diff options
author | Tomas Babej <tbabej@redhat.com> | 2014-05-14 13:09:28 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-25 20:14:49 +0200 |
commit | 9304b649a32c57e80f53913d7fbdee92fd76a251 (patch) | |
tree | 7d87ea988f69bd644d7dd839ea7087f74e3dde32 /install/share/65ipasudo.ldif | |
parent | a228d7a3cb32b14ff24b47adb14d896d317f6312 (diff) | |
download | freeipa-9304b649a32c57e80f53913d7fbdee92fd76a251.tar.gz freeipa-9304b649a32c57e80f53913d7fbdee92fd76a251.tar.xz freeipa-9304b649a32c57e80f53913d7fbdee92fd76a251.zip |
sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.
https://fedorahosted.org/freeipa/ticket/4263
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/share/65ipasudo.ldif')
-rw-r--r-- | install/share/65ipasudo.ldif | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/install/share/65ipasudo.ldif b/install/share/65ipasudo.ldif index 3ad103f8a..8895b0dd7 100644 --- a/install/share/65ipasudo.ldif +++ b/install/share/65ipasudo.ldif @@ -31,8 +31,10 @@ attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'ipaSudoRunAsGroupCategory' DES attributeTypes: (2.16.840.1.113730.3.8.7.12 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) ## Attribute to store sudo command attributeTypes: (2.16.840.1.113730.3.8.7.13 NAME 'sudoCmd' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactMatch ORDERING caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' ) +## Attribute to store a name of the user not managed by IPA. Command witll be executed under his identity. +attributeTypes: (2.16.840.1.113730.3.8.7.14 NAME 'ipaSudoRunAsExtUserGroup' DESC 'Multivalue string attribute that allows storing groups of users that are not managed by IPA the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4' ) ## Object class for SUDO rules -objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $ sudoOrder ) X-ORIGIN 'IPA v2' ) +objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ ipaSudoRunAsExtUserGroup ) X-ORIGIN 'IPA v2' ) ## Object class for SUDO commands objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ sudoCmd ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v2' ) ## Object class for groups of the SUDO commands |