[sudo-users] sudo + ldap - nisNetgroupTriple
Jr Aquino
JR.Aquino at citrixonline.com
Tue May 25 17:58:14 EDT 2010
4.6. Modify Operation ... If an equality match filter has not been
defined for an attribute type, clients MUST NOT attempt to delete
individual values of that attribute from an entry using the "delete"
form of a modification, and MUST instead use the "replace" form. ...
OpenLDAP's slapd enforces analogous limitations on add because in
absence of an equality rule there's no way to determine whether a new
value is duplicate or not.
you end up needing to delete all the values of that attribute and add
the new set because in the absence of a matching rule there is no way
to perform a "delete" on a single value; see RFC2251:
On May 25, 2010, at 2:45 PM, Patrick Spinler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jr Aquino wrote:
>> I am writing the mailing list in hopes that someone has information
>> regarding the use of sudo for 'hostgroups' without having to use the
>> nisNetgroupTriple attributes.
>>
>> I would like to be able to utilize sudo with ldap entries that sanely
>> list the hostnames under a 'host:' attribute ideally.
>>
>> I've spoken to several of the nss_ldap developers and they have
>> strongly cautioned me against leveraging nisNetgroup's for storing my
>> hosts because of various rfc schema enforcements present in various
>> ldap server implementations. (Not being able to modify/add/remove a
>> nisNetgroupTriple without fully removing and readding all
>> nisNetgroupTriple's from an object being one of the major
>> disadvantages...)
>
> For what it's worth, I got no clue what they're talking about, unless
> it's some weird ldap server specific thing.
>
> I've used nisNetGroup style hostgroups & sudo successfully with both
> openldap and sun dsee ldap server without issue, including liberally
> adding modifying and removing nisnetgrouptriples containing host (and
> user) attributes.
>
> - -- Pat
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkv8RQoACgkQNObCqA8uBswowACfaLmB8KpDZ5VtO6SJP3l/iQZc
> wPMAnjTqS5HcQsKaV0wWiYV3/juuGTo3
> =ssaq
> -----END PGP SIGNATURE-----
More information about the sudo-users
mailing list