[sudo-users] sudo + ldap - nisNetgroupTriple
JR.Aquino at citrixonline.com
Wed May 26 10:16:08 EDT 2010
I guess I should have been more clear to start.
I have written a method of role based authorization control for pam
and am working with the pam_ldap groups to have it committed into
their main branch.
As such, I'd like to have a list of hosts that both sudo and pam_ldap
can look to without having to duplicate the same data in 2 different
Symas and PADL have expressed a desire not to perpetuate the use of
NIS in favor of a more pure ldap object for strict RFC reasons.
Either way, I am indifferent so long as both sudo and pam_ldap can
play nice together without the duplication of data.
So that either means pam_ldap must be able to utilize nisNetgroup's or
that sudo must be able to use a groupOfNames type object.
I was hoping that sudo already supported an alternative to nis out of
It sounds like the answer is no.
On May 25, 2010, at 7:48 PM, Patrick Spinler wrote:
> I just now checked my Sun DSEE LDAP (which is our current production
> system) and a nisNetgroupTriple is defined as an object type oid
> 1.3.6.1.4.1.1466.115.121.1.26, which is an IA5String.
> As far as I know, IA5String has equality matching, so this shouldn't be
> an issue. Of course, your mileage may vary, depending on what your
> server does.
> However, even if your server does something weird, so what? Override
> the definition of nisNetgroupTriple and give it a more sane object
> Doing user defined schema is actually quite easy in most LDAP servers
> I'm aware of.
> - -- Pat
> Jr Aquino wrote:
>> 4.6. Modify Operation ... If an equality match filter has not been
>> defined for an attribute type, clients MUST NOT attempt to delete
>> individual values of that attribute from an entry using the "delete"
>> form of a modification, and MUST instead use the "replace" form. ...
>> OpenLDAP's slapd enforces analogous limitations on add because in
>> absence of an equality rule there's no way to determine whether a new
>> value is duplicate or not.
>> you end up needing to delete all the values of that attribute and add
>> the new set because in the absence of a matching rule there is no
>> way to perform a "delete" on a single value; see RFC2251:
>> On May 25, 2010, at 2:45 PM, Patrick Spinler wrote:
>> Jr Aquino wrote:
>>>>> I am writing the mailing list in hopes that someone has
>>>>> regarding the use of sudo for 'hostgroups' without having to use
>>>>> nisNetgroupTriple attributes.
>>>>> I would like to be able to utilize sudo with ldap entries that
>>>>> list the hostnames under a 'host:' attribute ideally.
>>>>> I've spoken to several of the nss_ldap developers and they have
>>>>> strongly cautioned me against leveraging nisNetgroup's for
>>>>> storing my hosts because of various rfc schema enforcements present in
>>>>> ldap server implementations. (Not being able to modify/add/remove a
>>>>> nisNetgroupTriple without fully removing and readding all
>>>>> nisNetgroupTriple's from an object being one of the major
>> For what it's worth, I got no clue what they're talking about, unless
>> it's some weird ldap server specific thing.
>> I've used nisNetGroup style hostgroups & sudo successfully with both
>> openldap and sun dsee ldap server without issue, including liberally
>> adding, modifying and removing nisnetgrouptriples containing host (and
>> user) attributes.
>> -- Pat
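The RFC 2251 section 4.6 rule quoted in this thread, as an added example that is not part of the original messages: it checks whether an attribute type definition carries an EQUALITY rule and emits the matching LDIF change for removing one nisNetgroupTriple value. The two schema strings (modelled on the RFC 2307 definition and on an overridden IA5String definition), the DN, the host names and the function names are constructed for illustration.

```python
import re

# Constructed schema definitions, modelled on RFC 2307 (no EQUALITY rule) and
# on an administrator override that uses IA5String with an equality rule.
SCHEMA_NO_EQ = ("( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' "
                "DESC 'Netgroup triple' SYNTAX 1.3.6.1.1.1.0.0 )")
SCHEMA_EQ = ("( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' "
             "DESC 'Netgroup triple' EQUALITY caseExactIA5Match "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )")


def has_equality(attr_def):
    """True if the attribute type definition declares an EQUALITY rule."""
    # Drop quoted strings first so the word EQUALITY inside a DESC is ignored.
    unquoted = re.sub(r"'[^']*'", "", attr_def)
    return re.search(r"\bEQUALITY\s+\S+", unquoted) is not None


def remove_value_ldif(dn, attr, current, victim, attr_def):
    """Build the LDIF modify record that removes `victim` from `attr`.

    With an equality rule the server can locate a single value, so the
    "delete" form works. Without one, RFC 2251 4.6 requires the "replace"
    form carrying every value that should remain.
    Values here are plain ASCII triples, so no base64 encoding is needed.
    """
    if victim not in current:
        raise ValueError("value to remove is not present in the entry")
    lines = ["dn: " + dn, "changetype: modify"]
    if has_equality(attr_def):
        lines += ["delete: " + attr, attr + ": " + victim]
    else:
        lines.append("replace: " + attr)
        lines += [attr + ": " + v for v in current if v != victim]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed entry contents: three host triples in one netgroup.
    triples = ["(web01.example.com,,)", "(web02.example.com,,)",
               "(db01.example.com,,)"]
    dn = "cn=webhosts,ou=netgroup,dc=example,dc=com"
    for schema in (SCHEMA_NO_EQ, SCHEMA_EQ):
        print(remove_value_ldif(dn, "nisNetgroupTriple", triples,
                                triples[1], schema))
```

The replace form rewrites the whole value set, so two administrators editing the same netgroup at once can overwrite each other's changes; the delete form touches only the named value.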