[sudo-users] avoid LDAP search sudoUser=+*
Michael Ströder
michael at stroeder.com
Thu Feb 6 14:39:03 MST 2014
Todd C. Miller wrote:
> On Wed, 05 Feb 2014 22:01:15 +0100, Michael Ströder wrote:
>
>> Thinking about this a bit more:
>> Searching with (&(sudoUser=*)(sudoUser=+*)) is much faster if there's
>> a presence index configured for 'sudoUser'.
>
> The sudoUser=+* query is only performed if there is no match returned
> for the user and groups query.
Not true. Otherwise I would not have raised this issue here.
On some systems with older sudo versions the sudoUser=+* is even sent *before*
the normal user/group query.
> As such it should only be slow for
> people using netgroups or in cases where the command is not allowed.
Not true. And also please re-read what I said about indexes on LDAP servers.
If you perform the netgroup query you have to use
(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))
to get reasonable performance (provided there's a presence index for 'sudoUser').
Otherwise sudo-ldap is a DoS tool because the LDAP server has to check each
entry and LDAP admins have to protect their servers by setting time limits.
Personally I stripped the SUBSTR matching rule from the attribute type description
for 'sudoUser' since we're not using netgroups. This is a rather ugly
work-around but helped without having to upgrade all clients. ;-}
Ciao, Michael.