Dmitri Pal wrote:
Simo Sorce wrote:
On Wed, 20 Oct 2010 15:42:17 -0400
Dmitri Pal d...@redhat.com wrote:
Any suggestions what it should be?
Should we create a new attribute or there is something handy to reuse?
Probably makes sense to add a custom attribute, properly named.
Ok I will propose one.
The attached patch should address the issue.
I did the change but I have not done the build so view this patch as a
proposal.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From 34896a5f24a9fba8e3483b53a7b30c1bb737 Mon Sep 17 00:00:00 2001
From: Dmitri Pal d...@redhat.com
Date: Sun, 24 Oct 2010 22:37:27 -0400
Subject: [PATCH] [SUDO] 3. Changing command attr to be case sensitive
* Fixed comments
* Added attribute
* Fixed objectclass
---
install/share/60sudo.ldif |8 +---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/install/share/60sudo.ldif b/install/share/60sudo.ldif
index d7080859be12abd7b1f27a5f9cbeebee44af8969..638f131ba7b2f50dd767f5ea958934d7564429a8 100644
--- a/install/share/60sudo.ldif
+++ b/install/share/60sudo.ldif
@@ -5,9 +5,9 @@ dn: cn=schema
## Attributes: 2.16.840.1.113730.3.8.7.x
## ObjectClasses: 2.16.840.1.113730.3.8.8.x
##
-## Attribute to store DN of a SUDO command or a group of SUDO commands
+## Attribute to store DN of an allowed SUDO command or a group of SUDO commands
attributetypes: (2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Reference to a command or group of the commands that are allowed by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
-## Attribute to store command category
+## Attribute to store DN of a prohibited SUDO command or a group of SUDO commands
attributetypes: (2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Reference to a command or group of the commands that are denied by the rule.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
## Attribute to store command category
attributeTypes: (2.16.840.1.113730.3.8.7.3 NAME 'cmdCategory' DESC 'Additional classification for commands' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
@@ -29,9 +29,11 @@ attributeTypes: (2.16.840.1.113730.3.8.7.10 NAME 'ipaSudoRunAsExtGroup' DESC 'Mu
attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'ipaSudoRunAsGroupCategory' DESC 'Additional classification for groups' SUP userCategory X-ORIGIN 'IPA v2' )
## Attribute to store host mask
attributeTypes: (2.16.840.1.113730.3.8.7.12 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+## Attribute to store sudo command
+attributeTypes: (2.16.840.1.113730.3.8.7.13 NAME 'sudoCmd' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactMatch ORDERING caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
## Object class for SUDO rules
objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' )
## Object class for SUDO commands
-objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ cn ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ sudoCmd ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v2' )
## Object class for groups of the SUDO commands
objectClasses: (2.16.840.1.113730.3.8.8.3 NAME 'ipaSudoCmdGrp' DESC 'IPA object class to store groups of SUDO commands' SUP groupOfNames MUST ( ipaUniqueID ) STRUCTURAL X-ORIGIN 'IPA v2' )
--
1.5.5.6
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel