<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello,<br>
<br>
I noticed today that the schema used by the latest version of SUDO has
changed:<br>
<a class="moz-txt-link-freetext" href="http://www.sudo.ws/sudo/sudoers.ldap.man.html">http://www.sudo.ws/sudo/sudoers.ldap.man.html</a><br>
<br>
It is simplified and adds 3 new attributes:<br>
<br>
<dl>
<dt><a name="sudonotbefore" class="item"><strong>sudoNotBefore</strong></a></dt>
<dd>
<p>A timestamp in the form <code>yyyymmddHHMMZ</code> that indicates the start of validity
of this <code>sudoRole</code>. If multiple <strong>sudoNotBefore</strong> entries are
present, the earliest is used.</p>
</dd>
<dt><a name="sudonotafter" class="item"><strong>sudoNotAfter</strong></a></dt>
<dd>
<p>A timestamp in the form <code>yyyymmddHHMMZ</code> that indicates the end of validity
of this <code>sudoRole</code>. If multiple <strong>sudoNotAfter</strong> entries are
present, the last one is used.</p>
</dd>
<dt><a name="sudoorder" class="item"><strong>sudoOrder</strong></a></dt>
<dd>
<p>The sudoRole entries retrieved from the LDAP directory have no inherent order.
The <strong>sudoOrder</strong> attribute is an integer (or floating point value for
LDAP servers that support it) that is used to sort the matching entries. This allows
LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file,
where the order of the entries influences the result. If multiple entries match,
the entry with the highest <strong>sudoOrder</strong> attribute is chosen. This
corresponds to the "last match" behavior of the sudoers file. If the
<strong>sudoOrder</strong> attribute is not present, a value of 0 is assumed.</p>
</dd>
</dl>
<br>
<pre> attributetype ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )</pre>
<pre> attributetype ( 1.3.6.1.4.1.15953.9.1.9
NAME 'sudoNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )</pre>
<pre> attributetype ( 1.3.6.1.4.1.15953.9.1.10
NAME 'sudoOrder'
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )</pre>
<br>
Those changes were recently introduced:<br>
<a class="moz-txt-link-freetext" href="http://www.sudo.ws/sudo/devel.html#1.7.5b2">http://www.sudo.ws/sudo/devel.html#1.7.5b2</a><br>
The question is: should we do something about it now?<br>
Should we defer our SUDO support in IPAv2 to IPA v2.1 and redo it
according to the latest schema?<br>
It is unclear whether the SUDO schema is backward compatible and what
impact the new schema would have on old clients that do not
support it.<br>
Thoughts?<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
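<br>
Added example, not part of the original e-mail nor code from sudo or IPA: a small Python model of the selection rules the man page excerpt above describes (validity window from the earliest sudoNotBefore and the last sudoNotAfter, then the highest sudoOrder wins, with an absent sudoOrder counting as 0). The sudoRole entries in it are constructed, and reading "the last one" for sudoNotAfter as the latest timestamp is an assumption.<br>

```python
# Added example: models the sudoNotBefore / sudoNotAfter / sudoOrder rules
# quoted above. Not code from sudo or IPA; sample entries are constructed.
from datetime import datetime, timezone


def parse_ts(value):
    """Parse the yyyymmddHHMMZ form (seconds optional) into a UTC datetime."""
    fmt = "%Y%m%d%H%M%SZ" if len(value) == 15 else "%Y%m%d%H%MZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def is_valid_at(entry, now):
    """Validity window: the earliest sudoNotBefore applies; for sudoNotAfter
    the man page says 'the last one' is used, read here as the latest
    timestamp (assumption). An absent attribute imposes no bound."""
    befores = [parse_ts(v) for v in entry.get("sudoNotBefore", [])]
    afters = [parse_ts(v) for v in entry.get("sudoNotAfter", [])]
    if befores and min(befores) > now:
        return False
    if afters and now > max(afters):
        return False
    return True


def sudo_order(entry):
    """sudoOrder is an integer (or float on servers that allow it); absent means 0."""
    values = entry.get("sudoOrder", [])
    return float(values[0]) if values else 0.0


def select_role(entries, now):
    """Return the valid entry with the highest sudoOrder (the sudoers
    'last match' rule), or None when no entry is valid at `now`."""
    candidates = [e for e in entries if is_valid_at(e, now)]
    return max(candidates, key=sudo_order) if candidates else None


# Constructed sample sudoRole entries (attribute name -> list of values,
# as an LDAP client would return them).
ROLES = [
    {"cn": ["legacy-role"]},                                # no sudoOrder -> 0
    {"cn": ["admins"], "sudoOrder": ["10"],
     "sudoNotBefore": ["201001010000Z"], "sudoNotAfter": ["201012312359Z"]},
    {"cn": ["on-call"], "sudoOrder": ["20"],
     "sudoNotBefore": ["201006010000Z", "201005010000Z"],   # earliest wins
     "sudoNotAfter": ["201006300000Z"]},
]

if __name__ == "__main__":
    for stamp in ("201005150000Z", "201007150000Z", "201102010000Z"):
        chosen = select_role(ROLES, parse_ts(stamp))
        print(stamp, "->", chosen["cn"][0] if chosen else None)
```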
</body>
</html>