summaryrefslogtreecommitdiffstats
path: root/install/share/65ipasudo.ldif
diff options
context:
space:
mode:
authorTomas Babej <tbabej@redhat.com>2014-05-14 13:09:28 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-25 20:14:49 +0200
commit9304b649a32c57e80f53913d7fbdee92fd76a251 (patch)
tree7d87ea988f69bd644d7dd839ea7087f74e3dde32 /install/share/65ipasudo.ldif
parenta228d7a3cb32b14ff24b47adb14d896d317f6312 (diff)
downloadfreeipa-9304b649a32c57e80f53913d7fbdee92fd76a251.tar.gz
freeipa-9304b649a32c57e80f53913d7fbdee92fd76a251.tar.xz
freeipa-9304b649a32c57e80f53913d7fbdee92fd76a251.zip
sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks sudorule plugin. https://fedorahosted.org/freeipa/ticket/4263 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/share/65ipasudo.ldif')
-rw-r--r--install/share/65ipasudo.ldif4
1 files changed, 3 insertions, 1 deletions
diff --git a/install/share/65ipasudo.ldif b/install/share/65ipasudo.ldif
index 3ad103f8a..8895b0dd7 100644
--- a/install/share/65ipasudo.ldif
+++ b/install/share/65ipasudo.ldif
@@ -31,8 +31,10 @@ attributeTypes: (2.16.840.1.113730.3.8.7.11 NAME 'ipaSudoRunAsGroupCategory' DES
attributeTypes: (2.16.840.1.113730.3.8.7.12 NAME 'hostMask' DESC 'IP mask to identify a subnet.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
## Attribute to store sudo command
attributeTypes: (2.16.840.1.113730.3.8.7.13 NAME 'sudoCmd' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactMatch ORDERING caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+## Attribute to store a name of the user not managed by IPA. Command witll be executed under his identity.
+attributeTypes: (2.16.840.1.113730.3.8.7.14 NAME 'ipaSudoRunAsExtUserGroup' DESC 'Multivalue string attribute that allows storing groups of users that are not managed by IPA the command can be run as' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4' )
## Object class for SUDO rules
-objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $ sudoOrder ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ ipaSudoRunAsExtUserGroup ) X-ORIGIN 'IPA v2' )
## Object class for SUDO commands
objectClasses: (2.16.840.1.113730.3.8.8.2 NAME 'ipaSudoCmd' DESC 'IPA object class for SUDO command' STRUCTURAL MUST ( ipaUniqueID $ sudoCmd ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v2' )
## Object class for groups of the SUDO commands