Issue created 10 years ago by bmortier (@bmortier, Maintainer)
the sudo plugin doesn't allow to save the sudoOrder


Hello,

since 1.7.5 sudo can have an order

sudoOrder: The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behaviour of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. This corresponds to the “last match” behavior of the sudoers file. If the sudoOrder attribute is not present, a value of 0 is assumed. The sudoOrder attribute is only available in sudo versions 1.7.5 and higher.

not sure how to implement this but here is a conversion of the sudoers of a wheezy

dn: cn=defaults,ou=sudoers,dc=labo,dc=opensides,dc=be
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset
sudoOption: mail_badpass
sudoOption: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
sudoOrder: 1
objectClass: top
objectClass: sudoRole

dn: cn=root,ou=sudoers,dc=labo,dc=opensides,dc=be
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 2

dn: cn=www-data,ou=sudoers,dc=labo,dc=opensides,dc=be
objectClass: top
objectClass: sudoRole
cn: www-data
sudoUser: www-data
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 3

dn: cn=%sudo,ou=sudoers,dc=labo,dc=opensides,dc=be
objectClass: top
objectClass: sudoRole
cn: %sudo
sudoUser: %sudo
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOrder: 4

Cheers

(from redmine: issue id 3525, created on 2014-12-17, closed on 2015-02-19)

  • Relations:
    • copied_to #3549 (closed)
  • Changesets:
    • Revision fb3fbe4a by Côme Chilliet on 2015-01-26T16:19:11.000Z: Fixes #3525 Added support for sudoOrder, sudoRunAsUser and sudoRunAsGroup
    • Revision e14ace50 by Côme Chilliet on 2015-01-27T10:41:37.000Z: Fixes #3525 Added support for sudoOrder, sudoRunAsUser and sudoRunAsGroup
    • Revision 135c0fa4 by Côme Chilliet on 2015-02-11T09:45:19.000Z: Fixes #3525 Fixed defaults value in sudo plugin
    • Revision 8efbdc42 by Côme Chilliet on 2015-02-11T09:45:40.000Z: Fixes #3525 Fixed defaults value in sudo plugin
  • Custom Fields:
    • Bug in version: 1.0.8.2
  • Uploads:
    • 0001-Fixes-3525-Added-support-for-sudoOrder-sudoRunAsUser.patch
    • 0002-Fixes-3525-Fixed-defaults-value-in-sudo-plugin.patch
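
The selection rule quoted in the issue (the matching entry with the highest sudoOrder wins, a missing attribute counts as 0), shown as an added example that is not part of the issue or of the FusionDirectory plugin. It matches on sudoUser only and ignores hosts, groups and commands; the function names, the dc=example,dc=org suffix and the cn=legacy entry are assumptions made for illustration.

```python
# Constructed sample, modelled on the sudoRole entries quoted in the issue;
# dc=example,dc=org and the cn=legacy entry are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=root,ou=sudoers,dc=example,dc=org
objectClass: sudoRole
cn: root
sudoUser: root
sudoCommand: ALL
sudoOrder: 2

dn: cn=www-data,ou=sudoers,dc=example,dc=org
objectClass: sudoRole
cn: www-data
sudoUser: www-data
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 3

dn: cn=legacy,ou=sudoers,dc=example,dc=org
objectClass: sudoRole
cn: legacy
sudoUser: www-data
sudoCommand: /usr/bin/id
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (no base64 values or folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def sudo_order(entry):
    """sudoOrder as a number; 0 is assumed when the attribute is absent."""
    return float(entry["sudoOrder"][0]) if entry.get("sudoOrder") else 0.0

def winning_role(entries, user):
    """Highest-sudoOrder sudoRole naming `user` (or ALL) in sudoUser."""
    matches = [e for e in entries if {user, "ALL"} & set(e.get("sudoUser", []))]
    return max(matches, key=sudo_order, default=None)

def unordered_roles(entries):
    """cn of sudoRoles that rely on the implicit sudoOrder of 0."""
    return [e["cn"][0] for e in entries if not e.get("sudoOrder")]
```

Here www-data matches two roles, and the order-3 role carrying `!authenticate` wins over the narrower cn=legacy role, which sorts at 0 because it has no sudoOrder.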

    • Côme Chilliet @cchilliet · 10 years ago
      Reporter

      I think adding sudoOrder as an integer should be enough. I’ll see if I can also sort entries using this integer in the management class.

      From your examples it also seems sudoRunAsUser and sudoRunAsGroup have replaced sudoRunAs. Should I update the whole schema and adapt to this behavior as well? (it will break compatibility with older sudo installations)

      (from redmine: written on 2015-01-26)

    • Côme Chilliet @cchilliet · 10 years ago
      Reporter

      Note: this breaks retro-compatibility, users will have to relist users and groups in sudoRunAsUser and sudoRunAsGroup from sudoRunAs if any.

      (from redmine: written on 2015-01-26)

    • bmortier @bmortier · 10 years ago
      Author Maintainer

      hello,

      applied to 1.0.8.4-fixes, develop seems to miss some patches

      Cheers

      (from redmine: written on 2015-01-26)

    • bmortier @bmortier · 10 years ago
      Author Maintainer

      Hello,

      applied to develop

      Cheers

      (from redmine: written on 2015-01-27)

    • bmortier @bmortier · 10 years ago
      Author Maintainer

      hello,

      applied to 1.0.8.4-fixes and develop

      Cheers

      (from redmine: written on 2015-02-11)

    • Jonathan Swaelens @jswaelens · 10 years ago
      Developer

      The attribute sudoOrder is added and we can modify the attribute with the priority.

      Works well.

      Close issue

      (from redmine: written on 2015-02-19)

    • Jonathan Swaelens closed 7 years ago


    • bmortier added Added label 6 years ago


    Assignee: Côme Chilliet