
HPCC-14962 Remove support for LDAP "Sudoers" feature

Remove SUDOERS support from LDAP Security Manager. Throw "unsupported"
exception from ws_access sudoers methods.

Signed-off-by: Russ Whitehead <russwhitehead@yahoo.com>
Russ Whitehead 3 年之前
367c54188a

+ 0 - 1
esp/applications/common/ldap/ldap.yaml

@@ -13,7 +13,6 @@ ldap:
   sharedCache: true
   filesBasedn: ou=files,ou=ecl
   groupsBasedn: ou=groups,ou=ecl
-  sudoersBasedn: ou=SUDOers
   systemBasedn: cn=Users
   usersBasedn: ou=users,ou=ecl
   resourcesBasedn: ou=WsEcl,ou=EspServices,ou=ecl

+ 0 - 2
esp/eclwatch/ws_XSLT/CMakeLists.txt

@@ -163,8 +163,6 @@ FOREACH ( iFILES
     ${CMAKE_CURRENT_SOURCE_DIR}/access_resourceaddinput.xslt
     ${CMAKE_CURRENT_SOURCE_DIR}/access_resourcedelete.xslt
     ${CMAKE_CURRENT_SOURCE_DIR}/access_resources.xslt
-    ${CMAKE_CURRENT_SOURCE_DIR}/access_sudoers.xslt
-    ${CMAKE_CURRENT_SOURCE_DIR}/access_sudoersinput.xslt
     ${CMAKE_CURRENT_SOURCE_DIR}/access_useraction.xslt
     ${CMAKE_CURRENT_SOURCE_DIR}/access_useredit.xslt
     ${CMAKE_CURRENT_SOURCE_DIR}/access_usergroupedit.xslt

+ 0 - 59
esp/eclwatch/ws_XSLT/access_sudoers.xslt

@@ -1,59 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®.
-
-    Licensed under the Apache License, Version 2.0 (the "License");
-    you may not use this file except in compliance with the License.
-    You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-    Unless required by applicable law or agreed to in writing, software
-    distributed under the License is distributed on an "AS IS" BASIS,
-    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-    See the License for the specific language governing permissions and
-    limitations under the License.
--->
-
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:fo="http://www.w3.org/1999/XSL/Format">
-<xsl:output method="html"/>
-    <xsl:output method="html"/>
-    <xsl:template match="/">
-        <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-        <head>
-            <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
-            <title>SUDOers edit Result</title>
-      <link rel="stylesheet" type="text/css" href="/esp/files/yui/build/fonts/fonts-min.css" />
-      <link rel="stylesheet" type="text/css" href="/esp/files/css/espdefault.css" />
-      <link rel="stylesheet" type="text/css" href="/esp/files/css/eclwatch.css" />
-    </head>
-    <body class="yui-skin-sam">
-            <xsl:apply-templates/>
-        </body>
-        </html>
-    </xsl:template>
-    <xsl:template match="UserSudoersResponse">
-<table>
-<tbody>
-<th align="left">
-<h2>Edit SUDOers for user <xsl:value-of select="username"/>: </h2>
-</th>
-<tr>
-<td>
-<xsl:value-of select="retmsg"/>
-</td>
-</tr>
-<tr>
-<td>
-<br/>
-<br/>
-<a href="javascript:go('/ws_access/UserSudoersInput?username={username}')">Edit sudoers for user <xsl:value-of select="username"/></a>
-<br/>
-<a href="javascript:go('/ws_access/Users')">Users</a>
-</td>
-</tr>
-</tbody>
-</table>
-    </xsl:template>
-</xsl:stylesheet>

+ 0 - 86
esp/eclwatch/ws_XSLT/access_sudoersinput.xslt

@@ -1,86 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-
-    HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®.
-
-    Licensed under the Apache License, Version 2.0 (the "License");
-    you may not use this file except in compliance with the License.
-    You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-    Unless required by applicable law or agreed to in writing, software
-    distributed under the License is distributed on an "AS IS" BASIS,
-    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-    See the License for the specific language governing permissions and
-    limitations under the License.
--->
-
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:fo="http://www.w3.org/1999/XSL/Format">
-<xsl:output method="html"/>
-    <xsl:output method="html"/>
-    <xsl:template match="/">
-        <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-        <head>
-            <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
-            <title>POSIX Account</title>
-        </head>
-    <body class="yui-skin-sam">
-            <xsl:apply-templates/>
-        </body>
-        </html>
-    </xsl:template>
-    <xsl:template match="UserSudoersInputResponse">
-        <form method="POST" action="/ws_access/UserSudoers">
-        <input type="hidden" id="username" name="username" value="{username}"/>
-        <table name="table1">
-            <tr>
-                <th colspan="2">
-                    <h3>Edit Sudoers For User <xsl:value-of select="username"/></h3>
-                </th>
-            </tr>
-            <tr>
-                <td>Username:</td>
-                <td>
-                    <input type="text" name="username0" value="{username}" size="35" disabled="disabled"/>
-                </td>
-            </tr>
-            <tr>
-                <td>sudoHost:</td>
-                <td>
-                    <input type="text" name="sudoHost" value="{sudoHost}" size="35"/>
-                </td>
-            </tr>
-            <tr>
-                <td>sudoCommand:</td>
-                <td>
-                    <input type="text" name="sudoCommand" value="{sudoCommand}" size="35"/>
-                </td>
-            </tr>
-            <tr>
-                <td>sudoOption:</td>
-                <td>
-                    <input type="text" name="sudoOption" value="{sudoOption}" size="35"/>
-                </td>
-            </tr>
-            <tr>
-                <td height="10"/>
-            </tr>
-            <tr>
-                <td/>
-                <xsl:choose>
-                    <xsl:when test="insudoers=0">
-                    <input type="hidden" name="action" value="add"/>
-                    <td><input type="submit" class="sbutton" value="  Add  " name="add"/></td>
-                    </xsl:when>
-                    <xsl:otherwise>
-                    <td><input type="submit" class="sbutton" value="Delete" name="action"/>
-                    <xsl:text disable-output-escaping="yes">&amp;nbsp;</xsl:text><input type="submit" class="sbutton" value="Update" name="action"/></td>
-                    </xsl:otherwise>
-                </xsl:choose>
-            </tr>
-        </table>
-
-        </form>
-    </xsl:template>
-</xsl:stylesheet>

+ 0 - 2
esp/eclwatch/ws_XSLT/access_users.xslt

@@ -220,8 +220,6 @@
             <xsl:if test="../../posixok=1">
             <xsl:text disable-output-escaping="yes"> </xsl:text>
             <a href="javascript:go('/ws_access/UserPosixInput?username={username}')">Posix</a>
-            <xsl:text disable-output-escaping="yes"> </xsl:text>
-            <a href="javascript:go('/ws_access/UserSudoersInput?username={username}')">Sudoers</a>
             </xsl:if>
         </td>
         </tr>

+ 2 - 111
esp/services/ws_access/ws_accessService.cpp

@@ -3814,121 +3814,12 @@ bool Cws_accessEx::onUserInfoEditInput(IEspContext &context, IEspUserInfoEditInp
 
 bool Cws_accessEx::onUserSudoersInput(IEspContext &context, IEspUserSudoersInputRequest &req, IEspUserSudoersInputResponse &resp)
 {
-    try
-    {
-        checkUser(context);
-
-        CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
-
-        if(secmgr == NULL)
-            throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
-
-        const char* username = req.getUsername();
-        if(username == NULL || *username == '\0')
-        {
-            throw MakeStringException(ECLWATCH_INVALID_ACCOUNT_NAME, "Please specify a username.");
-        }
-
-        Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username, context.querySecureContext());
-        secmgr->getUserInfo(*user.get(), "sudoers");
-        resp.setUsername(username);
-        resp.setInsudoers(user->getInSudoers());
-        if(user->getInSudoers())
-        {
-            resp.setSudoHost(user->getSudoHost());
-            resp.setSudoCommand(user->getSudoCommand());
-            resp.setSudoOption(user->getSudoOption());
-        }
-        else
-        {
-            resp.setSudoHost("ALL");
-            resp.setSudoCommand("ALL");
-            resp.setSudoOption("!authenticate");
-        }
-    }
-    catch(IException* e)
-    {
-        FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
-    }
-
-    return true;
+    throw MakeStringException(ECLWATCH_INVALID_ACTION, "UserSudoersInput no longer supported");
 }
 
 bool Cws_accessEx::onUserSudoers(IEspContext &context, IEspUserSudoersRequest &req, IEspUserSudoersResponse &resp)
 {
-    try
-    {
-        checkUser(context);
-
-        CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
-
-        if(secmgr == NULL)
-            throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
-
-        const char* username = req.getUsername();
-        if(username == NULL || *username == '\0')
-        {
-            resp.setRetcode(-1);
-            resp.setRetmsg("username can't be empty");
-            return false;
-        }
-
-        resp.setUsername(username);
-
-        Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username, context.querySecureContext());
-        const char* action = req.getAction();
-        if(!action || !*action)
-        {
-            resp.setRetcode(-1);
-            resp.setRetmsg("Action can't be empty");
-            return false;
-        }
-
-        user->setSudoHost(req.getSudoHost());
-        user->setSudoCommand(req.getSudoCommand());
-        user->setSudoOption(req.getSudoOption());
-
-        bool ok = false;
-        StringBuffer retmsg;
-
-        try
-        {
-            if(stricmp(action, "add") == 0)
-                ok = secmgr->updateUser("sudoersadd", *user.get());
-            else if(stricmp(action, "delete") == 0)
-                ok = secmgr->updateUser("sudoersdelete", *user.get());
-            else if(stricmp(action, "update") == 0)
-                ok = secmgr->updateUser("sudoersupdate", *user.get());
-        }
-        catch(IException* e)
-        {
-            ok = false;
-            e->errorMessage(retmsg);
-            e->Release();
-        }
-        catch(...)
-        {
-            ok = false;
-            retmsg.append("unknown exception");
-        }
-
-        if(!ok)
-        {
-            resp.setRetcode(-1);
-            resp.setRetmsg(retmsg.str());
-        }
-        else
-        {
-            resp.setRetcode(0);
-            resp.setRetmsg("succeeded.");
-        }
-    }
-    catch(IException* e)
-    {
-        FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
-    }
-
-    return true;
+    throw MakeStringException(ECLWATCH_INVALID_ACTION, "UserSudoers no longer supported");
 }
 
 bool Cws_accessEx::onAccountPermissions(IEspContext &context, IEspAccountPermissionsRequest &req, IEspAccountPermissionsResponse &resp)
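Review bot: The two stubs at L252 and L330 give no reason why a method whose whole body is a throw is kept, and their `req`/`resp` parameters are now unused, so a reader may take them for half-finished work; a one-line comment on each would settle it, e.g. `// Sudoers support removed (HPCC-14962); stub kept only for the ws_access method signature and always throws.` The old bodies ran `checkUser(context)` first and routed every error through FORWARDEXCEPTION before returning true, whereas the new ones throw straight out of the handler before any user check, so it is worth confirming that the ESP dispatcher (outside this hunk) turns that into the same fault shape clients saw before. Both onUserSudoersInput and onUserSudoers are fully contained in the hunk.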

+ 3 - 3
initfiles/DOCUMENTATION.rst

@@ -37,7 +37,7 @@ Most install procedures are handled in install-init directly, but install-init a
 sub-installs using install files that are placed in /opt/HPCCSystems/etc/init.d/install/
 
 The final steps of the install are to set permissions correctly for the hpcc user, along with
-calling add_conf_settings.sh to add the sudoers and limits.conf changes.
+calling add_conf_settings.sh to add the limits.conf changes.
 
 Init uninstall
 ==============
@@ -55,7 +55,7 @@ Directory structure of initfiles
  - processor.cpp - simple application used at build time to search and replace ###<REPLACE>### in bash scripts
 
  - sbin/ - Directory containing administration based scripts
-  - add_conf_settings.sh.in - used to add sudoers and limits.conf settings on package install
+  - add_conf_settings.sh.in - used to add limits.conf settings on package install
   - alter_confs.sh - contains functions used by add_conf_settings.sh.in and rm_conf_settings.sh.in
   - complete-uninstall.sh.in - script to remove package and all directories from platform
   - configmgr.in - configmgr start script
@@ -68,7 +68,7 @@ Directory structure of initfiles
   - prerm.in - script run pre-remove of the installed DEB or RPM
   - regex.awk.in.cmake - regex awk code used by configmgr
   - remote-install-engine.sh.in - payload install script used by install-cluster.sh
-  - rm_conf_settings.sh.in - remove sudoers and limits.conf settings on package uninstall
+  - rm_conf_settings.sh.in - remove limits.conf settings on package uninstall
 
  - etc/
   - bash_completion/ - contains bash completion scripts used by the bash shell

+ 0 - 2
initfiles/componentfiles/configschema/xsd/ldapserver.xsd

@@ -62,8 +62,6 @@
                               hpcc:tooltip="The ldap 'base distinguished name' that ecl server should use when looking up workunit scopes in the ldap (Active Directory) server"/>
                 <xs:attribute name="filesBasedn" type="xs:string" hpcc:displayName="Files Base DN" use="required" hpcc:presetValue="ou=files,ou=ecl"
                               hpcc:tooltip="The ldap 'base distinguished name' that ecl server should use when looking up file scopes in the ldap (Active Directory) server"/>
-                <xs:attribute name="sudoersBasedn" type="xs:string" hpcc:displayName="Sudoers Base DN" hpcc:presetValue="ou=SUDOers"
-                              hpcc:tooltip="The place to hold the sudoers entries"/>
                 <xs:attribute name="serverType" use="required" hpcc:displayName="Server Type" hpcc:presetValue="ActiveDirectory"
                               hpcc:tooltip="LDAP Server Implementation Type">
                     <xs:simpleType>

+ 0 - 3
initfiles/componentfiles/configxml/dali.xsl

@@ -280,9 +280,6 @@
             <xsl:attribute name="modulesBasedn">
                 <xsl:value-of select="/Environment/Software/LDAPServerProcess[@name=$ldapServerName]/@modulesBasedn"/>
             </xsl:attribute>
-            <xsl:attribute name="sudoersBasedn">
-                <xsl:value-of select="/Environment/Software/LDAPServerProcess[@name=$ldapServerName]/@sudoersBasedn"/>
-            </xsl:attribute>
             <xsl:attribute name="usersBasedn">
                 <xsl:value-of select="/Environment/Software/LDAPServerProcess[@name=$ldapServerName]/@usersBasedn"/>
             </xsl:attribute>

+ 0 - 7
initfiles/componentfiles/configxml/ldapserver.xsd

@@ -265,13 +265,6 @@
                     </xs:appinfo>
                 </xs:annotation>
             </xs:attribute>
-            <xs:attribute name="sudoersBasedn" type="xs:string" use="optional" default="ou=SUDOers">
-                <xs:annotation>
-                    <xs:appinfo>
-                        <tooltip>The place to hold the sudoers entries.</tooltip>
-                    </xs:appinfo>
-                </xs:annotation>
-            </xs:attribute>
             <xs:attribute name="serverType" use="required" default="ActiveDirectory">
                 <xs:annotation>
                     <xs:appinfo>

+ 0 - 1
initfiles/componentfiles/configxml/ldapserver.xsl

@@ -33,7 +33,6 @@
  #base dc=internal,dc=sds
  filesBasedn="<xsl:value-of select="@filesBasedn"/>"
  resourcesBasedn="<xsl:value-of select="@resourcesBasedn"/>"
- sudoersBasedn="<xsl:value-of select="@sudoersBasedn"/>"
  systemBasedn="<xsl:value-of select="@systemBasedn"/>"
  usersBasedn="<xsl:value-of select="@usersBasedn"/>"
  workunitsBasedn="<xsl:value-of select="@workunitsBasedn"/>"

+ 0 - 235
system/security/LdapSecurity/ldapconnection.cpp

@@ -266,7 +266,6 @@ private:
     StringBuffer         m_filescope_basedn;
     StringBuffer         m_view_basedn;
     StringBuffer         m_workunitscope_basedn;
-    StringBuffer         m_sudoers_basedn;
     StringBuffer         m_template_name;
 
     StringBuffer         m_sysuser;
@@ -526,12 +525,6 @@ public:
             throw MakeStringException(-1, "One of the following basedns need to be defined: modulesBasedn, resourcesBasedn, filesBasedn or workunitScopesBasedn.");
         }
 
-        dnbuf.clear();
-        cfg->getProp(".//@sudoersBasedn", dnbuf);
-        if(dnbuf.length() == 0)
-            dnbuf.append("ou=SUDOers");
-        LdapUtils::normalizeDn(dnbuf.str(), m_basedn.str(), m_sudoers_basedn);
-
         cfg->getProp(".//@templateName", m_template_name);
         cfg->getProp(".//@authMethod", m_authmethod);
         cfg->getProp(".//@ldapDomain", m_domain);
@@ -709,8 +702,6 @@ public:
             return m_view_basedn.str();
         else if(rtype == RT_WORKUNIT_SCOPE)
             return m_workunitscope_basedn.str();
-        else if(rtype == RT_SUDOERS)
-            return m_sudoers_basedn.str();
         else
             return m_resource_basedn.str();
     }
@@ -1589,7 +1580,6 @@ public:
             createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE), PT_DEFAULT);
             createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_VIEW_SCOPE), PT_ADMINISTRATORS_ONLY);
             createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_WORKUNIT_SCOPE), PT_DEFAULT);
-            createLdapBasedn(NULL, m_ldapconfig->getResourceBasedn(RT_SUDOERS), PT_ADMINISTRATORS_ONLY);
 
             createLdapBasedn(NULL, m_ldapconfig->getUserBasedn(), PT_ADMINISTRATORS_ONLY);
             createLdapBasedn(NULL, m_ldapconfig->getGroupBasedn(), PT_ADMINISTRATORS_ONLY);
@@ -2102,69 +2092,6 @@ public:
             return false;
         }
         
-        if(infotype && stricmp(infotype, "sudoers") == 0)
-        {
-            CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
-            if (ldapuser == nullptr)
-            {
-                throw MakeStringException(-1, "Unable to cast user %s to CLdapSecUser", username);
-            }
-
-            TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
-            Owned<ILdapConnection> lconn = m_connections->getConnection();
-            LDAP* ld = lconn.get()->getLd();
-
-            StringBuffer filter("sudoUser=");
-            filter.append(username);
-            char  *attrs[] = {"sudoHost", "sudoCommand", "sudoOption", NULL};
-            const char* basedn = m_ldapconfig->getResourceBasedn(RT_SUDOERS);
-            CLDAPMessage searchResult;
-            int rc = ldap_search_ext_s(ld, (char*)basedn, LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT, &searchResult.msg);
-
-            if ( rc != LDAP_SUCCESS )
-            {
-                DBGLOG("ldap_search_ext_s error: %s, when searching %s under %s", ldap_err2string( rc ), filter.str(), basedn);
-                ldapuser->setSudoersEnabled(false);
-                ldapuser->setInSudoers(false);
-                return false;
-            }
-            
-            ldapuser->setSudoersEnabled(true);
-
-            unsigned entries = ldap_count_entries(ld, searchResult);
-            if(entries == 0)
-            {
-                ldapuser->setInSudoers(false);
-                return true;
-            }
-
-            message = LdapFirstEntry(ld, searchResult);
-            if(message == NULL)
-            {
-                ldapuser->setInSudoers(false);
-                return true;
-            }
-
-            ldapuser->setInSudoers(true);
-            CLDAPGetAttributesWrapper   atts(ld, searchResult);
-            for ( attribute = atts.getFirst();
-                  attribute != NULL;
-                  attribute = atts.getNext())
-            {
-                CLDAPGetValuesLenWrapper vals(ld, message, attribute);
-                if (vals.hasValues())
-                {
-                    if(stricmp(attribute, "sudoHost") == 0)
-                        ldapuser->setSudoHost(vals.queryCharValue(0));
-                    else if(stricmp(attribute, "sudoCommand") == 0)
-                        ldapuser->setSudoCommand(vals.queryCharValue(0));
-                    else if(stricmp(attribute, "sudoOption") == 0)
-                        ldapuser->setSudoOption(vals.queryCharValue(0));
-                }
-            }
-            return true;
-        }
-        else
         {
             StringBuffer filter;
             const char* basedn = m_ldapconfig->getUserBasedn();
@@ -3129,168 +3056,6 @@ public:
                 rc = ldap_modify_ext_s(ld, (char*)userdn.str(), attrs, NULL, NULL);
             }
         }
-        else if(stricmp(type, "sudoersadd") == 0)
-        {
-            CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
-            if (ldapuser == nullptr)
-            {
-                throw MakeStringException(-1, "Unable to cast user %s to CLdapSecUser", username);
-            }
-
-            char *cn_values[] = {(char*)username, NULL };
-            LDAPMod cn_attr =
-            {
-                LDAP_MOD_ADD,
-                "cn",
-                cn_values
-            };
-
-            char *oc_values[] = {"sudoRole", NULL };
-            LDAPMod oc_attr =
-            {
-                LDAP_MOD_ADD,
-                "objectClass",
-                oc_values
-            };
-
-            char *user_values[] = {(char*)username, NULL };
-            LDAPMod user_attr =
-            {
-                LDAP_MOD_ADD,
-                "sudoUser",
-                user_values
-            };
-
-            char* sudoHost = (char*)ldapuser->getSudoHost();
-            char* sudoCommand = (char*)ldapuser->getSudoCommand();
-            char* sudoOption = (char*)ldapuser->getSudoOption();
-
-            char *host_values[] = {sudoHost, NULL };
-            LDAPMod host_attr = 
-            {
-                LDAP_MOD_ADD,
-                "sudoHost",
-                host_values
-            };
-            char *cmd_values[] = {sudoCommand, NULL };
-            LDAPMod cmd_attr = 
-            {
-                LDAP_MOD_ADD,
-                "sudoCommand",
-                cmd_values
-            };
-            char *option_values[] = {sudoOption, NULL };
-            LDAPMod option_attr = 
-            {
-                LDAP_MOD_ADD,
-                "sudoOption",
-                option_values
-            };
-
-            LDAPMod *attrs[8];
-            int ind = 0;
-            
-            attrs[ind++] = &cn_attr;
-            attrs[ind++] = &oc_attr;
-            attrs[ind++] = &user_attr;
-            if(sudoHost && *sudoHost)
-                attrs[ind++] = &host_attr;
-            if(sudoCommand && *sudoCommand)
-                attrs[ind++] = &cmd_attr;
-            if(sudoOption && *sudoOption)
-                attrs[ind++] = &option_attr;
-
-            attrs[ind] = NULL;
-
-            Owned<ILdapConnection> lconn = m_connections->getConnection();
-            LDAP* ld = lconn.get()->getLd();
-            StringBuffer dn;
-            dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
-            int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
-            if ( rc != LDAP_SUCCESS )
-            {
-                if(rc == LDAP_ALREADY_EXISTS)
-                {
-                    throw MakeStringException(-1, "can't add %s to sudoers, an LDAP object with this name already exists", username);
-                }
-                else
-                {
-                    DBGLOG("error adding %s to sudoers: %s", username, ldap_err2string( rc ));
-                    throw MakeStringException(-1, "error adding %s to sudoers: %s", username, ldap_err2string( rc ));
-                }
-            }
-        }
-        else if(stricmp(type, "sudoersdelete") == 0)
-        {
-            StringBuffer dn;
-            dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
-
-            Owned<ILdapConnection> lconn = m_connections->getConnection();
-            LDAP* ld = lconn.get()->getLd();
-
-            int rc = ldap_delete_ext_s(ld, (char*)dn.str(), NULL, NULL);
-
-            if ( rc != LDAP_SUCCESS )
-            {
-                throw MakeStringException(-1, "Error deleting user %s from sudoers: %s", username, ldap_err2string(rc));
-            }
-        }
-        else if(stricmp(type, "sudoersupdate") == 0)
-        {
-            CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
-            if (ldapuser == nullptr)
-            {
-                throw MakeStringException(-1, "Unable to cast user %s to CLdapSecUser", username);
-            }
-
-            char* sudoHost = (char*)ldapuser->getSudoHost();
-            char* sudoCommand = (char*)ldapuser->getSudoCommand();
-            char* sudoOption = (char*)ldapuser->getSudoOption();
-
-            char *host_values[] = {(sudoHost&&*sudoHost)?sudoHost:NULL, NULL };
-            LDAPMod host_attr =
-            {
-                LDAP_MOD_REPLACE,
-                "sudoHost",
-                host_values
-            };
-
-            char *cmd_values[] = {(sudoCommand&&*sudoCommand)?sudoCommand:NULL, NULL };
-            LDAPMod cmd_attr =
-            {
-                LDAP_MOD_REPLACE,
-                "sudoCommand",
-                cmd_values
-            };
-
-            char *option_values[] = {(sudoOption&&*sudoOption)?sudoOption:NULL, NULL };
-            LDAPMod option_attr =
-            {
-                LDAP_MOD_REPLACE,
-                "sudoOption",
-                option_values
-            };
-
-            LDAPMod *attrs[4];
-            int ind = 0;
-
-            attrs[ind++] = &host_attr;
-            attrs[ind++] = &cmd_attr;
-            attrs[ind++] = &option_attr;
-
-            attrs[ind] = NULL;
-
-            Owned<ILdapConnection> lconn = m_connections->getConnection();
-            LDAP* ld = lconn.get()->getLd();
-            StringBuffer dn;
-            dn.append("cn=").append(username).append(",").append(m_ldapconfig->getResourceBasedn(RT_SUDOERS));
-            int rc = ldap_modify_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
-            if ( rc != LDAP_SUCCESS )
-            {
-                DBGLOG("error modifying sudoers for user %s: %s", username, ldap_err2string( rc ));
-                throw MakeStringException(-1, "error modifying sudoers for user %s: %s", username, ldap_err2string( rc ));
-            }
-        }
 
         if (rc == LDAP_SUCCESS )
             DBGLOG("User %s successfully updated", username);
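Review bot: Dropping the `else` at L530 leaves the user-lookup code from L531 onward inside a bare `{ ... }` block at its old indentation, which now reads as an accidental scope; either flatten it or mark it, e.g. `// scope left over from the removed sudoers branch; safe to flatten`. The enclosing getUserInfo body starts and ends outside the hunk, so it is not visible whether `message` and `attribute` still have other uses once this branch is gone. The removed code also provisioned an `ou=SUDOers` subtree and wrote `sudoRole` entries under it (the `createLdapBasedn(..., RT_SUDOERS, ...)` call and the `sudoersadd` path); this commit stops managing that data but nothing removes entries already present in a directory, so an upgrade note in the description or DOCUMENTATION.rst telling operators to review existing sudoRole entries would be worth adding. A caller that still passes `infotype == "sudoers"` now silently takes the generic lookup path instead of failing, which may be intended but deserves a mention.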

+ 0 - 2
system/security/LdapSecurity/ldapsecurity.cpp

@@ -41,8 +41,6 @@ CLdapSecUser::CLdapSecUser(const char *name, const char *pw) :
     setName(name);
     setUserID(0);
     setPosixenabled(false);
-    setSudoersEnabled(false);
-    setInSudoers(false);
     setSessionToken(0);
     setSignature(nullptr);
 }

+ 0 - 47
system/security/LdapSecurity/ldapsecurity.ipp

@@ -63,11 +63,6 @@ private:
     StringAttr   m_homedirectory;
     StringAttr   m_loginshell;
 
-    bool         m_sudoersenabled;
-    bool         m_insudoers;
-    StringAttr   m_sudoHost;
-    StringAttr   m_sudoCommand;
-    StringAttr   m_sudoOption;
     unsigned     m_sessionToken;//User's ESP session token
     StringBuffer m_signature;//User's digital signature
 
@@ -212,48 +207,6 @@ public:
     {
         return m_posixenabled;
     }
-
-// Sudoers specific fields  
-    virtual void setSudoersEnabled(bool enabled)
-    {
-        m_sudoersenabled = enabled;
-    }
-    virtual bool getSudoersEnabled()
-    {
-        return m_sudoersenabled;
-    }
-    virtual void setInSudoers(bool in)
-    {
-        m_insudoers = in;
-    }
-    virtual bool getInSudoers()
-    {
-        return m_insudoers;
-    }
-    virtual void setSudoHost(const char* host)
-    {
-        m_sudoHost.set(host);
-    }
-    virtual const char* getSudoHost()
-    {
-        return m_sudoHost.get();
-    }
-    virtual void setSudoCommand(const char* cmd)
-    {
-         m_sudoCommand.set(cmd);
-    }
-    virtual const char* getSudoCommand()
-    {
-        return m_sudoCommand.get();
-    }
-    virtual void setSudoOption(const char* option)
-    {
-        m_sudoOption.set(option);
-    }
-    virtual const char* getSudoOption()
-    {
-        return m_sudoOption.get();
-    }
 };
 
 

+ 0 - 1
system/security/shared/authmap.cpp

@@ -195,7 +195,6 @@ const char* resTypeDesc(SecResourceType type)
     case RT_SERVICE: return "Service";
     case RT_FILE_SCOPE: return "FileScope";
     case RT_WORKUNIT_SCOPE: return "Workunit_Scope";
-    case RT_SUDOERS: return "Sudoers";
     case RT_TRIAL: return "Trial";
     case RT_VIEW_SCOPE: return "View";
     default: return "<unknown>";

+ 1 - 1
system/security/shared/seclib.hpp

@@ -122,7 +122,7 @@ enum SecResourceType : int
     RT_SERVICE = 2,
     RT_FILE_SCOPE = 3,
     RT_WORKUNIT_SCOPE = 4,
-    RT_SUDOERS = 5,
+//no longer supported    RT_SUDOERS = 5,
     RT_TRIAL = 6,
     RT_VIEW_SCOPE = 7,
     RT_SCOPE_MAX = 8
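Review bot: The commented-out enumerator at L802 leaves value 5 unused so RT_TRIAL keeps 6, but nothing says the gap is deliberate, and a later tidy-up that renumbers would silently change any SecResourceType value that is persisted or sent between components (whether that happens is not visible here). Replace the free-form comment with one that states the intent, e.g. `// 5 was RT_SUDOERS (removed in HPCC-14962); left unused so later enumerators keep their values`. resTypeDesc in authmap.cpp now returns "<unknown>" for 5 via its default case, which is consistent with keeping the slot reserved.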