[sudo-users] sudo + ldap + high cpu and recursive group member searching.

JR Aquino JR.Aquino at citrixonline.com
Wed Jan 20 22:46:08 EST 2010

Hello everyone.

I have been chasing down a high cpu issue for several days now, and was hoping I could get some answers from the list regarding exactly how sudo performs its ldap searching.

I have a large fleet of nss_ldap based linux servers and I have a selection of ldap(edirectory) servers.

We have sudoRole objects defined which have the following sudo related attributes defined:


When I perform a sudo and look at the verbose logging of my ldap server, I see that sudo does a search to find the group that I am a member of. Presumably because i have a sudoUser: username inside of this group.

What I did not expect to see, is that sudo then appears to iterate down ALL the members of the (sudoRole) group I belong to.

It appears to be requesting the following for each member:

        scope:0  dereference:0  sizelimit:1  timelimit:5  attrsonly:0
        filter: "(objectclass=*)"
        attribute: "uid"
        attribute: "uniqueMember"
        attribute: "objectClass"

Is this expected behavior for sudo?

What is the official search expectations of sudo regarding ldap environments?  I would think I could get the info I would be looking for by doing a search in the SUDOers group, with the search of: sudoUser=username, asking the attributes of sudoHost, sudoCommand, and sudoOptions...

Could someone please clarify for me?

Thank you.

More information about the sudo-users mailing list