Cloned Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=766351
There was a discussion on freeipa-devel list (https://www.redhat.com/archives/freeipa-devel/2011-January/msg00884.html), however I could not find any decision that was made.
sudoNotBefore
    A timestamp in the form yyyymmddHHMMZ that indicates start of validity of this sudoRole. If multiple sudoNotBefore entries are present, the earliest is used.

sudoNotAfter
    A timestamp in the form yyyymmddHHMMZ that indicates end of validity of this sudoRole. If multiple sudoNotAfter entries are present, the last one is used.

sudoOrder
    The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed.

attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
    NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
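The selection rules quoted above, worked through in Python (FreeIPA's language) as an added example; this is not code from FreeIPA or from sudo. The entries, timestamps and rule names are constructed for the example, and timed_filter() shows only the shape of the filter a SUDOERS_TIMED client sends, not sudo's exact string. It also shows the two things the comments below warn about: with SUDOERS_TIMED off the time attributes are simply ignored, and two entries with the same sudoOrder leave the winner undefined.

```python
# Added example (not code from FreeIPA or sudo): how a sudo LDAP client
# applies sudoNotBefore / sudoNotAfter / sudoOrder to sudoRole entries that
# already matched the user and host, following the sudoers LDAP docs above.
from datetime import datetime, timezone


def parse_gt(value):
    """Parse the yyyymmddHHMMZ form from the sudo schema (seconds also accepted)."""
    for fmt in ("%Y%m%d%H%MZ", "%Y%m%d%H%M%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported GeneralizedTime value: %r" % value)


def in_validity_window(entry, now):
    """Earliest sudoNotBefore and latest sudoNotAfter win when several are present."""
    not_before = [parse_gt(v) for v in entry.get("sudoNotBefore", [])]
    not_after = [parse_gt(v) for v in entry.get("sudoNotAfter", [])]
    if not_before and now < min(not_before):
        return False
    if not_after and now > max(not_after):
        return False
    return True


def sudo_order(entry):
    """A missing sudoOrder means 0; float covers servers that allow non-integers."""
    values = entry.get("sudoOrder", [])
    return float(values[0]) if values else 0.0


def timed_filter(now):
    """Filter of the kind a SUDOERS_TIMED client appends to its search (illustrative
    string): the time attributes appear in the filter itself, which is why the
    server must already carry the schema before the setting is enabled."""
    ts = now.strftime("%Y%m%d%H%M%SZ")
    return ("(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
            "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))" % (ts, ts))


def select_rule(entries, now, timed):
    """Return the winning entry's cn and every cn that shares its sudoOrder.

    timed=False models SUDOERS_TIMED being off: the time attributes are ignored,
    so expired or not-yet-valid rules still apply.  More than one cn in the
    second element means the outcome depends on an unstable qsort() and is
    undefined.
    """
    candidates = [e for e in entries if not timed or in_validity_window(e, now)]
    if not candidates:
        return None, []
    best = max(candidates, key=sudo_order)          # highest sudoOrder wins
    ties = [e["cn"] for e in candidates if sudo_order(e) == sudo_order(best)]
    return best["cn"], ties


# Constructed sample entries, shaped like the attribute lists an LDAP search returns.
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
ENTRIES = [
    {"cn": "backup-2011", "sudoNotAfter": ["201112312359Z"], "sudoOrder": ["50"]},
    {"cn": "backup-2012", "sudoNotBefore": ["201201010000Z"], "sudoOrder": ["10"]},
    {"cn": "nobody-shell", "sudoOrder": ["10"]},   # same sudoOrder as backup-2012: tie
    {"cn": "legacy-rule"},                          # no sudoOrder: treated as 0
]

if __name__ == "__main__":
    print("SUDOERS_TIMED on: ", select_rule(ENTRIES, NOW, timed=True))
    print("SUDOERS_TIMED off:", select_rule(ENTRIES, NOW, timed=False))
    print(timed_filter(NOW))
```

With the sample data, SUDOERS_TIMED on drops the expired backup-2011 rule and leaves two candidates at sudoOrder 10, so the result is ambiguous; with it off the expired rule wins outright on its sudoOrder of 50, which is the point of the ldap.conf caveat later in this ticket.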
Filing here as an RFE to have this tracked.
I think we have a ticket on this but we will accept this one too.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=766351
An important bit for the documentation:
The sudoNotBefore and sudoNotAfter attribute support is only used when ldap.conf enables the SUDOERS_TIMED setting. This is because those attributes are used directly in the LDAP filter if available. Your LDAP server must have the updated schema if you want to enable SUDOERS_TIMED in ldap.conf.
Only clients >= 1.7.5b2 will work with these new attributes.
The current 389-ds sudo schema includes these three attributes.
Re: duplicate sudoOrder:
As you might expect, the results are undefined--there's no way to know which will be chosen. The objects are sorted using the qsort() function which is not a "stable sort" so it may alter the order (as returned by LDAP) of two entries with the same value of SudoOrder.
This is the limitation of the solution. I do not think we can do much about it.
We can enforce uniqueness in the framework. This won't prevent someone from changing it over LDAP but it is better than nothing.
I'm going to support just a subset of GeneralizedTime, excluding seconds and fractions.
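The two decisions stated in the comments above, uniqueness of sudoOrder enforced in the framework and only the yyyymmddHHMMZ subset of GeneralizedTime, as an added example in Python. These are hypothetical validators written for this page, not FreeIPA's own parameter code; the function names and the existing-rules mapping are assumptions.

```python
# Added example (hypothetical, not FreeIPA's parameter code): checks a management
# framework can run before writing sudoNotBefore/sudoNotAfter and sudoOrder.
import re
from datetime import datetime

# yyyymmddHHMMZ only: four-digit year, two digits each for month, day, hour,
# minute, then a literal 'Z'.  Seconds and fractions are rejected on purpose.
_GT_SUBSET = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def validate_sudo_time(value):
    """Return value unchanged if it is a real calendar time in the allowed subset."""
    m = _GT_SUBSET.match(value)
    if not m:
        raise ValueError("expected yyyymmddHHMMZ, got %r" % (value,))
    year, month, day, hour, minute = (int(g) for g in m.groups())
    try:
        datetime(year, month, day, hour, minute)   # rejects e.g. 201202300000Z
    except ValueError as e:
        raise ValueError("%r is not a valid time: %s" % (value, e))
    return value


def validate_window(not_before, not_after):
    """Reject a window that ends before it starts.  Both values share the same
    fixed-width UTC form, so plain string comparison is chronological."""
    validate_sudo_time(not_before)
    validate_sudo_time(not_after)
    if not_after <= not_before:
        raise ValueError("sudoNotAfter must be later than sudoNotBefore")
    return not_before, not_after


def validate_sudo_order(value, existing):
    """Parse sudoOrder as an integer and refuse a value another rule already uses.

    'existing' maps sudoOrder -> cn for rules already in the directory.  This only
    catches duplicates created through the framework; a direct LDAP write bypasses
    it, which is the limitation noted in the comment above.
    """
    try:
        order = int(value)
    except (TypeError, ValueError):
        raise ValueError("sudoOrder must be an integer, got %r" % (value,))
    if order in existing:
        raise ValueError("sudoOrder %d is already used by rule %r"
                         % (order, existing[order]))
    return order


def rejected(fn, *args):
    """True if fn(*args) raises ValueError; used to show the negative cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed sample of rules already present, keyed by their sudoOrder.
EXISTING_ORDERS = {10: "backup-2012", 50: "backup-2011"}

if __name__ == "__main__":
    print(validate_window("201201010000Z", "201212312359Z"))
    print(validate_sudo_order("20", EXISTING_ORDERS))
    for bad in ("20120101000000Z", "201201010000.5Z", "201202300000Z"):
        print(bad, "rejected:", rejected(validate_sudo_time, bad))
    print("duplicate 10 rejected:", rejected(validate_sudo_order, "10", EXISTING_ORDERS))
```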
Support for just sudoOrder:
master: d55d8bf
ipa-2-2: eb8309d
Patch is obsolete, removing on_review flag.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1394663 (Red Hat Enterprise Linux 7)
Metadata Update from @shanks: - Issue assigned to rcritten - Issue set to the milestone: Tickets Deferred