Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1080209
Description of problem:
Attempting to set a subnet in an external host filter for a sudo rule fails with "IPA Error 3009".

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.2.x86_64

Steps to Reproduce:
1. Create a sudo rule
2. Add "10.0.0.0/8" as an external host.
3.

Actual results:
IPA Error 3009
invalid 'host': only letters, numbers, _, and - are allowed. DNS label may not start or end with -

Expected results:
success

Additional info:
The sudoers man page defines a host filter as:

    Host ::= '!'* host name |
             '!'* ip_addr |
             '!'* network(/netmask)? |
             '!'* +netgroup |
             '!'* Host_Alias

The sudoers.ldap man page even says the 'sudoHost' LDAP attribute supports "IP network". Thus "10.0.0.0/8" should be accepted as a valid host filter.
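A sketch of a validator that accepts every branch of the Host grammar quoted above instead of only DNS names. This is an added example, not FreeIPA's code: the function name `classify_sudo_host`, the regular expressions and the netgroup character set are assumptions, and the hostname rule follows the wording of the error message in this ticket.

```python
import ipaddress
import re

# Assumed patterns for illustration; they are not taken from the FreeIPA code base.
# Label rule mirrors the ticket's error text: letters, numbers, _ and -,
# and a label may not start or end with '-'.
_LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")
_ALIAS = re.compile(r"^[A-Z][A-Z0-9_]*$")        # Host_Alias naming per sudoers(5)
_NETGROUP = re.compile(r"^\+[A-Za-z0-9_.-]+$")   # assumed netgroup character set


def classify_sudo_host(value):
    """Return (negated, kind) for one sudoers Host entry, or raise ValueError."""
    body = value.lstrip("!")
    # '!'* in the grammar: each '!' toggles negation, so only parity matters.
    negated = (len(value) - len(body)) % 2 == 1
    if not body:
        raise ValueError(f"empty host in {value!r}")
    if _NETGROUP.match(body):
        return negated, "netgroup"
    if "/" in body:
        try:
            # Accepts a prefix length (10.0.0.0/8) or a dotted mask
            # (10.0.0.0/255.0.0.0); strict=False tolerates host bits being set.
            ipaddress.ip_network(body, strict=False)
        except ValueError as exc:
            raise ValueError(f"invalid network {body!r}: {exc}") from None
        return negated, "network"
    try:
        ipaddress.ip_address(body)
        return negated, "ip_addr"
    except ValueError:
        pass
    # Digits and dots only, yet not a valid address (e.g. 10.0.0.256):
    # reject rather than let it pass as a DNS name.
    if re.fullmatch(r"[0-9.]+", body):
        raise ValueError(f"invalid IP address {body!r}")
    if _ALIAS.match(body):
        # An all-uppercase single label is ambiguous with a host name;
        # the grammar alone cannot tell them apart.
        return negated, "host_alias"
    if _HOSTNAME.match(body):
        return negated, "hostname"
    raise ValueError(f"invalid host {body!r}")
```

The ordering matters: network and address checks run before the DNS-label check, so a value such as "10.0.0.0/8" is never handed to the hostname rule that produced the error in this report.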
Another ticket with missing sudo functionality: #4263
Original design that mentions hostmask but which was not implemented: http://www.freeipa.org/page/FreeIPAv2:SUDO_Schema_Design
hostmask
Starting review
pushed to master as part of sudorule enhancements:
Metadata Update from @mkosek: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 4.0 Backlog