[sudo-users] New SUDO Schema Expantion

JR Aquino JR.Aquino at citrix.com
Tue Dec 13 12:14:55 EST 2011

On Jan 30, 2011, at 12:21 PM, Todd C. Miller wrote:

> On Sat, 29 Jan 2011 17:27:31 GMT, JR Aquino wrote:
>> It is unclear whether the new SUDO schema is backward compatible
>> and what impact the new schema would have on the old clients that
>> do not support it.
>> If the attributes are present within LDAP, will older clients simply
>> ignore them?  Will the current Version of Sudo refuse to process
>> entries if these attribute s are absent?
> The sudoNotBefore and sudoNotAfter attribute support is only used
> when ldap.conf enables the SUDOERS_TIMED setting.  This is because
> those attributes are used directly in the LDAP filter if available.
> Your LDAP server must have the updated schema if you want to enable
> SUDOERS_TIMED in ldap.conf.
> The sudoOrder support does not affect the LDAP filter sudo uses and
> so there is no need to explicitly enable it in ldap.conf.  If
> sudoOrder is not present in an entry, a value of 0 is used.  If no
> entries contain sudoOrder attributes, the results are in whatever
> order the LDAP server returns them, as in past versions of sudo.

What happens if 2 Sudo Rule Objects in the Directory contain the same numerical value for the SudoOrder?

> Older versions of sudo will simply ignore the new attributes if
> they are present.
> Hope that clears things up.
> - todd

More information about the sudo-users mailing list