[sudo-workers] proposed patch: timed sudoRole entries

Andreas Mueller afm at othello.ch
Wed Sep 8 12:27:41 EDT 2010


Hi,

the attached patch sudo-1.7.4p4-timed.patch introduces two
new attributes sudoNotBefore and sudoNotAfter that allow
a sudoRole entry to be timed. Special privileges can be
given to a user for a certain time window.

The feature is not activated unless the sudoers_timed option
is set in the ldap.conf. If it is activated, then the
search filter for relevant sudoRole nodes is extended to
also include a filter that accepts only those entries that
are valid. If an entry does not have sudoNotBefore or
sudoNotAfter, its validity is unlimited; one-sided limitations
(e.g. privilege terminates on a certain day) are also possible.

Timed entries are preferable to adding and removing entries
for two reasons:
1. a process needs to be put in place to make sure entries
    are removed when no longer needed. In practice, they are
    often forgotten.
2. if entries can be left in the directory, they document
    the privileges that were granted to a user even after
    they have expired.

The patch has one small problem: I cannot provide an updated
schema.ActiveDirectory, as I don't have access to AD. The other
schema files were tested on a customer's LDAP infrastructure ;-)

Best regards

Andreas Mueller

-- 
Prof. Dr. Andreas Mueller
andreas.mueller at othello.ch
Bubental 53, 8852 Altendorf
Voice: +41 55 4621481  Fax/Data: +41 55 4621482

http://www.eurocketry.org/forum/german/viewtopic.php?p=15049#15049
http://www.youtube.com/watch?v=keweeQdMAFM

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo-1.7.4p4-timed.patch
Type: text/x-patch
Size: 11790 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20100908/2e1bc03f/attachment.bin>
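The attachment is not reproduced in this archive, so the following is an added example, not code from the patch or from sudo: one way to extend a sudoRole search filter with the validity window described in the message, plus the same check done client-side. The filter shape, the function names, the sample user "alice" and the YYYYMMDDHHMMSSZ timestamp form are assumptions; only the attribute names sudoNotBefore and sudoNotAfter come from the message.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Format `now` as a UTC GeneralizedTime string (assumed form YYYYMMDDHHMMSSZ). */
int ldap_timestamp(time_t now, char *buf, size_t len)
{
    struct tm *tm = gmtime(&now);
    if (tm == NULL)
        return -1;
    return strftime(buf, len, "%Y%m%d%H%M%SZ", tm) == 0 ? -1 : 0;
}

/* AND the base filter with two clauses: each accepts an entry that lacks the
 * attribute (unlimited on that side) or whose bound includes `now`.
 * Returns 0 on success, -1 on error or truncation (never use a cut filter). */
int build_timed_filter(const char *base, time_t now, char *out, size_t len)
{
    char ts[32];
    int n;
    if (ldap_timestamp(now, ts, sizeof(ts)) != 0)
        return -1;
    n = snprintf(out, len,
                 "(&%s(|(!(sudoNotBefore=*))(sudoNotBefore<=%s))"
                 "(|(!(sudoNotAfter=*))(sudoNotAfter>=%s)))", base, ts, ts);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Client-side equivalent for one entry; NULL means the attribute is absent.
 * Fixed-width UTC timestamps compare correctly as plain strings. */
int entry_is_valid(const char *not_before, const char *not_after, time_t now)
{
    char ts[32];
    if (ldap_timestamp(now, ts, sizeof(ts)) != 0)
        return 0;                       /* fail closed if the clock is unusable */
    if (not_before != NULL && strcmp(not_before, ts) > 0)
        return 0;                       /* window has not opened yet */
    if (not_after != NULL && strcmp(not_after, ts) < 0)
        return 0;                       /* window has closed */
    return 1;
}

int main(void)
{
    char f[256];
    time_t now = (time_t)1283963261;    /* constructed: 2010-09-08 16:27:41 UTC */
    if (build_timed_filter("(sudoUser=alice)", now, f, sizeof(f)) == 0)
        puts(f);
    printf("%d\n", entry_is_valid(NULL, "20100901000000Z", now)); /* expired */
    return 0;
}
```

The `<=` and `>=` assertions only match server-side if the schema gives both attributes an ordering matching rule, so the schema files mentioned in the message matter for correctness, not just for storing the values.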

