[sudo-users] sudo + ldap - nisNetgroupTriple

Jr Aquino JR.Aquino at citrixonline.com
Tue May 25 17:58:14 EDT 2010

4.6. Modify Operation ... If an equality match filter has not been  
defined for an attribute type, clients MUST NOT attempt to delete  
individual values of that attribute from an entry using the "delete"  
form of a modification, and MUST instead use the "replace" form. ...
OpenLDAP's slapd enforces analogous limitations on add because in  
absence of an equality rule there's no way to determine whether a new  
value is duplicate or not.
you end up needing to delete all the values of that attribute and add  
the new set because in the absence of a matching rule there is no way  
to perform a "delete" on a single value; see RFC2251:

On May 25, 2010, at 2:45 PM, Patrick Spinler wrote:

> Hash: SHA1
> Jr Aquino wrote:
>> I am writing the mailing list in hopes that someone has information
>> regarding the use of sudo for 'hostgroups' without having to use the
>> nisNetgroupTriple attributes.
>> I would like to be able to utilize sudo with ldap entries that sanely
>> list the hostnames under a 'host:' attribute ideally.
>> I've spoken to several of the nss_ldap developers and they have
>> strongly cautioned me against leveraging nisNetgroup's for storing my
>> hosts because of various rfc schema enforcements present in various
>> ldap server implementations. (Not being able to modify/add/remove a
>> nisNetgroupTriple without fully removing and readding all
>> nisNetgroupTriple's from an object being one of the major
>> disadvantages...)
> For what it's worth, I got no clue what they're talking about, unless
> it's some weird ldap server specific thing.
> I've used nisNetGroup style hostgroups & sudo successfully with both
> openldap and sun dsee ldap server without issue, including liberally
> adding modifying and removing nisnetgrouptriples containing host (and
> user) attributes.
> - -- Pat
> Version: GnuPG v1.4.9 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> wPMAnjTqS5HcQsKaV0wWiYV3/juuGTo3
> =ssaq

More information about the sudo-users mailing list