Bug 815

Summary: dynamic filters on LDAP rules
Product: Sudo    Reporter: Daniele Palumbo <daniele>
Component: Sudo    Assignee: Todd C. Miller <Todd.Miller>
Status: NEW
Severity: enhancement    CC: daniele
Priority: low
Version: 1.8.21
Hardware: All
OS: All

Description Daniele Palumbo 2017-12-06 18:49:09 MST
Currently any LDAP rule will be applied without any filter to all of the hosts that Sudo is able to look up.

It would be very useful to add dynamic filters directly into LDAP.

For example, the output of uname -s.

In a complex environment, this would really be effective in segregating the environments.

To make a quick example:
sudoFilter: "/usr/local/bin/customcommand"
which will be applied if the exit code is 0, and otherwise will not be applied.

Or

sudoFilter: "$(uname -s) == Linux"

This will allow a certain rule to be applied only on Linux AND/OR Solaris AND/OR AIX, ...

The best would be:
sudoFilter: "$(uname -s) == Linux AND $(uname -r|sed -e 's/\.//g'|cut -d "-" -f 1) >= 3160"

In this case, the syntax also has to be defined.
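A reference evaluator for the three sudoFilter forms proposed above, added here as an illustration; it is not code from sudo or from the reporter, and the grammar (an absolute path, or comparisons joined by AND) and the probe allowlist are assumptions. Probes named inside $(...) are resolved by the host from a fixed table rather than handed to a shell, because a value stored in LDAP would otherwise be a command that anyone able to write that attribute could run as root on every host, and anything unparseable or unknown fails closed.

```python
import platform, re, shlex, subprocess
from operator import eq, ne, ge, le, gt, lt

# Kernel-version probe, spelled exactly as it appears inside $(...) in the last example.
KERNEL_PROBE = r"""uname -r|sed -e 's/\.//g'|cut -d "-" -f 1"""

def kernel_number(release):               # '3.16.0-4-amd64' -> '3160', as the sed|cut pipeline does
    return release.split("-", 1)[0].replace(".", "")

# Allowlisted probes (hypothetical): the LDAP attribute only names a probe and the
# host decides how it is computed, so text from the directory never reaches a shell.
PROBES = {"uname -s": platform.system,
          KERNEL_PROBE: lambda: kernel_number(platform.release())}
_OPS = {"==": eq, "!=": ne, ">=": ge, "<=": le, ">": gt, "<": lt}
_CLAUSE = re.compile(r"^\s*(\$\(.*?\)|\S+)\s*(==|!=|>=|<=|>|<)\s*(\$\(.*?\)|\S+)\s*$")
_PROBE = re.compile(r"^\$\((.*)\)$")

def run_command(argv):                    # form 1: no shell, exit status 0 means "apply"
    try:
        return subprocess.run(argv, capture_output=True).returncode
    except OSError:                       # missing or unrunnable command: fail closed
        return 127

def _term(token, probes):
    m = _PROBE.match(token)
    if m is None:
        return token                      # literal such as Linux or 3160
    if m.group(1) not in probes:
        raise ValueError(f"probe not allowlisted: {m.group(1)!r}")
    return str(probes[m.group(1)]())

def _compare(left, op, right):
    try:                                  # integers compare numerically, anything else as text
        return _OPS[op](int(left), int(right))
    except ValueError:
        return _OPS[op](left, right)

def evaluate(filter_text, probes=PROBES, run=run_command):  # True when the rule applies here
    text = filter_text.strip().strip('"')
    if text.startswith("/"):              # absolute path: the exit status decides
        return run(shlex.split(text)) == 0
    try:
        for clause in re.split(r"\s+AND\s+", text):  # forms 2 and 3: AND of comparisons
            m = _CLAUSE.match(clause)
            if m is None:                 # unparseable clause: fail closed
                return False
            if not _compare(_term(m[1], probes), m[2], _term(m[3], probes)):
                return False
        return True
    except ValueError:                    # unknown probe: fail closed
        return False
```

Pass a fake probe table or runner to evaluate() to check a filter against a host profile other than the one you are on.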