[sudo-workers] proposed patch: timed sudoRole entries

Andreas Mueller afm at othello.ch
Wed Sep 8 12:27:41 EDT 2010


the attached patch sudo-1.7.4p4-timed.patch introduces two
now attributes sudoNotBefore and sudoNotAfter that allow
a sudoRole entry to be timed. Special privileges can be
given to a user for a certain time window.

The feature is not activated unless the sudoers_timed option
is set in the ldap.conf. If it is activated, then the
search filter for relevant sudoRole nodes is extended to
also include a filter that accepts only those entries that
are valid. If an entry does not have sudoNotBefore or
sudoNotAfter, its validity is unlimited, onesided limitations
(e.g. privilege terminates on a certain day) are also possible.

Timed entries are preferable to adding and removing entries
for two reasons:
1. a process needs to be put in place to make sure entries
    are removed when no longer needed. In practice, they are
    often forgotten
2. if entries can be left in the directory, they document
    the privileges that were granted to a user even after
    they have expired.

The patch has one small problem: I cannot provide an updated
schema.ActiveDirectory, as I don't have access to AD. The other
schema files were tested on a customers LDAP infrastructure ;-)

Best regards

Andreas Mueller

Prof. Dr. Andreas Mueller
andreas.mueller at othello.ch
Bubental 53, 8852 Altendorf
Voice: +41 55 4621481  Fax/Data: +41 55 4621482


-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo-1.7.4p4-timed.patch
Type: text/x-patch
Size: 11790 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20100908/2e1bc03f/attachment.bin>

More information about the sudo-workers mailing list