[sudo-users] Need to know when +netgroup and %group look-ups occur

Five Speed fivespeedv8 at hotmail.com
Fri Sep 5 11:10:02 EDT 2008


We are trying to ascertain the impact on our LDAP service if we start putting netgroup references into the sudoers file.  Our netgroup table is in LDAP.
 
Right now, we use regular unix groups for many entries:
 
%usergroup1     ALL = /some/command
%usergroup2     somehost = /some/other/command
 
and LDAP group lookups are doing OK.
 
If we decide to add this entry:
 
%usergroup3    +netgroup = /some/command
 
When does the netgroup lookup occur?  
   - Only when the executing userID is in usergroup3?  
   - Only when /some/command is issued via sudo?  
   - Always?
 
Also, does a Host_Alias affect the way the lookup is performed?
 
Host_Alias  MYHOSTS = +netgroup
%usergroup3    MYHOSTS = /some/command
 
Is there a doc on the logic used for table lookups?
 
Thanks,
Lou
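The following is an added illustration, not code from the sudo project and not part of the original message. It models the evaluation order the sudoers(5) manual documents: sudo walks every entry in the file, matches the user list first, only then the host list, and only then the command list. In this model a host-side `+netgroup` (or a `Host_Alias` that expands to one) triggers an innetgr(3)-style query only for entries whose user list already matched, and it does so for every command the user runs, not just the one named in the entry. The group table, netgroup triples, hostnames and the `Directory` counter are constructed for the example; they stand in for the LDAP-backed nsswitch lookups and are assumptions, not anything the post states.

```python
# Toy model of how sudo walks a sudoers file (added illustration, not sudo's code).
# Order per sudoers(5): for each entry, match users, then hosts, then commands.
# A fake directory back end counts the innetgr(3)-style queries it receives so
# the cost of +netgroup references in the host position can be seen per lookup.
from dataclasses import dataclass


@dataclass
class Entry:
    users: list   # user list, e.g. ["%usergroup3"], ["+opsusers"], ["lou"]
    hosts: list   # host list, e.g. ["ALL"], ["somehost"], ["+webhosts"], ["MYHOSTS"]
    cmnds: list   # command list, e.g. ["ALL"], ["/some/command"]


# Constructed directory data standing in for LDAP (assumed names, not from the post).
GROUPS = {"usergroup1": {"alice"}, "usergroup3": {"lou"}}
# Netgroup triples are (host, user, domain); None matches anything, as in innetgr(3).
NETGROUPS = {
    "webhosts": {("web1", None, None), ("web2", None, None)},
    "opsusers": {(None, "lou", None)},
}
HOST_ALIASES = {"MYHOSTS": ["+webhosts"]}


class Directory:
    """Fake nsswitch back end that records every netgroup query it answers."""

    def __init__(self):
        self.netgroup_queries = []

    def innetgr(self, netgroup, host=None, user=None):
        self.netgroup_queries.append((netgroup, host, user))
        for h, u, _domain in NETGROUPS.get(netgroup, ()):
            host_ok = host is None or h is None or h == host
            user_ok = user is None or u is None or u == user
            if host_ok and user_ok:
                return True
        return False


def user_matches(d, user, spec):
    if spec == "ALL":
        return True
    if spec.startswith("%"):          # unix group: group table lookup, no netgroup query
        return user in GROUPS.get(spec[1:], set())
    if spec.startswith("+"):          # user netgroup: innetgr on the user field
        return d.innetgr(spec[1:], user=user)
    return spec == user


def host_matches(d, host, spec):
    if spec == "ALL":
        return True
    if spec in HOST_ALIASES:          # Host_Alias expands to its members at match time
        return any(host_matches(d, host, m) for m in HOST_ALIASES[spec])
    if spec.startswith("+"):          # host netgroup: innetgr on the host field
        return d.innetgr(spec[1:], host=host)
    return spec == host


def lookup(d, sudoers, user, host, cmnd):
    """Visit every entry in order; an entry's host list is consulted only after
    its user list matched, and its command list only after its host list matched."""
    allowed = False
    for e in sudoers:
        if not any(user_matches(d, user, s) for s in e.users):
            continue                  # user did not match: host netgroups never queried
        if not any(host_matches(d, host, s) for s in e.hosts):
            continue                  # host did not match: command list never consulted
        if any(c == "ALL" or c == cmnd for c in e.cmnds):
            allowed = True
    return allowed


# Constructed sudoers content mirroring the shape of the entries in the post.
SUDOERS = [
    Entry(["%usergroup1"], ["ALL"], ["/some/command"]),
    Entry(["%usergroup3"], ["+webhosts"], ["/some/command"]),
    Entry(["%usergroup3"], ["MYHOSTS"], ["/some/other/command"]),
]


def netgroup_queries_for(user, host, cmnd):
    """Return (allowed, number of netgroup queries) for one sudo invocation."""
    d = Directory()
    allowed = lookup(d, SUDOERS, user, host, cmnd)
    return allowed, len(d.netgroup_queries)


if __name__ == "__main__":
    for args in [("alice", "web1", "/some/command"),   # not in usergroup3: 0 queries
                 ("lou", "web1", "/some/command"),     # in usergroup3: 2 queries, allowed
                 ("lou", "web1", "/bin/ls"),           # same 2 queries, command denied
                 ("lou", "db1", "/some/command")]:     # 2 queries, host not in netgroup
        print(args, "->", netgroup_queries_for(*args))
```

In this model the cost of the host-side netgroup is paid once per entry whose user list matched, on every sudo invocation by such a user, whatever command they run; the `Host_Alias` form costs the same as writing `+netgroup` inline, since the alias is expanded and then matched the same way. Users outside `usergroup3` never cause a netgroup query from those entries. Whether sudo or the NSS layer caches any of these answers between calls is outside what this model shows.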