Bug 855 - cvtsudoers input from LDAP
Status: ASSIGNED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.25
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2018-10-18 08:00 MDT by Daniele Palumbo
Modified: 2018-10-18 08:11 MDT (History)

Description Daniele Palumbo 2018-10-18 08:00:11 MDT
Hi,

As per the cvtsudoers manual, the input can be an LDIF
https://www.sudo.ws/man/1.8.25/cvtsudoers.man.html
"""
-i input_format, --input-format=input_format
    Specify the input format. The following formats are supported:

    LDIF
        LDIF (LDAP Data Interchange Format) files can be exported from an LDAP server to convert security policies used by sudoers.ldap(5). If a base DN (distinguished name) is specified, only sudoRole objects that match the base DN will be processed. Not all sudoOptions specified in a sudoRole can be translated from LDIF to sudoers format.
[...]
"""

At the same time, in the changelog
https://www.sudo.ws/stable.html
"""
The file, ldap and sss sudoers backends now share a common set of formatting functions for "sudo -l" output, which is also used by the cvtsudoers utility. 
"""

I suppose, given the above, that having cvtsudoers read directly from LDAP would not be an issue.

It would be really useful to implement an additional input flag, LDAP, which can parse the full LDAP tree.
Comment 1 Todd C. Miller 2018-10-18 08:11:39 MDT
I have no plans for cvtsudoers to do LDAP queries itself; that is really outside the scope of the tool. You can simply use a tool like ldapsearch to dump the data in LDIF format and pipe that to cvtsudoers.
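Added example (not part of the bug report, and not cvtsudoers or sudo project code): the procedure described by the manual excerpt above and by Todd's reply is to dump the sudoRole entries with ldapsearch and pipe the LDIF into cvtsudoers, for instance "ldapsearch -LLL -b ou=SUDOers,dc=example,dc=com '(objectClass=sudoRole)' | cvtsudoers -i ldif -f sudoers" (hypothetical base DN; cvtsudoers' own -b option applies the base-DN restriction the manual describes). The Python below stands in for that pipeline on a constructed LDIF dump so the translation can be inspected offline: it applies the base-DN filter, orders roles by sudoOrder (in LDAP the highest sudoOrder wins, in a sudoers file the last matching rule wins, so ascending order preserves precedence), renders users, hosts, RunAs and commands plus the sudoOptions that have a tag equivalent, and flags the options that do not instead of guessing, which is the caveat the manual raises. All DNs, users, hosts and commands in the sample are made up.

```python
import base64
from typing import Dict, List

# Constructed dump, as ldapsearch -LLL would print it (hypothetical DNs, users and hosts).
SAMPLE_LDIF = """\
dn: cn=backup,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: backup
sudoUser: alice
sudoUser: bob
sudoHost: db01
sudoRunAsUser: postgres
sudoCommand: /usr/bin/pg_dump
sudoCommand: !/usr/bin/pg_dump --clean
sudoOption: log_output
sudoOrder: 5

dn: cn=admins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: admins
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOption: env_keep+=EDITOR
sudoOrder: 10

dn: cn=legacy,ou=retired,dc=example,dc=com
objectClass: sudoRole
cn: legacy
sudoUser: carol
sudoHost: ALL
sudoCommand: ALL
"""

# sudoOptions with a direct sudoers tag; anything else is flagged rather than guessed.
TAG_FOR_OPTION = {"!authenticate": "NOPASSWD", "authenticate": "PASSWD", "noexec": "NOEXEC",
                  "!noexec": "EXEC", "setenv": "SETENV", "!setenv": "NOSETENV", "log_input": "LOG_INPUT",
                  "!log_input": "NOLOG_INPUT", "log_output": "LOG_OUTPUT", "!log_output": "NOLOG_OUTPUT"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into entries keyed by lowercased attribute name; unfolds
    continuation lines and decodes 'attr:: <base64>' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded line continues the previous one
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def in_base(dn: str, base_dn: str) -> bool:
    """Mirror cvtsudoers -b: keep entries at or beneath base_dn (case-insensitive)."""
    dn, base_dn = dn.lower().replace(", ", ","), base_dn.lower().replace(", ", ",")
    return dn == base_dn or dn.endswith("," + base_dn)


def role_to_sudoers(role: Dict[str, List[str]]) -> List[str]:
    """One sudoRole -> one sudoers rule, preceded by a comment for each option it cannot carry."""
    cn = role.get("cn", ["?"])[0]
    if not all(k in role for k in ("sudouser", "sudohost", "sudocommand")):
        return [f"# {cn}: needs sudoUser, sudoHost and sudoCommand; skipped"]
    runas_u = ", ".join(role.get("sudorunasuser", []))
    runas_g = ", ".join(role.get("sudorunasgroup", []))
    runas = f"({runas_u}{' : ' + runas_g if runas_g else ''}) " if (runas_u or runas_g) else ""
    out, tags = [], []
    for opt in role.get("sudooption", []):
        if opt in TAG_FOR_OPTION:
            tags.append(TAG_FOR_OPTION[opt] + ":")
        else:  # rule-scoped option with no tag form; a Defaults line would widen its scope
            out.append(f"# {cn}: sudoOption '{opt}' has no sudoers tag equivalent; not translated")
    tagstr = " ".join(tags) + " " if tags else ""
    out.append(f"{', '.join(role['sudouser'])} {', '.join(role['sudohost'])} = "
               f"{runas}{tagstr}{', '.join(role['sudocommand'])}")
    return out


def convert(ldif_text: str, base_dn: str) -> List[str]:
    """sudoers lines for every sudoRole under base_dn, lowest sudoOrder first: LDAP
    honours the highest sudoOrder, a sudoers file the last match, so this keeps precedence."""
    roles = [e for e in parse_ldif(ldif_text)
             if "sudorole" in (c.lower() for c in e.get("objectclass", []))
             and in_base(e.get("dn", [""])[0], base_dn)]
    roles.sort(key=lambda r: float(r.get("sudoorder", ["0"])[0]))
    return [line for r in roles for line in role_to_sudoers(r)]


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_LDIF, "ou=SUDOers,dc=example,dc=com")))
```

Running it prints the two rules under ou=SUDOers: the legacy entry outside the base DN is dropped, and env_keep+=EDITOR surfaces as a comment rather than as a Defaults line, because a Defaults:user line would apply to that user on every host and command instead of only when this rule matches. Treat the real cvtsudoers output the same way: review what it could not translate before installing the result.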