[sudo-users] sudo + ldap - nisNetgroupTriple

Patrick Spinler spinler.patrick at mayo.edu
Tue May 25 22:48:21 EDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I just now checked my Sun DSEE LDAP (which is our current production
system) and a nisNetgroupTriple is defined as an object type oid
1.3.6.1.4.1.1466.115.121.1.26, which is an IA5String.

As far as I know, IA5String has equality matching, so, this shouldn't be
an issue.  Of course, your milage may vary, depending on what your
server does.

However, even if your server does something weird, so what?  Override
the definition of nisNetgroupTriple and give it a more sane object type.
 Doing user defined schema is actually quite easy in most LDAP servers
I'm aware of.

- -- Pat

Jr Aquino wrote:
> 4.6. Modify Operation ... If an equality match filter has not been
> defined for an attribute type, clients MUST NOT attempt to delete
> individual values of that attribute from an entry using the "delete"
> form of a modification, and MUST instead use the "replace" form. ...
> OpenLDAP's slapd enforces analogous limitations on add because in
> absence of an equality rule there's no way to determine whether a new
> value is duplicate or not.
> you end up needing to delete all the values of that attribute and add
> the new set because in the absence of a matching rule there is no way to
> perform a "delete" on a single value; see RFC2251:
> 
> On May 25, 2010, at 2:45 PM, Patrick Spinler wrote:
> 
> Jr Aquino wrote:
>>>> I am writing the mailing list in hopes that someone has information
>>>> regarding the use of sudo for 'hostgroups' without having to use the
>>>> nisNetgroupTriple attributes.
>>>>
>>>> I would like to be able to utilize sudo with ldap entries that sanely
>>>> list the hostnames under a 'host:' attribute ideally.
>>>>
>>>> I've spoken to several of the nss_ldap developers and they have
>>>> strongly cautioned me against leveraging nisNetgroup's for storing my
>>>> hosts because of various rfc schema enforcements present in various
>>>> ldap server implementations. (Not being able to modify/add/remove a
>>>> nisNetgroupTriple without fully removing and readding all
>>>> nisNetgroupTriple's from an object being one of the major
>>>> disadvantages...)
> 
> For what it's worth, I got no clue what they're talking about, unless
> it's some weird ldap server specific thing.
> 
> I've used nisNetGroup style hostgroups & sudo successfully with both
> openldap and sun dsee ldap server without issue, including liberally
> adding modifying and removing nisnetgrouptriples containing host (and
> user) attributes.
> 
> -- Pat
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkv8i/UACgkQNObCqA8uBsx1nQCfXHvUwN9kM4z94JI/eNpA+Akw
8IsAn1+MQwOeF2PcsCCdEjWxg0z5IfPl
=8nUI
-----END PGP SIGNATURE-----



More information about the sudo-users mailing list