sudo with ldap support

Aaron Spangler as at insight.rr.com
Mon Jun 23 07:24:15 EDT 2003


My client is supposed to release the patch this week.  It is a nice
implementation of sudoers inside LDAP.  It scales well and gives much more
granularity of the sudo options on a per sudoRole basis.  (sudoRole is defined
as a combination of a set of users on a set of hosts running a set of commands
as a set of runas users.  You can have as many sudoRoles as you want - Even
thousands and it should scale well.  The LDAP server never needs to have all
of its entries dumped - only a small subset searched based upon the groups &
netgroups a user belongs to.)

I am hoping the patch will eventually become mainstreamed into sudo since it
co-exists in the code nicely.  It even allows for globally ignoring the
/etc/sudoers file on all machines based upon a global sudo option in ldap.

Also since sudo has PAM support, sudo can use LDAP authentication via
PAM_LDAP.  (I have tested this and this is what we use)

 - Aaron


Ulrich Weber wrote:

> Hi Aaron,
>
> any news from your client to release your ldap patch for sudo ?
>
> Bye
>   Ulrich
>
> Aaron Spangler wrote:
> > Actually I wrote a schema and created a patch for sudo to work with
> > LDAP.  We are using it at my client and it works great on 400+ machines.
> > I'm trying to get my client to release it back to sudo under the BSD
> > license.
> >
> >  -Aaron
> >
> > Ulrich Weber wrote:
> >
> >
> >>Hi Aaron,
> >>
> >>you wrote about a LDAP schema for sudo at the sudo mailing list.
> >>
> >>Is there an existing ldap implementation or any plans to develop one
> >>for sudo ?
> >>If not, do you know something similar like sudo with ldap support?
> >>
> >>Best regards
> >>  Ulrich
> >
> >
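Editor's note: the message above describes a sudoRole only in words (a set of users on a set of hosts running a set of commands as a set of runas users, plus a global option to ignore /etc/sudoers). The LDIF below is an added illustration, not the patch or schema Aaron posted. It assumes the attribute and object class names of the sudoers LDAP schema that later shipped with sudo (sudoRole, sudoUser, sudoHost, sudoCommand, sudoRunAs, sudoOption, and the cn=defaults entry with ignore_local_sudoers); the message does not name these, and the base DN and entry names are invented for the example.

```ldif
# Added example; attribute names and DNs are assumptions, not from the message.
# Global defaults entry: one sudoOption here applies to every host that queries
# this LDAP server, which is how a single option can switch off /etc/sudoers
# everywhere. Leave it out if local sudoers files should still be honoured.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Global sudo options applied on every host
sudoOption: ignore_local_sudoers

# One sudoRole = users x hosts x commands x runas users.
# Only entries whose sudoUser matches the caller (by name, %group or
# +netgroup) and whose sudoHost matches the local host are consulted, so the
# server never has to return the whole set of roles for one lookup.
dn: cn=dbadmins-restart,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: dbadmins-restart
sudoUser: %dbadmins
sudoUser: +db-operators
sudoHost: db01.example.com
sudoHost: db02.example.com
sudoCommand: /etc/init.d/postgresql restart
sudoCommand: /etc/init.d/postgresql status
sudoRunAs: postgres
sudoOption: !authenticate

# A second, unrelated role: same schema, different user/host/command sets.
# Note that sudoCommand: ALL and sudoHost: ALL are as broad as they read;
# a role like this is equivalent to "ALL=(ALL) ALL" in /etc/sudoers.
dn: cn=wheel-all,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: wheel-all
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
sudoRunAs: ALL
```

Two points a reviewer of such data would check: that every role's sudoHost list is as narrow as the message's "set of hosts" wording implies rather than ALL, and that the account sudo uses to bind to the directory can read ou=SUDOers but nothing else, since whoever can write these entries can grant root on every host that trusts the server.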



More information about the sudo-users mailing list