[sudo-users] sudo 1.6.8p9 making copious netgroup requests to Sun ONE LDAP server

Morgan, Chris Chris.Morgan at rbccm.com
Wed Nov 8 04:29:49 EST 2006

I'm having a problem with every sudo command making hundreds of requests
to the LDAP server each time it is called. This is my configuration:


  Solaris Sparc 8/9/10 & x86 10

  Sudo version 1.6.8p9

  Sun ONE LDAP server 5.2 p4


The problem is readily reproducible on ALL my Solaris servers
irrespective of OS version or architecture. The problem is NOT evident
on any HP or Redhat servers.


Each time I run sudo from any Solaris server, I register literally
hundreds of hits such as the following on the LDAP server:


[08/Nov/2006:08:55:52 +0000] conn=9132643 op=1 msgId=2 - SRCH
base="ou=netgroup,dc=mycompany,dc=mydomain,dc=com" scope=2
))" attrs="cn nisNetgroupTriple"


There is a hit for each netgroup in the LDAP database - it seems to be
looping through all the netgroups that exist (in this example, I've
substituted the string netgroup_name_here). The net result is not only
that sudo commands take forever to execute but there is a huge load on
the LDAP server too (we use sudo heavily on our Solaris servers).


The problem is compounded by the fact that nscd doesn't cache netgroup


Below are my configuration files. I'm at a loss to explain why sudo
is behaving this way. I've tried to re-compile the latest version but I
continue to get the same results.


Any suggestions?





passwd:        compat
passwd_compat: ldap
group:         files ldap
hosts:      files dns
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   ldap
automount:  files
aliases:    files
services:   files
sendmailvars:   files
auth_attr: files
exec_attr: files
prof_attr: files
user_attr: files
audit_user: files
project:    files



login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth binding          pam_unix_auth.so.1 server_policy
login   auth required         pam_ldap.so.1
other   auth requisite        pam_authtok_get.so.1
other   auth required         pam_dhkeys.so.1
other   auth required         pam_unix_cred.so.1
other   auth binding          pam_unix_auth.so.1 server_policy
other   auth required         pam_ldap.so.1
passwd  auth binding          pam_passwd_auth.so.1 server_policy
passwd  auth required         pam_ldap.so.1
cron    account required      pam_unix_account.so.1
other   account requisite     pam_roles.so.1
other   account binding       pam_unix_account.so.1 server_policy
other   account required      pam_ldap.so.1
other   session required      pam_unix_session.so.1
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy


/etc/passwd (relevant netgroup-related entries):

+@netgroup1:x:::::
+@netgroup2:x:::::





        logfile                 /var/adm/nscd.log
        enable-cache            hosts           yes
        enable-cache            passwd          yes
        enable-cache            group           yes
        debug-level             0
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        suggested-size          passwd          2000
        keep-hot-count          passwd          200
        old-data-ok             passwd          no
        check-files             passwd          yes
        positive-time-to-live   group           3600
        negative-time-to-live   group           20
        suggested-size          group           2000
        keep-hot-count          group           200
        old-data-ok             group           no
        check-files             group           yes
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           20
        suggested-size          hosts           2000
        keep-hot-count          hosts           200
        old-data-ok             hosts           no
        check-files             hosts           yes
        positive-time-to-live   ipnodes         3600
        negative-time-to-live   ipnodes         20
        suggested-size          ipnodes         2000
        keep-hot-count          ipnodes         200
        old-data-ok             ipnodes         no
        check-files             ipnodes         yes
        positive-time-to-live   exec_attr       3600
        negative-time-to-live   exec_attr       20
        suggested-size          exec_attr       2000
        keep-hot-count          exec_attr       200
        old-data-ok             exec_attr       no
        check-files             exec_attr       yes
        positive-time-to-live   prof_attr       3600
        negative-time-to-live   prof_attr       20
        suggested-size          prof_attr       2000
        keep-hot-count          prof_attr       200
        old-data-ok             prof_attr       no
        check-files             prof_attr       yes
        positive-time-to-live   user_attr       3600
        negative-time-to-live   user_attr       20
        suggested-size          user_attr       2000
        keep-hot-count          user_attr       200
        old-data-ok             user_attr       no
        check-files             user_attr       yes
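
Added example, not part of the original post: one way to quantify the behaviour described above is to count, per connection and per second, the SRCH records under the netgroup container in the directory server's access log. The function names, the burst threshold, the second connection number and the filter text in the constructed sample are assumptions; the filter in the post's log excerpt did not survive.

```python
import re
from collections import Counter

# SRCH record layout as shown in the post (one record per line in the real log).
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=\d+\s+msgId=\d+\s+-\s+SRCH\s+'
    r'base="(?P<base>[^"]*)"\s+scope=\d+(?:\s+filter="(?P<filter>[^"]*)")?'
)
CN_RE = re.compile(r'\(cn=([^)]+)\)', re.IGNORECASE)


def netgroup_search_stats(lines, netgroup_base, burst_threshold=50):
    """Count searches under netgroup_base per connection and per second."""
    suffix = netgroup_base.lower()
    per_conn, per_second, names = Counter(), Counter(), set()
    for line in lines:
        m = SRCH_RE.match(line.strip())
        if not m or not m['base'].lower().endswith(suffix):
            continue  # RESULT/BIND records and searches in other containers
        per_conn[m['conn']] += 1
        per_second[m['ts']] += 1
        cn = CN_RE.search(m['filter'] or '')
        if cn:
            names.add(cn.group(1).lower())
    return {
        'total': sum(per_conn.values()),
        'per_conn': dict(per_conn),
        # Connections that walked many netgroups, as in the reported symptom.
        'bursts': {c: n for c, n in per_conn.items() if n >= burst_threshold},
        'distinct_netgroups': len(names),
        'peak_per_second': max(per_second.values(), default=0),
    }


def constructed_sample():
    """Constructed log: one connection walks 120 netgroups, another does one lookup."""
    base = 'ou=netgroup,dc=mycompany,dc=mydomain,dc=com'
    # Filter text is an assumption, not taken from the post.
    rec = ('[08/Nov/2006:08:55:{s:02d} +0000] conn={c} op={o} msgId={m} - SRCH base="{b}" '
           'scope=2 filter="(&(objectclass=nisNetgroup)(cn=ng{n:03d}))" attrs="cn nisNetgroupTriple"')
    log = [rec.format(s=52 + i // 60, c=9132643, o=i + 1, m=i + 2, b=base, n=i)
           for i in range(120)]
    log.append('[08/Nov/2006:08:55:53 +0000] conn=9132643 op=120 msgId=121 - '
               'RESULT err=0 tag=101 nentries=1 etime=0')
    log.append(rec.format(s=54, c=9132650, o=1, m=2, b=base, n=5))
    log.append('[08/Nov/2006:08:55:54 +0000] conn=9132650 op=2 msgId=3 - SRCH '
               'base="ou=people,dc=mycompany,dc=mydomain,dc=com" scope=2 '
               'filter="(uid=user1)" attrs="uid"')
    return log
```

Run against a real access log, a connection listed under `bursts` with `distinct_netgroups` close to the number of netgroups in the directory matches the per-netgroup looping described in the post.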

