On 11/13/2012 05:42 PM, Jakub Hrozek wrote:
On Tue, Nov 13, 2012 at 01:58:57PM +0100, Pavel Březina wrote:
https://fedorahosted.org/sssd/ticket/1640
Pavel, the code is fine, can you just explain the change better in the
commit message? I only know why this works because you told me in person
:-)
Sure :)
From f72f13471a6b72aeaad9ded272c57c8319aa63f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 13 Nov 2012 13:53:13 +0100
Subject: [PATCH] sudo: store rules with no sudoHost attribute
https://fedorahosted.org/sssd/ticket/1640
Normal rules require that the sudoHost attribute is present. But this
attribute is not mandatory for a special rule named cn=defaults.
This patch modifies the filter so that we store even rules that don't
have the sudoHost attribute specified. SUDO will then decide whether it
is allowed or not.
---
src/providers/ldap/sdap_sudo.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index ebbc95d14bfa2603806a4f42048723b3d036de2a..636eae41bdf5ff7fc8555b7b58c2a26e99e7ba73 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -327,6 +327,13 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
goto done;
}
+ /* sudoHost is not specified */
+ filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
+ map[SDAP_AT_SUDO_HOST].name);
+ if (filter == NULL) {
+ goto done;
+ }
+
/* ALL */
filter = talloc_asprintf_append_buffer(filter, "(%s=ALL)",
map[SDAP_AT_SUDO_HOST].name);
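Review bot: The added "(!(%s=*))" clause matches every rule that lacks sudoHost, not only cn=defaults, which is the one case the commit message gives as the reason for the change. The comment "/* sudoHost is not specified */" only restates the filter; it should say why such rules are fetched (cn=defaults carries no sudoHost) and that the decision to honour them is left to sudo, so a later reader does not mistake this for an accidentally broad filter. If only cn=defaults is meant to be stored, consider restricting the clause to that entry's name; if other rules without sudoHost are stored on purpose, say so in the comment.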
--
1.7.11.7
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel