#1314 [RFE] Add support for sudo schema extension.
Opened 8 years ago by shanks. Modified 2 years ago

Cloned Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=766351

There was a discussion on freeipa-devel list (https://www.redhat.com/archives/freeipa-devel/2011-January/msg00884.html), however I could not find any decision that was made.

sudoNotBefore
A timestamp in the form yyyymmddHHMMZ that indicates start of validity of this sudoRole. If multiple sudoNotBefore entries are present, the earliest is used.

sudoNotAfter
A timestamp in the form yyyymmddHHMMZ that indicates end of validity of this sudoRole. If multiple sudoNotAfter entries are present, the last one is used.

sudoOrder
The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed.


 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
    NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

Filing here as an RFE to have this tracked.


I think we have a ticket on this but we will accept this one too.

An important bit for the documentation:

The sudoNotBefore and sudoNotAfter attribute support is only used
when ldap.conf enables the SUDOERS_TIMED setting. This is because
those attributes are used directly in the LDAP filter if available.
Your LDAP server must have the updated schema if you want to enable
SUDOERS_TIMED in ldap.conf.

Only clients >= 1.7.5b2 will work with these new attributes.

The current 389-ds sudo schema includes these three attributes.

Re: duplicate sudoOrder:

As you might expect, the results are undefined--there's no way to
know which will be chosen. The objects are sorted using the qsort()
function which is not a "stable sort" so it may alter the order (as
returned by LDAP) of two entries with the same value of SudoOrder.

This is the limitation of the solution. I do not think we can do much about it.

We can enforce uniqueness in the framework. This won't prevent someone from changing it over LDAP but it is better than nothing.
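The selection rules quoted above (earliest sudoNotBefore, last sudoNotAfter, highest sudoOrder with 0 as the default) and the duplicate-sudoOrder caveat, as an added example that is not part of this ticket or of the FreeIPA code base. It assumes the yyyymmddHHMMZ subset of GeneralizedTime, reads "last" sudoNotAfter as the latest timestamp, and uses constructed sample entries rather than a directory lookup:

```python
from datetime import datetime, timezone

def parse_sudo_time(value):
    """Parse the yyyymmddHHMMZ GeneralizedTime subset (no seconds or fractions)."""
    return datetime.strptime(value, "%Y%m%d%H%MZ").replace(tzinfo=timezone.utc)

def is_valid_at(entry, now):
    """sudoNotBefore: earliest value wins; sudoNotAfter: last (latest) value wins."""
    not_before = [parse_sudo_time(v) for v in entry.get("sudoNotBefore", [])]
    not_after = [parse_sudo_time(v) for v in entry.get("sudoNotAfter", [])]
    if not_before and now < min(not_before):
        return False
    if not_after and now > max(not_after):
        return False
    return True

def sudo_order(entry):
    """sudoOrder defaults to 0 when absent; float covers servers that allow it."""
    values = entry.get("sudoOrder", [])
    return float(values[0]) if values else 0.0

def duplicate_orders(entries):
    """sudoOrder values shared by several entries: precedence among them is undefined,
    which is the uniqueness check a management framework would want to enforce."""
    seen = {}
    for e in entries:
        seen.setdefault(sudo_order(e), []).append(e["cn"])
    return {k: v for k, v in seen.items() if len(v) > 1}

def select_role(entries, now):
    """Among time-valid entries, choose the highest sudoOrder ('last match')."""
    valid = [e for e in entries if is_valid_at(e, now)]
    return max(valid, key=sudo_order) if valid else None

def select_role_name(entries, now_str):
    """Convenience wrapper taking the timestamp in the same yyyymmddHHMMZ form."""
    chosen = select_role(entries, parse_sudo_time(now_str))
    return chosen["cn"] if chosen else None

# Constructed sample entries, shaped like LDAP results (lists of string values).
ROLES = [
    {"cn": "admins", "sudoOrder": ["10"]},
    {"cn": "oncall", "sudoOrder": ["20"],
     "sudoNotBefore": ["201501010000Z"], "sudoNotAfter": ["201501312359Z"]},
    {"cn": "legacy"},  # no sudoOrder, so it sorts as 0
]
```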

I'm going to support just a subset of GeneralizedTime, excluding seconds and fractions.

Support for just sudoOrder:

master: d55d8bf

ipa-2-2: eb8309d

Patch is obsolete, removing on_review flag.

Metadata Update from @shanks (2 years ago):
- Issue assigned to rcritten
- Issue set to the milestone: Tickets Deferred
