[Freeipa-devel] SUDO community changed SUDO schema!!!

JR Aquino JR.Aquino at citrix.com
Sat Jan 29 17:30:27 UTC 2011


From: Dmitri Pal <dpal at redhat.com<mailto:dpal at redhat.com>>
Organization: Red Hat
Reply-To: <dpal at redhat.com<mailto:dpal at redhat.com>>
Date: Sat, 29 Jan 2011 11:25:17 -0500
To: <freeipa-devel at redhat.com<mailto:freeipa-devel at redhat.com>>
Subject: [Freeipa-devel] SUDO community changed SUDO schema!!!


sudoNotBefore

A timestamp in the form yyyymmddHHMMZ that indicates start of validity of this sudoRole. If multiple sudoNotBefore entries are present, the earliest is used.

sudoNotAfter

A timestamp in the form yyyymmddHHMMZ that indicates end of validity of this sudoRole. If multiple sudoNotAfter entries are present, the last one is used.

sudoOrder

The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed.


 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.10
    NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

I have reached out to Todd and the SUDO community to answer these questions and concerns Dmitri.

I suspect that we should not have an issue moving forward with the 2.0 effort, and that we will want to include the feature support in 2.1.

I'll report further once I have more official information from the source.

-JR
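The validity and ordering rules quoted above are easy to get subtly wrong when an IPA or sudo client evaluates sudoRole entries, so here is an added worked example (not code from this thread, FreeIPA or sudo) that applies them to constructed entries: the earliest of several sudoNotBefore values and the latest of several sudoNotAfter values bound the validity window, a missing attribute imposes no bound, sudoOrder defaults to 0 when absent, and among time-valid matches the highest sudoOrder wins. The sample roles, the helper names and the reading of "last" sudoNotAfter as the latest timestamp are assumptions of this example.

```python
"""Apply the quoted sudoNotBefore / sudoNotAfter / sudoOrder semantics to
sudoRole entries. Entries are modelled as dicts of attribute -> list of
string values, the shape an LDAP search result usually has. This is an
illustrative example, not the FreeIPA or sudo implementation."""
from datetime import datetime, timezone


def parse_sudo_time(value):
    """Parse the yyyymmddHHMMZ form (LDAP generalizedTime at minute precision)."""
    return datetime.strptime(value, "%Y%m%d%H%MZ").replace(tzinfo=timezone.utc)


def role_is_valid(entry, now):
    """Time-validity per the quoted text: if several sudoNotBefore values are
    present the earliest is used; if several sudoNotAfter values are present
    the last (assumed here: latest) is used. An absent attribute is unbounded."""
    not_before = [parse_sudo_time(v) for v in entry.get("sudoNotBefore", [])]
    not_after = [parse_sudo_time(v) for v in entry.get("sudoNotAfter", [])]
    if not_before and now < min(not_before):
        return False
    if not_after and now > max(not_after):
        return False
    return True


def sudo_order(entry):
    """sudoOrder sorts matching entries; 0 is assumed when it is absent.
    float() covers servers that store a floating point value."""
    values = entry.get("sudoOrder", [])
    return float(values[0]) if values else 0.0


def select_role(entries, now):
    """Among time-valid entries return the one with the highest sudoOrder,
    mirroring the 'last match' behaviour of a sudoers file. Ties keep the
    first entry seen, because LDAP results carry no inherent order."""
    valid = [e for e in entries if role_is_valid(e, now)]
    if not valid:
        return None
    return max(valid, key=sudo_order)


# Constructed sample sudoRole entries (hypothetical cn values).
SAMPLE_ROLES = [
    {"cn": ["admins-always"], "sudoOrder": ["10"]},
    {"cn": ["oncall-window"],
     "sudoNotBefore": ["201101290000Z"],
     "sudoNotAfter": ["201101312359Z"],
     "sudoOrder": ["20"]},
    {"cn": ["expired-contractor"],
     "sudoNotAfter": ["201012312359Z"],
     "sudoOrder": ["99"]},
    {"cn": ["default-order"]},            # no sudoOrder -> treated as 0
    {"cn": ["multi-notbefore"],           # earliest sudoNotBefore governs
     "sudoNotBefore": ["201101300000Z", "201101280000Z"],
     "sudoOrder": ["5"]},
]


def winning_cn(when):
    """Return the cn of the role that wins at the given yyyymmddHHMMZ time."""
    chosen = select_role(SAMPLE_ROLES, parse_sudo_time(when))
    return chosen["cn"][0] if chosen else None


if __name__ == "__main__":
    # During the on-call window the higher-ordered window entry wins; after
    # it expires the always-valid entry wins. The expired contractor role
    # never wins despite its sudoOrder of 99.
    for when in ("201101291730Z", "201102151200Z"):
        print(when, "->", winning_cn(when))
```

Note that an entry with sudoNotAfter in the past is dropped before ordering is considered, so a high sudoOrder cannot resurrect an expired role; that is the property a reviewer should check when a client implements these attributes.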