OpenLDAP schema file for Sudo in on-line configuration (OLC) format.

From Frederic Pasteleurs.
2025-08-22 09:57:41 +00:00 · 2018-11-09 10:38:49 -07:00 · 2018-11-09 10:38:49 -07:00 · 5e098a782d
commit 5e098a782d
parent d6c2c53688
5 changed files with 105 additions and 5 deletions
--- a/1
+++ b/1
@ -28,6 +28,7 @@ doc/fixmdoc.sh
 doc/schema.ActiveDirectory
 doc/schema.OpenLDAP
 doc/schema.iPlanet
+doc/schema.olcSudo
 doc/sudo.cat
 doc/sudo.conf.cat
 doc/sudo.conf.man.in
--- a/README.LDAP
+++ b/README.LDAP
@ -57,9 +57,11 @@ Schema Changes
 You must add the appropriate schema to your LDAP server before it
 can store sudoers content.

-For OpenLDAP, copy the file schema.OpenLDAP to the schema directory
-(e.g. /etc/openldap/schema).  You must then edit your slapd.conf and
-add an include line the new schema, e.g.
+For OpenLDAP, there are two options, depending on how slapd is configured.
+
+The first option is to copy the file schema.OpenLDAP to the schema
+directory (e.g. /etc/openldap/schema).  You must then edit your
+slapd.conf and add an include line the new schema, e.g.

    # Sudo LDAP schema
    include	/etc/openldap/schema/sudo.schema
@ -72,6 +74,22 @@ the attribute 'sudoUser', e.g.

 After making the changes to slapd.conf, restart slapd.

+The second option is only for OpenLDAP 2.3 and higher where slapd.conf
+has been configured to use on-line configuration.  If your slapd.conf
+file includes the line:
+
+    database config
+
+it should be possible to use the schema.olcSudo file.
+
+You can apply schema.olcSudo using the ldapadd utility or another
+suitable LDAP browser.  For example:
+
+    # ldapadd -f schema.olcSudo -H ldap://ldapserver -W -x \
+	-D cn=Manager,dc=example,dc=com
+
+There is no need to restart slapd when updating on-line configuration.
+
 For Netscape-derived LDAP servers such as SunONE, iPlanet or Fedora Directory,
 copy the schema.iPlanet file to the schema directory with the name 99sudo.ldif.

@ -118,7 +136,7 @@ Import into your directory server.  The following example is for
 OpenLDAP.  If you are using another directory, provide the LDIF
 file to your LDAP Administrator.

-  # ldapadd -f /tmp/sudoers.ldif -h ldapserver \
+  # ldapadd -f /tmp/sudoers.ldif -H ldap://ldapserver \
    -D cn=Manager,dc=example,dc=com -W -x

 Step 3:
--- a/doc/CONTRIBUTORS
+++ b/doc/CONTRIBUTORS
@ -109,6 +109,7 @@ you believe you should be listed, please send a note to sudo@sudo.ws.
    Ouellet, Jean-Philippe
    Paquet, Eric
    Paradis, Chantal
+    Pasteleurs, Frederic
    Percival, Ted
    Perera, Andres
    Peron, Christian S.J.
--- a/doc/schema.OpenLDAP
+++ b/doc/schema.OpenLDAP
@ -1,6 +1,7 @@
 #
 # OpenLDAP schema file for Sudo
-# Save as /etc/openldap/schema/sudo.schema
+# Save as /etc/openldap/schema/sudo.schema and restart slapd.
+# For a version that uses online configuration, see schema.olcSudo.
 #

 attributetype ( 1.3.6.1.4.1.15953.9.1.1
--- a/doc/schema.olcSudo
+++ b/doc/schema.olcSudo
@ -0,0 +1,79 @@
+dn: cn=sudoschema,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: sudoschema
+#
+# OpenLDAP schema file for Sudo in on-line configuration (OLC) format.
+# Import using ldapadd or another suitable LDAP browser.
+# Converted to OLC format by Frederic Pasteleurs <frederic@askarel.be>
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
+    NAME 'sudoUser'
+    DESC 'User(s) who may  run sudo'
+    EQUALITY caseExactIA5Match
+    SUBSTR caseExactIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
+    NAME 'sudoHost'
+    DESC 'Host(s) who may run sudo'
+    EQUALITY caseExactIA5Match
+    SUBSTR caseExactIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.3
+    NAME 'sudoCommand'
+    DESC 'Command(s) to be executed by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.4
+    NAME 'sudoRunAs'
+    DESC 'User(s) impersonated by sudo (deprecated)'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
+    NAME 'sudoOption'
+    DESC 'Options(s) followed by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
+    NAME 'sudoRunAsUser'
+    DESC 'User(s) impersonated by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
+    NAME 'sudoRunAsGroup'
+    DESC 'Group(s) impersonated by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
+    NAME 'sudoNotBefore'
+    DESC 'Start of time interval for which the entry is valid'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+#
+olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.9
+    NAME 'sudoNotAfter'
+    DESC 'End of time interval for which the entry is valid'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+#
+olcattributeTypes: ( 1.3.6.1.4.1.15953.9.1.10
+    NAME 'sudoOrder'
+    DESC 'an integer to order the sudoRole entries'
+    EQUALITY integerMatch
+    ORDERING integerOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+#
+olcobjectclasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+    DESC 'Sudoer Entries'
+    MUST ( cn )
+    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
+        description )
+    )