[sudo-users] can I prevent sudo on Solaris from performing ldap searches for local users?
Josh Daynard
josh.daynard at icloud.com
Tue Feb 2 17:02:12 MST 2016
I apologize in advance for the lack of deep knowledge on this topic … I have been digging around for a while and can’t seem to answer this seemingly simple question:
How can I make sudo NOT perform any ldap searches when sudo’ing between two local users?
The background - we have *lots* of Solaris hosts that we’re converting from OpenLDAP to IPA for authentication. When we flipped the switch to convert, IPA was flooded with ldap searches with a filter of:
'(&(objectclass= SolarisUserAttr)(uid=my_local_user))'
requesting the attrs: uid, SolarisUserQualifier, SolarisAttrReserved1, SolarisAttrReserved2, SolarisAttrKeyValue
We determined that this was happening as a result of sudo. We use nagios for monitoring and many times per second on thousands of hosts nagios performs a sudo from one local user to another to execute a check. The resulting barrage of ldap searches completely brought down IPA sadly.
But the nagios user is a local user and the user it is sudo’ing to is a local user and it is allowed in /etc/sudoers with NOPASSWD … and neither of those users is in LDAP … so why does sudo insist on making that ldap search and can we stop it?
From /etc/sudoers:
# Nagios can run anything under /usr/local/nagios/libexec as nsmail
MONITORS ALL = (nsmail) NOPASSWD: /usr/local/nagios/libexec/, \
/usr/local/monitor/libexec/
cat /etc/nsswitch.conf
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
We also have basically the same configuration in Linux (RHEL 6) and sudo there does not perform any ldap searches when sudo’ing between two local users …
Thanks!
Josh
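A diagnostic check, added here and not part of Josh's post or of sudo itself: given an nsswitch.conf like the one above, it reports which name-service sources Solaris will consult for the user_attr database (the one behind the SolarisUserAttr objectclass in the filter). It assumes the Solaris default that a missing user_attr line inherits the passwd sources, which is what would send a local user's lookup on to ldap; the input is a constructed copy of the relevant lines.

```shell
#!/bin/sh
# Added example (not from the post or from sudo): report which name-service
# sources Solaris consults for the user_attr database, given an nsswitch.conf.
# Assumption: a missing user_attr line inherits the passwd sources (Solaris
# default); other missing RBAC databases default to files. Lookup criteria
# such as [NOTFOUND=return] are passed through in the output unchanged.

# Constructed input: the lines from the post's nsswitch.conf that matter here.
SAMPLE_NSSWITCH='passwd: files ldap
group: files ldap
auth_attr: files
prof_attr: files'

# effective_sources DB FILE -> prints the source list used for database DB
effective_sources() {
    db=$1; file=$2
    # first matching, comment-stripped line for the database
    line=$(sed 's/#.*//' "$file" | grep "^$db:" | head -1)
    if [ -z "$line" ] && [ "$db" = "user_attr" ]; then
        # no user_attr entry: fall back to the passwd entry (assumed default)
        line=$(sed 's/#.*//' "$file" | grep '^passwd:' | head -1)
    fi
    if [ -z "$line" ]; then
        echo "files"
        return 0
    fi
    echo "$line" | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# uses_ldap DB FILE -> exit 0 if ldap is among the effective sources for DB
uses_ldap() {
    case " $(effective_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: write the sample to a temp file and report per database.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_NSSWITCH" > "$tmp"
for db in passwd user_attr prof_attr auth_attr; do
    printf '%-10s -> %s\n' "$db" "$(effective_sources "$db" "$tmp")"
done
if uses_ldap user_attr "$tmp"; then
    echo "user_attr lookups reach ldap: an explicit 'user_attr: files' line keeps local-user lookups local"
fi
rm -f "$tmp"
```

Confirm the fallback rule against the nsswitch.conf(4) page of the Solaris release in use before relying on the report.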