
This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.

SUDO integration

We have decided to use the current schema used by SUDO. The schema is described here.

The reason is that Sudo can only understand the native schema anyway. We will have to do a conversion when we implement support for the IPA sudo schema down the road, but it’s simply not needed now.

All rules are stored under the cn=sudorules,cn=custom,cn=$domain,cn=sysdb subtree.

SUDO calls the SSS_SUDO_GET_SUDORULES command, providing the user name of the requesting user.

SSSD sends back all sudo rule entries that contain the keyword ALL or match the requested user name, the user's groups or the user's netgroups.

<ruleN> = <num_attrs(uint32_t)><attr1><attr2>...
<attrN> = <name(char*)><num_values(uint32_t)><value1(char*)><value2(char*)>...

All strings are terminated with a zero (NUL) character.

If <error_code> signals an error (i.e. it does not equal SSS_SUDO_ERROR_OK), the remaining fields are omitted.
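The <ruleN>/<attrN> layout above, as an added example that is not SSSD's own code: a serialiser plus a bounds-checking parser for one rule, the kind of check the responder needs before trusting a count or string read from the socket. It assumes host byte order for the uint32_t counts (the page does not state one) and uses constructed attribute names and values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct attr { const char *name; const char **values; uint32_t nvalues; };
static size_t put(uint8_t *out, size_t cap, size_t pos, const void *p, size_t n)
{   /* append n bytes at out[pos]; returns the new offset, or 0 if they do not fit */
    if (cap - pos < n) return 0;
    memcpy(out + pos, p, n); return pos + n;
}

/* Serialise one rule as <num_attrs><attr>..., attr = <name\0><num_values><value\0>...; counts in host byte order (assumed). */
size_t encode_rule(uint8_t *out, size_t cap, const struct attr *a, uint32_t nattrs)
{
    size_t pos = put(out, cap, 0, &nattrs, 4);                       /* num_attrs */
    for (uint32_t i = 0; i < nattrs && pos; i++) {
        pos = put(out, cap, pos, a[i].name, strlen(a[i].name) + 1);  /* name, NUL kept */
        if (pos) pos = put(out, cap, pos, &a[i].nvalues, 4);         /* num_values */
        for (uint32_t v = 0; v < a[i].nvalues && pos; v++)
            pos = put(out, cap, pos, a[i].values[v], strlen(a[i].values[v]) + 1);
    }
    return pos;                                                      /* bytes written, 0 = no room */
}
static size_t str_in(const uint8_t *buf, size_t len, size_t pos)
{   /* length (with NUL) of the string at buf[pos], or 0 if its NUL is not inside buf */
    const uint8_t *nul = pos < len ? memchr(buf + pos, 0, len - pos) : NULL;
    return nul ? (size_t)(nul - (buf + pos)) + 1 : 0;
}
/* Parse one rule from an untrusted buffer, checking every count and string against len first.
 * Returns the value count and stores the rule's byte length in *used; -1 if truncated/unterminated. */
long decode_rule(const uint8_t *buf, size_t len, size_t *used)
{
    size_t pos = 4, n = 0; uint32_t nattrs, nvals; long total = 0;
    if (len < 4) return -1; memcpy(&nattrs, buf, 4);
    for (uint32_t i = 0; i < nattrs; i++) {
        if ((n = str_in(buf, len, pos)) == 0) return -1;             /* attr name */
        if (len - (pos += n) < 4) return -1;                         /* num_values must fit */
        memcpy(&nvals, buf + pos, 4); pos += 4;
        for (uint32_t v = 0; v < nvals; v++, pos += n, total++)      /* n set in the body */
            if ((n = str_in(buf, len, pos)) == 0) return -1;         /* value */
    }
    *used = pos; return total;
}

long sample_roundtrip(size_t cut)
{   /* constructed 3-attribute rule; decode its first len-cut bytes: 4 values, or -1 */
    const char *h[] = {"ALL"}, *u[] = {"%wheel"}, *c[] = {"ALL", "/usr/bin/less"};
    const struct attr r[] = {{"sudoHost", h, 1}, {"sudoUser", u, 1}, {"sudoCommand", c, 2}};
    uint8_t buf[128]; size_t used, len = encode_rule(buf, sizeof buf, r, 3);
    return len > cut ? decode_rule(buf, len - cut, &used) : -1;
}
```

Cutting even one byte off the encoded rule is rejected, because the last value then has no terminating zero inside the buffer.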