Bug 495 - sudoNotBefore and sudoNotAfter syntax error
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.1
Hardware: IBM AIX
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2011-05-25 13:44 MDT by arun.jayanth
Modified: 2011-08-24 10:16 MDT
Description arun.jayanth 2011-05-25 13:44:38 MDT
We have compiled sudo with Tivoli Directory Server V6.2 and we have added the sudo schema as per the guide. For sudoNotAfter and sudoNotBefore it uses Generalized Time syntax, which has a format of yyyymmddHHMMSSZ for UTC. But for the sudoNotAfter and sudoNotBefore attributes, this doesn't work out as it uses yyyymmddHHMMZ as the value.
Comment 1 Todd C. Miller 2011-05-25 13:54:50 MDT
RFC 4517 says:

If a time is specified with the minutes or seconds absent, then the number of minutes or seconds (respectively) is assumed to be zero.

Are you saying that Tivoli Directory Server V6.2 requires the seconds to be present?
Comment 2 arun.jayanth 2011-05-25 14:07:15 MDT
(In reply to comment #1)
> RFC 4517 says:
> If a time is specified with the minutes or seconds absent, then the
> number of minutes or seconds (respectively) is assumed to be zero.
> Are you saying that Tivoli Directory Server V6.2 requires the seconds
> to be present?

Yes Todd,

As you can see, I'm adding sudoNotBefore for a sudo role, with the format yyyymmddHHMMZ:
dn: cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
changetype: modify
replace: sudoNotBefore
sudoNotBefore: 201105251632Z

Operation 0 modifying entry cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
ldap_modify: Invalid syntax

It gave me the error of invalid syntax.

Now, I added it with the yyyymmddHHMMSSZ format:

dn: cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
changetype: modify
replace: sudoNotBefore
sudoNotBefore: 20110525163200Z

It changed successfully

prlldps01:root:/home/root # ldapmodify ${ADMINDN} -f /tmp/ldif
Operation 0 modifying entry cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com

prlldps01:root:/home/root # echo $?
0
Comment 3 Todd C. Miller 2011-05-25 15:00:55 MDT
You should probably file a bug with IBM about that as the RFC clearly states that the seconds (and also the minutes) are optional.

I'll modify the ldap filter code to include the seconds and update the manual to also mention the seconds in the description.
Comment 4 arun.jayanth 2011-06-02 05:45:32 MDT
Hi Todd,

IBM confirmed that RFC 4517 is not included in TDS V6.2
Comment 5 Todd C. Miller 2011-08-24 10:16:59 MDT
Sudo 1.8.2 uses the yyyymmddHHMMZ timestamp format.
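
Added example (not part of the bug report and not sudo's code): a pre-flight check that rewrites sudoNotBefore/sudoNotAfter values in an LDIF file to the full yyyymmddHHMMSSZ form, so a directory server that insists on the seconds, as Tivoli Directory Server V6.2 does in comment 2, still accepts the role's time limits. The function names are hypothetical; it goes slightly beyond the thread by also converting +/-hh[mm] zone offsets to UTC, and it rejects fractions and leap seconds.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime: minutes and seconds optional, zone is Z or +/-hh[mm].
# The optional fraction and the leap second "60" are not handled (assumption).
_GT = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(?:(\d{2})(\d{2})?)?"
                 r"(Z|[+-]\d{2}(?:\d{2})?)$")
_TIMED_ATTRS = ("sudonotbefore", "sudonotafter")


def normalize_generalized_time(value):
    """Return value as UTC yyyymmddHHMMSSZ; absent minutes/seconds become 00."""
    m = _GT.match(value.strip())
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    year, mon, day, hour, minute, sec, zone = m.groups()
    # datetime() raises ValueError for out-of-range fields (month 13, hour 24).
    t = datetime(int(year), int(mon), int(day), int(hour),
                 int(minute or 0), int(sec or 0), tzinfo=timezone.utc)
    if zone != "Z":
        hh, mm = int(zone[1:3]), int(zone[3:5] or 0)
        if hh > 23 or mm > 59:
            raise ValueError(f"bad zone offset: {value!r}")
        # Local time = UTC + offset, so subtract the signed offset to get UTC.
        t -= (1 if zone[0] == "+" else -1) * timedelta(hours=hh, minutes=mm)
    return f"{t.year:04d}{t:%m%d%H%M%S}Z"


def fix_ldif(text):
    """Normalize sudoNotBefore/sudoNotAfter values; other lines pass through."""
    out = []
    for line in text.splitlines():
        attr, sep, val = line.partition(": ")
        if sep and attr.lower() in _TIMED_ATTRS:
            line = f"{attr}: {normalize_generalized_time(val)}"
        out.append(line)
    return "\n".join(out)


# The modify request from comment 2 that the server rejected.
SAMPLE_LDIF = """\
dn: cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
changetype: modify
replace: sudoNotBefore
sudoNotBefore: 201105251632Z"""

if __name__ == "__main__":
    print(fix_ldif(SAMPLE_LDIF))
```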