[sudo-users] sudoers and ldap groups with object class of "groupsofuniquenames"

Kari, Sampath K sampath_k_kari at fanniemae.com
Wed Aug 29 17:34:11 EDT 2007



I know little about LDAP but need this for a critical issue.


We have 2 types of groups in our ldap.


1) Regular groups that we can see on all Unix servers (Solaris too), with object class of "posixgroup"

2) Groups that the OS cannot use for granting privileges but that exist in LDAP with object class of "groupsofuniquenames"


*** I want to know if groups in LDAP of type 2 listed above can be specified as a User_List in sudoers, mainly for the sudo runas access definition line.


Kindly help with the above information, as it will be very useful for us.


The reason for this is to not have people be part of a lot of Unix groups just for the purpose of getting them sudo access, as this takes away some of the groups under the 16-group limit Solaris has.


Note, I am aware that netgroups are supported, but there are some performance issues in Sun's implementation of the LDAP client with netgroup lookups. Hence, we do not prefer netgroups for that reason.


Also, I am aware that we can go from 16 to 32 groups on Solaris, provided we are not using SYS_AUTH with NFS.






