Bug 855

Summary: cvtsudoers input from LDAP
Product: Sudo
Component: Sudo
Reporter: Daniele Palumbo <daniele>
Assignee: Todd C. Miller <Todd.Miller>
Status: ASSIGNED
Severity: normal
Priority: low
CC: daniele
Version: 1.8.25
Hardware: PC
OS: Linux

Description Daniele Palumbo 2018-10-18 08:00:11 MDT
Hi,

As per the cvtsudoers manual, the input can be an LDIF:
https://www.sudo.ws/man/1.8.25/cvtsudoers.man.html
"""
-i input_format, --input-format=input_format
    Specify the input format. The following formats are supported:

    LDIF
        LDIF (LDAP Data Interchange Format) files can be exported from an LDAP server to convert security policies used by sudoers.ldap(5). If a base DN (distinguished name) is specified, only sudoRole objects that match the base DN will be processed. Not all sudoOptions specified in a sudoRole can be translated from LDIF to sudoers format.
[...]
"""

At the same time, in the changelog:
https://www.sudo.ws/stable.html
"""
The file, ldap and sss sudoers backends now share a common set of formatting functions for "sudo -l" output, which is also used by the cvtsudoers utility.
"""

I suppose, given the above, that having cvtsudoers read directly from LDAP would not be an issue.

It would be really useful to implement an additional input flag, LDAP, which can parse the full LDAP tree.
Comment 1 Todd C. Miller 2018-10-18 08:11:39 MDT
I have no plans for cvtsudoers to do LDAP queries itself; that is really outside the scope of the tool. You can simply use a tool like ldapsearch to dump the data in LDIF format and pipe that to cvtsudoers.
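As an added illustration that is not part of this bug report and not the sudo project's own code, the Python script below shows the shape of the LDIF-to-sudoers translation the comment above relies on, together with the manual's caveat that not every sudoOption has a sudoers equivalent. It parses a constructed ldapsearch-style LDIF export of two sudoRole entries (the DNs, user names, hosts and commands are made up), orders them by sudoOrder ascending so that the highest value lands last and wins under sudoers' last-match rule, maps a small subset of sudoOption values to command tags or a per-user Defaults line (the mapping tables are an assumption of this toy, not cvtsudoers' full table), and flags anything it cannot translate for manual review.

```python
# Toy LDIF sudoRole -> sudoers renderer. Illustration only: this is NOT
# cvtsudoers and NOT sudo project code; it shows the translation's shape.
import base64
from typing import Dict, List, Tuple

# Constructed sample, roughly what `ldapsearch -LLL` prints for sudoRole
# entries. All names, DNs and commands are made up for this example.
SAMPLE_LDIF = """\
dn: cn=backup,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: backup
sudoUser: %backup
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/bin/rsync
sudoCommand: !/usr/bin/rsync --rsh=*
sudoOption: !authenticate
sudoOption: env_keep+=SSH_AUTH_SOCK
sudoOrder: 10

dn: cn=ops,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn:: b3Bz
description: ops team, full root on the web
  tier
sudoUser: alice
sudoUser: bob
sudoHost: web01
sudoHost: web02
sudoCommand: ALL
sudoOption: log_output
sudoOption: !requiretty
sudoOrder: 5
"""

# Assumed subset: sudoOption values that become per-command tags in sudoers.
TAG_OPTIONS = {
    "!authenticate": "NOPASSWD:", "authenticate": "PASSWD:",
    "noexec": "NOEXEC:", "!noexec": "EXEC:",
    "log_input": "LOG_INPUT:", "!log_input": "NOLOG_INPUT:",
    "log_output": "LOG_OUTPUT:", "!log_output": "NOLOG_OUTPUT:",
}
# Assumed subset: boolean options this toy emits as a per-user Defaults line.
DEFAULTS_FLAGS = {"requiretty", "use_pty"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into {attribute (lowercased): [values]} dicts, one per entry.
    Handles folded continuation lines (leading space) and base64 values ("::")."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation: drop exactly one space
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def render_role(entry: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Render one sudoRole entry as sudoers lines; return (lines, warnings)."""
    dn = entry.get("dn", ["?"])[0]
    users = entry.get("sudouser", [])
    hosts = entry.get("sudohost", ["ALL"])
    commands = entry.get("sudocommand", [])
    runas_users = entry.get("sudorunasuser") or entry.get("sudorunas") or []
    runas_groups = entry.get("sudorunasgroup", [])
    lines, warnings, tags, defaults = [], [], [], []
    lines.append(f"# role: {dn} (sudoOrder {entry.get('sudoorder', ['0'])[0]})")
    if not users or not commands:
        warnings.append(f"{dn}: no sudoUser or sudoCommand, skipped")
        return lines, warnings
    for opt in entry.get("sudooption", []):
        if opt in TAG_OPTIONS:
            tags.append(TAG_OPTIONS[opt])
        elif opt.lstrip("!") in DEFAULTS_FLAGS:
            defaults.append(opt)
        else:                                # the manual's caveat: not everything maps
            warnings.append(f"{dn}: untranslated sudoOption {opt!r}")
            lines.append(f"# UNTRANSLATED sudoOption: {opt}")
    user_list = ",".join(users)
    if defaults:
        lines.append(f"Defaults:{user_list} {','.join(defaults)}")
    runas = ""
    if runas_users or runas_groups:
        runas = "(" + ",".join(runas_users)
        if runas_groups:
            runas += ":" + ",".join(runas_groups)
        runas += ") "
    tag_str = " ".join(tags) + (" " if tags else "")
    lines.append(f"{user_list} {','.join(hosts)} = {runas}{tag_str}{', '.join(commands)}")
    return lines, warnings


def convert(ldif_text: str) -> Tuple[List[str], List[str]]:
    """Convert every sudoRole in an LDIF export; sort by sudoOrder ascending
    (missing = 0) so the highest sudoOrder is last and wins under last-match."""
    roles = [e for e in parse_ldif(ldif_text)
             if "sudorole" in (v.lower() for v in e.get("objectclass", []))]
    roles.sort(key=lambda e: float(e.get("sudoorder", ["0"])[0]))
    out, warns = [], []
    for role in roles:
        lines, w = render_role(role)
        out.extend(lines)
        warns.extend(w)
    return out, warns


if __name__ == "__main__":
    text, problems = convert(SAMPLE_LDIF)
    print("\n".join(text))
    for p in problems:
        print("WARNING:", p)
```

For a real directory the pipeline Todd describes is the right tool: something like `ldapsearch -x -LLL -b ou=SUDOers,dc=example,dc=com '(objectClass=sudoRole)' | cvtsudoers -i ldif > sudoers.out` (the base DN is a placeholder), followed by `visudo -cf sudoers.out` to syntax-check the result before it is installed. The warnings this toy prints stand in for the untranslated-option review that step does not perform for you.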