[sudo-users] sudo + ldap - nisNetgroupTriple

[Jr Aquino]

I guess I should have been more clear to start.

I have written a method of role based authorization control for pam  
and am working with the pam_ldap groups to have it committed into  
their main branch.

As such, I'd like to have a list of hosts that both sudo and pam_ldap  
can look to without having to duplicate the same data in 2 different  
formats.

Symas and PADL have expressed a desire not to perpetuate the use of  
NIS in favor of a more pure ldap object for strict RFC reasons.

Either way, I am indifferent so long as both sudo and pam_ldap can  
play nice together without the duplication of data.

So that either means pam_ldap must be able to utilize nisNetgroup's or  
that sudo must be able to use a groupOfNames type object.

I was hoping that sudo already supported an alternative to nis out of  
the box.

It sounds like the answer is no.

-Jr

On May 25, 2010, at 7:48 PM, Patrick Spinler wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> I just now checked my Sun DSEE LDAP (which is our current production
> system) and a nisNetgroupTriple is defined as an object type oid
> 1.3.6.1.4.1.1466.115.121.1.26, which is an IA5String.
>
> As far as I know, IA5String has equality matching, so, this  
> shouldn't be
> an issue.  Of course, your milage may vary, depending on what your
> server does.
>
> However, even if your server does something weird, so what?  Override
> the definition of nisNetgroupTriple and give it a more sane object  
> type.
> Doing user defined schema is actually quite easy in most LDAP servers
> I'm aware of.
>
> - -- Pat
>
> Jr Aquino wrote:
>> 4.6. Modify Operation ... If an equality match filter has not been
>> defined for an attribute type, clients MUST NOT attempt to delete
>> individual values of that attribute from an entry using the "delete"
>> form of a modification, and MUST instead use the "replace" form. ...
>> OpenLDAP's slapd enforces analogous limitations on add because in
>> absence of an equality rule there's no way to determine whether a new
>> value is duplicate or not.
>> you end up needing to delete all the values of that attribute and add
>> the new set because in the absence of a matching rule there is no  
>> way to
>> perform a "delete" on a single value; see RFC2251:
>>
>> On May 25, 2010, at 2:45 PM, Patrick Spinler wrote:
>>
>> Jr Aquino wrote:
>>>>> I am writing the mailing list in hopes that someone has  
>>>>> information
>>>>> regarding the use of sudo for 'hostgroups' without having to use  
>>>>> the
>>>>> nisNetgroupTriple attributes.
>>>>>
>>>>> I would like to be able to utilize sudo with ldap entries that  
>>>>> sanely
>>>>> list the hostnames under a 'host:' attribute ideally.
>>>>>
>>>>> I've spoken to several of the nss_ldap developers and they have
>>>>> strongly cautioned me against leveraging nisNetgroup's for  
>>>>> storing my
>>>>> hosts because of various rfc schema enforcements present in  
>>>>> various
>>>>> ldap server implementations. (Not being able to modify/add/ 
>>>>> remove a
>>>>> nisNetgroupTriple without fully removing and readding all
>>>>> nisNetgroupTriple's from an object being one of the major
>>>>> disadvantages...)
>>
>> For what it's worth, I got no clue what they're talking about, unless
>> it's some weird ldap server specific thing.
>>
>> I've used nisNetGroup style hostgroups & sudo successfully with both
>> openldap and sun dsee ldap server without issue, including liberally
>> adding modifying and removing nisnetgrouptriples containing host (and
>> user) attributes.
>>
>> -- Pat
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkv8i/UACgkQNObCqA8uBsx1nQCfXHvUwN9kM4z94JI/eNpA+Akw
> 8IsAn1+MQwOeF2PcsCCdEjWxg0z5IfPl
> =8nUI
> -----END PGP SIGNATURE-----