[sudo-users] Allowing all users via LDAP?
Jacob Pszonowsky
jdp16 at mac.com
Mon Jul 12 16:02:50 EDT 2004
Aaron -
Based upon your schema the sudoUser, sudoHost, sudoCommand, sudoRunAs,
and sudoOption attributes are syntax = "1.3.6.1.4.1.1466.115.121.1.26"
which is IA5String - Case Sensitive.
If you're trying to use Case Insensitive Strings - you should be using:
syntax = "1.3.6.1.4.1.1466.115.121.1.15" - Directory String
You'll also need to update the EQUALITY and SUBSTRING definitions.
I'm guessing you'd want to have Case Insensitive Strings for sudoUser,
sudoHost, sudoRunAs and possibly sudoOption.
In that case the schema definition should look like:
#
# schema file for sudo
#
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top
    STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $
          sudoOption $
          description )
    )
-Jake
Jacob Pszonowsky
jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918
On Jul 8, 2004, at 7:26 PM, Aaron Spangler wrote:
> Weird. All the attributes should be case insensitive. The code
> ignores case when doing comparison, however for the sudoUser
> attribute, the comparison is actually performed by the LDAP server.
> If you used the LDAP Schema definition included in the documentation,
> it should be a case-insensitive comparison. Try setting
> 'sudoers_debug' to 2 in /etc/ldap.conf and watching the results come
> back from the LDAP server. Try different variations of case and see
> if it makes a difference in the search results as they come back. Send
> me both results and maybe I can help.
> Also if you don't mind me asking, which LDAP server are you using?
> Maybe I need to rewrite the LDAP sudoUser schema definition to be
> something slightly different so that strings are compared
> case-insensitive for ALL LDAP server software.
>
> -Aaron
>
>
> Jacob Pszonowsky wrote:
>
>> Thanks Aaron - I think the problem was that I was using "All" - when
>> I tried "ALL" it works.
>>
>> Should capitalization matter here?
>>
>> Thanks,
>> Jake
>>
>> Jacob Pszonowsky
>>
>> jdp16 at mac.com
>> (c) 415.225.2647
>> (f) 415.358.5918
>>
>> On Jul 7, 2004, at 6:14 PM, Aaron Spangler wrote:
>>
>>> Yes.
>>>
>>> -Aaron
>>>
>>> Jacob Pszonowsky wrote:
>>>
>>>> Is the All keyword allowed in the sudoUser attribute for All users
>>>> in a system?
>>>>
>>>> -Jake
>>>>
>>>> Jacob Pszonowsky
>>>>
>>>> jdp16 at mac.com
>>>> (c) 415.225.2647
>>>> (f) 415.358.5918
>>>>
>>>>
>>>>
>>>> Jacob Pszonowsky
>>>>
>>>> jdp16 at mac.com
>>>> (c) 415.225.2647
>>>> (f) 415.358.5918
>>>>
>>>> ____________________________________________________________
>>>> sudo-users mailing list <sudo-users at gratisoft.us>
>>>> For list information, options, or to unsubscribe, visit:
>>>> http://www.gratisoft.us/mailman/listinfo/sudo-users
>>>
>>>
>>>
>>
>>
>>
>> Jacob Pszonowsky
>>
>> jdp16 at mac.com
>> (c) 415.225.2647
>> (f) 415.358.5918
>>
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
>> http://www.sudo.ws/mailman/listinfo/sudo-users
>
>
>
Jacob Pszonowsky
jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918
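The thread turns on one detail: with an IA5String attribute and a case-exact matching rule, the LDAP server performs the sudoUser comparison, so a filter for "All" does not match a stored "ALL". The following Python is an added example, written for this archive page and not code from the sudo project or from anyone in the thread. It parses OpenLDAP-style attributetype definitions, checks that each EQUALITY/SUBSTR matching rule is defined for the declared SYNTAX (slapd rejects incompatible pairs at startup), flags attributes that are meant to be case-insensitive but are not, and approximates the server-side equality comparison. The three sample definitions and the rule-to-syntax table are constructed for the example; the "original" IA5 definition assumes caseExactIA5Match, which the thread itself does not state.

```python
"""Lint sudo LDAP attributetype definitions for case-handling mistakes.

Added example, not the sudo project's code.  Assumptions: the RULE_SYNTAX table
below, and that the original IA5 sudoUser definition used caseExactIA5Match.
"""
import re
from typing import Dict, Iterable, List, Optional

# Syntax OIDs quoted in the thread.
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"  # case handled by the matching rule
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"        # ASCII; paired with *IA5Match rules

# Assumed table: the syntax each matching rule is defined for (covers the rules
# used in the thread plus their substring and IA5 counterparts).
RULE_SYNTAX = {
    "caseIgnoreMatch": DIRECTORY_STRING,
    "caseExactMatch": DIRECTORY_STRING,
    "caseIgnoreSubstringsMatch": DIRECTORY_STRING,
    "caseExactSubstringsMatch": DIRECTORY_STRING,
    "caseIgnoreIA5Match": IA5_STRING,
    "caseExactIA5Match": IA5_STRING,
    "caseIgnoreIA5SubstringsMatch": IA5_STRING,
    "caseExactIA5SubstringsMatch": IA5_STRING,
}

AttrDef = Dict[str, Optional[str]]

# Constructed sample definitions (sudoUser only).
ORIGINAL_SUDOUSER = """
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""
PROPOSED_SUDOUSER = """
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""
# Changing only the rule and not the syntax: slapd would refuse this pairing.
MISMATCHED_SUDOUSER = """
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""


def _field(chunk: str, key: str, pattern: str = r"\S+") -> Optional[str]:
    """Return the token following KEY inside one definition, or None."""
    m = re.search(rf"\b{key}\s+({pattern})", chunk)
    return m.group(1) if m else None


def parse_attribute_types(schema_text: str) -> Dict[str, AttrDef]:
    """Extract NAME / EQUALITY / SUBSTR / SYNTAX from every attributetype block."""
    attrs: Dict[str, AttrDef] = {}
    # Split at the start of each top-level directive; comment lines land in the
    # leading chunk and objectclass chunks are skipped.
    for chunk in re.split(r"^(?=attributetype|objectclass)", schema_text, flags=re.M):
        if not chunk.startswith("attributetype"):
            continue
        name = _field(chunk, "NAME", r"'[^']+'")
        if name is None:
            continue
        attrs[name.strip("'")] = {
            "equality": _field(chunk, "EQUALITY"),
            "substr": _field(chunk, "SUBSTR"),
            "syntax": _field(chunk, "SYNTAX", r"[\d.]+"),
        }
    return attrs


def is_case_insensitive(attr: AttrDef) -> bool:
    return (attr["equality"] or "").startswith("caseIgnore")


def lint(attrs: Dict[str, AttrDef], case_insensitive_attrs: Iterable[str]) -> List[str]:
    """Report rule/syntax mismatches and attributes that should ignore case but do not."""
    wanted = set(case_insensitive_attrs)
    findings: List[str] = []
    for name, attr in attrs.items():
        for rule in (attr["equality"], attr["substr"]):
            expected = RULE_SYNTAX.get(rule or "")
            if expected and expected != attr["syntax"]:
                findings.append(f"{name}: {rule} is not defined for syntax {attr['syntax']}")
        if name in wanted and not is_case_insensitive(attr):
            findings.append(f"{name}: EQUALITY {attr['equality']} is case sensitive, "
                            "so a filter for 'All' will not match a stored 'ALL'")
    return findings


def equality_matches(rule: Optional[str], stored: str, asserted: str) -> bool:
    """Approximate the server-side comparison: caseIgnore* rules fold case (the
    real rules also collapse insignificant spaces); anything else is exact."""
    if rule and rule.startswith("caseIgnore"):
        return stored.casefold() == asserted.casefold()
    return stored == asserted


def filter_matches(attr: AttrDef, stored_values: Iterable[str], asserted: str) -> bool:
    """Would an equality filter (attr=asserted) select an entry holding stored_values?"""
    return any(equality_matches(attr["equality"], v, asserted) for v in stored_values)


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_SUDOUSER), ("proposed", PROPOSED_SUDOUSER),
                        ("mismatched", MISMATCHED_SUDOUSER)):
        attrs = parse_attribute_types(text)
        print(label, lint(attrs, {"sudoUser"}) or "OK",
              "(sudoUser=All) matches ALL:", filter_matches(attrs["sudoUser"], ["ALL"], "All"))
```

Run it against a full sudo schema file by reading the file into `parse_attribute_types` and passing the attributes you expect to be case-insensitive (sudoUser, sudoHost, sudoRunAs, sudoOption per the message above) to `lint`; an empty finding list means the rule and syntax agree and the server-side comparison will ignore case.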