[sudo-users] sudo-ldap: Semantics of empty sudoRunAsUser and sudoRunAsGroup

Michael Ströder michael at stroeder.com
Fri May 22 12:07:44 MDT 2015


Disclaimer: I did not check details myself yet.

I've been told by a colleague that semantics are different if attributes
sudoRunAsUser or sudoRunAsGroup are not present at all or contain a
zero-length string.
(Note that only the LDAP syntax IA5String, which is actually used, allows a
zero-length string as an attribute value. All other LDAP syntaxes do not allow that.)

Is that correct?

If yes, is there another sane value, not colliding with user/group names etc.,
that is handled as semantically equal to a zero-length string?

Ciao, Michael.

