Create default disabled sudo bind user

Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.

https://fedorahosted.org/freeipa/ticket/998

install/share/Makefile.am

@@ -48,6 +48,7 @@ app_DATA =				\
 	modrdn-krbprinc.ldif		\
 	entryusn.ldif			\
 	root-autobind.ldif		\
+	sudobind.ldif			\
 	$(NULL)
 
 EXTRA_DIST =				\

install/share/sudobind.ldif

@@ -0,0 +1,9 @@
+#SUDO bind user
+dn: uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
+changetype: add
+objectclass: account
+objectclass: simplesecurityobject
+uid: sudo
+userPassword: $RANDOM_PASSWORD
+passwordExpirationTime: 20380119031407Z
+nsIdleTimeout: 0

ipalib/plugins/sudorule.py

@@ -17,7 +17,20 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
-Sudo Rule
+Sudo (su "do") allows a system administrator to delegate authority to
+give certain users (or groups of users) the ability to run some (or all)
+commands as root or another user while providing an audit trail of the
+commands and their arguments.
+
+FreeIPA provides a designated binddn to use with SUDO located at:
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+To enable the binddn run the following command to set the password:
+LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W \
+-h ipa.example.com -ZZ -D "cn=Directory Manager" \
+uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+For more information, see the FreeIPA Documentation to Sudo.
 """
 
 from ipalib import api, errors

ipaserver/install/dsinstance.py

@@ -249,6 +249,7 @@ class DsInstance(service.Service):
         self.step("adding replication acis", self.__add_replication_acis)
         self.step("configuring user private groups", self.__user_private_groups)
         self.step("configuring netgroups from hostgroups", self.__host_nis_groups)
+        self.step("creating default SUDO bind user", self.__add_sudo_binduser)
         if hbac_allow:
             self.step("creating default HBAC rule allow_all", self.add_hbac)
 
@@ -311,6 +312,7 @@ class DsInstance(service.Service):
         server_root = find_server_root()
         self.sub_dict = dict(FQHN=self.fqdn, SERVERID=self.serverid,
                              PASSWORD=self.dm_password,
+                             RANDOM_PASSWORD=self.generate_random(),
                              SUFFIX=self.suffix.lower(),
                              REALM=self.realm_name, USER=DS_USER,
                              SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -475,6 +477,9 @@ class DsInstance(service.Service):
     def __add_enrollment_module(self):
         self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
+    def generate_random(self):
+        return ipautil.ipa_generate_password()
+
     def __enable_ssl(self):
         dirname = config_dirname(self.serverid)
         dsdb = certs.CertDB(self.realm_name, nssdir=dirname, subject_base=self.subject_base)
@@ -735,6 +740,9 @@ class DsInstance(service.Service):
     def __root_autobind(self):
         self._ldap_mod("root-autobind.ldif")
 
+    def __add_sudo_binduser(self):
+        self._ldap_mod("sudobind.ldif", self.sub_dict)
+
     def replica_populate(self):
         self.ldap_connect()
 

ipaserver/install/service.py

@@ -127,7 +127,7 @@ class Service:
         fd = None
         path = ipautil.SHARE_DIR + ldif
         hostname = installutils.get_fqdn()
-        nologlist=()
+        nologlist=[]
 
         if sub_dict is not None:
             txt = ipautil.template_file(path, sub_dict)
@@ -136,7 +136,9 @@ class Service:
 
             # do not log passwords
             if sub_dict.has_key('PASSWORD'):
-                nologlist = sub_dict['PASSWORD'],
+                nologlist.append(sub_dict['PASSWORD'])
+            if sub_dict.has_key('RANDOM_PASSWORD'):
+                nologlist.append(sub_dict['RANDOM_PASSWORD'])
 
         if self.dm_password:
             [pw_fd, pw_name] = tempfile.mkstemp()