authorPavel Březina <pbrezina@redhat.com>2012-06-26 09:48:15 +0200
committerStephen Gallagher <sgallagh@redhat.com>2012-06-29 11:37:18 -0400
commit9af677f3bae3a7c1386867e4d42970555b3d6b9a (patch)
treeb1a464e6a2f5d70afddca3875d126521c952276e
parent7b74632f498dd1edf69294b597a4d92ec6d73b9f (diff)
sudo: add host info options
Adds options that allow the sudo host filter to be configured manually. ldap_sudo_use_host_filter - if false, all rules are downloaded regardless of their sudoHost attribute. ldap_sudo_hostnames - space-separated list of hostnames and/or FQDNs of this machine whose rules should be downloaded. ldap_sudo_ip - space-separated list of IPv4/IPv6 addresses and/or networks of this machine whose rules should be downloaded. ldap_sudo_include_netgroups - include rules whose sudoHost contains a netgroup. ldap_sudo_include_regexp - include rules whose sudoHost contains a regular expression.
-rw-r--r--src/config/SSSDConfig/__init__.py.in5
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf5
-rw-r--r--src/providers/ipa/ipa_opts.h5
-rw-r--r--src/providers/ldap/ldap_opts.h5
-rw-r--r--src/providers/ldap/sdap.h5
5 files changed, 25 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 2bd6e3499..99ccc5ab1 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -294,6 +294,11 @@ option_strings = {
'ldap_sudo_search_base' : _('Base DN for sudo rules lookups'),
'ldap_sudo_full_refresh_interval' : _('Automatic full refresh period'),
'ldap_sudo_smart_refresh_interval' : _('Automatic smart refresh period'),
+ 'ldap_sudo_use_host_filter' : _('Whether to filter rules by hostname, IP addresses and network'),
+ 'ldap_sudo_hostnames' : _('Hostnames and/or fully qualified domain names of this machine to filter sudo rules'),
+ 'ldap_sudo_ip' : _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
+ 'ldap_sudo_include_netgroups' : _('Whether to include rules that contains netgroup in host attribute'),
+ 'ldap_sudo_include_regexp' : _('Whether to include rules that contains regular expression in host attribute'),
'ldap_sudorule_object_class' : _('Object class for sudo rules'),
'ldap_sudorule_name' : _('Sudo rule name'),
'ldap_sudorule_command' : _('Sudo rule command attribute'),
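Review bot: The two new translatable strings for the include options have a grammar slip ("rules that contains netgroup") that will be shipped to translators and shown in configuration tooling. Suggest `'ldap_sudo_include_netgroups' : _('Whether to include rules that contain a netgroup in the host attribute'),` and `'ldap_sudo_include_regexp' : _('Whether to include rules that contain a regular expression in the host attribute'),`. The `ldap_sudo_ip` string could likewise say "IPv4 or IPv6 addresses or networks" since the description documents a space-separated list. The option_strings dictionary starts and ends outside the hunk.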
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 6838a71f6..2af849ff7 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -130,6 +130,11 @@ ldap_chpass_dns_service_name = str, None, false
ldap_sudo_search_base = str, None, false
ldap_sudo_full_refresh_interval = int, None, false
ldap_sudo_smart_refresh_interval = int, None, false
+ldap_sudo_use_host_filter = bool, None, false
+ldap_sudo_hostnames = str, None, false
+ldap_sudo_ip = str, None, false
+ldap_sudo_include_netgroups = bool, None, false
+ldap_sudo_include_regexp = bool, None, false
ldap_sudorule_object_class = str, None, false
ldap_sudorule_name = str, None, false
ldap_sudorule_command = str, None, false
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 6fb73999c..6eedc0019 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -69,6 +69,11 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_sudo_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sudo_full_refresh_interval", DP_OPT_NUMBER, { .number = 21600 }, NULL_NUMBER },
{ "ldap_sudo_smart_refresh_interval", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, /* 15 mins */
+ { "ldap_sudo_use_host_filter", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_sudo_hostnames", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_ip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_include_netgroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_sudo_include_regexp", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_autofs_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_schema", DP_OPT_STRING, { "ipa_v1" }, NULL_STRING },
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
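Review bot: The reason the two include options default to BOOL_TRUE while ldap_sudo_use_host_filter also defaults to BOOL_TRUE is not recorded anywhere in the table, and the combination matters for what an admin sees downloaded: with these defaults every rule whose sudoHost holds a netgroup or a regular expression is fetched regardless of this host's name or address. Presumably that is because such sudoHost values cannot be matched server-side in the LDAP filter and sudo evaluates them locally, but that should be stated; a one-line comment on the two entries such as `/* netgroup/regexp sudoHost values cannot be matched in the LDAP filter; fetch them and let sudo evaluate */` would make the secure-by-default trade-off visible. The ipa_def_ldap_opts table starts and ends outside the hunk.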
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 5f41060f1..f62e372f7 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -49,6 +49,11 @@ struct dp_option default_basic_opts[] = {
{ "ldap_sudo_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_sudo_full_refresh_interval", DP_OPT_NUMBER, { .number = 21600 }, NULL_NUMBER }, /* 360 mins */
{ "ldap_sudo_smart_refresh_interval", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, /* 15 mins */
+ { "ldap_sudo_use_host_filter", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_sudo_hostnames", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_ip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_include_netgroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_sudo_include_regexp", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ldap_autofs_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_schema", DP_OPT_STRING, { "rfc2307" }, NULL_STRING },
{ "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
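Review bot: ldap_sudo_hostnames and ldap_sudo_ip are declared as free-form DP_OPT_STRING values with no validation at the option layer, yet the commit description says they are space-separated lists of hostnames and IPv4/IPv6 addresses or networks that drive the sudoHost filter. Whatever consumes them (not part of this patch) should tokenize, reject malformed address/network entries with a clear log message rather than silently dropping or passing them through, and escape each token before it is interpolated into the LDAP search filter, since an unescaped `*` or `)` in an admin-supplied value would presumably change the filter's meaning. The default_basic_opts table starts and ends outside the hunk.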
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 2b5ac8ad1..4ca755e32 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -168,6 +168,11 @@ enum sdap_basic_opt {
SDAP_SUDO_SEARCH_BASE,
SDAP_SUDO_FULL_REFRESH_INTERVAL,
SDAP_SUDO_SMART_REFRESH_INTERVAL,
+ SDAP_SUDO_USE_HOST_FILTER,
+ SDAP_SUDO_HOSTNAMES,
+ SDAP_SUDO_IP,
+ SDAP_SUDO_INCLUDE_NETGROUPS,
+ SDAP_SUDO_INCLUDE_REGEXP,
SDAP_AUTOFS_SEARCH_BASE,
SDAP_SCHEMA,
SDAP_OFFLINE_TIMEOUT,
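Review bot: The five new enumerators are inserted in the middle of enum sdap_basic_opt, and the ipa_opts.h and ldap_opts.h hunks insert matching entries at the same position in two separate option tables; the enum value is the index into those tables, so the three must stay in lock-step and nothing here checks that. A comment on the enum such as `/* order must match default_basic_opts (ldap_opts.h) and ipa_def_ldap_opts (ipa_opts.h) */` would at least warn the next person who adds an option. If the file already has a terminating SDAP_OPTS_BASIC count (it lies outside the hunk), a compile-time check that each table has that many entries would catch a mismatch outright. The enum starts before the hunk and its closing is outside it.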