Bug 715 - LDAP sudoers: Allow negations on hosts, commands and runas to work
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudoers
Version: 1.8.14
Hardware: All Linux
Importance: low enhancement
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2015-08-24 10:40 MDT by Kelly Block
Modified: 2017-05-10 10:38 MDT

See Also:


Description Kelly Block 2015-08-24 10:40:54 MDT
Overview: 
According to the docs for Sudoers LDAP:
Negations on the Host, User or Runas are currently ignored

Without this functionality, we are unable to get away from flat files for sudoers and LDAP sudoers is essentially useless for us.

Steps to Reproduce:
In LDAP (matches all hosts, including web01):
sudoHost: ALL
sudoHost: !web01

Expected Results if this limitation were fixed:
In LDAP (matches all hosts except web01):
sudoHost: ALL
sudoHost: !web01
Comment 1 Todd C. Miller 2015-08-24 10:53:45 MDT
There's no technical reason this cannot be supported, but do be aware that because there is no guaranteed ordering within the LDAP results, a negative match must always override a positive one, regardless of the order of the rule in the original LDIF.
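The evaluation rule stated in Comment 1, worked through as an added example (this is illustrative code written for this page, not sudo's own LDAP matching code): the sudoRole entry below is constructed sample data, the `parse_ldif` helper handles only the minimal LDIF needed here, and host matching is modelled with `ALL` plus shell-style wildcards via `fnmatch` (netgroups, IP/netmask forms and DNS canonicalisation are assumptions left out). `negations_supported=False` models the documented pre-1.8.18 behaviour in which `!` values were ignored; the default models the rule that a matching negation overrides any matching positive value regardless of the order LDAP returns the values in.

```python
import fnmatch

# Constructed sample sudoRole entry in LDIF form (illustrative data, not taken
# from the bug report). The negated sudoHost values are deliberately listed
# before ALL: LDAP returns multi-valued attributes in no guaranteed order.
SAMPLE_LDIF = """\
dn: cn=web_admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: web_admins
sudoUser: %webadm
sudoHost: !web01
sudoHost: !db*
sudoHost: ALL
sudoCommand: /usr/sbin/service
"""


def parse_ldif(text):
    """Parse minimal LDIF (one or more entries, blank-line separated) into a
    list of {attribute: [values]} dicts, keeping every value of a
    multi-valued attribute. Continuation lines, base64 (::) values and
    comments are not handled; this is only enough for sudoRole samples."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def host_pattern_matches(pattern, host):
    """Does one (non-negated) sudoHost value cover `host`?  ALL matches
    everything; otherwise shell-style wildcards are allowed, as in sudoers.
    Assumption: netgroups, IP/netmask forms and DNS canonicalisation are
    not modelled here."""
    if pattern == "ALL":
        return True
    return fnmatch.fnmatchcase(host, pattern)


def sudo_host_allowed(values, host, negations_supported=True):
    """Evaluate an unordered set of sudoHost values for `host`.

    Rule from the comment above: because LDAP gives no ordering, any matching
    negated value overrides any matching positive value, wherever either
    appears in the list. A negation on its own never grants access.
    With negations_supported=False the '!' values are ignored, which models
    the documented behaviour before negated sudoHost entries were supported."""
    positive = negated = False
    for value in values:
        if value.startswith("!"):
            if negations_supported and host_pattern_matches(value[1:], host):
                negated = True
        elif host_pattern_matches(value, host):
            positive = True
    return positive and not negated


if __name__ == "__main__":
    role = parse_ldif(SAMPLE_LDIF)[0]
    for h in ("web01", "web02", "db03", "app01"):
        print(h,
              "negations ignored:", sudo_host_allowed(role["sudoHost"], h, negations_supported=False),
              "negations honoured:", sudo_host_allowed(role["sudoHost"], h))
```

Running it shows the difference the reporter is after: with negations ignored every host matches because of `ALL`; with them honoured `web01` and `db03` are excluded while `web02` and `app01` still match, and reversing the attribute order changes nothing.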
Comment 2 Todd C. Miller 2017-05-10 10:38:46 MDT
Support for negated sudoHost entries was added in sudo 1.8.18.