > Corrections / Additions:
> >
> > * Correction to dsinstance.py to remove the unnecessary sha1 call
> > and library
> > * Addition of docstring for the ipa help sudorule to explain usage
> > of the sudo binddn
> >
>
> We need to make sure we don't log random passwords. Can you add this
> to your patch?
>
> --- service.py 2011-02-14 20:18:23.000000000 -0500
> +++ /tmp/service.py 2011-02-23 13:49:56.000000000 -0500
> @@ -137,6 +137,8 @@
> # do not log passwords
> if sub_dict.has_key('PASSWORD'):
> nologlist = sub_dict['PASSWORD'],
> + if sub_dict.has_key('RANDOM_PASSWORD'):
> + nologlist = sub_dict['RANDOM_PASSWORD'],
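Review bot: The added assignment `nologlist = sub_dict['RANDOM_PASSWORD'],` rebinds nologlist instead of extending it, so when sub_dict holds both 'PASSWORD' and 'RANDOM_PASSWORD' the tuple built two lines earlier is discarded and the 'PASSWORD' value drops out of the no-log list. Accumulate instead, for example `nologlist += (sub_dict['RANDOM_PASSWORD'],)`, which relies on nologlist already being bound to a tuple before this block (its initialisation is not visible in this hunk). Writing the one-element tuples with explicit parentheses would also make the trailing-comma intent obvious to the next reader.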
Should you append to nologlist?
If I read this right otherwise you'll replace the previous one.
Simo.
--
Simo Sorce * Red Hat, Inc * New York