Bug 495

Summary: sudoNotBefore and sudoNotAfter syntax error
Product: Sudo
Reporter: arun.jayanth
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.1
Hardware: IBM
OS: AIX

Description arun.jayanth 2011-05-25 13:44:38 MDT
We have compiled sudo with Tivoli Directory Server V6.2 and we have added the sudo schema as per the guide. For sudoNotAfter and sudoNotBefore it uses Generalized Time syntax, which has a format of yyyymmddHHMMSSZ for UTC. But for the sudoNotAfter and sudoNotBefore attributes, this doesn't work out as it uses yyyymmddHHMMZ as the value.
Comment 1 Todd C. Miller 2011-05-25 13:54:50 MDT
RFC 4517 says:

If a time is specified with the minutes or seconds absent, then the number of minutes or seconds (respectively) is assumed to be zero.

Are you saying that Tivoli Directory Server V6.2 requires the seconds to be present?
Comment 2 arun.jayanth 2011-05-25 14:07:15 MDT
(In reply to comment #1)
> RFC 4517 says:
> If a time is specified with the minutes or seconds absent, then the
> number of minutes or seconds (respectively) is assumed to be zero.
> Are you saying that Tivoli Directory Server V6.2 requires the seconds
> to be present?

Yes Todd,

As you can see, I'm adding sudoNotBefore for a sudo role with the format yyyymmddHHMMZ:
dn: cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
changetype: modify
replace: sudoNotBefore
sudoNotBefore: 201105251632Z

Operation 0 modifying entry cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
ldap_modify: Invalid syntax

It gave me the error of invalid syntax.

Now, I added it with the yyyymmddHHMMSSZ format:

dn: cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
changetype: modify
replace: sudoNotBefore
sudoNotBefore: 20110525163200Z

It changed successfully:

prlldps01:root:/home/root # ldapmodify ${ADMINDN} -f /tmp/ldif
Operation 0 modifying entry cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com

prlldps01:root:/home/root # echo $?
0
Comment 3 Todd C. Miller 2011-05-25 15:00:55 MDT
You should probably file a bug with IBM about that as the RFC clearly states that the seconds (and also the minutes) are optional.

I'll modify the ldap filter code to include the seconds and update the manual to also mention the seconds in the description.
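As an added illustration of the formats discussed in this report (example code written for this page, not sudo's own source): a parser for the UTC form of RFC 4517 GeneralizedTime that applies the RFC's default of zero for absent minutes and seconds, a check that emulates a server which insists on the seconds field, as TDS 6.2 does in the report above, and a formatter that always emits seconds, which is what comment 3 proposes for sudo's LDAP filter. The filter string built by build_time_filter is this example's own simplification and is not sudo's actual filter; time-zone offsets other than Z are left out.

```c
/* Added example, not sudo's own code: RFC 4517 GeneralizedTime handling for
 * the sudoNotBefore/sudoNotAfter values discussed in this report. Only the
 * UTC ("Z") form is handled; "+hhmm" offsets are left out for brevity. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Read exactly n decimal digits at s into *out. Returns 1 on success. */
static int parse_digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Parse YYYYmmddHH[MM[SS]][.fraction]Z as allowed by RFC 4517.
 * Minutes and seconds are optional and default to zero, as the RFC says.
 * On success returns 1, fills *tm (UTC) and sets *has_seconds to whether the
 * seconds field was actually present; returns 0 on a syntax error. */
int parse_generalized_time(const char *s, struct tm *tm, int *has_seconds)
{
    int year, mon, mday, hour, min = 0, sec = 0;
    const char *p = s;

    if (strlen(s) < 11)                         /* shortest valid form: YYYYmmddHHZ */
        return 0;
    if (!parse_digits(p, 4, &year)) return 0;
    p += 4;
    if (!parse_digits(p, 2, &mon)) return 0;
    p += 2;
    if (!parse_digits(p, 2, &mday)) return 0;
    p += 2;
    if (!parse_digits(p, 2, &hour)) return 0;
    p += 2;
    *has_seconds = 0;
    if (isdigit((unsigned char)*p)) {           /* optional minutes */
        if (!parse_digits(p, 2, &min)) return 0;
        p += 2;
        if (isdigit((unsigned char)*p)) {       /* optional seconds */
            if (!parse_digits(p, 2, &sec)) return 0;
            p += 2;
            *has_seconds = 1;
        }
    }
    if (*p == '.' || *p == ',') {               /* optional fraction */
        p++;
        if (!isdigit((unsigned char)*p)) return 0;
        while (isdigit((unsigned char)*p)) p++;
    }
    if (*p != 'Z' || p[1] != '\0')              /* UTC designator, then end of value */
        return 0;
    if (mon < 1 || mon > 12 || mday < 1 || mday > 31 ||
        hour > 23 || min > 59 || sec > 60)      /* 60 allows a leap second */
        return 0;
    memset(tm, 0, sizeof *tm);
    tm->tm_year = year - 1900; tm->tm_mon = mon - 1; tm->tm_mday = mday;
    tm->tm_hour = hour; tm->tm_min = min; tm->tm_sec = sec;
    return 1;
}

/* Emulate a server that, like the TDS 6.2 release in this report, rejects a
 * GeneralizedTime whose seconds are absent. 1 = accepted, 0 = "Invalid syntax". */
int strict_server_accepts(const char *value)
{
    struct tm tm;
    int has_seconds;
    return parse_generalized_time(value, &tm, &has_seconds) && has_seconds;
}

/* Format a UTC time for use as an LDAP comparison value. with_seconds=1 gives
 * yyyymmddHHMMSSZ, which both RFC-conformant and strict servers accept;
 * with_seconds=0 gives the shorter yyyymmddHHMMZ that the report shows being
 * rejected. Returns the number of bytes written, 0 on failure. */
size_t format_ldap_time(time_t t, int with_seconds, char *buf, size_t buflen)
{
    struct tm *tm = gmtime(&t);                 /* UTC, since the value ends in 'Z' */
    if (tm == NULL)
        return 0;
    return strftime(buf, buflen, with_seconds ? "%Y%m%d%H%M%SZ" : "%Y%m%d%H%MZ", tm);
}

/* Build a time-window filter fragment with seconds in both values. The filter
 * shape is this example's own simplification (assumption: it does not mirror
 * sudo's real filter, which also has to match entries without time bounds). */
int build_time_filter(time_t now, char *buf, size_t buflen)
{
    char ts[32];
    if (format_ldap_time(now, 1, ts, sizeof ts) == 0)
        return -1;
    return snprintf(buf, buflen, "(&(sudoNotBefore<=%s)(sudoNotAfter>=%s))", ts, ts);
}

int main(void)
{
    /* Constructed samples: the two values from comment 2 plus an hours-only form. */
    const char *samples[] = { "201105251632Z", "20110525163200Z", "2011052516Z" };
    char filter[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct tm tm;
        int hs;
        int ok = parse_generalized_time(samples[i], &tm, &hs);
        printf("%-16s rfc4517=%-7s strict=%s\n", samples[i], ok ? "valid" : "invalid",
               strict_server_accepts(samples[i]) ? "accepted" : "Invalid syntax");
    }
    build_time_filter(time(NULL), filter, sizeof filter);
    printf("%s\n", filter);
    return 0;
}
```

Running it shows the RFC-level verdict and the strict-server verdict side by side: every sample is valid GeneralizedTime under RFC 4517, but only the 14-digit form survives the strict check, which is why emitting seconds is the portable choice for the filter values.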
Comment 4 arun.jayanth 2011-06-02 05:45:32 MDT
Hi Todd,

IBM confirmed that RFC 4517 is not included in TDS V6.2
Comment 5 Todd C. Miller 2011-08-24 10:16:59 MDT
Sudo 1.8.2 uses the yyyymmddHHMMZ timestamp format.