[sudo-users] sudo + ldap + high cpu and recursive group member searching.
JR Aquino
JR.Aquino at citrixonline.com
Wed Jan 20 22:46:08 EST 2010
Hello everyone.
I have been chasing down a high cpu issue for several days now, and was hoping I could get some answers from the list regarding exactly how sudo performs its ldap searching.
I have a large fleet of nss_ldap-based Linux servers and I have a selection of LDAP (eDirectory) servers.
We have sudoRole objects defined which have the following sudo related attributes defined:
sudoCommand
sudoHost
sudoUser
When I perform a sudo and look at the verbose logging of my LDAP server, I see that sudo does a search to find the group that I am a member of, presumably because I have a sudoUser: username inside of this group.
What I did not expect to see, is that sudo then appears to iterate down ALL the members of the (sudoRole) group I belong to.
It appears to be requesting the following for each member:
scope:0 dereference:0 sizelimit:1 timelimit:5 attrsonly:0
filter: "(objectclass=*)"
attribute: "uid"
attribute: "uniqueMember"
attribute: "objectClass"
Is this expected behavior for sudo?
What are the official search expectations of sudo regarding LDAP environments? I would think I could get the info I would be looking for by doing a search in the SUDOers group, with the search of: sudoUser=username, asking for the attributes sudoHost, sudoCommand, and sudoOptions...
Could someone please clarify for me?
Thank you.
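An added illustration of the two search patterns described in this post (not the poster's code and not part of sudo): the first function builds the single sudoUser filter in the form documented in sudoers.ldap(5), with filter-injection escaping; the second walks constructed server log lines in the two-line scope/filter layout quoted above and separates the one sudoRole search from the per-member scope:0 "(objectclass=*)" lookups. The search base, attribute list and log lines are assumptions.

```python
from collections import Counter

# Assumed search base and result attributes for a sudoRole query.
SUDOERS_BASE = "ou=SUDOers,dc=example,dc=com"
SUDO_ATTRS = ("sudoHost", "sudoCommand", "sudoOption")

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515) so a
    crafted user or group name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch
                   for ch in value)

def sudo_user_filter(user: str, groups) -> str:
    """One filter covering the user, each of the user's groups (as
    %group) and the ALL wildcard, as sudoers.ldap(5) describes."""
    terms = ["(sudoUser=%s)" % ldap_escape(user)]
    terms += ["(sudoUser=%%%s)" % ldap_escape(g) for g in groups]
    terms.append("(sudoUser=ALL)")
    return "(|%s)" % "".join(terms)

def classify_searches(log_lines):
    """Pair each 'scope:' line with the 'filter:' line that follows it.
    scope:0 plus (objectclass=*) is a base lookup of one member entry;
    a filter containing sudoUser= is the actual sudoRole search."""
    counts = Counter()
    scope = None
    for line in log_lines:
        line = line.strip()
        if line.startswith("scope:"):
            scope = line.split()[0].split(":", 1)[1]
        elif line.startswith("filter:") and '"' in line:
            flt = line.split('"')[1].lower()
            if scope == "0" and flt == "(objectclass=*)":
                counts["per_member_lookup"] += 1
            elif "sudouser=" in flt:
                counts["sudorole_search"] += 1
            scope = None
    return counts

# Constructed log excerpt: one subtree sudoRole search, then a base
# lookup per group member (three members here).
SAMPLE_LOG = """\
scope:2 dereference:0 sizelimit:0 timelimit:5 attrsonly:0
filter: "(|(sudoUser=jdoe)(sudoUser=%admins)(sudoUser=ALL))"
scope:0 dereference:0 sizelimit:1 timelimit:5 attrsonly:0
filter: "(objectclass=*)"
scope:0 dereference:0 sizelimit:1 timelimit:5 attrsonly:0
filter: "(objectclass=*)"
scope:0 dereference:0 sizelimit:1 timelimit:5 attrsonly:0
filter: "(objectclass=*)"
""".splitlines()
```

Run against a real server's verbose log, a per_member_lookup count that grows with group size, while sudorole_search stays at one, confirms the fan-out the post describes.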