[sudo-users] Re: sudo ldap

Aaron Spangler as at insight.rr.com
Mon Jun 7 23:20:02 EDT 2004


You might consider consolidating the 600 roles since they are likely to be 
similar.  In LDAP you can have multi-valued attributes.  So you can have a 
Role that has more than one sudoUser attribute.   For example, if you were 
able to include 200 similar users into one sudoRole entry, 400 into a second, 
and the remainder into a few more, you should be able to collapse it into 
maybe 30 roles total. Or maybe into 5 if they are almost all identical. 
(Thats one of the strengths of LDAP).  This should also make it easier to 
manage.  If the entries are created automatically, you could modify your 
automated add script to do an 'ldap modify' instead of 'ldap add' to add the 
new attribute (user) to a specific role.

If you're stuck, export a few of the examples or send me screen shots and I'll 
try to help explain what I mean.

Remember that the 'sizelimit' is the number of LDAP entries (objects) not 
attributes.  So even if an single entry (Role) has 200 attributes (Users) on 
it, it only counts as one entry according to 'sizelimit'.

I hope all this makes sense.  Please let me know and I will be glad to help 


On Friday 04 June 2004 12:45 am, you wrote:
> Hi Aaron :)
> Just wanted to drop you a line to say thanks! for coding the sudo/ldap
> stuff.
> I am currently in the process of making it happen.. and I hit a snag!!! 
> took me about 2 days to figure
> it out (im a ldap newb), but just thought you might be interested in what I
> found:
> Basically, it's an extremely good idea to include
> 'sizelimit 10000' or unlimited or -1 in the slapd.conf
> otherwise, when you have a HUGE sudoers file like i do ( 12000 lines
> long..) it will fail
> a horrible death whenever the netgroups resolution occurs (i.e. searching
> for sudoUser=+*)
> When i orinially ran sudo, everything worked EXCEPT for user netgroup
> resolution. The problem, as stated above,
> was simply that there were approximately 600 roles returned when it
> searched for sudoUser=+*, which, of course,
> is greater than 500 (ldap default sizelimit). The ldap_search_s doesnt
> return anything meaningful, and so netgroups failed for me.
> Im sure this is elementary ldap.. but I just thought I'd mention it :)
> THANKS again for your hard work.
> Chris.

More information about the sudo-users mailing list