Merge in ordered LDAP entry support from Andreas Mueller.

diff --git a/doc/schema.ActiveDirectory b/doc/schema.ActiveDirectory
index fb758ac3ce8e884a38dcdd8c44ddd9dcc01d61fe..cfdc7cbb9988369191527d78a73f7d1b8fa5ad75 100644 (file)
--- a/doc/schema.ActiveDirectory
+++ b/doc/schema.ActiveDirectory
@@ -196,6 +196,25 @@ name: sudoNotAfter
 schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
 objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
 
+dn: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X
+changetype: add
+objectClass: top
+objectClass: attributeSchema
+cn: sudoOrder
+distinguishedName: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X
+instanceType: 4
+attributeID: 1.3.6.1.4.1.15953.9.1.10
+attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.27
+isSingleValued: TRUE
+showInAdvancedViewOnly: TRUE
+adminDisplayName: sudoOrder
+adminDescription: an integer to order the sudoRole entries
+oMSyntax: 22
+lDAPDisplayName:  sudoOrder
+name: sudoOrder
+schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
+objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
+
 dn:\r
 changetype: modify\r
 add: schemaUpdateNow\r
@@ -222,6 +241,7 @@ mayContain: sudoRunAsGroup
 mayContain: sudoUser\r
 mayContain: sudoNotBefore
 mayContain: sudoNotAfter
+mayContain: sudoOrder
 rDNAttID: cn\r
 showInAdvancedViewOnly: FALSE\r
 adminDisplayName: sudoRole\r

diff --git a/doc/schema.OpenLDAP b/doc/schema.OpenLDAP
index 5da4c2b82e8a425619fac2b33c20902e3a8ee212..e14f7ad1b38e88ee7256ba652cf786efbd29c9d7 100644 (file)
--- a/doc/schema.OpenLDAP
+++ b/doc/schema.OpenLDAP
@@ -61,9 +61,16 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.9
     ORDERING generalizedTimeOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
 
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+    NAME 'sudoOrder'
+    DESC 'an integer to order the sudoRole entries'
+    EQUALITY integerMatch
+    ORDERING integerOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
     DESC 'Sudoer Entries'
     MUST ( cn )
-    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $
+    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $
            description )
     )

diff --git a/doc/schema.iPlanet b/doc/schema.iPlanet
index 0cb00388e1a0ece1220c89114f6a563fe2f55b47..8382960a81c4a375789efc0cd19edba89f3eed75 100644 (file)
--- a/doc/schema.iPlanet
+++ b/doc/schema.iPlanet
@@ -8,4 +8,5 @@ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) imp
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ description ) X-ORIGIN 'SUDO' )

diff --git a/doc/sudoers.ldap.pod b/doc/sudoers.ldap.pod
index 4622bc773c0ca8e94bb4c4ac305ae84684fc7c8f..1b26d395f5fe1f82efb84d566e427bcf00f25fab 100644 (file)
--- a/doc/sudoers.ldap.pod
+++ b/doc/sudoers.ldap.pod
@@ -150,6 +150,15 @@ A timestamp in the form C<yyyymmddHHMMZ> that indicates end of validity
 of this C<sudoRole>.
 If multiple B<sudoNotAfter> entries are present, the last one is used.
 
+=item B<sudoOrder>
+
+The sudoRole entries retrieved from the LDAP directory have no
+inherent order. The B<sudoOrder> attribute is an integer that will
+be used to sort the matching entries.  This allows to more closely
+mimic the behaviour of the sudoers file, where the of the entries
+does have an influence on the result.  If the B<sudoOrder> attribute
+is not present, a value of 0 is assumed.
+
 =back
 
 Each component listed above should contain a single value, but there
@@ -324,7 +333,7 @@ in which case they are queried in the order specified.
 
 =item B<SUDOERS_TIMED> on/true/yes/off/false/no
 
-Whether or not to evaluate the sudoNotBefore and sudoNotAfter
+Whether or not to evaluate the B<sudoNotBefore> and B<sudoNotAfter>
 attributes that implement time-dependent sudoers entries.
 
 =item B<SUDOERS_DEBUG> debug_level
@@ -742,12 +751,19 @@ C<include> line in C<slapd.conf> and restart B<slapd>.
     ORDERING generalizedTimeOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
 
+ attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+     NAME 'sudoOrder'
+     DESC 'an integer to order the sudoRole entries'
+     EQUALITY integerMatch
+     ORDERING integerOrderingMatch
+     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
  objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
     DESC 'Sudoer Entries'
     MUST ( cn )
     MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
-         description )
+         sudoOrder $ description )
     )
 
 =head1 SEE ALSO