[Freeipa-devel] [PATCH] 20 Create default disabled sudo bind user
Rob Crittenden
rcritten at redhat.com
Wed Feb 23 20:33:10 UTC 2011
JR Aquino wrote:
> On 2/23/11 11:23 AM, "Simo Sorce"<ssorce at redhat.com> wrote:
>
>> On Wed, 23 Feb 2011 13:50:37 -0500
>> Rob Crittenden<rcritten at redhat.com> wrote:
>>
>>> JR Aquino wrote:
>>>> On 2/22/11 7:45 PM, "JR Aquino"<JR.Aquino at citrix.com> wrote:
>>>>
>>>>> This patch addresses ticket #998
>>>>>
>>>>> It adds:
>>>>>
>>>>> * ldif to create a default sudo bind user: dn:
>>>>> uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
>>>>> * modifications to dsinstance.py to add the ldif
>>>>> * modifications to dsinstance.py to add a call to
>>>>> ipautil.ipa_generate_password() for a random password. It is
>>>>> added to the sub_dict as 'RANDOM_PASSWORD'
>>>>> * addition to the Makefile.am in install/share to account for the
>>>>> new ldif file
>>>>
>>>> Corrections / Additions:
>>>>
>>>> * Correction to dsinstance.py to remove the unnecessary sha1 call
>>>> and library
>>>> * Addition of docstring for the ipa help sudorule to explain usage
>>>> of the sudo binddn
>>>>
>>>
>>> We need to make sure we don't log random passwords. Can you add this
>>> to your patch?
>>>
>>> --- service.py 2011-02-14 20:18:23.000000000 -0500
>>> +++ /tmp/service.py 2011-02-23 13:49:56.000000000 -0500
>>> @@ -137,6 +137,8 @@
>>> # do not log passwords
>>> if sub_dict.has_key('PASSWORD'):
>>> nologlist = sub_dict['PASSWORD'],
>>> + if sub_dict.has_key('RANDOM_PASSWORD'):
>>> + nologlist = sub_dict['RANDOM_PASSWORD'],
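Review bot: the added `nologlist = sub_dict['RANDOM_PASSWORD'],` rebinds the one-element tuple assigned from `sub_dict['PASSWORD']` two lines above it, so when both keys are present only the RANDOM_PASSWORD value stays in nologlist and the PASSWORD value is no longer excluded from the log. Accumulate instead of reassigning: start from an empty list before the first `if` and append each value that is present, so the existing "# do not log passwords" comment holds for both keys.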
>>
>> Should you append to nologlist ?
>> If I read this right otherwise you'll replace the previous one.
>>
>> Simo.
>
> New corrections posted for the full patch.
>
> Adding a correction to nologlist to initialize it as a dict rather than a
> tuple. Then correctly appending the various sub_dict objects to the list.
> Also corrected 2 trailing whitespace bugs that were present in the
> previous patch.
ack, pushed to master.
I just added a bit more info to the commit message.
rob
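
The overwrite discussed in this thread and the accumulate-and-mask alternative, as an added example that is not part of the original messages or of the FreeIPA code base. The helper names (nologlist_overwriting, build_nologlist, redact), the SENSITIVE_KEYS tuple, the mask string and the sample values are all hypothetical or constructed.

```python
# Added illustration; not FreeIPA code. All names and values are hypothetical.
SENSITIVE_KEYS = ("PASSWORD", "RANDOM_PASSWORD")


def nologlist_overwriting(sub_dict):
    """Pattern from the quoted hunk: each matching key rebinds the tuple."""
    nologlist = ()  # assumed starting value; the hunk does not show one
    if "PASSWORD" in sub_dict:
        nologlist = sub_dict["PASSWORD"],
    if "RANDOM_PASSWORD" in sub_dict:
        nologlist = sub_dict["RANDOM_PASSWORD"],
    return nologlist


def build_nologlist(sub_dict, keys=SENSITIVE_KEYS):
    """Collect every secret value present instead of replacing earlier ones."""
    values = []
    for key in keys:
        value = sub_dict.get(key)
        # Skip empty values: str.replace("", mask) would insert the mask
        # between every character of the log line.
        if value and value not in values:
            values.append(value)
    # Longest first, so a secret that contains another one is masked whole
    # and does not leave its tail behind in the log.
    return sorted(values, key=len, reverse=True)


def redact(text, nologlist, mask="XXXXXXXX"):
    """Return text with every value in nologlist replaced by the mask."""
    for secret in nologlist:
        text = text.replace(secret, mask)
    return text


# Constructed sample input: a substitution dict and a line about to be logged.
SUB_DICT = {
    "SUFFIX": "dc=example,dc=com",
    "PASSWORD": "dm-secret",
    "RANDOM_PASSWORD": "dm-secret-r4nd0m",
}
LOG_LINE = "ldapmodify -w dm-secret -f sudo.ldif; userPassword: dm-secret-r4nd0m"

if __name__ == "__main__":
    print(redact(LOG_LINE, nologlist_overwriting(SUB_DICT)))  # PASSWORD leaks
    print(redact(LOG_LINE, build_nologlist(SUB_DICT)))        # both masked
```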