[sudo-users] Converting from sudoers to ldif
Daniele Palumbo
daniele at retaggio.net
Thu Feb 22 17:17:43 MST 2018
On 19 Feb 2018, at 03:39, Todd C. Miller <Todd.Miller at sudo.ws> wrote:
> I'm not sure I understand. Do you mean that you'd like to be able
> to specify a starting number (or range) for sudoOrder when converting
> to LDIF?
> Currently, cvtsudoers uses a sudoOrder of 1 for the first sudoRole
> and increments by one for each sudoOrder. I'm open to making that
> more configurable.
Sorry for the delay.
Yes, I would like to have a customizable way to set the sudoOrder.
A possible suggestion is to have a config file for cvtsudoers that defines if there must be a sudoOrder or not.
Also, please consider the following:
aaron shanty = /usr/sbin/tcpdump, NOEXEC: /usr/bin/more, /usr/bin/vi
On LDAP, to the best of my knowledge, this is translated to two entries.
Of course, in this case the sudoOrder does apply.
To deal with that use case, I am not sure which is the best.
Probably again a configuration file.
Example (proto code):
headerchars: 3 (means take 3 characters, which can be enforced to be numbers)
sudoOrderOffset: 2 (means take 2 numbers for sudoOrder in addition to the above one)
In the above case, a file called:
100-aaron
That contains
"""
aaron shanty = /usr/sbin/tcpdump, NOEXEC: /usr/bin/more, /usr/bin/vi
"""
Leads to two LDAP entries:
1:
/usr/sbin/tcpdump
sudoOrder: 10001
2:
NOEXEC: /usr/bin/more, /usr/bin/vi
sudoOrder: 10002
There are a number of constraints and possible solutions; I am open to evaluating them all.
And of course to doing some beta testing.
HTH,
Daniele
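
The numbering scheme proposed in the message above, worked through as an added example (not part of the original post and not cvtsudoers code). The function names, the base DN and the `cn` naming are assumptions of this sketch, and it handles only the NOEXEC/EXEC tag on a simple comma-separated command list.

```python
import re

BASE_DN = "ou=SUDOers,dc=example,dc=com"  # constructed placeholder base DN

def split_by_noexec(cmnd_list):
    """Group commands by NOEXEC/EXEC tag; a tag persists until overridden."""
    groups, noexec = [], False
    for item in (c.strip() for c in cmnd_list.split(",")):
        m = re.match(r"(NOEXEC|EXEC):\s*(.*)", item)
        if m:
            noexec, item = m.group(1) == "NOEXEC", m.group(2)
        if not groups or groups[-1][0] != noexec:
            groups.append((noexec, []))  # tag changed: start a new entry
        groups[-1][1].append(item)
    return groups

def proposed_orders(filename, count, headerchars=3, offset=2):
    """sudoOrder = numeric file prefix followed by an `offset`-digit counter."""
    header = filename[:headerchars]
    if len(header) != headerchars or not header.isdecimal():
        raise ValueError(f"{filename!r}: first {headerchars} chars must be digits")
    if count >= 10 ** offset:  # counter would spill into the next prefix
        raise ValueError(f"{count} entries do not fit in {offset} digits")
    return [int(header) * 10 ** offset + i for i in range(1, count + 1)]

def to_ldif(filename, rule, headerchars=3, offset=2):
    """Convert one 'user host = cmnd, ...' line into sudoRole LDIF entries."""
    who, cmnds = (s.strip() for s in rule.split("=", 1))
    user, host = who.split()
    groups = split_by_noexec(cmnds)
    orders = proposed_orders(filename, len(groups), headerchars, offset)
    entries = []
    for order, (noexec, commands) in zip(orders, groups):
        cn = f"{user}_{order}"  # cn naming is this example's own choice
        lines = [f"dn: cn={cn},{BASE_DN}", "objectClass: top",
                 "objectClass: sudoRole", f"cn: {cn}",
                 f"sudoUser: {user}", f"sudoHost: {host}"]
        lines += [f"sudoCommand: {c}" for c in commands]
        if noexec:
            lines.append("sudoOption: noexec")  # LDAP form of the NOEXEC tag
        lines.append(f"sudoOrder: {order}")
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"

if __name__ == "__main__":
    print(to_ldif("100-aaron",
          "aaron shanty = /usr/sbin/tcpdump, NOEXEC: /usr/bin/more, /usr/bin/vi"))
```
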