[sudo-users] avoid LDAP search sudoUser=+*
Michael Ströder
michael at stroeder.com
Wed Feb 5 14:01:15 MST 2014
Michael Ströder wrote:
> On Wed, 05 Feb 2014 11:58:09 -0700 "Todd C. Miller" <Todd.Miller at courtesan.com>
> wrote:
>> On Wed, 05 Feb 2014 18:55:56 +0100, "Michael Ströder" wrote:
>>
>>> I wondered why things are slow with sudo-ldap and then found this
>>> search in the debug log:
>>>
>>> sudo: ldap search 'sudoUser=+*'
>>
>> That is to support sudoUser records that use netgroups. For Unix
>> groups, it is possible to get a list of all the user's groups before
>> performing the query. The same is not true for netgroups so we
>> need to match any sudoUser that begins with a '+'. This is unfortunate
>> but I'm not aware of a better way, short of removing netgroup support
>> (which people do use). See "Anatomy of LDAP sudoers lookup" in the
>> sudoers.ldap manual.
>
> Substring searches are really bad! I'd consider the LDAP schema to be severely
> broken. Different types of data (user, group, netgroup) should better be put
> into different attributes. So if you want all netgroup-related sudoRole entries
> you could search with
>
> (sudoNetGroups=*)
>
> In this case one could define a presence and/or equality index leading to much
> faster search processing.
>
> Anyway at least the default value for SUDOERS_SEARCH_FILTER should be
> "(objectClass=sudoRole)" to drastically reduce the number of search candidates
> the LDAP server has to examine.
Thinking about this a bit more:
Searching with (&(sudoUser=*)(sudoUser=+*)) is much faster if there's a
presence index configured for 'sudoUser'.
Ciao, Michael.
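To make the indexing argument in this thread concrete, here is a small model of how an LDAP server narrows its candidate set before evaluating a filter. It is an added illustration, not code from sudo, OpenLDAP or anyone on this list, and it simplifies real server behaviour: only equality and presence indexes are modelled, a term without a usable index cannot narrow the candidates at all, and the directory contents (a few sudoRole entries plus a thousand unrelated user entries) are constructed. The filter shapes compared are the bare `sudoUser=+*` substring search sudo issues and the `(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))` variant that can use an objectClass equality index and a sudoUser presence index.

```python
# Toy model of LDAP index-driven candidate selection (constructed example;
# not OpenLDAP's actual backend logic).
from fnmatch import fnmatchcase

# Constructed directory: three sudoRole entries and 1000 unrelated people.
# Only cn=ops carries a netgroup reference (a sudoUser value starting with '+').
ENTRIES = [
    {"dn": "cn=admins,ou=SUDOers,dc=example,dc=com",
     "objectClass": ["sudoRole"], "sudoUser": ["%wheel"]},
    {"dn": "cn=ops,ou=SUDOers,dc=example,dc=com",
     "objectClass": ["sudoRole"], "sudoUser": ["+ops-admins", "alice"]},
    {"dn": "cn=defaults,ou=SUDOers,dc=example,dc=com",
     "objectClass": ["sudoRole"], "sudoOption": ["env_reset"]},
] + [
    {"dn": f"uid=user{i},ou=People,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": [f"user{i}"]}
    for i in range(1000)
]

# Hypothetical index configuration: equality on objectClass, presence and
# equality on sudoUser, no substring index anywhere.
INDEXES = {"objectClass": {"eq"}, "sudoUser": {"pres", "eq"}}

# Filters are written as a list of ANDed (attribute, operator, value) terms.
# What sudo-ldap issues for netgroup lookups: a pure substring search.
NETGROUP_SUBSTR_ONLY = [("sudoUser", "sub", "+*")]
# The variant suggested above: restrict to sudoRole entries that have a
# sudoUser at all, then apply the substring test to the survivors.
NETGROUP_WITH_PRESENCE = [
    ("objectClass", "eq", "sudoRole"),
    ("sudoUser", "pres", None),
    ("sudoUser", "sub", "+*"),
]


def term_matches(entry, attr, op, value):
    """Evaluate one filter term against one entry (LDAP attributes are multi-valued)."""
    vals = entry.get(attr, [])
    if op == "pres":
        return bool(vals)
    if op == "eq":
        return any(v.lower() == value.lower() for v in vals)
    if op == "sub":
        # '+*' as a glob: value begins with '+'
        return any(fnmatchcase(v, value) for v in vals)
    raise ValueError(f"unknown operator {op!r}")


def index_candidates(entries, terms, indexes):
    """Entries the server must actually examine.

    Each term whose (attribute, operator) pair is indexed shrinks the set;
    a term with no index (the substring term here) cannot, so if nothing is
    indexed the whole database is a candidate."""
    narrowed = None
    for attr, op, value in terms:
        if op not in indexes.get(attr, set()):
            continue
        hits = {id(e) for e in entries if term_matches(e, attr, op, value)}
        narrowed = hits if narrowed is None else narrowed & hits
    if narrowed is None:
        return list(entries)
    return [e for e in entries if id(e) in narrowed]


def search(entries, terms, indexes):
    """Return (number of candidates examined, DNs of matching entries)."""
    cands = index_candidates(entries, terms, indexes)
    matched = [e["dn"] for e in cands
               if all(term_matches(e, a, o, v) for a, o, v in terms)]
    return len(cands), matched


if __name__ == "__main__":
    for name, flt in (("substring only", NETGROUP_SUBSTR_ONLY),
                      ("objectClass + presence", NETGROUP_WITH_PRESENCE)):
        examined, dns = search(ENTRIES, flt, INDEXES)
        print(f"{name:24s} examined {examined:4d} entries -> {dns}")
```

Both filters return the same single entry, but the substring-only form forces every entry in the model to be examined, while the indexed form touches only the sudoRole entries that actually have a sudoUser value. Real servers differ in how they combine index results and in what else they index, so the absolute numbers are illustrative; the shape of the difference is the point.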