Bug 766351 - [RFE] Add support for SudoNotBefore and SudoNotAfter attributes
Summary: [RFE] Add support for SudoNotBefore and SudoNotAfter attributes
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: IDM QE LIST
URL:
Whiteboard:
: 1241188 (view as bug list)
Depends On:
Blocks: 736854
TreeView+ depends on / blocked
 
Reported: 2011-12-11 20:10 UTC by Dmitri Pal
Modified: 2015-07-09 14:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 15:08:28 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Dmitri Pal 2011-12-11 20:10:17 UTC 
There was a discussion on freeipa-devel list (https://www.redhat.com/archives/freeipa-devel/2011-January/msg00884.html), however I could not find any decision that was made. 

{{{
sudoNotBefore
A timestamp in the form yyyymmddHHMMZ that indicates start of validity of this sudoRole. If multiple sudoNotBefore entries are present, the earliest is used.

sudoNotAfter
A timestamp in the form yyyymmddHHMMZ that indicates end of validity of this sudoRole. If multiple sudoNotAfter entries are present, the last one is used.

sudoOrder
The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed.


 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
     NAME 'sudoOrder'
     DESC 'an integer to order the sudoRole entries'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
}}}


Filing here as an RFE to have this tracked. 

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1314
Comment 3 Martin Kosek 2015-01-16 12:35:04 UTC 
Note that sudoOrder is already supported in the latest FreeIPA/IdM versions.
Comment 4 Martin Kosek 2015-01-21 15:08:28 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.
Comment 5 Petr Vobornik 2015-07-09 12:13:59 UTC 
*** Bug 1241188 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.