Bug 766351

Summary: [RFE] Add support for SudoNotBefore and SudoNotAfter attributes
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED DEFERRED QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: cparent, jgalipea, mkosek
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-21 15:08:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 736854    

Description Dmitri Pal 2011-12-11 20:10:17 UTC 
There was a discussion on freeipa-devel list (https://www.redhat.com/archives/freeipa-devel/2011-January/msg00884.html), however I could not find any decision that was made. 

{{{
sudoNotBefore
A timestamp in the form yyyymmddHHMMZ that indicates start of validity of this sudoRole. If multiple sudoNotBefore entries are present, the earliest is used.

sudoNotAfter
A timestamp in the form yyyymmddHHMMZ that indicates end of validity of this sudoRole. If multiple sudoNotAfter entries are present, the last one is used.

sudoOrder
The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed.


 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
     NAME 'sudoOrder'
     DESC 'an integer to order the sudoRole entries'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
}}}


Filing here as an RFE to have this tracked. 

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1314
Comment 3 Martin Kosek 2015-01-16 12:35:04 UTC 
Note that sudoOrder is already supported in the latest FreeIPA/IdM versions.
Comment 4 Martin Kosek 2015-01-21 15:08:28 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.
Comment 5 Petr Vobornik 2015-07-09 12:13:59 UTC 
*** Bug 1241188 has been marked as a duplicate of this bug. ***