[Freeipa-devel] SUDO community changed SUDO schema!!!
Dmitri Pal
dpal at redhat.com
Sat Jan 29 16:25:17 UTC 2011
Hello,
I noticed today that the schema used by latest version of SUDO has changed:
http://www.sudo.ws/sudo/sudoers.ldap.man.html
It is simplified and adds 3 new attributes:
**sudoNotBefore**
A timestamp in the form yyyymmddHHMMZ that indicates start of
validity of this sudoRole. If multiple *sudoNotBefore* entries are
present, the earliest is used.
**sudoNotAfter**
A timestamp in the form yyyymmddHHMMZ that indicates end of
validity of this sudoRole. If multiple *sudoNotAfter* entries are
present, the last one is used.
**sudoOrder**
The sudoRole entries retrieved from the LDAP directory have no
inherent order. The *sudoOrder* attribute is an integer (or floating
point value for LDAP servers that support it) that is used to sort
the matching entries. This allows LDAP-based sudoers entries to more
closely mimic the behaviour of the sudoers file, where the order of the
entries influences the result. If multiple entries match, the entry
with the highest *sudoOrder* attribute is chosen. This corresponds
to the "last match" behavior of the sudoers file. If the *sudoOrder*
attribute is not present, a value of 0 is assumed.
attributetype ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.9
NAME 'sudoNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
NAME 'sudoOrder'
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
Those changes were recently introduced:
http://www.sudo.ws/sudo/devel.html#1.7.5b2
Question is: should we do something about it now?
Should we defer our SUDO support in IPAv2 to IPA v2.1 and redo it
according to the latest schema?
It is unclear whether SUDO schema is backward compatible and what impact
the new schema would have on the old clients that do not support it.
Thoughts?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
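The selection rules quoted from the man page above (earliest sudoNotBefore, last sudoNotAfter, highest sudoOrder wins, missing sudoOrder is 0), modelled as an added example. This is not sudo's or FreeIPA's code: the sudoRole entries are constructed sample data, sudoUser matching is reduced to a literal user name or ALL, and the legacy_candidates function assumes, for illustration only, that a client unaware of the three attributes simply ignores them; it makes no claim about what any sudo release actually does. Because the declared syntax (1.3.6.1.4.1.1466.115.121.1.24) is GeneralizedTime, the parser accepts both the yyyymmddHHMMZ form in the excerpt and the form with seconds.

```python
"""Added example: a model of how a sudo LDAP client would resolve sudoRole
entries under the sudoNotBefore / sudoNotAfter / sudoOrder semantics quoted
above.  Not sudo's own code; matching is simplified to sudoUser only."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Attribute name -> list of string values, as an LDAP entry would be returned.
Role = Dict[str, List[str]]

# Constructed sample entries (not from any real directory).  Timestamps use the
# yyyymmddHHMMZ form from the man page excerpt; one uses the full GeneralizedTime
# form with seconds, which the declared syntax also allows.
SAMPLE_ROLES: List[Role] = [
    {"cn": ["base-admin"], "sudoUser": ["alice"], "sudoCommand": ["ALL"]},  # no sudoOrder -> 0
    {"cn": ["maint-window"], "sudoUser": ["alice"], "sudoCommand": ["/sbin/reboot"],
     "sudoOrder": ["10"],
     "sudoNotBefore": ["201101290000Z", "201101280000Z"],  # two values: earliest wins
     "sudoNotAfter": ["201101300000Z"]},
    {"cn": ["everyone-ro"], "sudoUser": ["ALL"], "sudoCommand": ["/bin/cat"],
     "sudoOrder": ["5"], "sudoNotAfter": ["20110115000000Z"]},  # expired after 15 Jan
    {"cn": ["bob-only"], "sudoUser": ["bob"], "sudoCommand": ["ALL"], "sudoOrder": ["99"]},
]


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC GeneralizedTime with or without seconds (yyyymmddHHMM[SS]Z).

    Lengths are checked explicitly: feeding a minute-precision value to a
    seconds format with strptime would silently mis-split the digits.
    """
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC ('Z') timestamp: {value!r}")
    digits = value[:-1]
    if not digits.isdigit() or len(digits) not in (12, 14):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    if len(digits) == 12:
        digits += "00"  # no seconds given
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def is_valid_at(role: Role, now: datetime) -> bool:
    """Time window check: earliest sudoNotBefore and last sudoNotAfter are used."""
    not_before = [parse_generalized_time(v) for v in role.get("sudoNotBefore", [])]
    not_after = [parse_generalized_time(v) for v in role.get("sudoNotAfter", [])]
    if not_before and now < min(not_before):
        return False
    if not_after and now > max(not_after):
        return False
    return True


def sudo_order(role: Role) -> float:
    """sudoOrder as a number; absent means 0 per the man page."""
    values = role.get("sudoOrder")
    return float(values[0]) if values else 0.0


def user_matches(role: Role, user: str) -> bool:
    """Simplified sudoUser match: literal user name or ALL (no groups/netgroups)."""
    return any(v in (user, "ALL") for v in role.get("sudoUser", []))


def select_role(roles: List[Role], user: str, now: datetime) -> Optional[str]:
    """cn of the entry a sudoOrder/validity-aware client would pick, else None.

    Entries are sorted ascending by sudoOrder and the last one taken, which is
    the 'highest sudoOrder wins / last match' rule.  Python's sort is stable,
    so entries with equal sudoOrder keep whatever order the directory returned
    them in, i.e. ties are still unordered, exactly as without sudoOrder.
    """
    candidates = [r for r in roles if user_matches(r, user) and is_valid_at(r, now)]
    if not candidates:
        return None
    candidates.sort(key=sudo_order)
    return candidates[-1]["cn"][0]


def legacy_candidates(roles: List[Role], user: str) -> List[str]:
    """cn values a client that knows nothing of the three new attributes sees.

    Assumption for illustration: such a client ignores them, so expired or not
    yet valid entries remain candidates and no ordering is imposed.
    """
    return [r["cn"][0] for r in roles if user_matches(r, user)]


def utc(year, month, day, hour=0, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


if __name__ == "__main__":
    print("alice on 29 Jan 2011:", select_role(SAMPLE_ROLES, "alice", utc(2011, 1, 29, 12, 0)))
    print("alice on 05 Feb 2011:", select_role(SAMPLE_ROLES, "alice", utc(2011, 2, 5)))
    print("legacy view for alice:", legacy_candidates(SAMPLE_ROLES, "alice"))
```

Running it shows the point of the thread's question: for alice on 29 Jan 2011 the aware client picks maint-window (order 10, inside its window), on 5 Feb it falls back to base-admin, while the legacy view still lists the expired everyone-ro and the time-limited maint-window as plain candidates with no order between them.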