From: Dmitri Pal <d...@redhat.com>
Organization: Red Hat
Reply-To: <d...@redhat.com>
Date: Sat, 29 Jan 2011 11:25:17 -0500
To: <freeipa-devel@redhat.com>
Subject: [Freeipa-devel] SUDO community changed SUDO schema!!!


sudoNotBefore

A timestamp in the form yyyymmddHHMMZ that indicates start of validity of this 
sudoRole. If multiple sudoNotBefore entries are present, the earliest is used.

sudoNotAfter

A timestamp in the form yyyymmddHHMMZ that indicates end of validity of this 
sudoRole. If multiple sudoNotAfter entries are present, the last one is used.

sudoOrder

The sudoRole entries retrieved from the LDAP directory have no inherent order. 
The sudoOrder attribute is an integer (or floating point value for LDAP servers 
that support it) that is used to sort the matching entries. This allows 
LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers 
file, where the order of the entries influences the result. If multiple entries 
match, the entry with the highest sudoOrder attribute is chosen. This 
corresponds to the "last match" behavior of the sudoers file. If the sudoOrder 
attribute is not present, a value of 0 is assumed.


 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.10
    NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

I have reached out to Todd and the SUDO community to answer these questions and 
concerns, Dmitri.

I suspect that we should not have an issue moving forward with the 2.0 effort, 
and that we will want to include the feature support in 2.1.

I'll report further once I have more official information from the source.

-JR
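A worked illustration of the selection rules quoted above (earliest sudoNotBefore, latest sudoNotAfter, highest sudoOrder with 0 assumed when absent), added here as example code that is neither from this thread nor from sudo itself. The sample entries are constructed, and the sudoUser, sudoCommand and cn attributes are assumed from the wider sudo schema rather than taken from the three definitions quoted in the message.

```python
from datetime import datetime

# Constructed sample sudoRole entries, shaped like an LDAP client's
# attribute -> list-of-values view; not real directory data.
SAMPLE_ROLES = [
    {"cn": ["ops-default"], "sudoUser": ["alice"], "sudoCommand": ["/bin/ls"]},
    {"cn": ["ops-window"], "sudoUser": ["alice"], "sudoCommand": ["ALL"],
     "sudoOrder": ["5"],
     "sudoNotBefore": ["202101010000Z"], "sudoNotAfter": ["202112312359Z"]},
    {"cn": ["ops-expired"], "sudoUser": ["alice"], "sudoCommand": ["ALL"],
     "sudoOrder": ["9"], "sudoNotAfter": ["202012312359Z"]},
]


def parse_sudo_time(value):
    """Parse the yyyymmddHHMMZ form (seconds optional); Z means UTC."""
    for fmt in ("%Y%m%d%H%MZ", "%Y%m%d%H%M%SZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("unsupported sudo timestamp: %r" % value)


def is_valid_at(role, now):
    """Earliest sudoNotBefore and latest sudoNotAfter bound the validity."""
    not_before = [parse_sudo_time(v) for v in role.get("sudoNotBefore", [])]
    not_after = [parse_sudo_time(v) for v in role.get("sudoNotAfter", [])]
    if not_before and now < min(not_before):
        return False
    if not_after and now > max(not_after):
        return False
    return True


def sudo_order(role):
    """sudoOrder may be an integer or a float; a missing attribute counts as 0."""
    values = role.get("sudoOrder")
    return float(values[0]) if values else 0.0


def select_role(roles, user, now):
    """Pick the time-valid role naming `user` with the highest sudoOrder,
    i.e. the LDAP equivalent of the sudoers file's last-match rule."""
    candidates = [r for r in roles
                  if user in r.get("sudoUser", []) and is_valid_at(r, now)]
    if not candidates:
        return None
    return max(candidates, key=sudo_order)
```

Note that an entry with a high sudoOrder but an elapsed sudoNotAfter drops out entirely, so a lower-ordered entry silently takes over once the window closes.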

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
