From 3a56b155e80a744c7a924915aae954e0a3d81e9e Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Wed, 14 May 2014 13:18:00 +0200
Subject: sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute

Makes sure we dereference the correct attribute. Also adds object class checking.

https://fedorahosted.org/freeipa/ticket/4324

Reviewed-By: Petr Viktorin
---
 install/share/schema_compat.uldif | 2 +-
 install/updates/10-schema_compat.update | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

(limited to 'install')

diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif
index 79fce21b0..b5f61bb10 100644
--- a/install/share/schema_compat.uldif
+++ b/install/share/schema_compat.uldif
@@ -96,7 +96,7 @@ add:schema-compat-entry-attribute: 'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
 add:schema-compat-entry-attribute: 'sudoRunAsUser=%deref("ipaSudoRunAs","uid")'
 add:schema-compat-entry-attribute: 'sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory","all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")")'
 add:schema-compat-entry-attribute: 'sudoRunAsGroup=%{ipaSudoRunAsExtGroup}'
-add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
+add:schema-compat-entry-attribute: 'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
 add:schema-compat-entry-attribute: 'sudoOption=%{ipaSudoOpt}'
 
 dn: cn=computers, cn=Schema Compatibility, cn=plugins, cn=config
diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
index 6f0ed9080..7c362105d 100644
--- a/install/updates/10-schema_compat.update
+++ b/install/updates/10-schema_compat.update
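Review bot: In install/share/schema_compat.uldif the new `sudoRunAsGroup` mapping has no counterpart to the category handling that `sudoRunAsUser` gets from the `%ifeq("ipaSudoRunAsUserCategory","all","ALL",…)` line earlier in the same hunk. Unless a line outside this hunk covers it, a rule whose run-as group category is "all" would publish no `sudoRunAsGroup` value in the compat tree; that fails closed, so it looks like a functional gap rather than an exposure. If it is unintended, the new expression could be wrapped the same way, e.g. `'sudoRunAsGroup=%ifeq("ipaSudoRunAsGroupCategory","all","ALL","%deref_f(\"ipaSudoRunAsGroup\",\"(objectclass=posixGroup)\",\"cn\")")'`. The cn=sudoers entry begins above the hunk, so this is judged from the visible lines only.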
@@ -1,10 +1,13 @@
 dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 only:schema-compat-entry-rdn:'%ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn}")'
-replace: schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")::sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
-
-dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
 add:schema-compat-entry-attribute: 'sudoHost=%ifeq("hostCategory","all","ALL","%{hostMask}")'
 add:schema-compat-entry-attribute: 'sudoRunAsUser=%%%{ipaSudoRunAsExtUserGroup}'
+# Fix for #4324 (regression of #1309)
+remove:schema-compat-entry-attribute:'sudoRunAsGroup=%deref("ipaSudoRunAs","cn")'
+
+# We need to add the value in a separate transaction
+dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
+add: schema-compat-entry-attribute: 'sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(objectclass=posixGroup)","cn")'
 
 # Change padding for host and userCategory so the pad returns the same value
 # as the original, '' or -.
-- 
cgit
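Review bot: The added comment `# Fix for #4324 (regression of #1309)` in install/updates/10-schema_compat.update names tickets but not what was wrong, even though this value decides which run-as groups sudo clients read from the compat tree. Going by the removed value, the old mapping read `ipaSudoRunAs` (the attribute the sudoRunAsUser mappings in schema_compat.uldif use) with no object class filter, so I would spell that out: `# Old value dereferenced ipaSudoRunAs (run-as users) with no objectclass filter; replaced below by ipaSudoRunAsGroup limited to posixGroup`. The second comment could likewise say why the add has to go in its own stanza rather than only that it does. The new `add: schema-compat-entry-attribute:` line also has a space after `add:` that the neighbouring `add:` lines lack; presumably the update parser trims it, but aligning the spelling would avoid the question. The stanza that starts at `# Change padding` continues past the end of the hunk.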