[Freeipa-devel] SUDO community changed SUDO schema!!!

Dmitri Pal dpal at redhat.com
Sat Jan 29 16:25:17 UTC 2011 

Hello,

I noticed today that the schema used by latest version of SUDO has changed:
http://www.sudo.ws/sudo/sudoers.ldap.man.html

It is simplified and adds 3 new attributes:

**sudoNotBefore**

    A timestamp in the form |yyyymmddHHMMZ| that indicates start of
    validity of this |sudoRole|. If multiple *sudoNotBefore* entries are
    present, the earliest is used.

**sudoNotAfter**

    A timestamp in the form |yyyymmddHHMMZ| that indicates end of
    validity of this |sudoRole|. If multiple *sudoNotAfter* entries are
    present, the last one is used.

**sudoOrder**

    The sudoRole entries retrieved from the LDAP directory have no
    inherent order. The *sudoOrder* attribute is an integer (or floating
    point value for LDAP servers that support it) that is used to sort
    the matching entries. This allows LDAP-based sudoers entries to more
    closely mimic the behaviour of the sudoers file, where the of the
    entries influences the result. If multiple entries match, the entry
    with the highest *sudoOrder* attribute is chosen. This corresponds
    to the "last match" behavior of the sudoers file. If the *sudoOrder*
    attribute is not present, a value of 0 is assumed.


 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )


 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )


 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
     NAME 'sudoOrder'
     DESC 'an integer to order the sudoRole entries'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )


Those changes were recently introduced:
http://www.sudo.ws/sudo/devel.html#1.7.5b2



Question is: should we do something about it now?
Should we defer our SUDO support in IPAv2 to IPA v2.1 and redo it
according to the latest schema?
It is unclear whether SUDO schema is backward compatible and what impact
the new schema would have on the old clients that do not support it.
Thoughts?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110129/aeca93ef/attachment.htm>

More information about the Freeipa-devel mailing list