[sudo-users] New SUDO Schema Expansion

JR Aquino JR.Aquino at citrix.com
Tue Dec 13 12:14:55 EST 2011


On Jan 30, 2011, at 12:21 PM, Todd C. Miller wrote:

> On Sat, 29 Jan 2011 17:27:31 GMT, JR Aquino wrote:
> 
>> It is unclear whether the new SUDO schema is backward compatible
>> and what impact the new schema would have on the old clients that
>> do not support it.
>> 
>> If the attributes are present within LDAP, will older clients simply
>> ignore them?  Will the current Version of Sudo refuse to process
>> entries if these attributes are absent?
> 
> The sudoNotBefore and sudoNotAfter attribute support is only used
> when ldap.conf enables the SUDOERS_TIMED setting.  This is because
> those attributes are used directly in the LDAP filter if available.
> Your LDAP server must have the updated schema if you want to enable
> SUDOERS_TIMED in ldap.conf.
> 
> The sudoOrder support does not affect the LDAP filter sudo uses and
> so there is no need to explicitly enable it in ldap.conf.  If
> sudoOrder is not present in an entry, a value of 0 is used.  If no
> entries contain sudoOrder attributes, the results are in whatever
> order the LDAP server returns them, as in past versions of sudo.
> 

What happens if 2 Sudo Rule Objects in the Directory contain the same numerical value for the SudoOrder?

> Older versions of sudo will simply ignore the new attributes if
> they are present.
> 
> Hope that clears things up.
> 
> - todd

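An added Python model of the two behaviours Todd describes above (example code written for this page, not sudo's own implementation): sudoRole entries are evaluated in sudoOrder order with an absent attribute counting as 0, and with SUDOERS_TIMED on, sudoNotBefore/sudoNotAfter bound when an entry applies. The entries, the "now" timestamp and the helper names are constructed; the model assumes the basic yyyymmddHHMMSSZ generalized-time form and keeps tied sudoOrder values in server return order, which the thread leaves as an open question.

```python
# Added model of the behaviour described in the thread, not sudo's own code:
# sudoOrder sorts sudoRole entries (absent => 0); SUDOERS_TIMED applies the window.
from collections import Counter
from datetime import datetime, timezone

# Constructed sample sudoRole entries as an LDAP client would receive them;
# two of them share sudoOrder 10 on purpose.
SAMPLE_ENTRIES = [
    {"cn": "admins", "sudoUser": "%wheel", "sudoOrder": "10"},
    {"cn": "backup", "sudoUser": "backup", "sudoOrder": "10",
     "sudoNotBefore": "20110101000000Z", "sudoNotAfter": "20111231235959Z"},
    {"cn": "legacy", "sudoUser": "ALL"},  # pre-schema entry: no sudoOrder
]

def gen_time(value):
    """Parse an LDAP generalized-time value such as 20110130122100Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def in_window(entry, now):
    """SUDOERS_TIMED check: a missing bound imposes no limit on that side."""
    nb, na = entry.get("sudoNotBefore"), entry.get("sudoNotAfter")
    if nb and now < gen_time(nb):
        return False
    return not (na and now > gen_time(na))

def sudo_order(entry):
    """Numeric sudoOrder; an entry without the attribute is treated as 0."""
    return int(entry.get("sudoOrder", "0"))

def ordered_roles(entries, now, timed=False):
    """cn values in evaluation order. sorted() is stable, so entries with an
    equal sudoOrder keep the order the server returned them (model's choice)."""
    live = [e for e in entries if not timed or in_window(e, now)]
    return [e["cn"] for e in sorted(live, key=sudo_order)]

def order_ties(entries):
    """sudoOrder values shared by more than one entry, i.e. ambiguous ordering."""
    return sorted(v for v, n in Counter(map(sudo_order, entries)).items() if n > 1)

if __name__ == "__main__":
    now = gen_time("20111213171455Z")  # constructed: this reply's date, in UTC
    print(ordered_roles(SAMPLE_ENTRIES, now, timed=True))
    print(order_ties(SAMPLE_ENTRIES))
```

Running order_ties against a directory export is a quick way to spot rules whose relative precedence depends only on the server's return order.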