From 52e3ee5c5ff2c5a4341041826a803ad42d2b2de7 Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Wed, 29 Jul 2015 14:51:30 +0200
Subject: sudo: use "higher value wins" when ordering rules
This commit changes the default ordering logic (lower value wins) to a correct one that is used by native ldap support. It also adds a new option sudo_inverse_order to switch to the original SSSD (incorrect) behaviour if needed.
Resolves: https://fedorahosted.org/sssd/ticket/2682
Reviewed-by: Jakub Hrozek
---
 src/config/SSSDConfig/__init__.py.in | 1 +
 src/config/etc/sssd.api.conf | 1 +
 2 files changed, 2 insertions(+)
(limited to 'src/config')
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 49de53eaa..6294d595b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -92,6 +92,7 @@ option_strings = {
 # [sudo]
 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
+ 'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'),
 # [autofs]
 'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index cf6ce6301..2e5b02e3e 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -63,6 +63,7 @@ pam_account_expired_message = str, None, false
 [sudo]
 # sudo service
 sudo_timed = bool, None, false
+sudo_inverse_order = bool, None, false
 [autofs]
 # autofs service
-- cgit
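Review bot: The help string added for `sudo_inverse_order` in the `option_strings` hunk of `src/config/SSSDConfig/__init__.py.in` describes the option by history ("switch back to lower-wins ordering logic") and never says what is being ordered, so someone reading it in a configuration tool cannot tell that it changes which sudo rule wins. Since the commit message says the default ordering is being flipped, an administrator who depended on the old precedence needs this text to recognise the setting that restores it. I would word it like its neighbour `sudo_timed`, for example `'sudo_inverse_order' : _('Whether sudo rules with a lower order value take precedence (default: higher value wins)'),`. The `option_strings` dict starts and ends outside the hunk; the matching `sudo_inverse_order = bool, None, false` entry in `sssd.api.conf` needs no change.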