[sudo-users] Converting from sudoers to ldif

Daniele Palumbo daniele at retaggio.net
Thu Feb 22 17:17:43 MST 2018


On 19 Feb 2018, at 03:39, Todd C. Miller <Todd.Miller at sudo.ws> wrote:
> I'm not sure I understand.  Do you mean that you'd like to be able
> to specify a starting number (or range) for sudoOrder when converting
> to LDIF?
> Currently, cvtsudoers uses a sudoOrder of 1 for the first sudoRole
> and increments by one for each sudoOrder.  I'm open to making that
> more configurable.

Sorry for the delay.

Yes, I would like to have a customizable way to set the sudoOrder.

A possible suggestion is to have a config file for cvtsudoers that defines whether there must be a sudoOrder or not.

Also, please consider the following:
aaron	shanty = /usr/sbin/tcpdump, NOEXEC: /usr/bin/more, /usr/bin/vi

On LDAP, to the best of my knowledge, this is translated to two entries.
Of course, in this case the sudoOrder does apply.

To deal with that use case I am not sure which is the best.
Probably again a configuration file.


Example (proto code):
headerchars: 3 (means take 3 characters, which can be enforced to be numbers)
sudoOrderOffset: 2 (means take 2 digits for sudoOrder in addition to the ones above).

In the above case, a file called:
100-aaron
that contains
"""
aaron	shanty = /usr/sbin/tcpdump, NOEXEC: /usr/bin/more, /usr/bin/vi
"""

leads to two LDAP entries:
1:
/usr/sbin/tcpdump
sudoOrder: 10001

2:
NOEXEC: /usr/bin/more, /usr/bin/vi
sudoOrder: 10002

There are a number of constraints and possible solutions; I am open to evaluating them all.
And of course to make some beta test.

HTH,
Daniele
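The numbering scheme sketched in the message above, worked through as an added example (this is not cvtsudoers code and not part of the thread): the `headerchars` and `sudoOrderOffset` keys, the `cn` naming of the split roles, the base DN and the tag-to-`sudoOption` mapping are all assumptions made for the illustration. The script takes the file name `100-aaron` and the one sudoers line, splits the command list wherever the tag set changes (a sudoers tag stays in effect for the rest of the list until it is changed), and assigns `sudoOrder` = file prefix followed by a fixed-width per-entry counter, refusing to emit an order that no longer fits in the configured digits.

```python
"""Toy model of the proposed file-name-driven sudoOrder scheme.

Assumptions (not cvtsudoers behaviour): the config keys, the LDIF layout,
the cn naming of split roles and the tag -> sudoOption mapping.
"""
import re
from typing import Dict, List, Tuple

# Assumed config keys from the proposal: digits taken from the file name,
# and digits appended for the per-entry counter.
CONFIG: Dict[str, int] = {"headerchars": 3, "sudoOrderOffset": 2}

# Assumed mapping of sudoers command tags to sudoRole sudoOption values.
TAG_TO_OPTION = {
    "NOEXEC": "noexec", "EXEC": "!noexec",
    "NOPASSWD": "!authenticate", "PASSWD": "authenticate",
    "SETENV": "setenv", "NOSETENV": "!setenv",
}
# Each tag cancels its opposite when it appears later in the list.
OPPOSITE: Dict[str, str] = {}
for _a, _b in (("NOEXEC", "EXEC"), ("NOPASSWD", "PASSWD"), ("SETENV", "NOSETENV")):
    OPPOSITE[_a], OPPOSITE[_b] = _b, _a

# Constructed sample input: the file name and line from the message.
SAMPLE_FILE = "100-aaron"
SAMPLE_LINE = "aaron\tshanty = /usr/sbin/tcpdump, NOEXEC: /usr/bin/more, /usr/bin/vi"


def order_prefix(filename: str, headerchars: int) -> int:
    """Take the leading `headerchars` characters and require them to be digits."""
    prefix = filename[:headerchars]
    if len(prefix) != headerchars or not prefix.isdigit():
        raise ValueError(f"{filename!r}: first {headerchars} chars must be digits")
    return int(prefix)


def sudo_order(prefix: int, index: int, offset: int) -> int:
    """prefix digits followed by `offset` digits of 1-based entry counter."""
    if not 1 <= index < 10 ** offset:
        raise ValueError(f"entry {index} does not fit in {offset} digits")
    return prefix * 10 ** offset + index


def split_by_tags(cmnd_list: str) -> List[Tuple[frozenset, List[str]]]:
    """Group consecutive commands that share the same effective tag set."""
    groups: List[Tuple[frozenset, List[str]]] = []
    tags: set = set()
    for item in cmnd_list.split(","):
        item = item.strip()
        # Peel off leading TAG: prefixes; they persist for later commands.
        while True:
            m = re.match(r"([A-Z_]+):\s*(.*)", item)
            if not m or m.group(1) not in TAG_TO_OPTION:
                break
            tag, item = m.group(1), m.group(2)
            tags.discard(OPPOSITE[tag])
            tags.add(tag)
        key = frozenset(tags)
        if groups and groups[-1][0] == key:
            groups[-1][1].append(item)
        else:
            groups.append((key, [item]))
    return groups


def convert(filename: str, line: str, config: Dict[str, int],
            base_dn: str = "ou=SUDOers,dc=example,dc=com") -> List[Tuple[int, str]]:
    """Return (sudoOrder, LDIF text) for each sudoRole the line splits into."""
    user_host, _, cmnds = line.partition("=")
    user, host = user_host.split()
    prefix = order_prefix(filename, config["headerchars"])
    cn_base = filename[config["headerchars"]:].lstrip("-_") or user  # assumed naming
    entries = []
    for n, (tags, cmds) in enumerate(split_by_tags(cmnds), start=1):
        order = sudo_order(prefix, n, config["sudoOrderOffset"])
        cn = cn_base if n == 1 else f"{cn_base}_{n}"
        attrs = [f"dn: cn={cn},{base_dn}", "objectClass: top", "objectClass: sudoRole",
                 f"cn: {cn}", f"sudoUser: {user}", f"sudoHost: {host}"]
        attrs += [f"sudoCommand: {c}" for c in cmds]
        attrs += [f"sudoOption: {TAG_TO_OPTION[t]}" for t in sorted(tags)]
        attrs.append(f"sudoOrder: {order}")
        entries.append((order, "\n".join(attrs)))
    return entries


if __name__ == "__main__":
    for _, ldif in convert(SAMPLE_FILE, SAMPLE_LINE, CONFIG):
        print(ldif, end="\n\n")
```

With `headerchars: 3` and `sudoOrderOffset: 2` the two roles come out as `sudoOrder: 10001` and `sudoOrder: 10002`, matching the message; a file that split into 100 or more roles would trip the width check rather than silently colliding with the next file's range.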