From b7ad52356d9e51f027cc7bc32c5e4a74686f49f8 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 13 Aug 2011 13:50:24 -0400
Subject: [PATCH] Tivoli Directory Server requires that seconds be present in a timestamp, even though RFC 4517 states that they are optional.
--HG--
branch : 1.7
---
 ldap.c | 2 +-
 sudoers.ldap.pod | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/ldap.c b/ldap.c
index d26e45812..a1cf4a6c8 100644
--- a/ldap.c
+++ b/ldap.c
@@ -961,7 +961,7 @@ sudo_ldap_timefilter(buffer, buffersize)
 }
 /* Format the timestamp according to the RFC. */
- if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%MZ", tp) == 0) {
+ if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%SZ", tp) == 0) {
 warning("unable to format timestamp");
 goto done;
 }
diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod
index a9816546b..b12c6e6bb 100644
--- a/sudoers.ldap.pod
+++ b/sudoers.ldap.pod
@@ -147,11 +147,12 @@ The C attribute is only available in B versions =item B -A timestamp in the form C that can be used to provide +A timestamp in the form C that can be used to provide a start date/time for when the C will be valid. If multiple C entries are present, the earliest is used. Note that timestamps must be in Coordinated Universal Time (UTC), -not the local timezone. +not the local timezone. The minute and seconds portions are optional, +but some LDAP servers require that they be present (contrary to the RFC). The C attribute is only available in B versions 1.7.5 and higher and must be explicitly enabled via the B 
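Review bot: In the ldap.c hunk, the new format `"%Y%m%d%H%M%SZ"` produces 15 characters plus the terminating NUL, two more than the old one, and the declaration of `timebuffer` is outside the hunk, so its size should be confirmed to be at least 16 bytes. strftime() returns 0 rather than writing past the buffer when the result does not fit, so an undersized buffer would not overflow but would send every call down the `warning("unable to format timestamp")` / `goto done` path. What that path means for enforcement of the sudoNotBefore/sudoNotAfter limits is not visible here and is worth checking to make sure it fails closed. The comment could also record why seconds are now emitted, for example `/* Format per RFC 4517; seconds are optional there but some servers (Tivoli) require them. */`. The body of sudo_ldap_timefilter starts and ends outside this hunk.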
@@ -159,11 +160,12 @@ option in F<@ldap_conf@>. =item B -A timestamp in the form C that indicates an expiration +A timestamp in the form C that indicates an expiration date/time, after which the C will no longer be valid. If multiple C entries are present, the last one is used. Note that timestamps must be in Coordinated Universal Time (UTC), -not the local timezone. +not the local timezone. The minute and seconds portions are optional, +but some LDAP servers require that they be present (contrary to the RFC). The C attribute is only available in B versions 1.7.5 and higher and must be explicitly enabled via the B -- 2.40.0