[Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user

Rob Crittenden rcritten at redhat.com
Wed Feb 23 20:33:10 UTC 2011


JR Aquino wrote:
> On 2/23/11 11:23 AM, "Simo Sorce"<ssorce at redhat.com>  wrote:
>
>> On Wed, 23 Feb 2011 13:50:37 -0500
>> Rob Crittenden<rcritten at redhat.com>  wrote:
>>
>>> JR Aquino wrote:
>>>> On 2/22/11 7:45 PM, "JR Aquino"<JR.Aquino at citrix.com>   wrote:
>>>>
>>>>> This patch addresses ticket #998
>>>>>
>>>>> It adds:
>>>>>
>>>>> * ldif to create a default sudo bind user: dn:
>>>>> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
>>>>> * modifications to dsinstance.py to add the ldif
>>>>> * modifications to dsinstance.py to add a call to
>>>>> ipautil.ipa_generate_password() for a random password. It is
>>>>> added to the sub_dict as 'RANDOM_PASSWORD'
>>>>> * addition to the Makefile.am in install/share to account for the
>>>>> new ldif file
>>>>
>>>> Corrections / Additions:
>>>>
>>>> * Correction to dsinstance.py to remove the unnecessary sha1 call
>>>> and library
>>>> * Addition of docstring for the ipa help sudorule to explain usage
>>>> of the sudo binddn
>>>>
>>>
>>> We need to make sure we don't log random passwords. Can you add this
>>> to your patch?
>>>
>>> --- service.py  2011-02-14 20:18:23.000000000 -0500
>>> +++ /tmp/service.py     2011-02-23 13:49:56.000000000 -0500
>>> @@ -137,6 +137,8 @@
>>>                # do not log passwords
>>>                if sub_dict.has_key('PASSWORD'):
>>>                    nologlist = sub_dict['PASSWORD'],
>>> +            if sub_dict.has_key('RANDOM_PASSWORD'):
>>> +                nologlist = sub_dict['RANDOM_PASSWORD'],
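Review bot: the added branch at the end of the hunk assigns `nologlist = sub_dict['RANDOM_PASSWORD'],` (a fresh one-element tuple), which overwrites the tuple built by the `PASSWORD` branch two lines above it, so when both keys are present in sub_dict the PASSWORD value drops off the do-not-log list and is written to the log. Initialise `nologlist = []` before the checks and append in each branch, e.g. `nologlist.append(sub_dict['PASSWORD'])` and `nologlist.append(sub_dict['RANDOM_PASSWORD'])`. While touching these lines, `'RANDOM_PASSWORD' in sub_dict` is the idiomatic spelling of `sub_dict.has_key('RANDOM_PASSWORD')`.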
>>
>> Should you append to nologlist ?
>> If I read this right otherwise you'll replace the previous one.
>>
>> Simo.
>
> New corrections posted for the full patch.
>
> Adding a correction to nologlist to initialize it as a dict rather than a
> tuple.  Then correctly appending the various sub_dict objects to the list.
> Also corrected 2 trailing whitespace bugs that were present in the
> previous patch.

ack, pushed to master.

I just added a bit more info to the commit message.

rob
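The thread's point, collecting every secret substitution value into one do-not-log list instead of overwriting it, as an added example. This is not FreeIPA's service.py and not the posted patch; it assumes a $KEY template rendered with string.Template, a constructed two-entry LDIF sample, and the key names PASSWORD and RANDOM_PASSWORD from the discussion. It keeps a version with the overwrite bug Simo pointed out beside the corrected one so the leak is visible.

```python
"""Redact secret template values before logging (added example, not FreeIPA code).

Assumptions: templates use $KEY placeholders filled from sub_dict; the keys
named in SECRET_KEYS hold values that must never reach a log file.
"""
import secrets
import string

SECRET_KEYS = ("PASSWORD", "RANDOM_PASSWORD")  # assumed key names
REDACTED = "XXXXXXXX"

# Constructed sample LDIF: a sudo bind account filled from RANDOM_PASSWORD and
# a second account filled from PASSWORD, so both secrets appear in one render.
SAMPLE_LDIF = """dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
objectclass: account
objectclass: simplesecurityobject
uid: sudo
userPassword: $RANDOM_PASSWORD

dn: uid=example,cn=sysaccounts,cn=etc,$SUFFIX
objectclass: account
objectclass: simplesecurityobject
uid: example
userPassword: $PASSWORD
"""

# Constructed substitution dictionary with fixed values so results are checkable.
SD = {
    "SUFFIX": "dc=example,dc=com",
    "PASSWORD": "Secret1",
    "RANDOM_PASSWORD": "r4nd0mPw",
}


def render(template, sub_dict):
    """Fill $KEY placeholders; a missing key raises KeyError instead of leaving a hole."""
    return string.Template(template).substitute(sub_dict)


def secret_values_overwriting(sub_dict, secret_keys=SECRET_KEYS):
    """The shape of the quoted patch: each branch assigns a new one-element
    tuple, so the last matching key wins and earlier secrets are logged."""
    nologlist = ()
    for key in secret_keys:
        if key in sub_dict:
            nologlist = sub_dict[key],
    return list(nologlist)


def secret_values(sub_dict, secret_keys=SECRET_KEYS):
    """Corrected form: append every present secret to one list."""
    nologlist = []
    for key in secret_keys:
        if key in sub_dict:
            nologlist.append(sub_dict[key])
    return nologlist


def redact(text, nologlist):
    """Replace each secret value with a marker, longest first so that a value
    that is a prefix of another is not left half-visible."""
    for value in sorted(nologlist, key=len, reverse=True):
        if value:
            text = text.replace(value, REDACTED)
    return text


def render_for_log(template, sub_dict, secret_keys=SECRET_KEYS):
    """Return (text to write out, text safe to log)."""
    rendered = render(template, sub_dict)
    return rendered, redact(rendered, secret_values(sub_dict, secret_keys))


if __name__ == "__main__":
    # Stand-alone run with a freshly generated random password.
    live = dict(SD, RANDOM_PASSWORD=secrets.token_urlsafe(16))
    _, loggable = render_for_log(SAMPLE_LDIF, live)
    print(loggable)
```

The overwrite bug is easy to miss because each branch looks correct on its own; the defect only appears when two secret keys coexist in one sub_dict, which is exactly the situation the patch created by adding RANDOM_PASSWORD next to PASSWORD.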
