[sudo-users] New SUDO Schema Expansion

JR Aquino JR.Aquino at citrix.com
Sat Jan 29 12:27:31 EST 2011


It is unclear whether the new SUDO schema is backward compatible and what impact the new schema would have on the old clients that do not support it.

If the attributes are present within LDAP, will older clients simply ignore them?
Will the current Version of Sudo refuse to process entries if these attributes are absent?

Thanks Todd!

-JR

-=-

sudoNotBefore

A timestamp in the form yyyymmddHHMMZ that indicates start of validity of this sudoRole. If multiple sudoNotBefore entries are present, the earliest is used.

sudoNotAfter

A timestamp in the form yyyymmddHHMMZ that indicates end of validity of this sudoRole. If multiple sudoNotAfter entries are present, the last one is used.

sudoOrder

The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed.


 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.10
    NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )


-=-
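The validity and ordering rules quoted above, worked through as an added Python example (this is not sudo's own code and not part of the message): a small evaluator that applies sudoNotBefore (earliest value wins), sudoNotAfter (latest value wins) and sudoOrder (absent means 0; the highest-ordered matching entry is the "last match") to a constructed set of sudoRole entries. The DNs, user names, commands and timestamps in SAMPLE_ROLES are made-up sample data, and the matcher is deliberately simplified: it only handles plain user names, literal commands and ALL, and ignores group (%), netgroup and negated (!) forms.

```python
"""Added example: evaluate sudoRole entries with the sudoNotBefore,
sudoNotAfter and sudoOrder semantics quoted in the message.
Not sudo's code; the entries below are constructed sample data."""
from datetime import datetime, timezone


def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime: yyyymmddHHMMZ or yyyymmddHHMMSSZ."""
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are handled: %r" % value)
    body = value[:-1]
    fmt = {12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(body))
    if fmt is None:
        raise ValueError("unexpected GeneralizedTime length: %r" % value)
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def role_is_valid_at(role, now):
    """sudoNotBefore: the earliest value is used; sudoNotAfter: the last
    (latest) value is used. A role carrying neither is valid at all times."""
    not_before = [parse_generalized_time(v) for v in role.get("sudoNotBefore", [])]
    not_after = [parse_generalized_time(v) for v in role.get("sudoNotAfter", [])]
    if not_before and now < min(not_before):
        return False
    if not_after and now > max(not_after):
        return False
    return True


def sudo_order(role):
    """Sort key: sudoOrder as a number, 0 when the attribute is absent."""
    values = role.get("sudoOrder", [])
    return float(values[0]) if values else 0.0


def lookup(roles, user, command, now):
    """Mimic the sudoers-file 'last match': walk the entries in ascending
    sudoOrder and keep the last one that is valid now and matches both
    sudoUser and sudoCommand. Returns the winning entry's dn, or None."""
    winner = None
    for role in sorted(roles, key=sudo_order):
        if not role_is_valid_at(role, now):
            continue
        if user not in role.get("sudoUser", []):      # plain user names only
            continue
        commands = role.get("sudoCommand", [])
        if "ALL" in commands or command in commands:  # no '!' negation handling
            winner = role["dn"]
    return winner


# Constructed sample directory content (not real data).
SAMPLE_ROLES = [
    {   # no sudoOrder -> sorts as 0; matches everything alice runs
        "dn": "cn=alice-default,ou=SUDOers,dc=example,dc=com",
        "sudoUser": ["alice"], "sudoCommand": ["ALL"],
    },
    {   # higher sudoOrder: overrides the default for this one command
        "dn": "cn=alice-restart,ou=SUDOers,dc=example,dc=com",
        "sudoUser": ["alice"], "sudoCommand": ["/sbin/service nginx restart"],
        "sudoOption": ["!authenticate"], "sudoOrder": ["10"],
    },
    {   # highest sudoOrder but only valid during a one-week window
        "dn": "cn=alice-oncall,ou=SUDOers,dc=example,dc=com",
        "sudoUser": ["alice"], "sudoCommand": ["ALL"], "sudoOrder": ["20"],
        "sudoNotBefore": ["201102010000Z"], "sudoNotAfter": ["201102080000Z"],
    },
    {
        "dn": "cn=bob-id,ou=SUDOers,dc=example,dc=com",
        "sudoUser": ["bob"], "sudoCommand": ["/usr/bin/id"],
    },
]


if __name__ == "__main__":
    now = parse_generalized_time("201101291227Z")   # date of the message
    for user, cmd in [("alice", "/sbin/service nginx restart"),
                      ("alice", "/bin/ls"), ("bob", "/bin/ls")]:
        print(user, cmd, "->", lookup(SAMPLE_ROLES, user, cmd, now))
    print("alice /bin/ls during on-call ->",
          lookup(SAMPLE_ROLES, "alice", "/bin/ls",
                 parse_generalized_time("201102031200Z")))
```

Running it shows the point of sudoOrder: with the attribute absent every matching entry ties at 0 and the result depends on whatever order the server returned, whereas here the order-10 entry beats the default for the restart command, and the order-20 on-call entry takes over only inside its sudoNotBefore/sudoNotAfter window.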



More information about the sudo-users mailing list