Bug 766351 - [RFE] Add support for SudoNotBefore and SudoNotAfter attributes
Summary: [RFE] Add support for SudoNotBefore and SudoNotAfter attributes
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: IDM QE LIST
URL:
Whiteboard:
Duplicates: 1241188
Depends On:
Blocks: 736854
Reported: 2011-12-11 20:10 UTC by Dmitri Pal
Modified: 2015-07-09 14:10 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 15:08:28 UTC
Target Upstream Version:
Embargoed:



Description Dmitri Pal 2011-12-11 20:10:17 UTC
There was a discussion on freeipa-devel list (https://www.redhat.com/archives/freeipa-devel/2011-January/msg00884.html), however I could not find any decision that was made. 

{{{
sudoNotBefore
A timestamp in the form yyyymmddHHMMZ that indicates start of validity of this sudoRole. If multiple sudoNotBefore entries are present, the earliest is used.

sudoNotAfter
A timestamp in the form yyyymmddHHMMZ that indicates end of validity of this sudoRole. If multiple sudoNotAfter entries are present, the last one is used.

sudoOrder
The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the "last match" behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed.


 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.10
     NAME 'sudoOrder'
     DESC 'an integer to order the sudoRole entries'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
}}}


Filing here as an RFE to have this tracked. 

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1314
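
The selection rules quoted in the description, as an added Python sketch (not code from sudo, FreeIPA or this ticket). It assumes timestamps end in `Z` with optional seconds, treats a malformed timestamp as disabling the role, and leaves out user, host and command matching; the function names and sample entries are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Fixed-width UTC timestamp; seconds are optional (assumption, see lead-in).
_STAMP = re.compile(r"([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})?Z")

def parse_sudo_time(value):
    """Parse yyyymmddHHMMZ (or yyyymmddHHMMSSZ) into an aware UTC datetime."""
    m = _STAMP.fullmatch(value)
    if m is None:
        raise ValueError(f"unsupported timestamp: {value!r}")
    return datetime(*(int(g or 0) for g in m.groups()), tzinfo=timezone.utc)

def in_validity_window(role, now):
    """Earliest sudoNotBefore and latest sudoNotAfter bound the window."""
    try:
        starts = [parse_sudo_time(v) for v in role.get("sudoNotBefore", [])]
        ends = [parse_sudo_time(v) for v in role.get("sudoNotAfter", [])]
    except ValueError:
        return False  # assumption: a malformed timestamp disables the role
    if starts and now < min(starts):
        return False
    if ends and now > max(ends):
        return False
    return True

def effective_role(roles, now):
    """Among currently valid roles, the highest sudoOrder wins (default 0)."""
    live = [r for r in roles if in_validity_window(r, now)]
    if not live:
        return None
    return max(live, key=lambda r: float(r.get("sudoOrder", ["0"])[0]))

# Constructed sample entries (attribute -> list of values, as LDAP returns them).
ROLES = [
    {"cn": "ops-baseline", "sudoCommand": ["/usr/bin/systemctl status"]},
    {"cn": "maint-window", "sudoOrder": ["10"], "sudoCommand": ["ALL"],
     "sudoNotBefore": ["201501211500Z", "201501220900Z"],
     "sudoNotAfter": ["201501211700Z", "201501221100Z"]},
    {"cn": "bad-stamp", "sudoOrder": ["99"], "sudoCommand": ["ALL"],
     "sudoNotAfter": ["2015-01-21"]},
]

if __name__ == "__main__":
    for hour in (14, 20):
        now = datetime(2015, 1, 21, hour, 0, tzinfo=timezone.utc)
        print(now.isoformat(), effective_role(ROLES, now)["cn"])
```

Because the earliest sudoNotBefore and the latest sudoNotAfter are used, the two value pairs on `maint-window` do not form two separate windows: the role stays valid for the whole span between them, including the gap at 20:00 on the first day.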

Comment 3 Martin Kosek 2015-01-16 12:35:04 UTC
Note that sudoOrder is already supported in the latest FreeIPA/IdM versions.

Comment 4 Martin Kosek 2015-01-21 15:08:28 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.

Comment 5 Petr Vobornik 2015-07-09 12:13:59 UTC
*** Bug 1241188 has been marked as a duplicate of this bug. ***

