[sudo-users] New SUDO Schema Expansion

Todd C. Miller Todd.Miller at courtesan.com
Sun Jan 30 15:21:36 EST 2011

On Sat, 29 Jan 2011 17:27:31 GMT, JR Aquino wrote:

> It is unclear whether the new SUDO schema is backward compatible
> and what impact the new schema would have on the old clients that
> do not support it.
> If the attributes are present within LDAP, will older clients simply
> ignore them?  Will the current version of Sudo refuse to process
> entries if these attributes are absent?

The sudoNotBefore and sudoNotAfter attribute support is only used
when ldap.conf enables the SUDOERS_TIMED setting.  This is because
those attributes are used directly in the LDAP filter if available.
Your LDAP server must have the updated schema if you want to enable
SUDOERS_TIMED in ldap.conf.

The sudoOrder support does not affect the LDAP filter sudo uses and
so there is no need to explicitly enable it in ldap.conf.  If
sudoOrder is not present in an entry, a value of 0 is used.  If no
entries contain sudoOrder attributes, the results are in whatever
order the LDAP server returns them, as in past versions of sudo.

Older versions of sudo will simply ignore the new attributes if
they are present.

Hope that clears things up.

 - todd
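
An added example, not part of the original message and not sudo's own code: it emulates the behaviour described above over constructed entries, showing that entries without the new attributes still match and that a missing sudoOrder sorts as 0. The timestamp format, the exact filter text, the ascending sort direction and all entry names are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Assumed timestamp layout for sudoNotBefore/sudoNotAfter (UTC, fixed width).
GT_FMT = "%Y%m%d%H%M%SZ"

def timed_filter(now):
    """Filter fragment of the kind a client adds when SUDOERS_TIMED is on.
    An entry lacking either attribute is unbounded on that side."""
    ts = now.strftime(GT_FMT)
    return ("(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
            "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))" % (ts, ts))

def valid_at(entry, now):
    """Client-side emulation of timed_filter() for one entry."""
    ts = now.strftime(GT_FMT)
    nb, na = entry.get("sudoNotBefore"), entry.get("sudoNotAfter")
    # Fixed-width UTC timestamps compare correctly as plain strings.
    return (nb is None or nb <= ts) and (na is None or na >= ts)

def order_entries(entries):
    """Sort by sudoOrder, using 0 when the attribute is absent.
    sorted() is stable, so ties keep the order the server returned.
    Ascending direction is an assumption of this example."""
    return sorted(entries, key=lambda e: float(e.get("sudoOrder", 0)))

def select(entries, now, timed):
    """Return entry names as a client would see them, with or without
    the SUDOERS_TIMED restriction."""
    live = [e for e in entries if not timed or valid_at(e, now)]
    return [e["cn"] for e in order_entries(live)]

# Constructed sample data, listed in "server return" order.
ENTRIES = [
    {"cn": "legacy"},                                   # old-style entry
    {"cn": "expired", "sudoNotAfter": "20101231235959Z", "sudoOrder": "5"},
    {"cn": "ops", "sudoOrder": "2"},
    {"cn": "future", "sudoNotBefore": "20120101000000Z", "sudoOrder": "1"},
    {"cn": "legacy2"},                                  # old-style entry
]
NOW = datetime(2011, 1, 30, 20, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(timed_filter(NOW))
    print("untimed:", select(ENTRIES, NOW, timed=False))
    print("timed:  ", select(ENTRIES, NOW, timed=True))
```
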
