On Sun, Jan 30, 2011 at 11:53:19PM -0500, Dmitri Pal wrote:
> On 01/30/2011 11:23 AM, JR Aquino wrote:
> > On 1/29/11 3:40 PM, "Dmitri Pal" <d...@redhat.com> wrote:
> >
> >> On 01/29/2011 12:37 PM, JR Aquino wrote:
> >>> On 1/29/11 9:30 AM, "JR Aquino" <jr.aqu...@citrix.com> wrote:
> >>>
> >>>> From: Dmitri Pal <d...@redhat.com>
> >>>> Organization: Red Hat
> >>>> Reply-To: <d...@redhat.com>
> >>>> Date: Sat, 29 Jan 2011 11:25:17 -0500
> >>>> To: <freeipa-devel@redhat.com>
> >>>> Subject: [Freeipa-devel] SUDO community changed SUDO schema!!!
> >>>>
> >>>>


> The main concern about the solution is the following scenario.
> 1) IPA releases as is, without support for the order attribute.
> 2) Some time passes and a new version of SUDO gets released into some
> distros we care about.
> 3) Support for the ordered attribute needs to be added to IPA.
>     Option 1: Allow some entries to have the ordered attribute while
> other entries do not. This would allow the admin to slowly migrate SUDO
> rules from unordered to ordered mode. I see two problems with this:
>         a) If some entries get populated with the order attribute and
> some do not, the clients that have the newer version of SUDO will
> assume that everything is sorted, but the result will be different
> from the older clients, leading to inconsistency between client
> behaviour. This problem could be solved if the SUDO code had a
> config flag to enable and disable sorting, but this is outside of our
> control.

Why? I think adding this kind of option is very reasonable, and if we
kindly ask the SUDO community to consider this option I would expect
that we can reach an agreement that it should be added. And if the
community does not have the resources to add this option, we should
consider providing a patch before the release of a new official version
that supports the extended schema.

I could imagine that most of the discussion will be about what kind of
option should be used. My idea would be to add a version number to the
LDAP schema and add an attribute telling the client which schema version
it should use to evaluate the rules, which can be less than or equal to
the installed schema version on the server.


Freeipa-devel mailing list
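The scenario Dmitri describes (a partially migrated rule set evaluated differently by old and new clients) and the version-gating idea from the reply, worked through as an added example. This is illustrative code, not code from the thread, from FreeIPA or from sudo: the evaluation policies (unordered clients take directory order, first match wins; ordered clients take the highest order value first, entries without the attribute last), the schema version number 2 and the sample rule entries are all assumptions made here for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

# Schema version in which the order attribute appears (assumed value for illustration).
ORDER_SCHEMA_VERSION = 2


@dataclass(frozen=True)
class SudoRule:
    """One sudo rule entry as a client would read it from the directory."""
    cn: str
    users: frozenset
    commands: frozenset
    order: Optional[int] = None  # the order attribute; None means the entry lacks it


def _matches(rule: SudoRule, user: str, command: str) -> bool:
    return user in rule.users and ("ALL" in rule.commands or command in rule.commands)


def evaluate_unordered(rules, user, command):
    """Older client that does not know the order attribute: entries are taken
    in the order the directory returned them, first match wins (assumed policy)."""
    for rule in rules:
        if _matches(rule, user, command):
            return rule.cn
    return None


def evaluate_ordered(rules, user, command):
    """Newer client that sorts by the order attribute, highest value first.
    Entries without the attribute sort after all ordered ones, keeping
    directory order among themselves (assumed policy)."""
    ranked = sorted(
        enumerate(rules),
        key=lambda item: (item[1].order is None, -(item[1].order or 0), item[0]),
    )
    for _, rule in ranked:
        if _matches(rule, user, command):
            return rule.cn
    return None


def evaluate_versioned(rules, user, command, client_version, server_version):
    """Client that honours the lesser of its own schema version and the version
    the server advertises, so a partially migrated directory is evaluated the
    same way by every client until the server raises the advertised version."""
    effective = min(client_version, server_version)
    if effective >= ORDER_SCHEMA_VERSION:
        return evaluate_ordered(rules, user, command)
    return evaluate_unordered(rules, user, command)


def migration_complete(rules) -> bool:
    """Precondition for advertising ORDER_SCHEMA_VERSION: every entry carries
    the order attribute, so the ordered evaluation is well defined for the
    whole rule set and not just for the entries that happen to have a value."""
    return all(rule.order is not None for rule in rules)


# Constructed sample directory contents: a partially migrated rule set in which
# the first (unordered) entry grants ALL and a later ordered entry is narrower.
RULES = (
    SudoRule("legacy-all", frozenset({"alice"}), frozenset({"ALL"})),
    SudoRule("ops-reboot", frozenset({"alice"}), frozenset({"/sbin/reboot"}), order=20),
    SudoRule("ops-bob", frozenset({"bob"}), frozenset({"/sbin/reboot"}), order=5),
)


def demo():
    """Show the divergence and how the advertised schema version removes it."""
    old = evaluate_unordered(RULES, "alice", "/sbin/reboot")
    new = evaluate_ordered(RULES, "alice", "/sbin/reboot")
    # The server keeps advertising version 1 while migration_complete() is False,
    # so even a version-2 client evaluates the way the old client does.
    gated = evaluate_versioned(RULES, "alice", "/sbin/reboot", client_version=2, server_version=1)
    return old, new, gated


if __name__ == "__main__":
    print(demo())
```

On the sample data the unordered client picks "legacy-all" and the ordered client picks "ops-reboot" for the same user and command, which is the inconsistency (a) in the quoted message. With the server advertising version 1 until migration_complete() holds, both a version-1 and a version-2 client return "legacy-all"; once every entry carries the attribute and the server advertises version 2, version-2 clients switch to ordered evaluation together. The min(client, server) rule is what makes the switch a server-side decision rather than something that depends on which sudo build each host happens to run.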
